Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/go/go-1.12.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch | 110 |
2 files changed, 111 insertions, 0 deletions
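diff --git a/meta/recipes-devtools/go/go-1.12.inc b/meta/recipes-devtools/go/go-1.12.inc
index c3c2d0cfee..fd2d641554 100644
--- a/meta/recipes-devtools/go/go-1.12.inc
+++ b/meta/recipes-devtools/go/go-1.12.inc
@@ -19,6 +19,7 @@ SRC_URI += "\
 file://0001-release-branch.go1.12-security-net-textproto-don-t-n.patch \
 file://0010-fix-CVE-2019-17596.patch \
 file://CVE-2020-15586.patch \
+file://CVE-2020-16845.patch \
 "
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
 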
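diff --git a/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch b/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch
new file mode 100644
index 0000000000..80f467522f
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch
@@ -0,0 +1,110 @@
+From 027d7241ce050d197e7fabea3d541ffbe3487258 Mon Sep 17 00:00:00 2001
+From: Katie Hockman <katie@golang.org>
+Date: Tue, 4 Aug 2020 11:45:32 -0400
+Subject: [PATCH] encoding/binary: read at most MaxVarintLen64 bytes in
+ReadUvarint
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This CL ensures that ReadUvarint consumes only a limited
+amount of input (instead of an unbounded amount).
+
+On some inputs, ReadUvarint could read an arbitrary number
+of bytes before deciding to return an overflow error.
+After this CL, ReadUvarint returns that same overflow
+error sooner, after reading at most MaxVarintLen64 bytes.
+
+Fix authored by Robert Griesemer and Filippo Valsorda.
+
+Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani,
+and Preston Van Loon for reporting this.
+
+Fixes #40618
+Fixes CVE-2020-16845
+
+Change-Id: Ie0cb15972f14c38b7cf7af84c45c4ce54909bb8f
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/812099
+Reviewed-by: Filippo Valsorda <valsorda@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/247120
+Run-TryBot: Katie Hockman <katie@golang.org>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+Reviewed-by: Alexander Rakoczy <alex@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go.git]
+CVE: CVE-2020-16845
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+src/encoding/binary/varint.go | 5 +++--
+src/encoding/binary/varint_test.go | 18 ++++++++++++------
+2 files changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/src/encoding/binary/varint.go b/src/encoding/binary/varint.go
+index bcb8ac9a45..38af61075c 100644
+--- a/src/encoding/binary/varint.go
++++ b/src/encoding/binary/varint.go
+@@ -106,13 +106,13 @@ var overflow = errors.New("binary: varint overflows a 64-bit integer")
+func ReadUvarint(r io.ByteReader) (uint64, error) {
+var x uint64
+var s uint
+- for i := 0; ; i++ {
++ for i := 0; i < MaxVarintLen64; i++ {
+b, err := r.ReadByte()
+if err != nil {
+return x, err
+}
+if b < 0x80 {
+- if i > 9 || i == 9 && b > 1 {
++ if i == 9 && b > 1 {
+return x, overflow
+}
+return x | uint64(b)<<s, nil
+@@ -120,6 +120,7 @@ func ReadUvarint(r io.ByteReader) (uint64, error) {
+x |= uint64(b&0x7f) << s
+s += 7
+}
++ return x, overflow
+}
+
+// ReadVarint reads an encoded signed integer from r and returns it as an int64.
+diff --git a/src/encoding/binary/varint_test.go b/src/encoding/binary/varint_test.go
+index ca411ecbd6..6ef4c99505 100644
+--- a/src/encoding/binary/varint_test.go
++++ b/src/encoding/binary/varint_test.go
+@@ -121,21 +121,27 @@ func TestBufferTooSmall(t *testing.T) {
+}
+}
+
+-func testOverflow(t *testing.T, buf []byte, n0 int, err0 error) {
++func testOverflow(t *testing.T, buf []byte, x0 uint64, n0 int, err0 error) {
+x, n := Uvarint(buf)
+if x != 0 || n != n0 {
+t.Errorf("Uvarint(%v): got x = %d, n = %d; want 0, %d", buf, x, n, n0)
+}
+
+- x, err := ReadUvarint(bytes.NewReader(buf))
+- if x != 0 || err != err0 {
+- t.Errorf("ReadUvarint(%v): got x = %d, err = %s; want 0, %s", buf, x, err, err0)
++ r := bytes.NewReader(buf)
++ len := r.Len()
++ x, err := ReadUvarint(r)
++ if x != x0 || err != err0 {
++ t.Errorf("ReadUvarint(%v): got x = %d, err = %s; want %d, %s", buf, x, err, x0, err0)
++ }
++ if read := len - r.Len(); read > MaxVarintLen64 {
++ t.Errorf("ReadUvarint(%v): read more than MaxVarintLen64 bytes, got %d", buf, read)
+}
+}
+
+func TestOverflow(t *testing.T) {
+- testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x2}, -10, overflow)
+- testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x1, 0, 0}, -13, overflow)
++ testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x2}, 0, -10, overflow)
++ testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x1, 0, 0}, 0, -13, overflow)
++ testOverflow(t, []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, 1<<64-1, 0, overflow) // 11 bytes, should overflow
+}
+
+func TestNonCanonicalZero(t *testing.T) {
+--
+2.17.0
+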
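Review bot: In the new testOverflow body (patch line 89), `len := r.Len()` shadows the builtin `len` for the rest of the function; `before := r.Len()` with `if read := before - r.Len(); read > MaxVarintLen64 {` would read more naturally, although since this file is a verbatim upstream backport keeping it byte-identical to the upstream commit is a defensible choice. Worth a comment for downstream readers is that the bounded loop now exits through `return x, overflow` carrying the partially accumulated value (the 11-byte 0xFF case expects x = 1<<64-1 together with overflow), so callers must treat x as meaningless whenever err != nil, exactly as with the pre-existing early overflow return. The bound is added to ReadUvarint only; ReadVarint presumably delegates to it, but its body is outside this patch so that cannot be confirmed here.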