golang: fix CVE-2022-28131

Upstream-Status: Backport [https://github.com/golang/go/commit/58facfbe7db2fbb9afed794b281a70bdb12a60ae] CVE: CVE-2022-28131 (From OE-Core rev: 09a820fe21d7884c6733d569f6560ef1ded5435d) Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ralph Siemsen <ralph.siemsen@linaro.org> 2022-11-17 11:54:50 -0500
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-12-07 15:06:36 +0000
commit: 40df9e039a7b7d1d4d11bf7411739cc9e7f4fbba (patch)
tree: d65bfb1b97a4c3cb90dcb587c4968fd42931863e /meta
parent: fdca6ac5fa291f073b8789865ee854481732b2ac (diff)
download: poky-40df9e039a7b7d1d4d11bf7411739cc9e7f4fbba.tar.gz
2 files changed, 105 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index 08eefdcb5c..525a3e77c5 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -47,6 +47,7 @@ SRC_URI += "\
    file://CVE-2021-33198.patch \
    file://CVE-2021-44716.patch \
    file://CVE-2022-24921.patch \
+    file://CVE-2022-28131.patch \
 "
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-28131.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-28131.patch
new file mode 100644
index 0000000000..8afa292144
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-28131.patch
@@ -0,0 +1,104 @@
+From 8136eb2e5c316a51d0da710fbd0504cbbefee526 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Mon, 28 Mar 2022 18:41:26 -0700
+Subject: [PATCH] encoding/xml: use iterative Skip, rather than recursive
+Upstream-Status: Backport [https://github.com/golang/go/commit/58facfbe7db2fbb9afed794b281a70bdb12a60ae]
+CVE: CVE-2022-28131
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+Prevents exhausting the stack limit in _incredibly_ deeply nested
+structures.
+Fixes #53711
+Updates #53614
+Fixes CVE-2022-28131
+Change-Id: I47db4595ce10cecc29fbd06afce7b299868599e6
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1419912
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 9278cb78443d2b4deb24cbb5b61c9ba5ac688d49)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/417068
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Heschi Kreinick <heschi@google.com>
+Run-TryBot: Michael Knyszek <mknyszek@google.com>
+---
+ src/encoding/xml/read.go      | 15 ++++++++-------
+ src/encoding/xml/read_test.go | 18 ++++++++++++++++++
+ 2 files changed, 26 insertions(+), 7 deletions(-)
+diff --git a/src/encoding/xml/read.go b/src/encoding/xml/read.go
+index 4ffed80..3fac859 100644
+--- a/src/encoding/xml/read.go
+++ b/src/encoding/xml/read.go
+@@ -743,12 +743,12 @@ Loop:
+ }
+ 
+ // Skip reads tokens until it has consumed the end element
+-// matching the most recent start element already consumed.
+-// It recurs if it encounters a start element, so it can be used to
+-// skip nested structures.
+// matching the most recent start element already consumed,
+// skipping nested structures.
+ // It returns nil if it finds an end element matching the start
+ // element; otherwise it returns an error describing the problem.
+ func (d *Decoder) Skip() error {
+       var depth int64
+        for {
+                tok, err := d.Token()
+                if err != nil {
+@@ -756,11 +756,12 @@ func (d *Decoder) Skip() error {
+                }
+                switch tok.(type) {
+                case StartElement:
+-                       if err := d.Skip(); err != nil {
+-                               return err
+-                       }
+                       depth++
+                case EndElement:
+-                       return nil
+                       if depth == 0 {
+                               return nil
+                       }
+                       depth--
+                }
+        }
+ }
+diff --git a/src/encoding/xml/read_test.go b/src/encoding/xml/read_test.go
+index 6a20b1a..7a621a5 100644
+--- a/src/encoding/xml/read_test.go
+++ b/src/encoding/xml/read_test.go
+@@ -5,9 +5,11 @@
+ package xml
+ 
+ import (
+       "bytes"
+        "errors"
+        "io"
+        "reflect"
+       "runtime"
+        "strings"
+        "testing"
+        "time"
+@@ -1093,3 +1095,19 @@ func TestCVE202228131(t *testing.T) {
+                t.Fatalf("Unmarshal unexpected error: got %q, want %q", err, errExeceededMaxUnmarshalDepth)
+        }
+ }
+
+func TestCVE202230633(t *testing.T) {
+       if runtime.GOARCH == "wasm" {
+               t.Skip("causes memory exhaustion on js/wasm")
+       }
+       defer func() {
+               p := recover()
+               if p != nil {
+                       t.Fatal("Unmarshal panicked")
+               }
+       }()
+       var example struct {
+               Things []string
+       }
+       Unmarshal(bytes.Repeat([]byte("<a>"), 17_000_000), &example)
+}
author	Ralph Siemsen <ralph.siemsen@linaro.org>	2022-11-17 11:54:50 -0500
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-12-07 15:06:36 +0000
commit	40df9e039a7b7d1d4d11bf7411739cc9e7f4fbba (patch)
tree	d65bfb1b97a4c3cb90dcb587c4968fd42931863e /meta
parent	fdca6ac5fa291f073b8789865ee854481732b2ac (diff)
download	poky-40df9e039a7b7d1d4d11bf7411739cc9e7f4fbba.tar.gz

diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 08eefdcb5c..525a3e77c5 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -47,6 +47,7 @@ SRC_URI += "\
47	file://CVE-2021-33198.patch \	47	file://CVE-2021-33198.patch \
48	file://CVE-2021-44716.patch \	48	file://CVE-2021-44716.patch \
49	file://CVE-2022-24921.patch \	49	file://CVE-2022-24921.patch \
		50	file://CVE-2022-28131.patch \
50	"	51	"
51		52
52	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"	53	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"


diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-28131.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-28131.patch new file mode 100644 index 0000000000..8afa292144 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-28131.patch
@@ -0,0 +1,104 @@
		1	From 8136eb2e5c316a51d0da710fbd0504cbbefee526 Mon Sep 17 00:00:00 2001
		2	From: Roland Shoemaker <roland@golang.org>
		3	Date: Mon, 28 Mar 2022 18:41:26 -0700
		4	Subject: [PATCH] encoding/xml: use iterative Skip, rather than recursive
		5
		6	Upstream-Status: Backport [https://github.com/golang/go/commit/58facfbe7db2fbb9afed794b281a70bdb12a60ae]
		7	CVE: CVE-2022-28131
		8	Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
		9
		10
		11	Prevents exhausting the stack limit in _incredibly_ deeply nested
		12	structures.
		13
		14	Fixes #53711
		15	Updates #53614
		16	Fixes CVE-2022-28131
		17
		18	Change-Id: I47db4595ce10cecc29fbd06afce7b299868599e6
		19	Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1419912
		20	Reviewed-by: Julie Qiu <julieqiu@google.com>
		21	Reviewed-by: Damien Neil <dneil@google.com>
		22	(cherry picked from commit 9278cb78443d2b4deb24cbb5b61c9ba5ac688d49)
		23	Reviewed-on: https://go-review.googlesource.com/c/go/+/417068
		24	TryBot-Result: Gopher Robot <gobot@golang.org>
		25	Reviewed-by: Heschi Kreinick <heschi@google.com>
		26	Run-TryBot: Michael Knyszek <mknyszek@google.com>
		27	---
		28	src/encoding/xml/read.go \| 15 ++++++++-------
		29	src/encoding/xml/read_test.go \| 18 ++++++++++++++++++
		30	2 files changed, 26 insertions(+), 7 deletions(-)
		31
		32	diff --git a/src/encoding/xml/read.go b/src/encoding/xml/read.go
		33	index 4ffed80..3fac859 100644
		34	--- a/src/encoding/xml/read.go
		35	+++ b/src/encoding/xml/read.go
		36	@@ -743,12 +743,12 @@ Loop:
		37	}
		38
		39	// Skip reads tokens until it has consumed the end element
		40	-// matching the most recent start element already consumed.
		41	-// It recurs if it encounters a start element, so it can be used to
		42	-// skip nested structures.
		43	+// matching the most recent start element already consumed,
		44	+// skipping nested structures.
		45	// It returns nil if it finds an end element matching the start
		46	// element; otherwise it returns an error describing the problem.
		47	func (d *Decoder) Skip() error {
		48	+ var depth int64
		49	for {
		50	tok, err := d.Token()
		51	if err != nil {
		52	@@ -756,11 +756,12 @@ func (d *Decoder) Skip() error {
		53	}
		54	switch tok.(type) {
		55	case StartElement:
		56	- if err := d.Skip(); err != nil {
		57	- return err
		58	- }
		59	+ depth++
		60	case EndElement:
		61	- return nil
		62	+ if depth == 0 {
		63	+ return nil
		64	+ }
		65	+ depth--
		66	}
		67	}
		68	}
		69	diff --git a/src/encoding/xml/read_test.go b/src/encoding/xml/read_test.go
		70	index 6a20b1a..7a621a5 100644
		71	--- a/src/encoding/xml/read_test.go
		72	+++ b/src/encoding/xml/read_test.go
		73	@@ -5,9 +5,11 @@
		74	package xml
		75
		76	import (
		77	+ "bytes"
		78	"errors"
		79	"io"
		80	"reflect"
		81	+ "runtime"
		82	"strings"
		83	"testing"
		84	"time"
		85	@@ -1093,3 +1095,19 @@ func TestCVE202228131(t *testing.T) {
		86	t.Fatalf("Unmarshal unexpected error: got %q, want %q", err, errExeceededMaxUnmarshalDepth)
		87	}
		88	}
		89	+
		90	+func TestCVE202230633(t *testing.T) {
		91	+ if runtime.GOARCH == "wasm" {
		92	+ t.Skip("causes memory exhaustion on js/wasm")
		93	+ }
		94	+ defer func() {
		95	+ p := recover()
		96	+ if p != nil {
		97	+ t.Fatal("Unmarshal panicked")
		98	+ }
		99	+ }()
		100	+ var example struct {
		101	+ Things []string
		102	+ }
		103	+ Unmarshal(bytes.Repeat([]byte("<a>"), 17_000_000), &example)
		104	+}