!384 [sync] PR-381: golang: fix CVE-2024-24789

From: @openeuler-sync-bot 
Reviewed-by: @hcnbxx 
Signed-off-by: @hcnbxx

0061-Backport-net-mail-properly-handle-special-characters.patch

@@ -0,0 +1,214 @@
+From b1a3bda40d0e6862fa93b00a1be47214b5478ca3 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Wed, 10 Jan 2024 11:02:14 -0800
+Subject: [PATCH] [Backport] net/mail: properly handle special characters in
+ phrase and obs-phrase
+
+Offering: Cloud Core Network
+CVE: CVE-2024-24784
+Reference: https://go-review.googlesource.com/c/go/+/566195
+
+Fixes a couple of misalignments with RFC 5322 which introduce
+significant diffs between (mostly) conformant parsers.
+
+This change reverts the changes made in CL50911, which allowed certain
+special RFC 5322 characters to appear unquoted in the "phrase" syntax.
+It is unclear why this change was made in the first place, and created
+a divergence from comformant parsers. In particular this resulted in
+treating comments in display names incorrectly.
+
+Additionally properly handle trailing malformed comments in the group
+syntax.
+
+Note: The upstream does not submit this change to go1.17 according to the rules of MinorReleases.
+Corego3.x are based on go1.17.8. Therefore, it need to submit the change to corego3.x.
+
+Edited-by: machangwang m00509938
+
+For #65083
+Fixes #65848
+
+Change-Id: I00dddc044c6ae3381154e43236632604c390f672
+Reviewed-on: https://go-review.googlesource.com/c/go/+/555596
+Reviewed-by: Damien Neil <dneil@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/566195
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+Signed-off-by: Ma Chang Wang  machangwang@huawei.com
+---
+ src/net/mail/message.go      | 30 +++++++++++++++------------
+ src/net/mail/message_test.go | 40 ++++++++++++++++++++++++++----------
+ 2 files changed, 46 insertions(+), 24 deletions(-)
+
+diff --git a/src/net/mail/message.go b/src/net/mail/message.go
+index 47bbf6ca97..84f48f0cba 100644
+--- a/src/net/mail/message.go
++++ b/src/net/mail/message.go
+@@ -231,7 +231,7 @@ func (a *Address) String() string {
+ 	// Add quotes if needed
+ 	quoteLocal := false
+ 	for i, r := range local {
+-		if isAtext(r, false, false) {
++		if isAtext(r, false) {
+ 			continue
+ 		}
+ 		if r == '.' {
+@@ -395,7 +395,7 @@ func (p *addrParser) parseAddress(handleGroup bool) ([]*Address, error) {
+ 	if !p.consume('<') {
+ 		atext := true
+ 		for _, r := range displayName {
+-			if !isAtext(r, true, false) {
++			if !isAtext(r, true) {
+ 				atext = false
+ 				break
+ 			}
+@@ -430,7 +430,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
+ 	// handle empty group.
+ 	p.skipSpace()
+ 	if p.consume(';') {
+-		p.skipCFWS()
++		if !p.skipCFWS() {
++			return nil, errors.New("mail: misformatted parenthetical comment")
++		}
+ 		return group, nil
+ 	}
+ 
+@@ -447,7 +449,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
+ 			return nil, errors.New("mail: misformatted parenthetical comment")
+ 		}
+ 		if p.consume(';') {
+-			p.skipCFWS()
++			if !p.skipCFWS() {
++				return nil, errors.New("mail: misformatted parenthetical comment")
++			}
+ 			break
+ 		}
+ 		if !p.consume(',') {
+@@ -517,6 +521,12 @@ func (p *addrParser) consumePhrase() (phrase string, err error) {
+ 	var words []string
+ 	var isPrevEncoded bool
+ 	for {
++		// obs-phrase allows CFWS after one word
++		if len(words) > 0 {
++			if !p.skipCFWS() {
++				return "", errors.New("mail: misformatted parenthetical comment")
++			}
++		}
+ 		// word = atom / quoted-string
+ 		var word string
+ 		p.skipSpace()
+@@ -612,7 +622,6 @@ Loop:
+ // If dot is true, consumeAtom parses an RFC 5322 dot-atom instead.
+ // If permissive is true, consumeAtom will not fail on:
+ // - leading/trailing/double dots in the atom (see golang.org/issue/4938)
+-// - special characters (RFC 5322 3.2.3) except '<', '>', ':' and '"' (see golang.org/issue/21018)
+ func (p *addrParser) consumeAtom(dot bool, permissive bool) (atom string, err error) {
+ 	i := 0
+ 
+@@ -623,7 +632,7 @@ Loop:
+ 		case size == 1 && r == utf8.RuneError:
+ 			return "", fmt.Errorf("mail: invalid utf-8 in address: %q", p.s)
+ 
+-		case size == 0 || !isAtext(r, dot, permissive):
++		case size == 0 || !isAtext(r, dot):
+ 			break Loop
+ 
+ 		default:
+@@ -777,18 +786,13 @@ func (e charsetError) Error() string {
+ 
+ // isAtext reports whether r is an RFC 5322 atext character.
+ // If dot is true, period is included.
+-// If permissive is true, RFC 5322 3.2.3 specials is included,
+-// except '<', '>', ':' and '"'.
+-func isAtext(r rune, dot, permissive bool) bool {
++func isAtext(r rune, dot bool) bool {
+ 	switch r {
+ 	case '.':
+ 		return dot
+ 
+ 	// RFC 5322 3.2.3. specials
+-	case '(', ')', '[', ']', ';', '@', '\\', ',':
+-		return permissive
+-
+-	case '<', '>', '"', ':':
++	case '(', ')', '<', '>', '[', ']', ':', ';', '@', '\\', ',', '"': // RFC 5322 3.2.3. specials
+ 		return false
+ 	}
+ 	return isVchar(r)
+diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go
+index 80a17b2853..00bc93e074 100644
+--- a/src/net/mail/message_test.go
++++ b/src/net/mail/message_test.go
+@@ -334,8 +334,11 @@ func TestAddressParsingError(t *testing.T) {
+ 		13: {"group not closed: null@example.com", "expected comma"},
+ 		14: {"group: first@example.com, second@example.com;", "group with multiple addresses"},
+ 		15: {"john.doe", "missing '@' or angle-addr"},
+-		16: {"john.doe@", "no angle-addr"},
++		16: {"john.doe@", "missing '@' or angle-addr"},
+ 		17: {"John Doe@foo.bar", "no angle-addr"},
++		18: {" group: null@example.com; (asd", "misformatted parenthetical comment"},
++		19: {" group: ; (asd", "misformatted parenthetical comment"},
++		20: {`(John) Doe <jdoe@machine.example>`, "missing word in phrase:"},
+ 	}
+ 
+ 	for i, tc := range mustErrTestCases {
+@@ -374,24 +377,19 @@ func TestAddressParsing(t *testing.T) {
+ 				Address: "john.q.public@example.com",
+ 			}},
+ 		},
+-		{
+-			`"John (middle) Doe" <jdoe@machine.example>`,
+-			[]*Address{{
+-				Name:    "John (middle) Doe",
+-				Address: "jdoe@machine.example",
+-			}},
+-		},
++		// Comment in display name
+ 		{
+ 			`John (middle) Doe <jdoe@machine.example>`,
+ 			[]*Address{{
+-				Name:    "John (middle) Doe",
++				Name:    "John Doe",
+ 				Address: "jdoe@machine.example",
+ 			}},
+ 		},
++		// Display name is quoted string, so comment is not a comment
+ 		{
+-			`John !@M@! Doe <jdoe@machine.example>`,
++			`"John (middle) Doe" <jdoe@machine.example>`,
+ 			[]*Address{{
+-				Name:    "John !@M@! Doe",
++				Name:    "John (middle) Doe",
+ 				Address: "jdoe@machine.example",
+ 			}},
+ 		},
+@@ -726,6 +724,26 @@ func TestAddressParsing(t *testing.T) {
+ 				},
+ 			},
+ 		},
++		// Comment in group display name
++		{
++			`group (comment:): a@example.com, b@example.com;`,
++			[]*Address{
++				{
++					Address: "a@example.com",
++				},
++				{
++					Address: "b@example.com",
++				},
++			},
++		},
++		{
++			`x(:"):"@a.example;("@b.example;`,
++			[]*Address{
++				{
++					Address: `@a.example;(@b.example`,
++				},
++			},
++		},
+ 	}
+ 	for _, test := range tests {
+ 		if len(test.exp) == 1 {
+-- 
+2.33.0
+

0062-1.17-backport-runtime-decrement-netpollWaiters-in-ne.patch

@@ -0,0 +1,151 @@
+From ab4bfbf2bea972772e5e879f0da6e9e8de407e35 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Fri, 29 Mar 2024 11:41:57 +0800
+Subject: [PATCH 1/2] [1.17 backport]runtime: decrement netpollWaiters in
+ netpollunblock
+
+We used to decrement it in netpollgoready, but that missed
+the common case of a descriptor becoming ready due to I/O.
+All calls to netpollgoready go through netpollunblock,
+so this shouldn't miss any decrements we missed before.
+
+Note:
+The upstream does not submit this change to go1.17 according to
+the rules of MinorReleases.
+
+Edited-by: wangshuo
+
+Fixes #60782
+
+Change-Id: Ideefefa1ac96ca38e09fe2dd5d595c5dd7883237
+Reviewed-on: https://go-review.googlesource.com/c/go/+/503923
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Ian Lance Taylor <iant@google.com>
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
+Run-TryBot: Ian Lance Taylor <iant@google.com>
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Auto-Submit: Ian Lance Taylor <iant@google.com>
+Signed-off-by: Wang Shuo <wangshuo@kylinos.cn>
+---
+ src/runtime/crash_test.go                   |  9 +++
+ src/runtime/netpoll.go                      |  4 +-
+ src/runtime/testdata/testprognet/waiters.go | 69 +++++++++++++++++++++
+ 3 files changed, 81 insertions(+), 1 deletion(-)
+ create mode 100644 src/runtime/testdata/testprognet/waiters.go
+
+diff --git a/src/runtime/crash_test.go b/src/runtime/crash_test.go
+index e0c0bac..800686b 100644
+--- a/src/runtime/crash_test.go
++++ b/src/runtime/crash_test.go
+@@ -807,3 +807,12 @@ func TestDoublePanic(t *testing.T) {
+ 		}
+ 	}
+ }
++
++func TestNetpollWaiters(t *testing.T) {
++	t.Parallel()
++	output := runTestProg(t, "testprognet", "NetpollWaiters")
++	want := "OK\n"
++	if output != want {
++		t.Fatalf("output is not %q\n%s", want, output)
++	}
++}
+diff --git a/src/runtime/netpoll.go b/src/runtime/netpoll.go
+index 4f8d244..7175c7f 100644
+--- a/src/runtime/netpoll.go
++++ b/src/runtime/netpoll.go
+@@ -477,13 +477,15 @@ func netpollunblock(pd *pollDesc, mode int32, ioready bool) *g {
+ 			// will check for timeout/cancel before waiting.
+ 			return nil
+ 		}
+-		var new uintptr
++		new := pdNil
+ 		if ioready {
+ 			new = pdReady
+ 		}
+ 		if atomic.Casuintptr(gpp, old, new) {
+ 			if old == pdWait {
+ 				old = 0
++			} else if old != 0 {
++				netpollWaiters.Add(-1)
+ 			}
+ 			return (*g)(unsafe.Pointer(old))
+ 		}
+diff --git a/src/runtime/testdata/testprognet/waiters.go b/src/runtime/testdata/testprognet/waiters.go
+new file mode 100644
+index 0000000..480e872
+--- /dev/null
++++ b/src/runtime/testdata/testprognet/waiters.go
+@@ -0,0 +1,69 @@
++// Copyright 2023 The Go Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style
++// license that can be found in the LICENSE file.
++
++package main
++
++import (
++	"fmt"
++	"io"
++	"log"
++	"net"
++	"runtime/internal/atomic"
++	"sync"
++	"time"
++	_ "unsafe" // for go:linkname
++)
++
++// The bug is that netpollWaiters increases monotonically.
++// This doesn't cause a problem until it overflows.
++// Use linkname to see the value.
++//go:linkname netpollWaiters runtime.netpollWaiters
++var netpollWaiters uint32
++
++func init() {
++	register("NetpollWaiters", NetpollWaiters)
++}
++
++func NetpollWaiters() {
++	listener, err := net.Listen("tcp", "127.0.0.1:0")
++	if err != nil {
++		log.Fatal(err)
++	}
++
++	var wg sync.WaitGroup
++	wg.Add(1)
++	go func() {
++		defer wg.Done()
++		conn, err := listener.Accept()
++		if err != nil {
++			log.Fatal(err)
++		}
++		defer conn.Close()
++		if _, err := io.Copy(io.Discard, conn); err != nil {
++			log.Fatal(err)
++		}
++	}()
++
++	wg.Add(1)
++	go func() {
++		defer wg.Done()
++		conn, err := net.Dial("tcp", listener.Addr().String())
++		if err != nil {
++			log.Fatal(err)
++		}
++		defer conn.Close()
++		for i := 0; i < 10; i++ {
++			fmt.Fprintf(conn, "%d\n", i)
++			time.Sleep(time.Millisecond)
++		}
++	}()
++
++	wg.Wait()
++	if v := atomic.Load(&netpollWaiters); v != 0 {
++		log.Fatalf("current waiters %v", v)
++	}
++
++	fmt.Println("OK")
++}
++
+-- 
+2.27.0
+

0063-1.17-backport-runtime-adjust-netpollWaiters-after-go.patch

@@ -0,0 +1,638 @@
+From aea735c6c33c7de237b2af634662fcf5ca352f18 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Fri, 29 Mar 2024 14:31:25 +0800
+Subject: [PATCH 2/2] [1.17 backport]runtime: adjust netpollWaiters after
+ goroutines are ready
+
+The runtime was adjusting netpollWaiters before the waiting
+goroutines were marked as ready. This could cause the scheduler
+to report a deadlock because there were no goroutines ready to run.
+Keeping netpollWaiters non-zero ensures that at least one goroutine
+will call netpoll(-1) from findRunnable.
+
+This does mean that if a program has network activity for a while
+and then never has it again, and also has no timers, then we can leave
+an M stranded in a call to netpoll from which it will never return.
+At least this won't be a common case. And it's not new; this has been
+a potential problem for some time.
+
+Note:
+The upstream does not submit this change to go1.17 according to
+the rules of MinorReleases.
+
+Edited-by: wangshuo
+
+Fixes #61454
+
+Change-Id: I17c7f891c2bb1262fda12c6929664e64686463c8
+Reviewed-on: https://go-review.googlesource.com/c/go/+/511455
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Auto-Submit: Ian Lance Taylor <iant@golang.org>
+Reviewed-by: Heschi Kreinick <heschi@google.com>
+Signed-off-by: Wang Shuo <wangshuo@kylinos.cn>
+---
+ src/runtime/netpoll.go         | 67 +++++++++++++++++++++++++---------
+ src/runtime/netpoll_aix.go     | 11 +++---
+ src/runtime/netpoll_epoll.go   | 11 +++---
+ src/runtime/netpoll_fake.go    |  4 +-
+ src/runtime/netpoll_kqueue.go  | 11 +++---
+ src/runtime/netpoll_solaris.go | 11 +++---
+ src/runtime/netpoll_stub.go    | 12 ++++--
+ src/runtime/netpoll_windows.go | 15 ++++----
+ src/runtime/proc.go            | 22 +++++++----
+ 9 files changed, 106 insertions(+), 58 deletions(-)
+
+diff --git a/src/runtime/netpoll.go b/src/runtime/netpoll.go
+index 7175c7f..1a96679 100644
+--- a/src/runtime/netpoll.go
++++ b/src/runtime/netpoll.go
+@@ -26,10 +26,12 @@ import (
+ // func netpollclose(fd uintptr) int32
+ //     Disable notifications for fd. Return an errno value.
+ //
+-// func netpoll(delta int64) gList
++// func netpoll(delta int64) (gList, int32)
+ //     Poll the network. If delta < 0, block indefinitely. If delta == 0,
+ //     poll without blocking. If delta > 0, block for up to delta nanoseconds.
+-//     Return a list of goroutines built by calling netpollready.
++//     Return a list of goroutines built by calling netpollready,
++//     and a delta to add to netpollWaiters when all goroutines are ready.
++//     This will never return an empty list with a non-zero delta.
+ //
+ // func netpollBreak()
+ //     Wake up the network poller, assumed to be blocked in netpoll.
+@@ -57,8 +59,9 @@ const (
+ // G pointer - the goroutine is blocked on the semaphore;
+ //             io notification or timeout/close changes the state to pdReady or nil respectively
+ //             and unparks the goroutine.
+-// nil - none of the above.
++// pdNil - none of the above.
+ const (
++	pdNil   uintptr = 0
+ 	pdReady uintptr = 1
+ 	pdWait  uintptr = 2
+ )
+@@ -315,14 +318,16 @@ func poll_runtime_pollSetDeadline(pd *pollDesc, d int64, mode int) {
+ 		}
+ 	}
+ 	// If we set the new deadline in the past, unblock currently pending IO if any.
++	// Note that pd.publishInfo has already been called, above, immediately after modifying rd and wd.
++	delta := int32(0)
+ 	var rg, wg *g
+ 	if pd.rd < 0 || pd.wd < 0 {
+ 		atomic.StorepNoWB(noescape(unsafe.Pointer(&wg)), nil) // full memory barrier between stores to rd/wd and load of rg/wg in netpollunblock
+ 		if pd.rd < 0 {
+-			rg = netpollunblock(pd, 'r', false)
++			rg = netpollunblock(pd, 'r', false, &delta)
+ 		}
+ 		if pd.wd < 0 {
+-			wg = netpollunblock(pd, 'w', false)
++			wg = netpollunblock(pd, 'w', false, &delta)
+ 		}
+ 	}
+ 	unlock(&pd.lock)
+@@ -332,6 +337,7 @@ func poll_runtime_pollSetDeadline(pd *pollDesc, d int64, mode int) {
+ 	if wg != nil {
+ 		netpollgoready(wg, 3)
+ 	}
++	netpollAdjustWaiters(delta)
+ }
+ 
+ //go:linkname poll_runtime_pollUnblock internal/poll.runtime_pollUnblock
+@@ -345,8 +351,9 @@ func poll_runtime_pollUnblock(pd *pollDesc) {
+ 	pd.wseq++
+ 	var rg, wg *g
+ 	atomic.StorepNoWB(noescape(unsafe.Pointer(&rg)), nil) // full memory barrier between store to closing and read of rg/wg in netpollunblock
+-	rg = netpollunblock(pd, 'r', false)
+-	wg = netpollunblock(pd, 'w', false)
++	delta := int32(0)
++	rg = netpollunblock(pd, 'r', false, &delta)
++	wg = netpollunblock(pd, 'w', false, &delta)
+ 	if pd.rt.f != nil {
+ 		deltimer(&pd.rt)
+ 		pd.rt.f = nil
+@@ -362,6 +369,7 @@ func poll_runtime_pollUnblock(pd *pollDesc) {
+ 	if wg != nil {
+ 		netpollgoready(wg, 3)
+ 	}
++	netpollAdjustWaiters(delta)
+ }
+ 
+ // netpollready is called by the platform-specific netpoll function.
+@@ -370,15 +378,18 @@ func poll_runtime_pollUnblock(pd *pollDesc) {
+ // from netpoll. The mode argument is 'r', 'w', or 'r'+'w' to indicate
+ // whether the fd is ready for reading or writing or both.
+ //
++// This returns a delta to apply to netpollWaiters.
++//
+ // This may run while the world is stopped, so write barriers are not allowed.
+ //go:nowritebarrier
+-func netpollready(toRun *gList, pd *pollDesc, mode int32) {
++func netpollready(toRun *gList, pd *pollDesc, mode int32) int32 {
++	delta := int32(0)
+ 	var rg, wg *g
+ 	if mode == 'r' || mode == 'r'+'w' {
+-		rg = netpollunblock(pd, 'r', true)
++		rg = netpollunblock(pd, 'r', true, &delta)
+ 	}
+ 	if mode == 'w' || mode == 'r'+'w' {
+-		wg = netpollunblock(pd, 'w', true)
++		wg = netpollunblock(pd, 'w', true, &delta)
+ 	}
+ 	if rg != nil {
+ 		toRun.push(rg)
+@@ -386,6 +397,7 @@ func netpollready(toRun *gList, pd *pollDesc, mode int32) {
+ 	if wg != nil {
+ 		toRun.push(wg)
+ 	}
++	return delta
+ }
+ 
+ func netpollcheckerr(pd *pollDesc, mode int32) int {
+@@ -410,7 +422,7 @@ func netpollblockcommit(gp *g, gpp unsafe.Pointer) bool {
+ 		// Bump the count of goroutines waiting for the poller.
+ 		// The scheduler uses this to decide whether to block
+ 		// waiting for the poller if there is nothing else to do.
+-		atomic.Xadd(&netpollWaiters, 1)
++		netpollAdjustWaiters(1)
+ 	}
+ 	return r
+ }
+@@ -461,7 +473,13 @@ func netpollblock(pd *pollDesc, mode int32, waitio bool) bool {
+ 	return old == pdReady
+ }
+ 
+-func netpollunblock(pd *pollDesc, mode int32, ioready bool) *g {
++// netpollunblock moves either pd.rg (if mode == 'r') or
++// pd.wg (if mode == 'w') into the pdReady state.
++// This returns any goroutine blocked on pd.{rg,wg}.
++// It adds any adjustment to netpollWaiters to *delta;
++// this adjustment should be applied after the goroutine has
++// been marked ready.
++func netpollunblock(pd *pollDesc, mode int32, ioready bool, delta *int32) *g {
+ 	gpp := &pd.rg
+ 	if mode == 'w' {
+ 		gpp = &pd.wg
+@@ -472,7 +490,7 @@ func netpollunblock(pd *pollDesc, mode int32, ioready bool) *g {
+ 		if old == pdReady {
+ 			return nil
+ 		}
+-		if old == 0 && !ioready {
++		if old == pdNil && !ioready {
+ 			// Only set pdReady for ioready. runtime_pollWait
+ 			// will check for timeout/cancel before waiting.
+ 			return nil
+@@ -483,9 +501,9 @@ func netpollunblock(pd *pollDesc, mode int32, ioready bool) *g {
+ 		}
+ 		if atomic.Casuintptr(gpp, old, new) {
+ 			if old == pdWait {
+-				old = 0
+-			} else if old != 0 {
+-				netpollWaiters.Add(-1)
++				old = pdNil
++			} else if old != pdNil {
++				*delta -= 1
+ 			}
+ 			return (*g)(unsafe.Pointer(old))
+ 		}
+@@ -505,6 +523,7 @@ func netpolldeadlineimpl(pd *pollDesc, seq uintptr, read, write bool) {
+ 		unlock(&pd.lock)
+ 		return
+ 	}
++	delta := int32(0)
+ 	var rg *g
+ 	if read {
+ 		if pd.rd <= 0 || pd.rt.f == nil {
+@@ -512,7 +531,7 @@ func netpolldeadlineimpl(pd *pollDesc, seq uintptr, read, write bool) {
+ 		}
+ 		pd.rd = -1
+ 		atomic.StorepNoWB(unsafe.Pointer(&pd.rt.f), nil) // full memory barrier between store to rd and load of rg in netpollunblock
+-		rg = netpollunblock(pd, 'r', false)
++		rg = netpollunblock(pd, 'r', false, &delta)
+ 	}
+ 	var wg *g
+ 	if write {
+@@ -521,7 +540,7 @@ func netpolldeadlineimpl(pd *pollDesc, seq uintptr, read, write bool) {
+ 		}
+ 		pd.wd = -1
+ 		atomic.StorepNoWB(unsafe.Pointer(&pd.wt.f), nil) // full memory barrier between store to wd and load of wg in netpollunblock
+-		wg = netpollunblock(pd, 'w', false)
++		wg = netpollunblock(pd, 'w', false, &delta)
+ 	}
+ 	unlock(&pd.lock)
+ 	if rg != nil {
+@@ -530,6 +549,7 @@ func netpolldeadlineimpl(pd *pollDesc, seq uintptr, read, write bool) {
+ 	if wg != nil {
+ 		netpollgoready(wg, 0)
+ 	}
++	netpollAdjustWaiters(delta)
+ }
+ 
+ func netpollDeadline(arg interface{}, seq uintptr) {
+@@ -544,6 +564,17 @@ func netpollWriteDeadline(arg interface{}, seq uintptr) {
+ 	netpolldeadlineimpl(arg.(*pollDesc), seq, false, true)
+ }
+ 
++// netpollAnyWaiters reports whether any goroutines are waiting for I/O.
++func netpollAnyWaiters() bool {
++	return atomic.Load(&netpollWaiters) > 0
++}
++// netpollAdjustWaiters adds delta to netpollWaiters.
++func netpollAdjustWaiters(delta int32) {
++	if delta != 0 {
++		atomic.Xadd(&netpollWaiters, delta)
++	}
++}
++
+ func (c *pollCache) alloc() *pollDesc {
+ 	lock(&c.lock)
+ 	if c.first == nil {
+diff --git a/src/runtime/netpoll_aix.go b/src/runtime/netpoll_aix.go
+index 4590ed8..a94e098 100644
+--- a/src/runtime/netpoll_aix.go
++++ b/src/runtime/netpoll_aix.go
+@@ -147,13 +147,13 @@ func netpollBreak() {
+ // delay == 0: does not block, just polls
+ // delay > 0: block for up to that many nanoseconds
+ //go:nowritebarrierrec
+-func netpoll(delay int64) gList {
++func netpoll(delay int64) (gList, int32) {
+ 	var timeout uintptr
+ 	if delay < 0 {
+ 		timeout = ^uintptr(0)
+ 	} else if delay == 0 {
+ 		// TODO: call poll with timeout == 0
+-		return gList{}
++		return gList{}, 0
+ 	} else if delay < 1e6 {
+ 		timeout = 1
+ 	} else if delay < 1e15 {
+@@ -179,7 +179,7 @@ retry:
+ 		// If a timed sleep was interrupted, just return to
+ 		// recalculate how long we should sleep now.
+ 		if timeout > 0 {
+-			return gList{}
++			return gList{}, 0
+ 		}
+ 		goto retry
+ 	}
+@@ -199,6 +199,7 @@ retry:
+ 		n--
+ 	}
+ 	var toRun gList
++	delta := int32(0)
+ 	for i := 1; i < len(pfds) && n > 0; i++ {
+ 		pfd := &pfds[i]
+ 
+@@ -216,10 +217,10 @@ retry:
+ 			if pfd.revents == _POLLERR {
+ 				pds[i].everr = true
+ 			}
+-			netpollready(&toRun, pds[i], mode)
++			delta += netpollready(&toRun, pds[i], mode)
+ 			n--
+ 		}
+ 	}
+ 	unlock(&mtxset)
+-	return toRun
++	return toRun, delta
+ }
+diff --git a/src/runtime/netpoll_epoll.go b/src/runtime/netpoll_epoll.go
+index 371ac59..63bcd27 100644
+--- a/src/runtime/netpoll_epoll.go
++++ b/src/runtime/netpoll_epoll.go
+@@ -104,9 +104,9 @@ func netpollBreak() {
+ // delay < 0: blocks indefinitely
+ // delay == 0: does not block, just polls
+ // delay > 0: block for up to that many nanoseconds
+-func netpoll(delay int64) gList {
++func netpoll(delay int64) (gList, int32) {
+ 	if epfd == -1 {
+-		return gList{}
++		return gList{}, 0
+ 	}
+ 	var waitms int32
+ 	if delay < 0 {
+@@ -133,11 +133,12 @@ retry:
+ 		// If a timed sleep was interrupted, just return to
+ 		// recalculate how long we should sleep now.
+ 		if waitms > 0 {
+-			return gList{}
++			return gList{}, 0
+ 		}
+ 		goto retry
+ 	}
+ 	var toRun gList
++	delta := int32(0)
+ 	for i := int32(0); i < n; i++ {
+ 		ev := &events[i]
+ 		if ev.events == 0 {
+@@ -173,8 +174,8 @@ retry:
+ 			if ev.events == _EPOLLERR {
+ 				pd.everr = true
+ 			}
+-			netpollready(&toRun, pd, mode)
++			delta += netpollready(&toRun, pd, mode)
+ 		}
+ 	}
+-	return toRun
++	return toRun, delta
+ }
+diff --git a/src/runtime/netpoll_fake.go b/src/runtime/netpoll_fake.go
+index 8366f28..adc3c29 100644
+--- a/src/runtime/netpoll_fake.go
++++ b/src/runtime/netpoll_fake.go
+@@ -31,6 +31,6 @@ func netpollarm(pd *pollDesc, mode int) {
+ func netpollBreak() {
+ }
+ 
+-func netpoll(delay int64) gList {
+-	return gList{}
++func netpoll(delay int64) (gList, int32) {
++	return gList{}, 0
+ }
+diff --git a/src/runtime/netpoll_kqueue.go b/src/runtime/netpoll_kqueue.go
+index 80d1b0c..6178a6a 100644
+--- a/src/runtime/netpoll_kqueue.go
++++ b/src/runtime/netpoll_kqueue.go
+@@ -105,9 +105,9 @@ func netpollBreak() {
+ // delay < 0: blocks indefinitely
+ // delay == 0: does not block, just polls
+ // delay > 0: block for up to that many nanoseconds
+-func netpoll(delay int64) gList {
++func netpoll(delay int64) (gList, int32) {
+ 	if kq == -1 {
+-		return gList{}
++		return gList{}, 0
+ 	}
+ 	var tp *timespec
+ 	var ts timespec
+@@ -134,11 +134,12 @@ retry:
+ 		// If a timed sleep was interrupted, just return to
+ 		// recalculate how long we should sleep now.
+ 		if delay > 0 {
+-			return gList{}
++			return gList{}, 0
+ 		}
+ 		goto retry
+ 	}
+ 	var toRun gList
++	delta := int32(0)
+ 	for i := 0; i < int(n); i++ {
+ 		ev := &events[i]
+ 
+@@ -184,8 +185,8 @@ retry:
+ 			if ev.flags == _EV_ERROR {
+ 				pd.everr = true
+ 			}
+-			netpollready(&toRun, pd, mode)
++			delta += netpollready(&toRun, pd, mode)
+ 		}
+ 	}
+-	return toRun
++	return toRun, delta
+ }
+diff --git a/src/runtime/netpoll_solaris.go b/src/runtime/netpoll_solaris.go
+index d217d5b..dbfa162 100644
+--- a/src/runtime/netpoll_solaris.go
++++ b/src/runtime/netpoll_solaris.go
+@@ -211,9 +211,9 @@ func netpollBreak() {
+ // delay < 0: blocks indefinitely
+ // delay == 0: does not block, just polls
+ // delay > 0: block for up to that many nanoseconds
+-func netpoll(delay int64) gList {
++func netpoll(delay int64) (gList, int32) {
+ 	if portfd == -1 {
+-		return gList{}
++		return gList{}, 0
+ 	}
+ 
+ 	var wait *timespec
+@@ -251,12 +251,13 @@ retry:
+ 		// If a timed sleep was interrupted and there are no events,
+ 		// just return to recalculate how long we should sleep now.
+ 		if delay > 0 {
+-			return gList{}
++			return gList{}, 0
+ 		}
+ 		goto retry
+ 	}
+ 
+ 	var toRun gList
++	delta := int32(0)
+ 	for i := 0; i < int(n); i++ {
+ 		ev := &events[i]
+ 
+@@ -311,9 +312,9 @@ retry:
+ 			// about the event port on SmartOS.
+ 			//
+ 			// See golang.org/x/issue/30840.
+-			netpollready(&toRun, pd, mode)
++			delta += netpollready(&toRun, pd, mode)
+ 		}
+ 	}
+ 
+-	return toRun
++	return toRun, delta
+ }
+diff --git a/src/runtime/netpoll_stub.go b/src/runtime/netpoll_stub.go
+index 33ab8eb..70b23a3 100644
+--- a/src/runtime/netpoll_stub.go
++++ b/src/runtime/netpoll_stub.go
+@@ -10,7 +10,6 @@ package runtime
+ import "runtime/internal/atomic"
+ 
+ var netpollInited uint32
+-var netpollWaiters uint32
+ 
+ var netpollStubLock mutex
+ var netpollNote note
+@@ -35,7 +34,7 @@ func netpollBreak() {
+ 
+ // Polls for ready network connections.
+ // Returns list of goroutines that become runnable.
+-func netpoll(delay int64) gList {
++func netpoll(delay int64) (gList, int32) {
+ 	// Implementation for platforms that do not support
+ 	// integrated network poller.
+ 	if delay != 0 {
+@@ -54,9 +53,16 @@ func netpoll(delay int64) gList {
+ 		// (eg when running TestNetpollBreak).
+ 		osyield()
+ 	}
+-	return gList{}
++	return gList{}, 0
+ }
+ 
+ func netpollinited() bool {
+ 	return atomic.Load(&netpollInited) != 0
+ }
++
++func netpollAnyWaiters() bool {
++	return false
++}
++
++func netpollAdjustWaiters(delta int32) {
++}
+diff --git a/src/runtime/netpoll_windows.go b/src/runtime/netpoll_windows.go
+index 4c1cd26..3782254 100644
+--- a/src/runtime/netpoll_windows.go
++++ b/src/runtime/netpoll_windows.go
+@@ -80,7 +80,7 @@ func netpollBreak() {
+ // delay < 0: blocks indefinitely
+ // delay == 0: does not block, just polls
+ // delay > 0: block for up to that many nanoseconds
+-func netpoll(delay int64) gList {
++func netpoll(delay int64) (gList, int32) {
+ 	var entries [64]overlappedEntry
+ 	var wait, qty, flags, n, i uint32
+ 	var errno int32
+@@ -90,7 +90,7 @@ func netpoll(delay int64) gList {
+ 	mp := getg().m
+ 
+ 	if iocphandle == _INVALID_HANDLE_VALUE {
+-		return gList{}
++		return gList{}, 0
+ 	}
+ 	if delay < 0 {
+ 		wait = _INFINITE
+@@ -117,12 +117,13 @@ func netpoll(delay int64) gList {
+ 		mp.blocked = false
+ 		errno = int32(getlasterror())
+ 		if errno == _WAIT_TIMEOUT {
+-			return gList{}
++			return gList{}, 0
+ 		}
+ 		println("runtime: GetQueuedCompletionStatusEx failed (errno=", errno, ")")
+ 		throw("runtime: netpoll failed")
+ 	}
+ 	mp.blocked = false
++	dleta := int32(0)
+ 	for i = 0; i < n; i++ {
+ 		op = entries[i].op
+ 		if op != nil {
+@@ -131,7 +132,7 @@ func netpoll(delay int64) gList {
+ 			if stdcall5(_WSAGetOverlappedResult, op.pd.fd, uintptr(unsafe.Pointer(op)), uintptr(unsafe.Pointer(&qty)), 0, uintptr(unsafe.Pointer(&flags))) == 0 {
+ 				errno = int32(getlasterror())
+ 			}
+-			handlecompletion(&toRun, op, errno, qty)
++			delta += handlecompletion(&toRun, op, errno, qty)
+ 		} else {
+ 			atomic.Store(&netpollWakeSig, 0)
+ 			if delay == 0 {
+@@ -141,10 +142,10 @@ func netpoll(delay int64) gList {
+ 			}
+ 		}
+ 	}
+-	return toRun
++	return toRun, delta
+ }
+ 
+-func handlecompletion(toRun *gList, op *net_op, errno int32, qty uint32) {
++func handlecompletion(toRun *gList, op *net_op, errno int32, qty uint32) int32 {
+ 	mode := op.mode
+ 	if mode != 'r' && mode != 'w' {
+ 		println("runtime: GetQueuedCompletionStatusEx returned invalid mode=", mode)
+@@ -152,5 +153,5 @@ func handlecompletion(toRun *gList, op *net_op, errno int32, qty uint32) {
+ 	}
+ 	op.errno = errno
+ 	op.qty = qty
+-	netpollready(toRun, op.pd, mode)
++	return netpollready(toRun, op.pd, mode)
+ }
+diff --git a/src/runtime/proc.go b/src/runtime/proc.go
+index e1fe26b..5edc8e3 100644
+--- a/src/runtime/proc.go
++++ b/src/runtime/proc.go
+@@ -1244,8 +1244,9 @@ func startTheWorldWithSema(emitTraceEvent bool) int64 {
+ 
+ 	mp := acquirem() // disable preemption because it can be holding p in a local var
+ 	if netpollinited() {
+-		list := netpoll(0) // non-blocking
++		list, delta := netpoll(0) // non-blocking
+ 		injectglist(&list)
++		netpollAdjustWaiters(delta)
+ 	}
+ 	lock(&sched.lock)
+ 
+@@ -2753,10 +2754,11 @@ top:
+ 	// blocked thread (e.g. it has already returned from netpoll, but does
+ 	// not set lastpoll yet), this thread will do blocking netpoll below
+ 	// anyway.
+-	if netpollinited() && atomic.Load(&netpollWaiters) > 0 && atomic.Load64(&sched.lastpoll) != 0 {
+-		if list := netpoll(0); !list.empty() { // non-blocking
++	if netpollinited() && netpollAnyWaiters() && atomic.Load64(&sched.lastpoll) != 0 {
++		if list, delta := netpoll(0); !list.empty() { // non-blocking
+ 			gp := list.pop()
+ 			injectglist(&list)
++			netpollAdjustWaiters(delta)
+ 			casgstatus(gp, _Gwaiting, _Grunnable)
+ 			if trace.enabled {
+ 				traceGoUnpark(gp, 0)
+@@ -2923,7 +2925,7 @@ top:
+ 	}
+ 
+ 	// Poll network until next timer.
+-	if netpollinited() && (atomic.Load(&netpollWaiters) > 0 || pollUntil != 0) && atomic.Xchg64(&sched.lastpoll, 0) != 0 {
++	if netpollinited() && (netpollAnyWaiters() || pollUntil != 0) && atomic.Xchg64(&sched.lastpoll, 0) != 0 {
+ 		atomic.Store64(&sched.pollUntil, uint64(pollUntil))
+ 		if _g_.m.p != 0 {
+ 			throw("findrunnable: netpoll with p")
+@@ -2945,7 +2947,7 @@ top:
+ 			// When using fake time, just poll.
+ 			delay = 0
+ 		}
+-		list := netpoll(delay) // block until new work is available
++		list, delta := netpoll(delay) // block until new work is available
+ 		atomic.Store64(&sched.pollUntil, 0)
+ 		atomic.Store64(&sched.lastpoll, uint64(nanotime()))
+ 		if faketime != 0 && list.empty() {
+@@ -2959,11 +2961,13 @@ top:
+ 		unlock(&sched.lock)
+ 		if _p_ == nil {
+ 			injectglist(&list)
++			netpollAdjustWaiters(delta)
+ 		} else {
+ 			acquirep(_p_)
+ 			if !list.empty() {
+ 				gp := list.pop()
+ 				injectglist(&list)
++				netpollAdjustWaiters(delta)
+ 				casgstatus(gp, _Gwaiting, _Grunnable)
+ 				if trace.enabled {
+ 					traceGoUnpark(gp, 0)
+@@ -2998,9 +3002,10 @@ func pollWork() bool {
+ 	if !runqempty(p) {
+ 		return true
+ 	}
+-	if netpollinited() && atomic.Load(&netpollWaiters) > 0 && sched.lastpoll != 0 {
+-		if list := netpoll(0); !list.empty() {
++	if netpollinited() && netpollAnyWaiters() && sched.lastpoll != 0 {
++		if list, delta := netpoll(0); !list.empty() {
+ 			injectglist(&list)
++			netpollAdjustWaiters(delta)
+ 			return true
+ 		}
+ 	}
+@@ -5402,7 +5407,7 @@ func sysmon() {
+ 		lastpoll := int64(atomic.Load64(&sched.lastpoll))
+ 		if netpollinited() && lastpoll != 0 && lastpoll+10*1000*1000 < now {
+ 			atomic.Cas64(&sched.lastpoll, uint64(lastpoll), uint64(now))
+-			list := netpoll(0) // non-blocking - returns list of goroutines
++			list, delta := netpoll(0) // non-blocking - returns list of goroutines
+ 			if !list.empty() {
+ 				// Need to decrement number of idle locked M's
+ 				// (pretending that one more is running) before injectglist.
+@@ -5414,6 +5419,7 @@ func sysmon() {
+ 				incidlelocked(-1)
+ 				injectglist(&list)
+ 				incidlelocked(1)
++				netpollAdjustWaiters(delta)
+ 			}
+ 		}
+ 		mDoFixup()
+-- 
+2.27.0
+

0064-Backport-net-http-update-bundled-golang.org-x-net-ht.patch

@@ -0,0 +1,88 @@
+From 7f16ae9ccc785bbffa7c64e14c5e9cb17cf2dc34 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Thu, 28 Mar 2024 16:49:40 -0700
+Subject: [PATCH] [Backport] net/http: update bundled golang.org/x/net/http2
+
+Offering: Cloud Core Network
+CVE: CVE-2023-45288
+Reference: https://go-review.googlesource.com/c/go/+/576075
+
+Disable cmd/internal/moddeps test, since this update includes PRIVATE
+track fixes.
+
+Note: The upstream does not submit this change to go1.17 according to the rules of MinorReleases.
+Corego3.x are based on go1.17.8. Therefore, it need to submit the change to corego3.x.
+
+Edited-by: machangwang m00509938
+
+Fixes CVE-2023-45288
+For #65051
+Fixes #65387
+
+Change-Id: I17da6da2fe0dd70062b49f94377875acb34829a1
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2197267
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/576075
+TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
+Commit-Queue: Dmitri Shuralyov <dmitshur@golang.org>
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Than McIntosh <thanm@google.com>
+Signed-off-by: Ma Chang Wang  machangwang@huawei.com
+---
+ src/net/http/h2_bundle.go | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
+index b87d14b6ea..29b82abb66 100644
+--- a/src/net/http/h2_bundle.go
++++ b/src/net/http/h2_bundle.go
+@@ -2842,6 +2842,7 @@ func (fr *http2Framer) readMetaFrame(hf *http2HeadersFrame) (*http2MetaHeadersFr
+ 		if size > remainSize {
+ 			hdec.SetEmitEnabled(false)
+ 			mh.Truncated = true
++			remainSize = 0
+ 			return
+ 		}
+ 		remainSize -= size
+@@ -2854,6 +2855,36 @@ func (fr *http2Framer) readMetaFrame(hf *http2HeadersFrame) (*http2MetaHeadersFr
+ 	var hc http2headersOrContinuation = hf
+ 	for {
+ 		frag := hc.HeaderBlockFragment()
++
++		// Avoid parsing large amounts of headers that we will then discard.
++		// If the sender exceeds the max header list size by too much,
++		// skip parsing the fragment and close the connection.
++		//
++		// "Too much" is either any CONTINUATION frame after we've already
++		// exceeded the max header list size (in which case remainSize is 0),
++		// or a frame whose encoded size is more than twice the remaining
++		// header list bytes we're willing to accept.
++		if int64(len(frag)) > int64(2*remainSize) {
++			if http2VerboseLogs {
++				log.Printf("http2: header list too large")
++			}
++			// It would be nice to send a RST_STREAM before sending the GOAWAY,
++			// but the struture of the server's frame writer makes this difficult.
++			return nil, http2ConnectionError(http2ErrCodeProtocol)
++		}
++
++		// Also close the connection after any CONTINUATION frame following an
++		// invalid header, since we stop tracking the size of the headers after
++		// an invalid one.
++		if invalid != nil {
++			if http2VerboseLogs {
++				log.Printf("http2: invalid header: %v", invalid)
++			}
++			// It would be nice to send a RST_STREAM before sending the GOAWAY,
++			// but the struture of the server's frame writer makes this difficult.
++			return nil, http2ConnectionError(http2ErrCodeProtocol)
++		}
++
+ 		if _, err := hdec.Write(frag); err != nil {
+ 			return nil, http2ConnectionError(http2ErrCodeCompression)
+ 		}
+-- 
+2.33.0
+

0065-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch

@@ -0,0 +1,113 @@
+From 2d5d295d8fb84ec472e6131ca00c4a5a9dcd3ad8 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Fri, 26 Apr 2024 04:09:54 +0800
+Subject: [PATCH] [Backport] cmd/go: disallow -lto_library in LDFLAGS
+CVE: CVE-2024-24787
+Reference: https://go-review.googlesource.com/c/go/+/583795
+
+The darwin linker allows setting the LTO library with the -lto_library
+flag. This wasn't caught by our "safe linker flags" check because it
+was covered by the -lx flag used for linking libraries. This change
+adds a specific check for excluded flags which otherwise satisfy our
+existing checks.
+
+Loading a mallicious LTO library would allow an attacker to cause the
+linker to execute abritrary code when "go build" was called.
+
+Thanks to Juho Forsén of Mattermost for reporting this issue.
+
+Fixes #67119
+Fixes #67121
+Fixes CVE-2024-24787
+
+Change-Id: I77ac8585efbdbdfd5f39c39ed623b9408a0f9eaf
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1380
+Reviewed-by: Russ Cox <rsc@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 9a79141fbbca1105e5c786f15e38741ca7843290)
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1401
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/583795
+Reviewed-by: David Chase <drchase@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Signed-off-by: Ma Chang Wang machangwang@huawei.com
+---
+ src/cmd/go/internal/work/security.go            | 17 ++++++++++++++---
+ .../script/darwin_lto_library_ldflag.txt        | 17 +++++++++++++++++
+ 2 files changed, 31 insertions(+), 3 deletions(-)
+ create mode 100644 src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
+
+diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
+index 91e6e4c86b..5dddff9fbc 100644
+--- a/src/cmd/go/internal/work/security.go
++++ b/src/cmd/go/internal/work/security.go
+@@ -140,6 +140,12 @@ var validCompilerFlagsWithNextArg = []string{
+ 	"-x",
+ }
+ 
++var invalidLinkerFlags = []*lazyregexp.Regexp{
++	// On macOS this means the linker loads and executes the next argument.
++	// Have to exclude separately because -lfoo is allowed in general.
++	re(`-lto_library`),
++}
++
+ var validLinkerFlags = []*lazyregexp.Regexp{
+ 	re(`-F([^@\-].*)`),
+ 	re(`-l([^@\-].*)`),
+@@ -229,14 +235,14 @@ var validLinkerFlagsWithNextArg = []string{
+ }
+ 
+ func checkCompilerFlags(name, source string, list []string) error {
+-	return checkFlags(name, source, list, validCompilerFlags, validCompilerFlagsWithNextArg)
++	return checkFlags(name, source, list, nil, validCompilerFlags, validCompilerFlagsWithNextArg)
+ }
+ 
+ func checkLinkerFlags(name, source string, list []string) error {
+-	return checkFlags(name, source, list, validLinkerFlags, validLinkerFlagsWithNextArg)
++	return checkFlags(name, source, list, invalidLinkerFlags, validLinkerFlags, validLinkerFlagsWithNextArg)
+ }
+ 
+-func checkFlags(name, source string, list []string, valid []*lazyregexp.Regexp, validNext []string) error {
++func checkFlags(name, source string, list []string, invalid, valid []*lazyregexp.Regexp, validNext []string) error {
+ 	// Let users override rules with $CGO_CFLAGS_ALLOW, $CGO_CFLAGS_DISALLOW, etc.
+ 	var (
+ 		allow    *regexp.Regexp
+@@ -266,6 +272,11 @@ Args:
+ 		if allow != nil && allow.FindString(arg) == arg {
+ 			continue Args
+ 		}
++		for _, re := range invalid {
++			if re.FindString(arg) == arg { // must be complete match
++				goto Bad
++			}
++		}
+ 		for _, re := range valid {
+ 			if re.FindString(arg) == arg { // must be complete match
+ 				continue Args
+diff --git a/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
+new file mode 100644
+index 0000000000..a079784b34
+--- /dev/null
++++ b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
+@@ -0,0 +1,17 @@
++[!darwin] skip
++[!cgo] skip
++
++! go build
++stderr 'invalid flag in #cgo LDFLAGS: -lto_library'
++
++-- go.mod --
++module ldflag
++
++-- main.go --
++package main
++
++// #cgo CFLAGS: -flto
++// #cgo LDFLAGS: -lto_library bad.dylib
++import "C"
++
++func main() {}
+\ No newline at end of file
+-- 
+2.33.0
+

0066-Backport-archive-zip-treat-truncated-EOCDR-comment-a.patch

@@ -0,0 +1,58 @@
+From c4a663363a6899c73b02b6667607619af1799e15 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 15 May 2024 05:39:10 +0800
+Subject: [PATCH] [Backport] archive/zip: treat truncated EOCDR comment as an
+ error
+
+CVE: CVE-2024-24789
+Reference: https://go-review.googlesource.com/c/go/+/588795
+
+When scanning for an end of central directory record,
+treat an EOCDR signature with a record containing a truncated
+comment as an error. Previously, we would skip over the invalid
+record and look for another one. Other implementations do not
+do this (they either consider this a hard error, or just ignore
+the truncated comment). This parser misalignment allowed
+presenting entirely different archive contents to Go programs
+and other zip decoders.
+
+For #66869
+Fixes #67553
+Fixes CVE-2024-24789
+
+Change-Id: I94e5cb028534bb5704588b8af27f1e22ea49c7c6
+Reviewed-on: https://go-review.googlesource.com/c/go/+/585397
+Reviewed-by: Joseph Tsai <joetsai@digital-static.net>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+(cherry picked from commit 33d725e5758bf1fea62e6c77fc70b57a828a49f5)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/588795
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+
+Signed-off-by: vegbir <yangjiaqi16@huawei.com>
+---
+ src/archive/zip/reader.go | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
+index e40a2c656b..987f543852 100644
+--- a/src/archive/zip/reader.go
++++ b/src/archive/zip/reader.go
+@@ -644,9 +644,13 @@ func findSignatureInBlock(b []byte) int {
+ 		if b[i] == 'P' && b[i+1] == 'K' && b[i+2] == 0x05 && b[i+3] == 0x06 {
+ 			// n is length of comment
+ 			n := int(b[i+directoryEndLen-2]) | int(b[i+directoryEndLen-1])<<8
+-			if n+directoryEndLen+i <= len(b) {
+-				return i
++			if n+directoryEndLen+i > len(b) {
++				// Truncated comment.
++				// Some parsers (such as Info-ZIP) ignore the truncated comment
++				// rather than treating it as a hard error.
++				return -1
+ 			}
++			return i
+ 		}
+ 	}
+ 	return -1
+-- 
+2.33.0

golang.spec

@@ -63,7 +63,7 @@
 
 Name:           golang
 Version:        1.17.3
-Release:        29
+Release:        34
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@@ -210,6 +210,12 @@ Patch6057:	0057-release-branch.go1.21-crypto-x509-make-sure-pub-key-.patch
 Patch6058:	0058-release-branch.go1.21-html-template-escape-additiona.patch
 Patch6059:	0059-release-branch.go1.21-net-textproto-mime-multipart-a.patch
 Patch6060:	0060-release-branch.go1.21-net-http-net-http-cookiejar-av.patch
+Patch6061:	0061-Backport-net-mail-properly-handle-special-characters.patch
+Patch6062:	0062-1.17-backport-runtime-decrement-netpollWaiters-in-ne.patch
+Patch6063:	0063-1.17-backport-runtime-adjust-netpollWaiters-after-go.patch
+Patch6064:	0064-Backport-net-http-update-bundled-golang.org-x-net-ht.patch
+Patch6065:	0065-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
+Patch6066:	0066-Backport-archive-zip-treat-truncated-EOCDR-comment-a.patch
 
 ExclusiveArch:  %{golang_arches}
 
@@ -448,6 +454,36 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 
 %changelog
+* Mon Jun 24 2024 yangjiaqi <yangjiaqi16@huawei.com> - 1.17.3-34
+- Type:CVE
+- CVE:CVE-2024-24789
+- SUG:NA
+- DESC:fix CVE-2024-24789
+
+* Mon May 27 2024 lujingxiao <lujingxiao@huawei.com> - 1.17.3-33
+- Type:CVE
+- CVE:CVE-2024-24787
+- SUG:NA
+- DESC:fix CVE-2024-24787
+
+* Tue Apr 16 2024 hanchao <hanchao63@huawei.com> - 1.17.3-32
+- Type:CVE
+- CVE:CVE-2023-45288
+- SUG:NA
+- DESC:fix CVE-2023-45288
+
+* Fri Mar 29 2024 wangshuo <wangshuo@kylinos.cn> - 1.17.3-31
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:backport the upstream patch, fix the overflow issue in runtime.netpollWaiters
+
+* Wed Mar 27 2024 hanchao <hanchao63@huawei.com> - 1.17.3-30
+- Type:CVE
+- CVE:CVE-2024-24784
+- SUG:NA
+- DESC:fix CVE-2024-24784
+
 * Wed Mar 27 2024 hanchao <hanchao63@huawei.com> - 1.17.3-29
 - Type:bugfix
 - CVE: