From 6611d964e4c6d134ed72bbad1cdf12a6469b0e02 Mon Sep 17 00:00:00 2001
From: luoyujie <luoyujie5@huawei.com>
Date: Fri, 13 Oct 2023 15:29:19 +0800
Subject: [PATCH] [Backport]fix CVE-2023-39323

---
 ...pile-use-absolute-file-name-in-isCgo.patch | 140 ++++++++++++++++++
 golang.spec                                   |   9 +-
 2 files changed, 148 insertions(+), 1 deletion(-)
 create mode 100644 0052-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch

diff --git a/0052-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch b/0052-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch
new file mode 100644
index 0000000..98e003b
--- /dev/null
+++ b/0052-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch
@@ -0,0 +1,140 @@
+From a56df8ee0ed2cd76c939f916d5f72f281f902f7c Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Thu, 21 Sep 2023 07:16:29 +0800
+Subject: [PATCH] [Backport] cmd/compile: use absolute file name in isCgo check
+
+Offering: Cloud Core Network
+CVE: CVE-2023-39323
+Reference: https://go-review.googlesource.com/c/go/+/533195
+
+Note: The upstream does not submit this change to go1.17 according to the rules of MinorReleases.
+Corego3.x are based on go1.17.8. Therefore, it need to submit the change to corego3.x.
+
+Edited-by: machangwang m00509938
+
+For #23672
+Updates #63211
+Fixes #63213
+Fixes CVE-2023-39323
+
+Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+(cherry picked from commit 9b19e751918dd218035811b1ef83a8c2693b864a)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2037629
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/533195
+Auto-Submit: Michael Pratt <mpratt@google.com>
+Reviewed-by: Ian Lance Taylor <iant@google.com>
+TryBot-Bypass: Michael Pratt <mpratt@google.com>
+Reviewed-by: Than McIntosh <thanm@google.com>
+Signed-off-by: Ma Chang Wang machangwang@huawei.com
+---
+ misc/cgo/errors/errors_test.go          | 32 ++++++++++++++++++-------
+ misc/cgo/errors/testdata/err5.go        | 11 +++++++++
+ src/cmd/compile/internal/noder/noder.go |  8 ++++++-
+ 3 files changed, 41 insertions(+), 10 deletions(-)
+ create mode 100644 misc/cgo/errors/testdata/err5.go
+
+diff --git a/misc/cgo/errors/errors_test.go b/misc/cgo/errors/errors_test.go
+index 68a30a44fe..dd60a98e8e 100644
+--- a/misc/cgo/errors/errors_test.go
++++ b/misc/cgo/errors/errors_test.go
+@@ -20,6 +20,13 @@ func path(file string) string {
+ 	return filepath.Join("testdata", file)
+ }
+ 
++func bytesCut(s, sep []byte) (before, after []byte, found bool) {
++	if i := bytes.Index(s, sep); i >= 0 {
++		return s[:i], s[i+len(sep):], true
++	}
++	return s, nil, false
++}
++
+ func check(t *testing.T, file string) {
+ 	t.Run(file, func(t *testing.T) {
+ 		t.Parallel()
+@@ -36,17 +43,23 @@ func check(t *testing.T, file string) {
+ 				continue
+ 			}
+ 
+-			frags := bytes.SplitAfterN(line, []byte("ERROR HERE: "), 2)
+-			if len(frags) == 1 {
+-				continue
++			if _, frag, ok := bytesCut(line, []byte("ERROR HERE: ")); ok {
++				re, err := regexp.Compile(fmt.Sprintf(":%d:.*%s", i+1, frag))
++				if err != nil {
++					t.Errorf("Invalid regexp after `ERROR HERE: `: %#q", frag)
++					continue
++				}
++				errors = append(errors, re)
+ 			}
+-			frag := fmt.Sprintf(":%d:.*%s", i+1, frags[1])
+-			re, err := regexp.Compile(frag)
+-			if err != nil {
+-				t.Errorf("Invalid regexp after `ERROR HERE: `: %#q", frags[1])
+-				continue
++
++			if _, frag, ok := bytesCut(line, []byte("ERROR MESSAGE: ")); ok {
++				re, err := regexp.Compile(string(frag))
++				if err != nil {
++					t.Errorf("Invalid regexp after `ERROR MESSAGE: `: %#q", frag)
++					continue
++				}
++				errors = append(errors, re)
+ 			}
+-			errors = append(errors, re)
+ 		}
+ 		if len(errors) == 0 {
+ 			t.Fatalf("cannot find ERROR HERE")
+@@ -107,6 +120,7 @@ func TestReportsTypeErrors(t *testing.T) {
+ 	for _, file := range []string{
+ 		"err1.go",
+ 		"err2.go",
++		"err5.go",
+ 		"issue11097a.go",
+ 		"issue11097b.go",
+ 		"issue18452.go",
+diff --git a/misc/cgo/errors/testdata/err5.go b/misc/cgo/errors/testdata/err5.go
+new file mode 100644
+index 0000000000..c12a290d38
+--- /dev/null
++++ b/misc/cgo/errors/testdata/err5.go
+@@ -0,0 +1,11 @@
++// Copyright 2023 The Go Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style
++// license that can be found in the LICENSE file.
++
++package main
++
++//line /tmp/_cgo_.go:1
++//go:cgo_dynamic_linker "/elf/interp"
++// ERROR MESSAGE: only allowed in cgo-generated code
++
++func main() {}
+diff --git a/src/cmd/compile/internal/noder/noder.go b/src/cmd/compile/internal/noder/noder.go
+index 5fcad096c2..b802d22bc1 100644
+--- a/src/cmd/compile/internal/noder/noder.go
++++ b/src/cmd/compile/internal/noder/noder.go
+@@ -1690,8 +1690,14 @@ func (p *noder) pragma(pos syntax.Pos, blankLine bool, text string, old syntax.P
+ // contain cgo directives, and for security reasons
+ // (primarily misuse of linker flags), other files are not.
+ // See golang.org/issue/23672.
++// Note that cmd/go ignores files whose names start with underscore,
++// so the only _cgo_ files we will see from cmd/go are generated by cgo.
++// It's easy to bypass this check by calling the compiler directly;
++// we only protect against uses by cmd/go.
+ func isCgoGeneratedFile(pos syntax.Pos) bool {
+-	return strings.HasPrefix(filepath.Base(filepath.Clean(fileh(pos.Base().Filename()))), "_cgo_")
++	// We need the absolute file, independent of //line directives,
++	// so we call pos.Base().Pos().
++	return strings.HasPrefix(filepath.Base(filepath.Clean(fileh(pos.Base().Pos().Base().Filename()))), "_cgo_")
+ }
+ 
+ // safeArg reports whether arg is a "safe" command-line argument,
+-- 
+2.28.0.windows.1
+
diff --git a/golang.spec b/golang.spec
index a86d77c..589d201 100644
--- a/golang.spec
+++ b/golang.spec
@@ -63,7 +63,7 @@
 
 Name:           golang
 Version:        1.17.3
-Release:        23
+Release:        24
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@@ -201,6 +201,7 @@ Patch6048:	0048-Backport-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.pa
 Patch6049:	0049-Backport-net-http-permit-requests-with-invalid-Host-headers.patch
 Patch6050:	0050-Backport-html-template-support-HTML-like-comments-in.patch
 Patch6051:	0051-Backport-html-template-properly-handle-special-tags-.patch
+Patch6052:	0052-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch
 
 ExclusiveArch:  %{golang_arches}
 
@@ -439,6 +440,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 
 %changelog
+* Fri Oct 13 2023 luoyujie <luoyujie5@huawei.com> - 1.17.3-24
+- Type:CVE
+- CVE:CVE-2023-39323
+- SUG:NA
+- DESC:fix CVE-2023-39323
+
 * Mon Sep 25 2023 luoyujie <luoyujie5@huawei.com> - 1.17.3-23
 - Type:CVE
 - CVE:CVE-2023-39318,CVE-2023-39319
-- 
Gitee