From cc7f90041ba5d8ae8682ef7facd6df9c880f2760 Mon Sep 17 00:00:00 2001 From: luoyujie Date: Fri, 13 Oct 2023 15:17:49 +0800 Subject: [PATCH] cvefix:fix CVE-2023-39323 --- ...pile-use-absolute-file-name-in-isCgo.patch | 177 ++++++++++++++++++ golang.spec | 9 +- 2 files changed, 185 insertions(+), 1 deletion(-) create mode 100644 0108-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch diff --git a/0108-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch b/0108-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch new file mode 100644 index 0000000..3b516b2 --- /dev/null +++ b/0108-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch @@ -0,0 +1,177 @@ +From 92f5a51debc3f483bde32ed3b812ec3906e68db1 Mon Sep 17 00:00:00 2001 +From: Ian Lance Taylor +Date: Thu, 21 Sep 2023 07:16:29 +0800 +Subject: [PATCH] [Backport] cmd/compile: use absolute file name in isCgo check + +Offering: Cloud Core Network +CVE: CVE-2023-39323 +Reference: https://go-review.googlesource.com/c/go/+/533195 + +Note: The upstream does not submit this change to go1.16 according to the rules of MinorReleases. +Corego2.x are based on go1.16.5. Therefore, it need to submit the change to corego2.x. + +Edited-by: machangwang m00509938 + +For #23672 +Updates #63211 +Fixes #63213 +Fixes CVE-2023-39323 + +Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884 +Reviewed-by: Matthew Dempsky +Reviewed-by: Roland Shoemaker +(cherry picked from commit 9b19e751918dd218035811b1ef83a8c2693b864a) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2037629 +Reviewed-by: Tatiana Bradley +Run-TryBot: Roland Shoemaker +Reviewed-by: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/go/+/533195 +Auto-Submit: Michael Pratt +Reviewed-by: Ian Lance Taylor +TryBot-Bypass: Michael Pratt +Reviewed-by: Than McIntosh +Signed-off-by: Ma Chang Wang machangwang@huawei.com +--- + misc/cgo/errors/errors_test.go | 31 +++++++++++++++++++++------- + misc/cgo/errors/testdata/err2.go | 12 +++++------ + misc/cgo/errors/testdata/err5.go | 11 ++++++++++ + src/cmd/compile/internal/gc/noder.go | 8 ++++++- + 4 files changed, 47 insertions(+), 15 deletions(-) + create mode 100644 misc/cgo/errors/testdata/err5.go + +diff --git a/misc/cgo/errors/errors_test.go b/misc/cgo/errors/errors_test.go +index 1bdf843451..33ab9d30d9 100644 +--- a/misc/cgo/errors/errors_test.go ++++ b/misc/cgo/errors/errors_test.go +@@ -21,6 +21,13 @@ func path(file string) string { + return filepath.Join("testdata", file) + } + ++func bytesCut(s, sep []byte) (before, after []byte, found bool) { ++ if i := bytes.Index(s, sep); i >= 0 { ++ return s[:i], s[i+len(sep):], true ++ } ++ return s, nil, false ++} ++ + func check(t *testing.T, file string) { + t.Run(file, func(t *testing.T) { + t.Parallel() +@@ -37,16 +44,23 @@ func check(t *testing.T, file string) { + continue + } + +- frags := bytes.SplitAfterN(line, []byte("ERROR HERE: "), 2) +- if len(frags) == 1 { +- continue ++ if _, frag, ok := bytesCut(line, []byte("ERROR HERE: ")); ok { ++ re, err := regexp.Compile(fmt.Sprintf(":%d:.*%s", i+1, frag)) ++ if err != nil { ++ t.Errorf("Invalid regexp after `ERROR HERE: `: %#q", frag) ++ continue ++ } ++ errors = append(errors, re) + } +- re, err := regexp.Compile(string(frags[1])) +- if err != nil { +- t.Errorf("Invalid regexp after `ERROR HERE: `: %#q", frags[1]) +- continue ++ ++ if _, frag, ok := bytesCut(line, []byte("ERROR MESSAGE: ")); ok { ++ re, err := regexp.Compile(string(frag)) ++ if err != nil { ++ t.Errorf("Invalid regexp after `ERROR MESSAGE: `: %#q", frag) ++ continue ++ } ++ errors = append(errors, re) + } +- errors = append(errors, re) + } + if len(errors) == 0 { + t.Fatalf("cannot find ERROR HERE") +@@ -107,6 +121,7 @@ func TestReportsTypeErrors(t *testing.T) { + for _, file := range []string{ + "err1.go", + "err2.go", ++ "err5.go", + "issue11097a.go", + "issue11097b.go", + "issue18452.go", +diff --git a/misc/cgo/errors/testdata/err2.go b/misc/cgo/errors/testdata/err2.go +index 1d22401aee..a90598fe35 100644 +--- a/misc/cgo/errors/testdata/err2.go ++++ b/misc/cgo/errors/testdata/err2.go +@@ -40,15 +40,15 @@ func main() { + C.foop = x // ERROR HERE + + // issue 13129: used to output error about C.unsignedshort with CC=clang +- var x C.ushort +- x = int(0) // ERROR HERE: C\.ushort ++ var x1 C.ushort ++ x1 = int(0) // ERROR HERE: C\.ushort + + // issue 13423 + _ = C.fopen() // ERROR HERE + + // issue 13467 +- var x rune = '✈' +- var _ rune = C.transform(x) // ERROR HERE: C\.int ++ var x2 rune = '✈' ++ var _ rune = C.transform(x2) // ERROR HERE: C\.int + + // issue 13635: used to output error about C.unsignedchar. + // This test tests all such types. +@@ -91,10 +91,10 @@ func main() { + + // issue 26745 + _ = func(i int) int { +- return C.i + 1 // ERROR HERE: :13 ++ return C.i + 1 // ERROR HERE: 14 + } + _ = func(i int) { +- C.fi(i) // ERROR HERE: :6 ++ C.fi(i) // ERROR HERE: 7 + } + + C.fi = C.fi // ERROR HERE +diff --git a/misc/cgo/errors/testdata/err5.go b/misc/cgo/errors/testdata/err5.go +new file mode 100644 +index 0000000000..c12a290d38 +--- /dev/null ++++ b/misc/cgo/errors/testdata/err5.go +@@ -0,0 +1,11 @@ ++// Copyright 2023 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++package main ++ ++//line /tmp/_cgo_.go:1 ++//go:cgo_dynamic_linker "/elf/interp" ++// ERROR MESSAGE: only allowed in cgo-generated code ++ ++func main() {} +diff --git a/src/cmd/compile/internal/gc/noder.go b/src/cmd/compile/internal/gc/noder.go +index 802aab2268..9e5ee8e572 100644 +--- a/src/cmd/compile/internal/gc/noder.go ++++ b/src/cmd/compile/internal/gc/noder.go +@@ -1618,8 +1618,14 @@ func (p *noder) pragma(pos syntax.Pos, blankLine bool, text string, old syntax.P + // contain cgo directives, and for security reasons + // (primarily misuse of linker flags), other files are not. + // See golang.org/issue/23672. ++// Note that cmd/go ignores files whose names start with underscore, ++// so the only _cgo_ files we will see from cmd/go are generated by cgo. ++// It's easy to bypass this check by calling the compiler directly; ++// we only protect against uses by cmd/go. + func isCgoGeneratedFile(pos syntax.Pos) bool { +- return strings.HasPrefix(filepath.Base(filepath.Clean(fileh(pos.Base().Filename()))), "_cgo_") ++ // We need the absolute file, independent of //line directives, ++ // so we call pos.Base().Pos(). ++ return strings.HasPrefix(filepath.Base(filepath.Clean(fileh(pos.Base().Pos().Base().Filename()))), "_cgo_") + } + + // safeArg reports whether arg is a "safe" command-line argument, +-- +2.28.0 + diff --git a/golang.spec b/golang.spec index 72918b4..50163e1 100644 --- a/golang.spec +++ b/golang.spec @@ -58,7 +58,7 @@ Name: golang Version: 1.15.7 -Release: 34 +Release: 35 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -249,6 +249,7 @@ Patch6104: 0104-Backport-crypto-tls-restrict-RSA-keys-in-certificate.patch Patch6105: 0105-Backport-net-http-permit-requests-with-invalid-Host-headers.patch Patch6106: 0106-Backport-html-template-support-HTML-like-comments-in.patch Patch6107: 0107-Backport-html-template-properly-handle-special-tags-.patch +Patch6108: 0108-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch Patch9001: 0001-drop-hard-code-cert.patch Patch9002: 0002-fix-patch-cmd-go-internal-modfetch-do-not-sho.patch @@ -488,6 +489,12 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Fri Oct 13 2023 luoyujie - 1.15.7-35 +- Type:CVE +- CVE:CVE-2023-39323 +- SUG:NA +- DESC:fix CVE-2023-39323 + * Mon Sep 25 2023 luoyujie - 1.15.7-34 - Type:CVE - CVE:CVE-2023-39318,CVE-2023-39319 -- Gitee