[Backport]fix CVE-2023-39323
This commit is contained in:
luoyujie
hanchao
parent
2332a50120
commit
a55f2e83eb
140
0052-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch
Normal file
140
0052-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch
Normal file
@ -0,0 +1,140 @@
|
||||
From a56df8ee0ed2cd76c939f916d5f72f281f902f7c Mon Sep 17 00:00:00 2001
|
||||
From: Ian Lance Taylor <iant@golang.org>
|
||||
Date: Thu, 21 Sep 2023 07:16:29 +0800
|
||||
Subject: [PATCH] [Backport] cmd/compile: use absolute file name in isCgo check
|
||||
|
||||
Offering: Cloud Core Network
|
||||
CVE: CVE-2023-39323
|
||||
Reference: https://go-review.googlesource.com/c/go/+/533195
|
||||
|
||||
Note: The upstream does not submit this change to go1.17 according to the rules of MinorReleases.
|
||||
Corego3.x are based on go1.17.8. Therefore, it need to submit the change to corego3.x.
|
||||
|
||||
Edited-by: machangwang m00509938
|
||||
|
||||
For #23672
|
||||
Updates #63211
|
||||
Fixes #63213
|
||||
Fixes CVE-2023-39323
|
||||
|
||||
Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352
|
||||
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884
|
||||
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
|
||||
Reviewed-by: Roland Shoemaker <bracewell@google.com>
|
||||
(cherry picked from commit 9b19e751918dd218035811b1ef83a8c2693b864a)
|
||||
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2037629
|
||||
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
|
||||
Run-TryBot: Roland Shoemaker <bracewell@google.com>
|
||||
Reviewed-by: Damien Neil <dneil@google.com>
|
||||
Reviewed-on: https://go-review.googlesource.com/c/go/+/533195
|
||||
Auto-Submit: Michael Pratt <mpratt@google.com>
|
||||
Reviewed-by: Ian Lance Taylor <iant@google.com>
|
||||
TryBot-Bypass: Michael Pratt <mpratt@google.com>
|
||||
Reviewed-by: Than McIntosh <thanm@google.com>
|
||||
Signed-off-by: Ma Chang Wang machangwang@huawei.com
|
||||
---
|
||||
misc/cgo/errors/errors_test.go | 32 ++++++++++++++++++-------
|
||||
misc/cgo/errors/testdata/err5.go | 11 +++++++++
|
||||
src/cmd/compile/internal/noder/noder.go | 8 ++++++-
|
||||
3 files changed, 41 insertions(+), 10 deletions(-)
|
||||
create mode 100644 misc/cgo/errors/testdata/err5.go
|
||||
|
||||
diff --git a/misc/cgo/errors/errors_test.go b/misc/cgo/errors/errors_test.go
|
||||
index 68a30a44fe..dd60a98e8e 100644
|
||||
--- a/misc/cgo/errors/errors_test.go
|
||||
+++ b/misc/cgo/errors/errors_test.go
|
||||
@@ -20,6 +20,13 @@ func path(file string) string {
|
||||
return filepath.Join("testdata", file)
|
||||
}
|
||||
|
||||
+func bytesCut(s, sep []byte) (before, after []byte, found bool) {
|
||||
+ if i := bytes.Index(s, sep); i >= 0 {
|
||||
+ return s[:i], s[i+len(sep):], true
|
||||
+ }
|
||||
+ return s, nil, false
|
||||
+}
|
||||
+
|
||||
func check(t *testing.T, file string) {
|
||||
t.Run(file, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
@@ -36,17 +43,23 @@ func check(t *testing.T, file string) {
|
||||
continue
|
||||
}
|
||||
|
||||
- frags := bytes.SplitAfterN(line, []byte("ERROR HERE: "), 2)
|
||||
- if len(frags) == 1 {
|
||||
- continue
|
||||
+ if _, frag, ok := bytesCut(line, []byte("ERROR HERE: ")); ok {
|
||||
+ re, err := regexp.Compile(fmt.Sprintf(":%d:.*%s", i+1, frag))
|
||||
+ if err != nil {
|
||||
+ t.Errorf("Invalid regexp after `ERROR HERE: `: %#q", frag)
|
||||
+ continue
|
||||
+ }
|
||||
+ errors = append(errors, re)
|
||||
}
|
||||
- frag := fmt.Sprintf(":%d:.*%s", i+1, frags[1])
|
||||
- re, err := regexp.Compile(frag)
|
||||
- if err != nil {
|
||||
- t.Errorf("Invalid regexp after `ERROR HERE: `: %#q", frags[1])
|
||||
- continue
|
||||
+
|
||||
+ if _, frag, ok := bytesCut(line, []byte("ERROR MESSAGE: ")); ok {
|
||||
+ re, err := regexp.Compile(string(frag))
|
||||
+ if err != nil {
|
||||
+ t.Errorf("Invalid regexp after `ERROR MESSAGE: `: %#q", frag)
|
||||
+ continue
|
||||
+ }
|
||||
+ errors = append(errors, re)
|
||||
}
|
||||
- errors = append(errors, re)
|
||||
}
|
||||
if len(errors) == 0 {
|
||||
t.Fatalf("cannot find ERROR HERE")
|
||||
@@ -107,6 +120,7 @@ func TestReportsTypeErrors(t *testing.T) {
|
||||
for _, file := range []string{
|
||||
"err1.go",
|
||||
"err2.go",
|
||||
+ "err5.go",
|
||||
"issue11097a.go",
|
||||
"issue11097b.go",
|
||||
"issue18452.go",
|
||||
diff --git a/misc/cgo/errors/testdata/err5.go b/misc/cgo/errors/testdata/err5.go
|
||||
new file mode 100644
|
||||
index 0000000000..c12a290d38
|
||||
--- /dev/null
|
||||
+++ b/misc/cgo/errors/testdata/err5.go
|
||||
@@ -0,0 +1,11 @@
|
||||
+// Copyright 2023 The Go Authors. All rights reserved.
|
||||
+// Use of this source code is governed by a BSD-style
|
||||
+// license that can be found in the LICENSE file.
|
||||
+
|
||||
+package main
|
||||
+
|
||||
+//line /tmp/_cgo_.go:1
|
||||
+//go:cgo_dynamic_linker "/elf/interp"
|
||||
+// ERROR MESSAGE: only allowed in cgo-generated code
|
||||
+
|
||||
+func main() {}
|
||||
diff --git a/src/cmd/compile/internal/noder/noder.go b/src/cmd/compile/internal/noder/noder.go
|
||||
index 5fcad096c2..b802d22bc1 100644
|
||||
--- a/src/cmd/compile/internal/noder/noder.go
|
||||
+++ b/src/cmd/compile/internal/noder/noder.go
|
||||
@@ -1690,8 +1690,14 @@ func (p *noder) pragma(pos syntax.Pos, blankLine bool, text string, old syntax.P
|
||||
// contain cgo directives, and for security reasons
|
||||
// (primarily misuse of linker flags), other files are not.
|
||||
// See golang.org/issue/23672.
|
||||
+// Note that cmd/go ignores files whose names start with underscore,
|
||||
+// so the only _cgo_ files we will see from cmd/go are generated by cgo.
|
||||
+// It's easy to bypass this check by calling the compiler directly;
|
||||
+// we only protect against uses by cmd/go.
|
||||
func isCgoGeneratedFile(pos syntax.Pos) bool {
|
||||
- return strings.HasPrefix(filepath.Base(filepath.Clean(fileh(pos.Base().Filename()))), "_cgo_")
|
||||
+ // We need the absolute file, independent of //line directives,
|
||||
+ // so we call pos.Base().Pos().
|
||||
+ return strings.HasPrefix(filepath.Base(filepath.Clean(fileh(pos.Base().Pos().Base().Filename()))), "_cgo_")
|
||||
}
|
||||
|
||||
// safeArg reports whether arg is a "safe" command-line argument,
|
||||
--
|
||||
2.28.0.windows.1
|
||||
|
||||
@ -63,7 +63,7 @@
|
||||
|
||||
Name: golang
|
||||
Version: 1.17.3
|
||||
Release: 23
|
||||
Release: 24
|
||||
Summary: The Go Programming Language
|
||||
License: BSD and Public Domain
|
||||
URL: https://golang.org/
|
||||
@ -201,6 +201,7 @@ Patch6048: 0048-Backport-net-http-permit-requests-with-invalid-Host-headers.patc
|
||||
Patch6049: 0049-Backport-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.patch
|
||||
Patch6050: 0050-Backport-html-template-support-HTML-like-comments-in.patch
|
||||
Patch6051: 0051-Backport-html-template-properly-handle-special-tags-.patch
|
||||
Patch6052: 0052-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch
|
||||
|
||||
ExclusiveArch: %{golang_arches}
|
||||
|
||||
@ -439,6 +440,12 @@ fi
|
||||
%files devel -f go-tests.list -f go-misc.list -f go-src.list
|
||||
|
||||
%changelog
|
||||
* Fri Oct 13 2023 luoyujie <luoyujie5@huawei.com> - 1.17.3-24
|
||||
- Type:CVE
|
||||
- CVE:CVE-2023-39323
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2023-39323
|
||||
|
||||
* Mon Sep 25 2023 luoyujie <luoyujie5@huawei.com> - 1.17.3-23
|
||||
- Type:CVE
|
||||
- CVE:CVE-2023-39318,CVE-2023-39319
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user