golang: fix CVE-2022-30632 and CVE-2022-30633

Source: https://github.com/golang/go MR: 120622, 120625 Type: Security Fix Disposition: Backport from https://github.com/golang/go/commit/76f8b7304d1f7c25834e2a0cc9e88c55276c47df && https://github.com/golang/go/commit/2678d0c957193dceef336c969a9da74dd716a827 ChangeID: aabb29a6dd6a89842f451c95af228aaf66e58bb5 Description: Fixed CVE: 1. CVE-2022-30632 2. CVE-2022-30633 (From OE-Core rev: 9ffaae887743d77839fb758657b1dec71a9b8880) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Hitendra Prajapati <hprajapati@mvista.com> 2022-08-25 17:32:51 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-09-03 13:10:37 +0100
commit: 7d67a61029c49b3459b65da4da2c5022f3826713 (patch)
tree: b93bd3b484b37a9dfcc3fe74b6183e88017a1889 /meta/recipes-devtools
parent: 8bc3443c0813f884955def3bb8d7594acd397796 (diff)
download: poky-7d67a61029c49b3459b65da4da2c5022f3826713.tar.gz
3 files changed, 204 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index 6089fd501d..84babc38cb 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -27,6 +27,8 @@ SRC_URI += "\
    file://CVE-2021-31525.patch \
    file://CVE-2022-30629.patch \
    file://CVE-2022-30631.patch \
+    file://CVE-2022-30632.patch \
+    file://CVE-2022-30633.patch \
 "
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch
new file mode 100644
index 0000000000..c54ef56a0e
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch
@@ -0,0 +1,71 @@
+From 35d1dfe9746029aea9027b405c75555d41ffd2f8 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 25 Aug 2022 13:12:40 +0530
+Subject: [PATCH] CVE-2022-30632
+Upstream-Status: Backport [https://github.com/golang/go/commit/76f8b7304d1f7c25834e2a0cc9e88c55276c47df]
+CVE: CVE-2022-30632
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/path/filepath/match.go      | 16 +++++++++++++++-
+ src/path/filepath/match_test.go | 10 ++++++++++
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+diff --git a/src/path/filepath/match.go b/src/path/filepath/match.go
+index 46badb5..ba68daa 100644
+--- a/src/path/filepath/match.go
+++ b/src/path/filepath/match.go
+@@ -232,6 +232,20 @@ func getEsc(chunk string) (r rune, nchunk string, err error) {
+ // The only possible returned error is ErrBadPattern, when pattern
+ // is malformed.
+ func Glob(pattern string) (matches []string, err error) {
+       return globWithLimit(pattern, 0)
+}
+
+func globWithLimit(pattern string, depth int) (matches []string, err error) {
+       // This limit is used prevent stack exhaustion issues. See CVE-2022-30632.
+       const pathSeparatorsLimit = 10000
+       if depth == pathSeparatorsLimit {
+               return nil, ErrBadPattern
+       }
+
+       // Check pattern is well-formed.
+       if _, err := Match(pattern, ""); err != nil {
+               return nil, err
+       }
+        if !hasMeta(pattern) {
+                if _, err = os.Lstat(pattern); err != nil {
+                        return nil, nil
+@@ -257,7 +271,7 @@ func Glob(pattern string) (matches []string, err error) {
+        }
+ 
+        var m []string
+-       m, err = Glob(dir)
+       m, err = globWithLimit(dir, depth+1)
+        if err != nil {
+                return
+        }
+diff --git a/src/path/filepath/match_test.go b/src/path/filepath/match_test.go
+index b865762..c37c812 100644
+--- a/src/path/filepath/match_test.go
+++ b/src/path/filepath/match_test.go
+@@ -154,6 +154,16 @@ func TestGlob(t *testing.T) {
+        }
+ }
+ 
+func TestCVE202230632(t *testing.T) {
+       // Prior to CVE-2022-30632, this would cause a stack exhaustion given a
+       // large number of separators (more than 4,000,000). There is now a limit
+       // of 10,000.
+       _, err := Glob("/*" + strings.Repeat("/", 10001))
+       if err != ErrBadPattern {
+               t.Fatalf("Glob returned err=%v, want ErrBadPattern", err)
+       }
+}
+
+ func TestGlobError(t *testing.T) {
+        _, err := Glob("[]")
+        if err == nil {
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch
new file mode 100644
index 0000000000..c16cb5f50c
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch
@@ -0,0 +1,131 @@
+From ab6e2ffdcab0501bcc2de4b196c1c18ae2301d4b Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 25 Aug 2022 13:29:55 +0530
+Subject: [PATCH] CVE-2022-30633
+Upstream-Status: Backport [https://github.com/golang/go/commit/2678d0c957193dceef336c969a9da74dd716a827]
+CVE: CVE-2022-30633
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/encoding/xml/read.go      | 27 +++++++++++++++++++--------
+ src/encoding/xml/read_test.go | 14 ++++++++++++++
+ 2 files changed, 33 insertions(+), 8 deletions(-)
+diff --git a/src/encoding/xml/read.go b/src/encoding/xml/read.go
+index 10a60ee..4ffed80 100644
+--- a/src/encoding/xml/read.go
+++ b/src/encoding/xml/read.go
+@@ -148,7 +148,7 @@ func (d *Decoder) DecodeElement(v interface{}, start *StartElement) error {
+        if val.Kind() != reflect.Ptr {
+                return errors.New("non-pointer passed to Unmarshal")
+        }
+-       return d.unmarshal(val.Elem(), start)
+       return d.unmarshal(val.Elem(), start, 0)
+ }
+ 
+ // An UnmarshalError represents an error in the unmarshaling process.
+@@ -304,8 +304,15 @@ var (
+        textUnmarshalerType = reflect.TypeOf((*encoding.TextUnmarshaler)(nil)).Elem()
+ )
+ 
+const maxUnmarshalDepth = 10000
+
+var errExeceededMaxUnmarshalDepth = errors.New("exceeded max depth")
+
+ // Unmarshal a single XML element into val.
+-func (d *Decoder) unmarshal(val reflect.Value, start *StartElement) error {
+func (d *Decoder) unmarshal(val reflect.Value, start *StartElement, depth int) error {
+       if depth >= maxUnmarshalDepth {
+               return errExeceededMaxUnmarshalDepth
+       }
+        // Find start element if we need it.
+        if start == nil {
+                for {
+@@ -398,7 +405,7 @@ func (d *Decoder) unmarshal(val reflect.Value, start *StartElement) error {
+                v.Set(reflect.Append(val, reflect.Zero(v.Type().Elem())))
+ 
+                // Recur to read element into slice.
+-               if err := d.unmarshal(v.Index(n), start); err != nil {
+               if err := d.unmarshal(v.Index(n), start, depth+1); err != nil {
+                        v.SetLen(n)
+                        return err
+                }
+@@ -521,13 +528,15 @@ Loop:
+                case StartElement:
+                        consumed := false
+                        if sv.IsValid() {
+-                               consumed, err = d.unmarshalPath(tinfo, sv, nil, &t)
+                               // unmarshalPath can call unmarshal, so we need to pass the depth through so that
+                               // we can continue to enforce the maximum recusion limit.
+                               consumed, err = d.unmarshalPath(tinfo, sv, nil, &t, depth)
+                                if err != nil {
+                                        return err
+                                }
+                                if !consumed && saveAny.IsValid() {
+                                        consumed = true
+-                                       if err := d.unmarshal(saveAny, &t); err != nil {
+                                       if err := d.unmarshal(saveAny, &t, depth+1); err != nil {
+                                                return err
+                                        }
+                                }
+@@ -672,7 +681,7 @@ func copyValue(dst reflect.Value, src []byte) (err error) {
+ // The consumed result tells whether XML elements have been consumed
+ // from the Decoder until start's matching end element, or if it's
+ // still untouched because start is uninteresting for sv's fields.
+-func (d *Decoder) unmarshalPath(tinfo *typeInfo, sv reflect.Value, parents []string, start *StartElement) (consumed bool, err error) {
+func (d *Decoder) unmarshalPath(tinfo *typeInfo, sv reflect.Value, parents []string, start *StartElement, depth int) (consumed bool, err error) {
+        recurse := false
+ Loop:
+        for i := range tinfo.fields {
+@@ -687,7 +696,7 @@ Loop:
+                }
+                if len(finfo.parents) == len(parents) && finfo.name == start.Name.Local {
+                        // It's a perfect match, unmarshal the field.
+-                       return true, d.unmarshal(finfo.value(sv), start)
+                       return true, d.unmarshal(finfo.value(sv), start, depth+1)
+                }
+                if len(finfo.parents) > len(parents) && finfo.parents[len(parents)] == start.Name.Local {
+                        // It's a prefix for the field. Break and recurse
+@@ -716,7 +725,9 @@ Loop:
+                }
+                switch t := tok.(type) {
+                case StartElement:
+-                       consumed2, err := d.unmarshalPath(tinfo, sv, parents, &t)
+                       // the recursion depth of unmarshalPath is limited to the path length specified
+                       // by the struct field tag, so we don't increment the depth here.
+                       consumed2, err := d.unmarshalPath(tinfo, sv, parents, &t, depth)
+                        if err != nil {
+                                return true, err
+                        }
+diff --git a/src/encoding/xml/read_test.go b/src/encoding/xml/read_test.go
+index 8c2e70f..6a20b1a 100644
+--- a/src/encoding/xml/read_test.go
+++ b/src/encoding/xml/read_test.go
+@@ -5,6 +5,7 @@
+ package xml
+ 
+ import (
+       "errors"
+        "io"
+        "reflect"
+        "strings"
+@@ -1079,3 +1080,16 @@ func TestUnmarshalWhitespaceAttrs(t *testing.T) {
+                t.Fatalf("whitespace attrs: Unmarshal:\nhave: %#+v\nwant: %#+v", v, want)
+        }
+ }
+
+func TestCVE202228131(t *testing.T) {
+       type nested struct {
+               Parent *nested `xml:",any"`
+       }
+       var n nested
+       err := Unmarshal(bytes.Repeat([]byte("<a>"), maxUnmarshalDepth+1), &n)
+       if err == nil {
+               t.Fatal("Unmarshal did not fail")
+       } else if !errors.Is(err, errExeceededMaxUnmarshalDepth) {
+               t.Fatalf("Unmarshal unexpected error: got %q, want %q", err, errExeceededMaxUnmarshalDepth)
+       }
+}
+-- 
+2.25.1
author	Hitendra Prajapati <hprajapati@mvista.com>	2022-08-25 17:32:51 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-09-03 13:10:37 +0100
commit	7d67a61029c49b3459b65da4da2c5022f3826713 (patch)
tree	b93bd3b484b37a9dfcc3fe74b6183e88017a1889 /meta/recipes-devtools
parent	8bc3443c0813f884955def3bb8d7594acd397796 (diff)
download	poky-7d67a61029c49b3459b65da4da2c5022f3826713.tar.gz

diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 6089fd501d..84babc38cb 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -27,6 +27,8 @@ SRC_URI += "\
27	file://CVE-2021-31525.patch \	27	file://CVE-2021-31525.patch \
28	file://CVE-2022-30629.patch \	28	file://CVE-2022-30629.patch \
29	file://CVE-2022-30631.patch \	29	file://CVE-2022-30631.patch \
		30	file://CVE-2022-30632.patch \
		31	file://CVE-2022-30633.patch \
30	"	32	"
31		33
32	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"	34	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"


diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch new file mode 100644 index 0000000000..c54ef56a0e --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch
@@ -0,0 +1,71 @@
		1	From 35d1dfe9746029aea9027b405c75555d41ffd2f8 Mon Sep 17 00:00:00 2001
		2	From: Hitendra Prajapati <hprajapati@mvista.com>
		3	Date: Thu, 25 Aug 2022 13:12:40 +0530
		4	Subject: [PATCH] CVE-2022-30632
		5
		6	Upstream-Status: Backport [https://github.com/golang/go/commit/76f8b7304d1f7c25834e2a0cc9e88c55276c47df]
		7	CVE: CVE-2022-30632
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9	---
		10	src/path/filepath/match.go \| 16 +++++++++++++++-
		11	src/path/filepath/match_test.go \| 10 ++++++++++
		12	2 files changed, 25 insertions(+), 1 deletion(-)
		13
		14	diff --git a/src/path/filepath/match.go b/src/path/filepath/match.go
		15	index 46badb5..ba68daa 100644
		16	--- a/src/path/filepath/match.go
		17	+++ b/src/path/filepath/match.go
		18	@@ -232,6 +232,20 @@ func getEsc(chunk string) (r rune, nchunk string, err error) {
		19	// The only possible returned error is ErrBadPattern, when pattern
		20	// is malformed.
		21	func Glob(pattern string) (matches []string, err error) {
		22	+ return globWithLimit(pattern, 0)
		23	+}
		24	+
		25	+func globWithLimit(pattern string, depth int) (matches []string, err error) {
		26	+ // This limit is used prevent stack exhaustion issues. See CVE-2022-30632.
		27	+ const pathSeparatorsLimit = 10000
		28	+ if depth == pathSeparatorsLimit {
		29	+ return nil, ErrBadPattern
		30	+ }
		31	+
		32	+ // Check pattern is well-formed.
		33	+ if _, err := Match(pattern, ""); err != nil {
		34	+ return nil, err
		35	+ }
		36	if !hasMeta(pattern) {
		37	if _, err = os.Lstat(pattern); err != nil {
		38	return nil, nil
		39	@@ -257,7 +271,7 @@ func Glob(pattern string) (matches []string, err error) {
		40	}
		41
		42	var m []string
		43	- m, err = Glob(dir)
		44	+ m, err = globWithLimit(dir, depth+1)
		45	if err != nil {
		46	return
		47	}
		48	diff --git a/src/path/filepath/match_test.go b/src/path/filepath/match_test.go
		49	index b865762..c37c812 100644
		50	--- a/src/path/filepath/match_test.go
		51	+++ b/src/path/filepath/match_test.go
		52	@@ -154,6 +154,16 @@ func TestGlob(t *testing.T) {
		53	}
		54	}
		55
		56	+func TestCVE202230632(t *testing.T) {
		57	+ // Prior to CVE-2022-30632, this would cause a stack exhaustion given a
		58	+ // large number of separators (more than 4,000,000). There is now a limit
		59	+ // of 10,000.
		60	+ _, err := Glob("/*" + strings.Repeat("/", 10001))
		61	+ if err != ErrBadPattern {
		62	+ t.Fatalf("Glob returned err=%v, want ErrBadPattern", err)
		63	+ }
		64	+}
		65	+
		66	func TestGlobError(t *testing.T) {
		67	_, err := Glob("[]")
		68	if err == nil {
		69	--
		70	2.25.1
		71


diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch new file mode 100644 index 0000000000..c16cb5f50c --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch
@@ -0,0 +1,131 @@
		1	From ab6e2ffdcab0501bcc2de4b196c1c18ae2301d4b Mon Sep 17 00:00:00 2001
		2	From: Hitendra Prajapati <hprajapati@mvista.com>
		3	Date: Thu, 25 Aug 2022 13:29:55 +0530
		4	Subject: [PATCH] CVE-2022-30633
		5
		6	Upstream-Status: Backport [https://github.com/golang/go/commit/2678d0c957193dceef336c969a9da74dd716a827]
		7	CVE: CVE-2022-30633
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9	---
		10	src/encoding/xml/read.go \| 27 +++++++++++++++++++--------
		11	src/encoding/xml/read_test.go \| 14 ++++++++++++++
		12	2 files changed, 33 insertions(+), 8 deletions(-)
		13
		14	diff --git a/src/encoding/xml/read.go b/src/encoding/xml/read.go
		15	index 10a60ee..4ffed80 100644
		16	--- a/src/encoding/xml/read.go
		17	+++ b/src/encoding/xml/read.go
		18	@@ -148,7 +148,7 @@ func (d Decoder) DecodeElement(v interface{}, start StartElement) error {
		19	if val.Kind() != reflect.Ptr {
		20	return errors.New("non-pointer passed to Unmarshal")
		21	}
		22	- return d.unmarshal(val.Elem(), start)
		23	+ return d.unmarshal(val.Elem(), start, 0)
		24	}
		25
		26	// An UnmarshalError represents an error in the unmarshaling process.
		27	@@ -304,8 +304,15 @@ var (
		28	textUnmarshalerType = reflect.TypeOf((*encoding.TextUnmarshaler)(nil)).Elem()
		29	)
		30
		31	+const maxUnmarshalDepth = 10000
		32	+
		33	+var errExeceededMaxUnmarshalDepth = errors.New("exceeded max depth")
		34	+
		35	// Unmarshal a single XML element into val.
		36	-func (d Decoder) unmarshal(val reflect.Value, start StartElement) error {
		37	+func (d Decoder) unmarshal(val reflect.Value, start StartElement, depth int) error {
		38	+ if depth >= maxUnmarshalDepth {
		39	+ return errExeceededMaxUnmarshalDepth
		40	+ }
		41	// Find start element if we need it.
		42	if start == nil {
		43	for {
		44	@@ -398,7 +405,7 @@ func (d Decoder) unmarshal(val reflect.Value, start StartElement) error {
		45	v.Set(reflect.Append(val, reflect.Zero(v.Type().Elem())))
		46
		47	// Recur to read element into slice.
		48	- if err := d.unmarshal(v.Index(n), start); err != nil {
		49	+ if err := d.unmarshal(v.Index(n), start, depth+1); err != nil {
		50	v.SetLen(n)
		51	return err
		52	}
		53	@@ -521,13 +528,15 @@ Loop:
		54	case StartElement:
		55	consumed := false
		56	if sv.IsValid() {
		57	- consumed, err = d.unmarshalPath(tinfo, sv, nil, &t)
		58	+ // unmarshalPath can call unmarshal, so we need to pass the depth through so that
		59	+ // we can continue to enforce the maximum recusion limit.
		60	+ consumed, err = d.unmarshalPath(tinfo, sv, nil, &t, depth)
		61	if err != nil {
		62	return err
		63	}
		64	if !consumed && saveAny.IsValid() {
		65	consumed = true
		66	- if err := d.unmarshal(saveAny, &t); err != nil {
		67	+ if err := d.unmarshal(saveAny, &t, depth+1); err != nil {
		68	return err
		69	}
		70	}
		71	@@ -672,7 +681,7 @@ func copyValue(dst reflect.Value, src []byte) (err error) {
		72	// The consumed result tells whether XML elements have been consumed
		73	// from the Decoder until start's matching end element, or if it's
		74	// still untouched because start is uninteresting for sv's fields.
		75	-func (d Decoder) unmarshalPath(tinfo typeInfo, sv reflect.Value, parents []string, start *StartElement) (consumed bool, err error) {
		76	+func (d Decoder) unmarshalPath(tinfo typeInfo, sv reflect.Value, parents []string, start *StartElement, depth int) (consumed bool, err error) {
		77	recurse := false
		78	Loop:
		79	for i := range tinfo.fields {
		80	@@ -687,7 +696,7 @@ Loop:
		81	}
		82	if len(finfo.parents) == len(parents) && finfo.name == start.Name.Local {
		83	// It's a perfect match, unmarshal the field.
		84	- return true, d.unmarshal(finfo.value(sv), start)
		85	+ return true, d.unmarshal(finfo.value(sv), start, depth+1)
		86	}
		87	if len(finfo.parents) > len(parents) && finfo.parents[len(parents)] == start.Name.Local {
		88	// It's a prefix for the field. Break and recurse
		89	@@ -716,7 +725,9 @@ Loop:
		90	}
		91	switch t := tok.(type) {
		92	case StartElement:
		93	- consumed2, err := d.unmarshalPath(tinfo, sv, parents, &t)
		94	+ // the recursion depth of unmarshalPath is limited to the path length specified
		95	+ // by the struct field tag, so we don't increment the depth here.
		96	+ consumed2, err := d.unmarshalPath(tinfo, sv, parents, &t, depth)
		97	if err != nil {
		98	return true, err
		99	}
		100	diff --git a/src/encoding/xml/read_test.go b/src/encoding/xml/read_test.go
		101	index 8c2e70f..6a20b1a 100644
		102	--- a/src/encoding/xml/read_test.go
		103	+++ b/src/encoding/xml/read_test.go
		104	@@ -5,6 +5,7 @@
		105	package xml
		106
		107	import (
		108	+ "errors"
		109	"io"
		110	"reflect"
		111	"strings"
		112	@@ -1079,3 +1080,16 @@ func TestUnmarshalWhitespaceAttrs(t *testing.T) {
		113	t.Fatalf("whitespace attrs: Unmarshal:\nhave: %#+v\nwant: %#+v", v, want)
		114	}
		115	}
		116	+
		117	+func TestCVE202228131(t *testing.T) {
		118	+ type nested struct {
		119	+ Parent *nested `xml:",any"`
		120	+ }
		121	+ var n nested
		122	+ err := Unmarshal(bytes.Repeat([]byte("<a>"), maxUnmarshalDepth+1), &n)
		123	+ if err == nil {
		124	+ t.Fatal("Unmarshal did not fail")
		125	+ } else if !errors.Is(err, errExeceededMaxUnmarshalDepth) {
		126	+ t.Fatalf("Unmarshal unexpected error: got %q, want %q", err, errExeceededMaxUnmarshalDepth)
		127	+ }
		128	+}
		129	--
		130	2.25.1
		131