go: CVE-2020-16845

Backport CVE patch from the upstream: https://github.com/golang/go.git commit 027d7241ce050d197e7fabea3d541ffbe3487258 (From OE-Core rev: 4fa2a6c171e62855ad9a2bd7a2d8507067f62988) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Zhixiong Chi <zhixiong.chi@windriver.com> 2020-08-11 00:41:18 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-09-10 13:21:41 +0100
commit: ba9c9dc10677371c55041e4bba38350f0e777d15 (patch)
tree: ec6d99cb09251109174f3078020c033ea97bb393
parent: a76794a159e729b8f0abd121189bfc3ee9b490ec (diff)
download: poky-ba9c9dc10677371c55041e4bba38350f0e777d15.tar.gz
2 files changed, 111 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.12.inc b/meta/recipes-devtools/go/go-1.12.inc
index c3c2d0cfee..fd2d641554 100644
--- a/meta/recipes-devtools/go/go-1.12.inc
+++ b/meta/recipes-devtools/go/go-1.12.inc
@@ -19,6 +19,7 @@ SRC_URI += "\
    file://0001-release-branch.go1.12-security-net-textproto-don-t-n.patch \
    file://0010-fix-CVE-2019-17596.patch \
    file://CVE-2020-15586.patch \
+    file://CVE-2020-16845.patch \
 "
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch b/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch
new file mode 100644
index 0000000000..80f467522f
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch
@@ -0,0 +1,110 @@
+From 027d7241ce050d197e7fabea3d541ffbe3487258 Mon Sep 17 00:00:00 2001
+From: Katie Hockman <katie@golang.org>
+Date: Tue, 4 Aug 2020 11:45:32 -0400
+Subject: [PATCH] encoding/binary: read at most MaxVarintLen64 bytes in
+ ReadUvarint
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+This CL ensures that ReadUvarint consumes only a limited
+amount of input (instead of an unbounded amount).
+On some inputs, ReadUvarint could read an arbitrary number
+of bytes before deciding to return an overflow error.
+After this CL, ReadUvarint returns that same overflow
+error sooner, after reading at most MaxVarintLen64 bytes.
+Fix authored by Robert Griesemer and Filippo Valsorda.
+Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani,
+and Preston Van Loon for reporting this.
+Fixes #40618
+Fixes CVE-2020-16845
+Change-Id: Ie0cb15972f14c38b7cf7af84c45c4ce54909bb8f
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/812099
+Reviewed-by: Filippo Valsorda <valsorda@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/247120
+Run-TryBot: Katie Hockman <katie@golang.org>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+Reviewed-by: Alexander Rakoczy <alex@golang.org>
+Upstream-Status: Backport [https://github.com/golang/go.git]
+CVE: CVE-2020-16845
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ src/encoding/binary/varint.go      |  5 +++--
+ src/encoding/binary/varint_test.go | 18 ++++++++++++------
+ 2 files changed, 15 insertions(+), 8 deletions(-)
+diff --git a/src/encoding/binary/varint.go b/src/encoding/binary/varint.go
+index bcb8ac9a45..38af61075c 100644
+--- a/src/encoding/binary/varint.go
+++ b/src/encoding/binary/varint.go
+@@ -106,13 +106,13 @@ var overflow = errors.New("binary: varint overflows a 64-bit integer")
+ func ReadUvarint(r io.ByteReader) (uint64, error) {
+        var x uint64
+        var s uint
+-       for i := 0; ; i++ {
+       for i := 0; i < MaxVarintLen64; i++ {
+                b, err := r.ReadByte()
+                if err != nil {
+                        return x, err
+                }
+                if b < 0x80 {
+-                       if i > 9 || i == 9 && b > 1 {
+                       if i == 9 && b > 1 {
+                                return x, overflow
+                        }
+                        return x | uint64(b)<<s, nil
+@@ -120,6 +120,7 @@ func ReadUvarint(r io.ByteReader) (uint64, error) {
+                x |= uint64(b&0x7f) << s
+                s += 7
+        }
+       return x, overflow
+ }
+ 
+ // ReadVarint reads an encoded signed integer from r and returns it as an int64.
+diff --git a/src/encoding/binary/varint_test.go b/src/encoding/binary/varint_test.go
+index ca411ecbd6..6ef4c99505 100644
+--- a/src/encoding/binary/varint_test.go
+++ b/src/encoding/binary/varint_test.go
+@@ -121,21 +121,27 @@ func TestBufferTooSmall(t *testing.T) {
+        }
+ }
+ 
+-func testOverflow(t *testing.T, buf []byte, n0 int, err0 error) {
+func testOverflow(t *testing.T, buf []byte, x0 uint64, n0 int, err0 error) {
+        x, n := Uvarint(buf)
+        if x != 0 || n != n0 {
+                t.Errorf("Uvarint(%v): got x = %d, n = %d; want 0, %d", buf, x, n, n0)
+        }
+ 
+-       x, err := ReadUvarint(bytes.NewReader(buf))
+-       if x != 0 || err != err0 {
+-               t.Errorf("ReadUvarint(%v): got x = %d, err = %s; want 0, %s", buf, x, err, err0)
+       r := bytes.NewReader(buf)
+       len := r.Len()
+       x, err := ReadUvarint(r)
+       if x != x0 || err != err0 {
+               t.Errorf("ReadUvarint(%v): got x = %d, err = %s; want %d, %s", buf, x, err, x0, err0)
+       }
+       if read := len - r.Len(); read > MaxVarintLen64 {
+               t.Errorf("ReadUvarint(%v): read more than MaxVarintLen64 bytes, got %d", buf, read)
+        }
+ }
+ 
+ func TestOverflow(t *testing.T) {
+-       testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x2}, -10, overflow)
+-       testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x1, 0, 0}, -13, overflow)
+       testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x2}, 0, -10, overflow)
+       testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x1, 0, 0}, 0, -13, overflow)
+       testOverflow(t, []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, 1<<64-1, 0, overflow) // 11 bytes, should overflow
+ }
+ 
+ func TestNonCanonicalZero(t *testing.T) {
+-- 
+2.17.0
author	Zhixiong Chi <zhixiong.chi@windriver.com>	2020-08-11 00:41:18 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-09-10 13:21:41 +0100
commit	ba9c9dc10677371c55041e4bba38350f0e777d15 (patch)
tree	ec6d99cb09251109174f3078020c033ea97bb393
parent	a76794a159e729b8f0abd121189bfc3ee9b490ec (diff)
download	poky-ba9c9dc10677371c55041e4bba38350f0e777d15.tar.gz

diff --git a/meta/recipes-devtools/go/go-1.12.inc b/meta/recipes-devtools/go/go-1.12.inc index c3c2d0cfee..fd2d641554 100644 --- a/meta/recipes-devtools/go/go-1.12.inc +++ b/meta/recipes-devtools/go/go-1.12.inc
@@ -19,6 +19,7 @@ SRC_URI += "\
19	file://0001-release-branch.go1.12-security-net-textproto-don-t-n.patch \	19	file://0001-release-branch.go1.12-security-net-textproto-don-t-n.patch \
20	file://0010-fix-CVE-2019-17596.patch \	20	file://0010-fix-CVE-2019-17596.patch \
21	file://CVE-2020-15586.patch \	21	file://CVE-2020-15586.patch \
		22	file://CVE-2020-16845.patch \
22	"	23	"
23	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"	24	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
24		25


diff --git a/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch b/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch new file mode 100644 index 0000000000..80f467522f --- /dev/null +++ b/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch
@@ -0,0 +1,110 @@
		1	From 027d7241ce050d197e7fabea3d541ffbe3487258 Mon Sep 17 00:00:00 2001
		2	From: Katie Hockman <katie@golang.org>
		3	Date: Tue, 4 Aug 2020 11:45:32 -0400
		4	Subject: [PATCH] encoding/binary: read at most MaxVarintLen64 bytes in
		5	ReadUvarint
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	This CL ensures that ReadUvarint consumes only a limited
		11	amount of input (instead of an unbounded amount).
		12
		13	On some inputs, ReadUvarint could read an arbitrary number
		14	of bytes before deciding to return an overflow error.
		15	After this CL, ReadUvarint returns that same overflow
		16	error sooner, after reading at most MaxVarintLen64 bytes.
		17
		18	Fix authored by Robert Griesemer and Filippo Valsorda.
		19
		20	Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani,
		21	and Preston Van Loon for reporting this.
		22
		23	Fixes #40618
		24	Fixes CVE-2020-16845
		25
		26	Change-Id: Ie0cb15972f14c38b7cf7af84c45c4ce54909bb8f
		27	Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/812099
		28	Reviewed-by: Filippo Valsorda <valsorda@google.com>
		29	Reviewed-on: https://go-review.googlesource.com/c/go/+/247120
		30	Run-TryBot: Katie Hockman <katie@golang.org>
		31	TryBot-Result: Gobot Gobot <gobot@golang.org>
		32	Reviewed-by: Alexander Rakoczy <alex@golang.org>
		33
		34	Upstream-Status: Backport [https://github.com/golang/go.git]
		35	CVE: CVE-2020-16845
		36	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
		37	---
		38	src/encoding/binary/varint.go \| 5 +++--
		39	src/encoding/binary/varint_test.go \| 18 ++++++++++++------
		40	2 files changed, 15 insertions(+), 8 deletions(-)
		41
		42	diff --git a/src/encoding/binary/varint.go b/src/encoding/binary/varint.go
		43	index bcb8ac9a45..38af61075c 100644
		44	--- a/src/encoding/binary/varint.go
		45	+++ b/src/encoding/binary/varint.go
		46	@@ -106,13 +106,13 @@ var overflow = errors.New("binary: varint overflows a 64-bit integer")
		47	func ReadUvarint(r io.ByteReader) (uint64, error) {
		48	var x uint64
		49	var s uint
		50	- for i := 0; ; i++ {
		51	+ for i := 0; i < MaxVarintLen64; i++ {
		52	b, err := r.ReadByte()
		53	if err != nil {
		54	return x, err
		55	}
		56	if b < 0x80 {
		57	- if i > 9 \|\| i == 9 && b > 1 {
		58	+ if i == 9 && b > 1 {
		59	return x, overflow
		60	}
		61	return x \| uint64(b)<<s, nil
		62	@@ -120,6 +120,7 @@ func ReadUvarint(r io.ByteReader) (uint64, error) {
		63	x \|= uint64(b&0x7f) << s
		64	s += 7
		65	}
		66	+ return x, overflow
		67	}
		68
		69	// ReadVarint reads an encoded signed integer from r and returns it as an int64.
		70	diff --git a/src/encoding/binary/varint_test.go b/src/encoding/binary/varint_test.go
		71	index ca411ecbd6..6ef4c99505 100644
		72	--- a/src/encoding/binary/varint_test.go
		73	+++ b/src/encoding/binary/varint_test.go
		74	@@ -121,21 +121,27 @@ func TestBufferTooSmall(t *testing.T) {
		75	}
		76	}
		77
		78	-func testOverflow(t *testing.T, buf []byte, n0 int, err0 error) {
		79	+func testOverflow(t *testing.T, buf []byte, x0 uint64, n0 int, err0 error) {
		80	x, n := Uvarint(buf)
		81	if x != 0 \|\| n != n0 {
		82	t.Errorf("Uvarint(%v): got x = %d, n = %d; want 0, %d", buf, x, n, n0)
		83	}
		84
		85	- x, err := ReadUvarint(bytes.NewReader(buf))
		86	- if x != 0 \|\| err != err0 {
		87	- t.Errorf("ReadUvarint(%v): got x = %d, err = %s; want 0, %s", buf, x, err, err0)
		88	+ r := bytes.NewReader(buf)
		89	+ len := r.Len()
		90	+ x, err := ReadUvarint(r)
		91	+ if x != x0 \|\| err != err0 {
		92	+ t.Errorf("ReadUvarint(%v): got x = %d, err = %s; want %d, %s", buf, x, err, x0, err0)
		93	+ }
		94	+ if read := len - r.Len(); read > MaxVarintLen64 {
		95	+ t.Errorf("ReadUvarint(%v): read more than MaxVarintLen64 bytes, got %d", buf, read)
		96	}
		97	}
		98
		99	func TestOverflow(t *testing.T) {
		100	- testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x2}, -10, overflow)
		101	- testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x1, 0, 0}, -13, overflow)
		102	+ testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x2}, 0, -10, overflow)
		103	+ testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x1, 0, 0}, 0, -13, overflow)
		104	+ testOverflow(t, []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, 1<<64-1, 0, overflow) // 11 bytes, should overflow
		105	}
		106
		107	func TestNonCanonicalZero(t *testing.T) {
		108	--
		109	2.17.0
		110