1 files changed, 198 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-24921.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-24921.patch
new file mode 100644
index 0000000000..e4270d8a75
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-24921.patch
@@ -0,0 +1,198 @@
+From ba99f699d26483ea1045f47c760e9be30799e311 Mon Sep 17 00:00:00 2001
+From: Russ Cox <rsc@golang.org>
+Date: Wed, 2 Feb 2022 16:41:32 -0500
+Subject: [PATCH] regexp/syntax: reject very deeply nested regexps in Parse
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Upstream-Status: Backport [https://github.com/golang/go/commit/2b65cde5868d8245ef8a0b8eba1e361440252d3b]
+CVE: CVE-2022-24921
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org
+The regexp code assumes it can recurse over the structure of
+a regexp safely. Go's growable stacks make that reasonable
+for all plausible regexps, but implausible ones can reach the
+“infinite recursion?” stack limit.
+This CL limits the depth of any parsed regexp to 1000.
+That is, the depth of the parse tree is required to be ≤ 1000.
+Regexps that require deeper parse trees will return ErrInternalError.
+A future CL will change the error to ErrInvalidDepth,
+but using ErrInternalError for now avoids introducing new API
+in point releases when this is backported.
+Fixes #51112.
+Fixes #51117.
+Change-Id: I97d2cd82195946eb43a4ea8561f5b95f91fb14c5
+Reviewed-on: https://go-review.googlesource.com/c/go/+/384616
+Trust: Russ Cox <rsc@golang.org>
+Run-TryBot: Russ Cox <rsc@golang.org>
+Reviewed-by: Ian Lance Taylor <iant@golang.org>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/384855
+---
+ src/regexp/syntax/parse.go      | 72 ++++++++++++++++++++++++++++++++-
+ src/regexp/syntax/parse_test.go |  7 ++++
+ 2 files changed, 77 insertions(+), 2 deletions(-)
+diff --git a/src/regexp/syntax/parse.go b/src/regexp/syntax/parse.go
+index 8c6d43a..55bd20d 100644
+--- a/src/regexp/syntax/parse.go
+++ b/src/regexp/syntax/parse.go
+@@ -76,13 +76,29 @@ const (
+        opVerticalBar
+ )
+ 
+// maxHeight is the maximum height of a regexp parse tree.
+// It is somewhat arbitrarily chosen, but the idea is to be large enough
+// that no one will actually hit in real use but at the same time small enough
+// that recursion on the Regexp tree will not hit the 1GB Go stack limit.
+// The maximum amount of stack for a single recursive frame is probably
+// closer to 1kB, so this could potentially be raised, but it seems unlikely
+// that people have regexps nested even this deeply.
+// We ran a test on Google's C++ code base and turned up only
+// a single use case with depth > 100; it had depth 128.
+// Using depth 1000 should be plenty of margin.
+// As an optimization, we don't even bother calculating heights
+// until we've allocated at least maxHeight Regexp structures.
+const maxHeight = 1000
+
+ type parser struct {
+        flags       Flags     // parse mode flags
+        stack       []*Regexp // stack of parsed expressions
+        free        *Regexp
+        numCap      int // number of capturing groups seen
+        wholeRegexp string
+-       tmpClass    []rune // temporary char class work space
+       tmpClass    []rune          // temporary char class work space
+       numRegexp   int             // number of regexps allocated
+       height      map[*Regexp]int // regexp height for height limit check
+ }
+ 
+ func (p *parser) newRegexp(op Op) *Regexp {
+@@ -92,16 +108,52 @@ func (p *parser) newRegexp(op Op) *Regexp {
+                *re = Regexp{}
+        } else {
+                re = new(Regexp)
+               p.numRegexp++
+        }
+        re.Op = op
+        return re
+ }
+ 
+ func (p *parser) reuse(re *Regexp) {
+       if p.height != nil {
+               delete(p.height, re)
+       }
+        re.Sub0[0] = p.free
+        p.free = re
+ }
+ 
+func (p *parser) checkHeight(re *Regexp) {
+       if p.numRegexp < maxHeight {
+               return
+       }
+       if p.height == nil {
+               p.height = make(map[*Regexp]int)
+               for _, re := range p.stack {
+                       p.checkHeight(re)
+               }
+       }
+       if p.calcHeight(re, true) > maxHeight {
+               panic(ErrInternalError)
+       }
+}
+
+func (p *parser) calcHeight(re *Regexp, force bool) int {
+       if !force {
+               if h, ok := p.height[re]; ok {
+                       return h
+               }
+       }
+       h := 1
+       for _, sub := range re.Sub {
+               hsub := p.calcHeight(sub, false)
+               if h < 1+hsub {
+                       h = 1 + hsub
+               }
+       }
+       p.height[re] = h
+       return h
+}
+
+ // Parse stack manipulation.
+ 
+ // push pushes the regexp re onto the parse stack and returns the regexp.
+@@ -137,6 +189,7 @@ func (p *parser) push(re *Regexp) *Regexp {
+        }
+ 
+        p.stack = append(p.stack, re)
+       p.checkHeight(re)
+        return re
+ }
+ 
+@@ -252,6 +305,7 @@ func (p *parser) repeat(op Op, min, max int, before, after, lastRepeat string) (
+        re.Sub = re.Sub0[:1]
+        re.Sub[0] = sub
+        p.stack[n-1] = re
+       p.checkHeight(re)
+ 
+        if op == OpRepeat && (min >= 2 || max >= 2) && !repeatIsValid(re, 1000) {
+                return "", &Error{ErrInvalidRepeatSize, before[:len(before)-len(after)]}
+@@ -699,6 +753,21 @@ func literalRegexp(s string, flags Flags) *Regexp {
+ // Flags, and returns a regular expression parse tree. The syntax is
+ // described in the top-level comment.
+ func Parse(s string, flags Flags) (*Regexp, error) {
+       return parse(s, flags)
+}
+
+func parse(s string, flags Flags) (_ *Regexp, err error) {
+       defer func() {
+               switch r := recover(); r {
+               default:
+                       panic(r)
+               case nil:
+                       // ok
+               case ErrInternalError:
+                       err = &Error{Code: ErrInternalError, Expr: s}
+               }
+       }()
+
+        if flags&Literal != 0 {
+                // Trivial parser for literal string.
+                if err := checkUTF8(s); err != nil {
+@@ -710,7 +779,6 @@ func Parse(s string, flags Flags) (*Regexp, error) {
+        // Otherwise, must do real work.
+        var (
+                p          parser
+-               err        error
+                c          rune
+                op         Op
+                lastRepeat string
+diff --git a/src/regexp/syntax/parse_test.go b/src/regexp/syntax/parse_test.go
+index 5581ba1..1ef6d8a 100644
+--- a/src/regexp/syntax/parse_test.go
+++ b/src/regexp/syntax/parse_test.go
+@@ -207,6 +207,11 @@ var parseTests = []parseTest{
+        // Valid repetitions.
+        {`((((((((((x{2}){2}){2}){2}){2}){2}){2}){2}){2}))`, ``},
+        {`((((((((((x{1}){2}){2}){2}){2}){2}){2}){2}){2}){2})`, ``},
+
+       // Valid nesting.
+       {strings.Repeat("(", 999) + strings.Repeat(")", 999), ``},
+       {strings.Repeat("(?:", 999) + strings.Repeat(")*", 999), ``},
+       {"(" + strings.Repeat("|", 12345) + ")", ``}, // not nested at all
+ }
+ 
+ const testFlags = MatchNL | PerlX | UnicodeGroups
+@@ -482,6 +487,8 @@ var invalidRegexps = []string{
+        `a{100000}`,
+        `a{100000,}`,
+        "((((((((((x{2}){2}){2}){2}){2}){2}){2}){2}){2}){2})",
+       strings.Repeat("(", 1000) + strings.Repeat(")", 1000),
+       strings.Repeat("(?:", 1000) + strings.Repeat(")*", 1000),
+        `\Q\E*`,
+ }
+

diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-24921.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-24921.patch new file mode 100644 index 0000000000..e4270d8a75 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-24921.patch
@@ -0,0 +1,198 @@
	1	From ba99f699d26483ea1045f47c760e9be30799e311 Mon Sep 17 00:00:00 2001
	2	From: Russ Cox <rsc@golang.org>
	3	Date: Wed, 2 Feb 2022 16:41:32 -0500
	4	Subject: [PATCH] regexp/syntax: reject very deeply nested regexps in Parse
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	Upstream-Status: Backport [https://github.com/golang/go/commit/2b65cde5868d8245ef8a0b8eba1e361440252d3b]
	10	CVE: CVE-2022-24921
	11	Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org
	12
	13
	14	The regexp code assumes it can recurse over the structure of
	15	a regexp safely. Go's growable stacks make that reasonable
	16	for all plausible regexps, but implausible ones can reach the
	17	“infinite recursion?” stack limit.
	18
	19	This CL limits the depth of any parsed regexp to 1000.
	20	That is, the depth of the parse tree is required to be ≤ 1000.
	21	Regexps that require deeper parse trees will return ErrInternalError.
	22	A future CL will change the error to ErrInvalidDepth,
	23	but using ErrInternalError for now avoids introducing new API
	24	in point releases when this is backported.
	25
	26	Fixes #51112.
	27	Fixes #51117.
	28
	29	Change-Id: I97d2cd82195946eb43a4ea8561f5b95f91fb14c5
	30	Reviewed-on: https://go-review.googlesource.com/c/go/+/384616
	31	Trust: Russ Cox <rsc@golang.org>
	32	Run-TryBot: Russ Cox <rsc@golang.org>
	33	Reviewed-by: Ian Lance Taylor <iant@golang.org>
	34	Reviewed-on: https://go-review.googlesource.com/c/go/+/384855
	35	---
	36	src/regexp/syntax/parse.go \| 72 ++++++++++++++++++++++++++++++++-
	37	src/regexp/syntax/parse_test.go \| 7 ++++
	38	2 files changed, 77 insertions(+), 2 deletions(-)
	39
	40	diff --git a/src/regexp/syntax/parse.go b/src/regexp/syntax/parse.go
	41	index 8c6d43a..55bd20d 100644
	42	--- a/src/regexp/syntax/parse.go
	43	+++ b/src/regexp/syntax/parse.go
	44	@@ -76,13 +76,29 @@ const (
	45	opVerticalBar
	46	)
	47
	48	+// maxHeight is the maximum height of a regexp parse tree.
	49	+// It is somewhat arbitrarily chosen, but the idea is to be large enough
	50	+// that no one will actually hit in real use but at the same time small enough
	51	+// that recursion on the Regexp tree will not hit the 1GB Go stack limit.
	52	+// The maximum amount of stack for a single recursive frame is probably
	53	+// closer to 1kB, so this could potentially be raised, but it seems unlikely
	54	+// that people have regexps nested even this deeply.
	55	+// We ran a test on Google's C++ code base and turned up only
	56	+// a single use case with depth > 100; it had depth 128.
	57	+// Using depth 1000 should be plenty of margin.
	58	+// As an optimization, we don't even bother calculating heights
	59	+// until we've allocated at least maxHeight Regexp structures.
	60	+const maxHeight = 1000
	61	+
	62	type parser struct {
	63	flags Flags // parse mode flags
	64	stack []*Regexp // stack of parsed expressions
	65	free *Regexp
	66	numCap int // number of capturing groups seen
	67	wholeRegexp string
	68	- tmpClass []rune // temporary char class work space
	69	+ tmpClass []rune // temporary char class work space
	70	+ numRegexp int // number of regexps allocated
	71	+ height map[*Regexp]int // regexp height for height limit check
	72	}
	73
	74	func (p parser) newRegexp(op Op) Regexp {
	75	@@ -92,16 +108,52 @@ func (p parser) newRegexp(op Op) Regexp {
	76	*re = Regexp{}
	77	} else {
	78	re = new(Regexp)
	79	+ p.numRegexp++
	80	}
	81	re.Op = op
	82	return re
	83	}
	84
	85	func (p parser) reuse(re Regexp) {
	86	+ if p.height != nil {
	87	+ delete(p.height, re)
	88	+ }
	89	re.Sub0[0] = p.free
	90	p.free = re
	91	}
	92
	93	+func (p parser) checkHeight(re Regexp) {
	94	+ if p.numRegexp < maxHeight {
	95	+ return
	96	+ }
	97	+ if p.height == nil {
	98	+ p.height = make(map[*Regexp]int)
	99	+ for _, re := range p.stack {
	100	+ p.checkHeight(re)
	101	+ }
	102	+ }
	103	+ if p.calcHeight(re, true) > maxHeight {
	104	+ panic(ErrInternalError)
	105	+ }
	106	+}
	107	+
	108	+func (p parser) calcHeight(re Regexp, force bool) int {
	109	+ if !force {
	110	+ if h, ok := p.height[re]; ok {
	111	+ return h
	112	+ }
	113	+ }
	114	+ h := 1
	115	+ for _, sub := range re.Sub {
	116	+ hsub := p.calcHeight(sub, false)
	117	+ if h < 1+hsub {
	118	+ h = 1 + hsub
	119	+ }
	120	+ }
	121	+ p.height[re] = h
	122	+ return h
	123	+}
	124	+
	125	// Parse stack manipulation.
	126
	127	// push pushes the regexp re onto the parse stack and returns the regexp.
	128	@@ -137,6 +189,7 @@ func (p parser) push(re Regexp) *Regexp {
	129	}
	130
	131	p.stack = append(p.stack, re)
	132	+ p.checkHeight(re)
	133	return re
	134	}
	135
	136	@@ -252,6 +305,7 @@ func (p *parser) repeat(op Op, min, max int, before, after, lastRepeat string) (
	137	re.Sub = re.Sub0[:1]
	138	re.Sub[0] = sub
	139	p.stack[n-1] = re
	140	+ p.checkHeight(re)
	141
	142	if op == OpRepeat && (min >= 2 \|\| max >= 2) && !repeatIsValid(re, 1000) {
	143	return "", &Error{ErrInvalidRepeatSize, before[:len(before)-len(after)]}
	144	@@ -699,6 +753,21 @@ func literalRegexp(s string, flags Flags) *Regexp {
	145	// Flags, and returns a regular expression parse tree. The syntax is
	146	// described in the top-level comment.
	147	func Parse(s string, flags Flags) (*Regexp, error) {
	148	+ return parse(s, flags)
	149	+}
	150	+
	151	+func parse(s string, flags Flags) (_ *Regexp, err error) {
	152	+ defer func() {
	153	+ switch r := recover(); r {
	154	+ default:
	155	+ panic(r)
	156	+ case nil:
	157	+ // ok
	158	+ case ErrInternalError:
	159	+ err = &Error{Code: ErrInternalError, Expr: s}
	160	+ }
	161	+ }()
	162	+
	163	if flags&Literal != 0 {
	164	// Trivial parser for literal string.
	165	if err := checkUTF8(s); err != nil {
	166	@@ -710,7 +779,6 @@ func Parse(s string, flags Flags) (*Regexp, error) {
	167	// Otherwise, must do real work.
	168	var (
	169	p parser
	170	- err error
	171	c rune
	172	op Op
	173	lastRepeat string
	174	diff --git a/src/regexp/syntax/parse_test.go b/src/regexp/syntax/parse_test.go
	175	index 5581ba1..1ef6d8a 100644
	176	--- a/src/regexp/syntax/parse_test.go
	177	+++ b/src/regexp/syntax/parse_test.go
	178	@@ -207,6 +207,11 @@ var parseTests = []parseTest{
	179	// Valid repetitions.
	180	{`((((((((((x{2}){2}){2}){2}){2}){2}){2}){2}){2}))`, ``},
	181	{`((((((((((x{1}){2}){2}){2}){2}){2}){2}){2}){2}){2})`, ``},
	182	+
	183	+ // Valid nesting.
	184	+ {strings.Repeat("(", 999) + strings.Repeat(")", 999), ``},
	185	+ {strings.Repeat("(?:", 999) + strings.Repeat(")*", 999), ``},
	186	+ {"(" + strings.Repeat("\|", 12345) + ")", ``}, // not nested at all
	187	}
	188
	189	const testFlags = MatchNL \| PerlX \| UnicodeGroups
	190	@@ -482,6 +487,8 @@ var invalidRegexps = []string{
	191	`a{100000}`,
	192	`a{100000,}`,
	193	"((((((((((x{2}){2}){2}){2}){2}){2}){2}){2}){2}){2})",
	194	+ strings.Repeat("(", 1000) + strings.Repeat(")", 1000),
	195	+ strings.Repeat("(?:", 1000) + strings.Repeat(")*", 1000),
	196	`\Q\E*`,
	197	}
	198