diff --git a/0108-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch b/0108-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch new file mode 100644 index 0000000000000000000000000000000000000000..3b516b2be204584a34723a2ed817fe189be906cf --- /dev/null +++ b/0108-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch @@ -0,0 +1,177 @@ +From 92f5a51debc3f483bde32ed3b812ec3906e68db1 Mon Sep 17 00:00:00 2001 +From: Ian Lance Taylor +Date: Thu, 21 Sep 2023 07:16:29 +0800 +Subject: [PATCH] [Backport] cmd/compile: use absolute file name in isCgo check + +Offering: Cloud Core Network +CVE: CVE-2023-39323 +Reference: https://go-review.googlesource.com/c/go/+/533195 + +Note: The upstream does not submit this change to go1.16 according to the rules of MinorReleases. +Corego2.x are based on go1.16.5. Therefore, it need to submit the change to corego2.x. + +Edited-by: machangwang m00509938 + +For #23672 +Updates #63211 +Fixes #63213 +Fixes CVE-2023-39323 + +Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884 +Reviewed-by: Matthew Dempsky +Reviewed-by: Roland Shoemaker +(cherry picked from commit 9b19e751918dd218035811b1ef83a8c2693b864a) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2037629 +Reviewed-by: Tatiana Bradley +Run-TryBot: Roland Shoemaker +Reviewed-by: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/go/+/533195 +Auto-Submit: Michael Pratt +Reviewed-by: Ian Lance Taylor +TryBot-Bypass: Michael Pratt +Reviewed-by: Than McIntosh +Signed-off-by: Ma Chang Wang machangwang@huawei.com +--- + misc/cgo/errors/errors_test.go | 31 +++++++++++++++++++++------- + misc/cgo/errors/testdata/err2.go | 12 +++++------ + misc/cgo/errors/testdata/err5.go | 11 ++++++++++ + src/cmd/compile/internal/gc/noder.go | 8 ++++++- + 4 files changed, 47 insertions(+), 15 deletions(-) + create mode 100644 misc/cgo/errors/testdata/err5.go + +diff --git a/misc/cgo/errors/errors_test.go b/misc/cgo/errors/errors_test.go +index 1bdf843451..33ab9d30d9 100644 +--- a/misc/cgo/errors/errors_test.go ++++ b/misc/cgo/errors/errors_test.go +@@ -21,6 +21,13 @@ func path(file string) string { + return filepath.Join("testdata", file) + } + ++func bytesCut(s, sep []byte) (before, after []byte, found bool) { ++ if i := bytes.Index(s, sep); i >= 0 { ++ return s[:i], s[i+len(sep):], true ++ } ++ return s, nil, false ++} ++ + func check(t *testing.T, file string) { + t.Run(file, func(t *testing.T) { + t.Parallel() +@@ -37,16 +44,23 @@ func check(t *testing.T, file string) { + continue + } + +- frags := bytes.SplitAfterN(line, []byte("ERROR HERE: "), 2) +- if len(frags) == 1 { +- continue ++ if _, frag, ok := bytesCut(line, []byte("ERROR HERE: ")); ok { ++ re, err := regexp.Compile(fmt.Sprintf(":%d:.*%s", i+1, frag)) ++ if err != nil { ++ t.Errorf("Invalid regexp after `ERROR HERE: `: %#q", frag) ++ continue ++ } ++ errors = append(errors, re) + } +- re, err := regexp.Compile(string(frags[1])) +- if err != nil { +- t.Errorf("Invalid regexp after `ERROR HERE: `: %#q", frags[1]) +- continue ++ ++ if _, frag, ok := bytesCut(line, []byte("ERROR MESSAGE: ")); ok { ++ re, err := regexp.Compile(string(frag)) ++ if err != nil { ++ t.Errorf("Invalid regexp after `ERROR MESSAGE: `: %#q", frag) ++ continue ++ } ++ errors = append(errors, re) + } +- errors = append(errors, re) + } + if len(errors) == 0 { + t.Fatalf("cannot find ERROR HERE") +@@ -107,6 +121,7 @@ func TestReportsTypeErrors(t *testing.T) { + for _, file := range []string{ + "err1.go", + "err2.go", ++ "err5.go", + "issue11097a.go", + "issue11097b.go", + "issue18452.go", +diff --git a/misc/cgo/errors/testdata/err2.go b/misc/cgo/errors/testdata/err2.go +index 1d22401aee..a90598fe35 100644 +--- a/misc/cgo/errors/testdata/err2.go ++++ b/misc/cgo/errors/testdata/err2.go +@@ -40,15 +40,15 @@ func main() { + C.foop = x // ERROR HERE + + // issue 13129: used to output error about C.unsignedshort with CC=clang +- var x C.ushort +- x = int(0) // ERROR HERE: C\.ushort ++ var x1 C.ushort ++ x1 = int(0) // ERROR HERE: C\.ushort + + // issue 13423 + _ = C.fopen() // ERROR HERE + + // issue 13467 +- var x rune = '✈' +- var _ rune = C.transform(x) // ERROR HERE: C\.int ++ var x2 rune = '✈' ++ var _ rune = C.transform(x2) // ERROR HERE: C\.int + + // issue 13635: used to output error about C.unsignedchar. + // This test tests all such types. +@@ -91,10 +91,10 @@ func main() { + + // issue 26745 + _ = func(i int) int { +- return C.i + 1 // ERROR HERE: :13 ++ return C.i + 1 // ERROR HERE: 14 + } + _ = func(i int) { +- C.fi(i) // ERROR HERE: :6 ++ C.fi(i) // ERROR HERE: 7 + } + + C.fi = C.fi // ERROR HERE +diff --git a/misc/cgo/errors/testdata/err5.go b/misc/cgo/errors/testdata/err5.go +new file mode 100644 +index 0000000000..c12a290d38 +--- /dev/null ++++ b/misc/cgo/errors/testdata/err5.go +@@ -0,0 +1,11 @@ ++// Copyright 2023 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++package main ++ ++//line /tmp/_cgo_.go:1 ++//go:cgo_dynamic_linker "/elf/interp" ++// ERROR MESSAGE: only allowed in cgo-generated code ++ ++func main() {} +diff --git a/src/cmd/compile/internal/gc/noder.go b/src/cmd/compile/internal/gc/noder.go +index 802aab2268..9e5ee8e572 100644 +--- a/src/cmd/compile/internal/gc/noder.go ++++ b/src/cmd/compile/internal/gc/noder.go +@@ -1618,8 +1618,14 @@ func (p *noder) pragma(pos syntax.Pos, blankLine bool, text string, old syntax.P + // contain cgo directives, and for security reasons + // (primarily misuse of linker flags), other files are not. + // See golang.org/issue/23672. ++// Note that cmd/go ignores files whose names start with underscore, ++// so the only _cgo_ files we will see from cmd/go are generated by cgo. ++// It's easy to bypass this check by calling the compiler directly; ++// we only protect against uses by cmd/go. + func isCgoGeneratedFile(pos syntax.Pos) bool { +- return strings.HasPrefix(filepath.Base(filepath.Clean(fileh(pos.Base().Filename()))), "_cgo_") ++ // We need the absolute file, independent of //line directives, ++ // so we call pos.Base().Pos(). ++ return strings.HasPrefix(filepath.Base(filepath.Clean(fileh(pos.Base().Pos().Base().Filename()))), "_cgo_") + } + + // safeArg reports whether arg is a "safe" command-line argument, +-- +2.28.0 + diff --git a/0109-CVE-2023-39325-and-CVE-2023-44487-net-http-regenerate-h2_bundle.go.patch b/0109-CVE-2023-39325-and-CVE-2023-44487-net-http-regenerate-h2_bundle.go.patch new file mode 100644 index 0000000000000000000000000000000000000000..3590f908686f53dfd271fd97e65e4115f2554346 --- /dev/null +++ b/0109-CVE-2023-39325-and-CVE-2023-44487-net-http-regenerate-h2_bundle.go.patch @@ -0,0 +1,150 @@ +From caffd20df66f326bdbce11a7b3b92d583ed8d05c Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Sat, 7 Oct 2023 05:16:27 +0800 +Subject: [PATCH] [Backport] net/http: regenerate h2_bundle.go + +Offering: Cloud Core Network +CVE: CVE-2023-39325 +Reference: https://go-review.googlesource.com/c/go/+/534255 + +Pull in a security fix from x/net/http2: +http2: limit maximum handler goroutines to MaxConcurrentStreamso + +Note: The upstream does not submit this change to go1.16 according to the rules of MinorReleases. +Corego2.x are based on go1.16.5. Therefore, it need to submit the change to corego2.x. + +Edited-by: machangwang m00509938 + +For #63417 +Fixes #63426 +Fixes CVE-2023-39325 + +Change-Id: I6e32397323cd9b4114c990fcc9d19557a7f5f619 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047401 +Reviewed-by: Tatiana Bradley +TryBot-Result: Security TryBots +Run-TryBot: Damien Neil +Reviewed-by: Ian Cottrell +Reviewed-on: https://go-review.googlesource.com/c/go/+/534255 +Reviewed-by: Dmitri Shuralyov +Reviewed-by: Damien Neil +TryBot-Bypass: Dmitri Shuralyov +Reviewed-by: Michael Pratt +Auto-Submit: Dmitri Shuralyov +Signed-off-by: Ma Chang Wang machangwang@huawei.com + +Conflict: NA +Reference: https://open.codehub.huawei.com/OpenSourceCenter/golang/go/merge_requests/109 +--- + src/net/http/h2_bundle.go | 62 +++++++++++++++++++++++++++++++++++++-- + 1 file changed, 60 insertions(+), 2 deletions(-) + +diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go +index 0528cf6e31..480a5326d6 100644 +--- a/src/net/http/h2_bundle.go ++++ b/src/net/http/h2_bundle.go +@@ -4088,9 +4088,11 @@ type http2serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*http2stream ++ unstartedHandlers []http2unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + headerTableSize uint32 +@@ -4475,6 +4477,8 @@ func (sc *http2serverConn) serve() { + return + case http2gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case http2handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -4520,6 +4524,7 @@ var ( + http2idleTimerMsg = new(http2serverMessage) + http2shutdownTimerMsg = new(http2serverMessage) + http2gracefulShutdownMsg = new(http2serverMessage) ++ http2handlerDoneMsg = new(http2serverMessage) + ) + + func (sc *http2serverConn) onSettingsTimer() { sc.sendServeMsg(http2settingsTimerMsg) } +@@ -5466,8 +5471,7 @@ func (sc *http2serverConn) processHeaders(f *http2MetaHeadersFrame) error { + sc.conn.SetReadDeadline(time.Time{}) + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (st *http2stream) processTrailerHeaders(f *http2MetaHeadersFrame) error { +@@ -5714,8 +5718,62 @@ func (sc *http2serverConn) newWriterAndRequestNoBody(st *http2stream, rp http2re + return rw, req, nil + } + ++type http2unstartedHandler struct { ++ streamID uint32 ++ rw *http2responseWriter ++ req *Request ++ handler func(ResponseWriter, *Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *http2serverConn) scheduleHandler(streamID uint32, rw *http2responseWriter, req *Request, handler func(ResponseWriter, *Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return http2ConnectionError(http2ErrCodeEnhanceYourCalm) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, http2unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *http2serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = http2unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *http2serverConn) runHandler(rw *http2responseWriter, req *Request, handler func(ResponseWriter, *Request)) { ++ defer sc.sendServeMsg(http2handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.27.0 + diff --git a/golang.spec b/golang.spec index 72918b47ec782556cedf05131dcc7dda6e62c88b..8e6f3e08f6134df519b74abcb2b35859cda694a9 100644 --- a/golang.spec +++ b/golang.spec @@ -58,7 +58,7 @@ Name: golang Version: 1.15.7 -Release: 34 +Release: 36 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -249,6 +249,8 @@ Patch6104: 0104-Backport-crypto-tls-restrict-RSA-keys-in-certificate.patch Patch6105: 0105-Backport-net-http-permit-requests-with-invalid-Host-headers.patch Patch6106: 0106-Backport-html-template-support-HTML-like-comments-in.patch Patch6107: 0107-Backport-html-template-properly-handle-special-tags-.patch +Patch6108: 0108-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch +Patch6109: 0109-CVE-2023-39325-and-CVE-2023-44487-net-http-regenerate-h2_bundle.go.patch Patch9001: 0001-drop-hard-code-cert.patch Patch9002: 0002-fix-patch-cmd-go-internal-modfetch-do-not-sho.patch @@ -488,6 +490,18 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Sat Oct 28 2023 hanchao - 1.15.7-36 +- Type:CVE +- CVE:CVE-2023-39325 +- SUG:NA +- DESC:fix CVE-2023-39325 + +* Fri Oct 13 2023 luoyujie - 1.15.7-35 +- Type:CVE +- CVE:CVE-2023-39323 +- SUG:NA +- DESC:fix CVE-2023-39323 + * Mon Sep 25 2023 luoyujie - 1.15.7-34 - Type:CVE - CVE:CVE-2023-39318,CVE-2023-39319