diff options
author | Hitendra Prajapati <hprajapati@mvista.com> | 2022-08-25 17:32:51 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-09-03 13:10:37 +0100 |
commit | 7d67a61029c49b3459b65da4da2c5022f3826713 (patch) | |
tree | b93bd3b484b37a9dfcc3fe74b6183e88017a1889 /meta/recipes-devtools/go | |
parent | 8bc3443c0813f884955def3bb8d7594acd397796 (diff) | |
download | poky-7d67a61029c49b3459b65da4da2c5022f3826713.tar.gz |
golang: fix CVE-2022-30632 and CVE-2022-30633
Source: https://github.com/golang/go
MR: 120622, 120625
Type: Security Fix
Disposition: Backport from https://github.com/golang/go/commit/76f8b7304d1f7c25834e2a0cc9e88c55276c47df && https://github.com/golang/go/commit/2678d0c957193dceef336c969a9da74dd716a827
ChangeID: aabb29a6dd6a89842f451c95af228aaf66e58bb5
Description:
Fixed CVE:
1. CVE-2022-30632
2. CVE-2022-30633
(From OE-Core rev: 9ffaae887743d77839fb758657b1dec71a9b8880)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/go')
-rw-r--r-- | meta/recipes-devtools/go/go-1.14.inc | 2 | ||||
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch | 71 | ||||
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch | 131 |
3 files changed, 204 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 6089fd501d..84babc38cb 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc | |||
@@ -27,6 +27,8 @@ SRC_URI += "\ | |||
27 | file://CVE-2021-31525.patch \ | 27 | file://CVE-2021-31525.patch \ |
28 | file://CVE-2022-30629.patch \ | 28 | file://CVE-2022-30629.patch \ |
29 | file://CVE-2022-30631.patch \ | 29 | file://CVE-2022-30631.patch \ |
30 | file://CVE-2022-30632.patch \ | ||
31 | file://CVE-2022-30633.patch \ | ||
30 | " | 32 | " |
31 | 33 | ||
32 | SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" | 34 | SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" |
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch new file mode 100644 index 0000000000..c54ef56a0e --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch | |||
@@ -0,0 +1,71 @@ | |||
1 | From 35d1dfe9746029aea9027b405c75555d41ffd2f8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Thu, 25 Aug 2022 13:12:40 +0530 | ||
4 | Subject: [PATCH] CVE-2022-30632 | ||
5 | |||
6 | Upstream-Status: Backport [https://github.com/golang/go/commit/76f8b7304d1f7c25834e2a0cc9e88c55276c47df] | ||
7 | CVE: CVE-2022-30632 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | --- | ||
10 | src/path/filepath/match.go | 16 +++++++++++++++- | ||
11 | src/path/filepath/match_test.go | 10 ++++++++++ | ||
12 | 2 files changed, 25 insertions(+), 1 deletion(-) | ||
13 | |||
14 | diff --git a/src/path/filepath/match.go b/src/path/filepath/match.go | ||
15 | index 46badb5..ba68daa 100644 | ||
16 | --- a/src/path/filepath/match.go | ||
17 | +++ b/src/path/filepath/match.go | ||
18 | @@ -232,6 +232,20 @@ func getEsc(chunk string) (r rune, nchunk string, err error) { | ||
19 | // The only possible returned error is ErrBadPattern, when pattern | ||
20 | // is malformed. | ||
21 | func Glob(pattern string) (matches []string, err error) { | ||
22 | + return globWithLimit(pattern, 0) | ||
23 | +} | ||
24 | + | ||
25 | +func globWithLimit(pattern string, depth int) (matches []string, err error) { | ||
26 | + // This limit is used prevent stack exhaustion issues. See CVE-2022-30632. | ||
27 | + const pathSeparatorsLimit = 10000 | ||
28 | + if depth == pathSeparatorsLimit { | ||
29 | + return nil, ErrBadPattern | ||
30 | + } | ||
31 | + | ||
32 | + // Check pattern is well-formed. | ||
33 | + if _, err := Match(pattern, ""); err != nil { | ||
34 | + return nil, err | ||
35 | + } | ||
36 | if !hasMeta(pattern) { | ||
37 | if _, err = os.Lstat(pattern); err != nil { | ||
38 | return nil, nil | ||
39 | @@ -257,7 +271,7 @@ func Glob(pattern string) (matches []string, err error) { | ||
40 | } | ||
41 | |||
42 | var m []string | ||
43 | - m, err = Glob(dir) | ||
44 | + m, err = globWithLimit(dir, depth+1) | ||
45 | if err != nil { | ||
46 | return | ||
47 | } | ||
48 | diff --git a/src/path/filepath/match_test.go b/src/path/filepath/match_test.go | ||
49 | index b865762..c37c812 100644 | ||
50 | --- a/src/path/filepath/match_test.go | ||
51 | +++ b/src/path/filepath/match_test.go | ||
52 | @@ -154,6 +154,16 @@ func TestGlob(t *testing.T) { | ||
53 | } | ||
54 | } | ||
55 | |||
56 | +func TestCVE202230632(t *testing.T) { | ||
57 | + // Prior to CVE-2022-30632, this would cause a stack exhaustion given a | ||
58 | + // large number of separators (more than 4,000,000). There is now a limit | ||
59 | + // of 10,000. | ||
60 | + _, err := Glob("/*" + strings.Repeat("/", 10001)) | ||
61 | + if err != ErrBadPattern { | ||
62 | + t.Fatalf("Glob returned err=%v, want ErrBadPattern", err) | ||
63 | + } | ||
64 | +} | ||
65 | + | ||
66 | func TestGlobError(t *testing.T) { | ||
67 | _, err := Glob("[]") | ||
68 | if err == nil { | ||
69 | -- | ||
70 | 2.25.1 | ||
71 | |||
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch new file mode 100644 index 0000000000..c16cb5f50c --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch | |||
@@ -0,0 +1,131 @@ | |||
1 | From ab6e2ffdcab0501bcc2de4b196c1c18ae2301d4b Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Thu, 25 Aug 2022 13:29:55 +0530 | ||
4 | Subject: [PATCH] CVE-2022-30633 | ||
5 | |||
6 | Upstream-Status: Backport [https://github.com/golang/go/commit/2678d0c957193dceef336c969a9da74dd716a827] | ||
7 | CVE: CVE-2022-30633 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | --- | ||
10 | src/encoding/xml/read.go | 27 +++++++++++++++++++-------- | ||
11 | src/encoding/xml/read_test.go | 14 ++++++++++++++ | ||
12 | 2 files changed, 33 insertions(+), 8 deletions(-) | ||
13 | |||
14 | diff --git a/src/encoding/xml/read.go b/src/encoding/xml/read.go | ||
15 | index 10a60ee..4ffed80 100644 | ||
16 | --- a/src/encoding/xml/read.go | ||
17 | +++ b/src/encoding/xml/read.go | ||
18 | @@ -148,7 +148,7 @@ func (d *Decoder) DecodeElement(v interface{}, start *StartElement) error { | ||
19 | if val.Kind() != reflect.Ptr { | ||
20 | return errors.New("non-pointer passed to Unmarshal") | ||
21 | } | ||
22 | - return d.unmarshal(val.Elem(), start) | ||
23 | + return d.unmarshal(val.Elem(), start, 0) | ||
24 | } | ||
25 | |||
26 | // An UnmarshalError represents an error in the unmarshaling process. | ||
27 | @@ -304,8 +304,15 @@ var ( | ||
28 | textUnmarshalerType = reflect.TypeOf((*encoding.TextUnmarshaler)(nil)).Elem() | ||
29 | ) | ||
30 | |||
31 | +const maxUnmarshalDepth = 10000 | ||
32 | + | ||
33 | +var errExeceededMaxUnmarshalDepth = errors.New("exceeded max depth") | ||
34 | + | ||
35 | // Unmarshal a single XML element into val. | ||
36 | -func (d *Decoder) unmarshal(val reflect.Value, start *StartElement) error { | ||
37 | +func (d *Decoder) unmarshal(val reflect.Value, start *StartElement, depth int) error { | ||
38 | + if depth >= maxUnmarshalDepth { | ||
39 | + return errExeceededMaxUnmarshalDepth | ||
40 | + } | ||
41 | // Find start element if we need it. | ||
42 | if start == nil { | ||
43 | for { | ||
44 | @@ -398,7 +405,7 @@ func (d *Decoder) unmarshal(val reflect.Value, start *StartElement) error { | ||
45 | v.Set(reflect.Append(val, reflect.Zero(v.Type().Elem()))) | ||
46 | |||
47 | // Recur to read element into slice. | ||
48 | - if err := d.unmarshal(v.Index(n), start); err != nil { | ||
49 | + if err := d.unmarshal(v.Index(n), start, depth+1); err != nil { | ||
50 | v.SetLen(n) | ||
51 | return err | ||
52 | } | ||
53 | @@ -521,13 +528,15 @@ Loop: | ||
54 | case StartElement: | ||
55 | consumed := false | ||
56 | if sv.IsValid() { | ||
57 | - consumed, err = d.unmarshalPath(tinfo, sv, nil, &t) | ||
58 | + // unmarshalPath can call unmarshal, so we need to pass the depth through so that | ||
59 | + // we can continue to enforce the maximum recusion limit. | ||
60 | + consumed, err = d.unmarshalPath(tinfo, sv, nil, &t, depth) | ||
61 | if err != nil { | ||
62 | return err | ||
63 | } | ||
64 | if !consumed && saveAny.IsValid() { | ||
65 | consumed = true | ||
66 | - if err := d.unmarshal(saveAny, &t); err != nil { | ||
67 | + if err := d.unmarshal(saveAny, &t, depth+1); err != nil { | ||
68 | return err | ||
69 | } | ||
70 | } | ||
71 | @@ -672,7 +681,7 @@ func copyValue(dst reflect.Value, src []byte) (err error) { | ||
72 | // The consumed result tells whether XML elements have been consumed | ||
73 | // from the Decoder until start's matching end element, or if it's | ||
74 | // still untouched because start is uninteresting for sv's fields. | ||
75 | -func (d *Decoder) unmarshalPath(tinfo *typeInfo, sv reflect.Value, parents []string, start *StartElement) (consumed bool, err error) { | ||
76 | +func (d *Decoder) unmarshalPath(tinfo *typeInfo, sv reflect.Value, parents []string, start *StartElement, depth int) (consumed bool, err error) { | ||
77 | recurse := false | ||
78 | Loop: | ||
79 | for i := range tinfo.fields { | ||
80 | @@ -687,7 +696,7 @@ Loop: | ||
81 | } | ||
82 | if len(finfo.parents) == len(parents) && finfo.name == start.Name.Local { | ||
83 | // It's a perfect match, unmarshal the field. | ||
84 | - return true, d.unmarshal(finfo.value(sv), start) | ||
85 | + return true, d.unmarshal(finfo.value(sv), start, depth+1) | ||
86 | } | ||
87 | if len(finfo.parents) > len(parents) && finfo.parents[len(parents)] == start.Name.Local { | ||
88 | // It's a prefix for the field. Break and recurse | ||
89 | @@ -716,7 +725,9 @@ Loop: | ||
90 | } | ||
91 | switch t := tok.(type) { | ||
92 | case StartElement: | ||
93 | - consumed2, err := d.unmarshalPath(tinfo, sv, parents, &t) | ||
94 | + // the recursion depth of unmarshalPath is limited to the path length specified | ||
95 | + // by the struct field tag, so we don't increment the depth here. | ||
96 | + consumed2, err := d.unmarshalPath(tinfo, sv, parents, &t, depth) | ||
97 | if err != nil { | ||
98 | return true, err | ||
99 | } | ||
100 | diff --git a/src/encoding/xml/read_test.go b/src/encoding/xml/read_test.go | ||
101 | index 8c2e70f..6a20b1a 100644 | ||
102 | --- a/src/encoding/xml/read_test.go | ||
103 | +++ b/src/encoding/xml/read_test.go | ||
104 | @@ -5,6 +5,7 @@ | ||
105 | package xml | ||
106 | |||
107 | import ( | ||
108 | + "errors" | ||
109 | "io" | ||
110 | "reflect" | ||
111 | "strings" | ||
112 | @@ -1079,3 +1080,16 @@ func TestUnmarshalWhitespaceAttrs(t *testing.T) { | ||
113 | t.Fatalf("whitespace attrs: Unmarshal:\nhave: %#+v\nwant: %#+v", v, want) | ||
114 | } | ||
115 | } | ||
116 | + | ||
117 | +func TestCVE202228131(t *testing.T) { | ||
118 | + type nested struct { | ||
119 | + Parent *nested `xml:",any"` | ||
120 | + } | ||
121 | + var n nested | ||
122 | + err := Unmarshal(bytes.Repeat([]byte("<a>"), maxUnmarshalDepth+1), &n) | ||
123 | + if err == nil { | ||
124 | + t.Fatal("Unmarshal did not fail") | ||
125 | + } else if !errors.Is(err, errExeceededMaxUnmarshalDepth) { | ||
126 | + t.Fatalf("Unmarshal unexpected error: got %q, want %q", err, errExeceededMaxUnmarshalDepth) | ||
127 | + } | ||
128 | +} | ||
129 | -- | ||
130 | 2.25.1 | ||
131 | |||