Diffstat (limited to 'meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch')
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch | 124 |
1 files changed, 124 insertions, 0 deletions
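--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch
@@ -0,0 +1,124 @@
+From 74242baa4136c7a9132a8ccd9881354442788c8c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Tue, 11 May 2021 11:31:31 -0700
+Subject: [PATCH] archive/zip: only preallocate File slice if reasonably sized
+
+Since the number of files in the EOCD record isn't validated, it isn't
+safe to preallocate Reader.Files using that field. A malformed archive
+can indicate it contains up to 1 << 128 - 1 files. We can still safely
+preallocate the slice by checking if the specified number of files in
+the archive is reasonable, given the size of the archive.
+
+Thanks to the OSS-Fuzz project for discovering this issue and to
+Emmanuel Odeke for reporting it.
+
+Fixes #46242
+Fixes CVE-2021-33196
+
+Change-Id: I3c76d8eec178468b380d87fdb4a3f2cb06f0ee76
+Reviewed-on: https://go-review.googlesource.com/c/go/+/318909
+Trust: Roland Shoemaker <roland@golang.org>
+Trust: Katie Hockman <katie@golang.org>
+Trust: Joe Tsai <thebrokentoaster@gmail.com>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-33196
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+src/archive/zip/reader.go | 10 +++++-
+src/archive/zip/reader_test.go | 59 ++++++++++++++++++++++++++++++++++
+2 files changed, 68 insertions(+), 1 deletion(-)
+
+Index: go/src/archive/zip/reader.go
+===================================================================
+--- go.orig/src/archive/zip/reader.go
++++ go/src/archive/zip/reader.go
+@@ -84,7 +84,15 @@ func (z *Reader) init(r io.ReaderAt, siz
+return err
+}
+z.r = r
+- z.File = make([]*File, 0, end.directoryRecords)
++ // Since the number of directory records is not validated, it is not
++ // safe to preallocate z.File without first checking that the specified
++ // number of files is reasonable, since a malformed archive may
++ // indicate it contains up to 1 << 128 - 1 files. Since each file has a
++ // header which will be _at least_ 30 bytes we can safely preallocate
++ // if (data size / 30) >= end.directoryRecords.
++ if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
++ z.File = make([]*File, 0, end.directoryRecords)
++ }
+z.Comment = end.comment
+rs := io.NewSectionReader(r, 0, size)
+if _, err = rs.Seek(int64(end.directoryOffset), io.SeekStart); err != nil {
+Index: go/src/archive/zip/reader_test.go
+===================================================================
+--- go.orig/src/archive/zip/reader_test.go
++++ go/src/archive/zip/reader_test.go
+@@ -1070,3 +1070,62 @@ func TestIssue12449(t *testing.T) {
+t.Errorf("Error reading the archive: %v", err)
+}
+}
++
++func TestCVE202133196(t *testing.T) {
++ // Archive that indicates it has 1 << 128 -1 files,
++ // this would previously cause a panic due to attempting
++ // to allocate a slice with 1 << 128 -1 elements.
++ data := []byte{
++ 0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x08, 0x08,
++ 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x02,
++ 0x03, 0x62, 0x61, 0x65, 0x03, 0x04, 0x00, 0x00,
++ 0xff, 0xff, 0x50, 0x4b, 0x07, 0x08, 0xbe, 0x20,
++ 0x5c, 0x6c, 0x09, 0x00, 0x00, 0x00, 0x03, 0x00,
++ 0x00, 0x00, 0x50, 0x4b, 0x01, 0x02, 0x14, 0x00,
++ 0x14, 0x00, 0x08, 0x08, 0x08, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0xbe, 0x20, 0x5c, 0x6c, 0x09, 0x00,
++ 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x03, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x01, 0x02, 0x03, 0x50, 0x4b, 0x06, 0x06, 0x2c,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d,
++ 0x00, 0x2d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff,
++ 0xff, 0xff, 0xff, 0x31, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x50, 0x4b, 0x06, 0x07, 0x00,
++ 0x00, 0x00, 0x00, 0x6b, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50,
++ 0x4b, 0x05, 0x06, 0x00, 0x00, 0x00, 0x00, 0xff,
++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++ 0xff, 0xff, 0xff, 0x00, 0x00,
++ }
++ _, err := NewReader(bytes.NewReader(data), int64(len(data)))
++ if err != ErrFormat {
++ t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
++ }
++
++ // Also check that an archive containing a handful of empty
++ // files doesn't cause an issue
++ b := bytes.NewBuffer(nil)
++ w := NewWriter(b)
++ for i := 0; i < 5; i++ {
++ _, err := w.Create("")
++ if err != nil {
++ t.Fatalf("Writer.Create failed: %s", err)
++ }
++ }
++ if err := w.Close(); err != nil {
++ t.Fatalf("Writer.Close failed: %s", err)
++ }
++ r, err := NewReader(bytes.NewReader(b.Bytes()), int64(b.Len()))
++ if err != nil {
++ t.Fatalf("NewReader failed: %s", err)
++ }
++ if len(r.File) != 5 {
++ t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File))
++ }
++}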
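Review bot: The new guard at patch line 52, `if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {`, subtracts a value that is presumably read from the same unvalidated EOCD record as directoryRecords, so when end.directorySize exceeds size the uint64 subtraction wraps to a huge quotient, the comparison passes, and the oversized make the patch is meant to prevent runs anyway. A bound on directorySize should precede the subtraction: `if end.directorySize < uint64(size) && (uint64(size)-end.directorySize)/30 >= end.directoryRecords {`. The accompanying comment could add a sentence noting that the central directory must also fit inside the archive for the division to be meaningful. The TestCVE202133196 fixture only exercises an oversized record count, so a second fixture with a directorySize larger than the archive would be needed to cover the wrap. init's body begins and ends outside the inner reader.go hunk.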