diff --git a/0026-net-http-fix-hijack-hang-at-abortPendingRead.patch b/0026-net-http-fix-hijack-hang-at-abortPendingRead.patch new file mode 100644 index 0000000000000000000000000000000000000000..a80c86513946fde1390b2de1a8a40ec7d266a16f --- /dev/null +++ b/0026-net-http-fix-hijack-hang-at-abortPendingRead.patch @@ -0,0 +1,59 @@ +From 78770c121e8c2315d7bdf9e66870abffdaedbe9b Mon Sep 17 00:00:00 2001 +From: jingrui +Date: Thu, 20 May 2021 09:18:27 +0800 +Subject: [PATCH] net/http: fix hijack hang at abortPendingRead + +When concurrent many http requests which need hijack the connenction, +hijack may hang at abortPendingRead() on cr.cond.Wait(). + +The read can be from readRequest() from conn.serve() or +w.conn.r.startBackgroundRead(). especially in startBackgroundRead() +which always set the deadline time.Time{}. + +This problem seems easy reproduce on arm. + +Signed-off-by: jingrui + +Conflict:NA +Reference:https://github.com/golang/go/pull/46278/commits/78770c121e8c2315d7bdf9e66870abffdaedbe9b + +--- + src/net/http/server.go | 22 +++++++++++++++++++--- + 1 file changed, 19 insertions(+), 3 deletions(-) + +diff --git a/src/net/http/server.go b/src/net/http/server.go +index 4e73508973..01e7e10011 100644 +--- a/src/net/http/server.go ++++ b/src/net/http/server.go +@@ -736,9 +736,25 @@ func (cr *connReader) abortPendingRead() { + } + cr.aborted = true + cr.conn.rwc.SetReadDeadline(aLongTimeAgo) +- for cr.inRead { +- cr.cond.Wait() +- } ++ done := make(chan struct{}) ++ go func() { ++ for cr.inRead { ++ cr.cond.Wait() ++ } ++ close(done) ++ }() ++ ++ func() { ++ for { ++ select { ++ case <-done: ++ return ++ case <-time.After(100*time.Millisecond): ++ cr.conn.rwc.SetReadDeadline(aLongTimeAgo) ++ } ++ } ++ }() ++ + cr.conn.rwc.SetReadDeadline(time.Time{}) + } + +-- +2.27.0 + diff --git a/0027-release-branch.go1.15-std-update-golang.org-x-net-to.patch b/0027-release-branch.go1.15-std-update-golang.org-x-net-to.patch new file mode 100644 index 0000000000000000000000000000000000000000..e225222580fd07daa4f6ee6dabb4de9962975e3b --- /dev/null +++ b/0027-release-branch.go1.15-std-update-golang.org-x-net-to.patch @@ -0,0 +1,97 @@ +From a69dc2bbc96ffea5f90aa0fa64cdccc6226f70b3 Mon Sep 17 00:00:00 2001 +From: chenjiankun +Date: Fri, 2 Jul 2021 17:19:00 +0800 +Subject: [PATCH] [PATCH 38/44] [release-branch.go1.15] std: update + golang.org/x/net to 20210428183841-261fb518b1ed + +Steps: + go get -d golang.org/x/net@release-branch.go1.15 + go mod tidy + go mod vendor + +This http2 bundle does not need to be updated. + +Fixes #45711 + +Change-Id: I085ca592dfc8d5d9c328a7979142e88e7130a813 +Reviewed-on: https://go-review.googlesource.com/c/go/+/314790 +Trust: Katie Hockman +Run-TryBot: Katie Hockman +Reviewed-by: Dmitri Shuralyov + +Conflict:NA +Reference:https://github.com/golang/go/commit/5aed4ce3c854bdbbb6dd5c1ccfa15c23d4b6c989 +--- + src/go.mod | 2 +- + src/go.sum | 4 ++-- + src/vendor/golang.org/x/net/http/httpguts/httplex.go | 11 +++++++---- + src/vendor/modules.txt | 2 +- + 4 files changed, 11 insertions(+), 8 deletions(-) + +diff --git a/src/go.mod b/src/go.mod +index 9c9026f..979f88e 100644 +--- a/src/go.mod ++++ b/src/go.mod +@@ -4,7 +4,7 @@ go 1.12 + + require ( + golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68 +- golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 ++ golang.org/x/net v0.0.0-20210428183841-261fb518b1ed + golang.org/x/sys v0.0.0-20190529130038-5219a1e1c5f8 // indirect + golang.org/x/text v0.3.2 // indirect + ) +diff --git a/src/go.sum b/src/go.sum +index e408f66..8bdf9ee 100644 +--- a/src/go.sum ++++ b/src/go.sum +@@ -2,8 +2,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk + golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68 h1:WPLCzSEbawp58wezcvLvLnvhiDJAai54ESbc41NdXS0= + golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= + golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +-golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 h1:fHDIZ2oxGnUZRN6WgWFCbYBjH9uqVPRCUVUDhs0wnbA= +-golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= ++golang.org/x/net v0.0.0-20210428183841-261fb518b1ed h1:aunM0N/jnRHvQgZo3kYkfaAGet2kIMFOPIbopG5BhYw= ++golang.org/x/net v0.0.0-20210428183841-261fb518b1ed/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= + golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= + golang.org/x/sys v0.0.0-20190529130038-5219a1e1c5f8 h1:2WjIC11WRITGlVWmyLXKjzIVj1ZwoWZ//tadeUUV6/o= +diff --git a/src/vendor/golang.org/x/net/http/httpguts/httplex.go b/src/vendor/golang.org/x/net/http/httpguts/httplex.go +index e7de24e..54e1102 100644 +--- a/src/vendor/golang.org/x/net/http/httpguts/httplex.go ++++ b/src/vendor/golang.org/x/net/http/httpguts/httplex.go +@@ -137,11 +137,14 @@ func trimOWS(x string) string { + // contains token amongst its comma-separated tokens, ASCII + // case-insensitively. + func headerValueContainsToken(v string, token string) bool { +- v = trimOWS(v) +- if comma := strings.IndexByte(v, ','); comma != -1 { +- return tokenEqual(trimOWS(v[:comma]), token) || headerValueContainsToken(v[comma+1:], token) ++ ++ for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') { ++ if tokenEqual(trimOWS(v[:comma]), token) { ++ return true ++ } ++ v = v[comma+1:] + } +- return tokenEqual(v, token) ++ return tokenEqual(trimOWS(v), token) + } + + // lowerASCII returns the ASCII lowercase version of b. +diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt +index cff8acd..b665ce0 100644 +--- a/src/vendor/modules.txt ++++ b/src/vendor/modules.txt +@@ -7,7 +7,7 @@ golang.org/x/crypto/hkdf + golang.org/x/crypto/internal/chacha20 + golang.org/x/crypto/internal/subtle + golang.org/x/crypto/poly1305 +-# golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 ++# golang.org/x/net v0.0.0-20210428183841-261fb518b1ed + golang.org/x/net/dns/dnsmessage + golang.org/x/net/http/httpguts + golang.org/x/net/http/httpproxy +-- +2.27.0 + diff --git a/0028-release-branch.go1.15-net-verify-results-from-Lookup.patch b/0028-release-branch.go1.15-net-verify-results-from-Lookup.patch new file mode 100644 index 0000000000000000000000000000000000000000..ea2d49a5a00c984bcce7cb4080ba525b38b961eb --- /dev/null +++ b/0028-release-branch.go1.15-net-verify-results-from-Lookup.patch @@ -0,0 +1,375 @@ +From 31d60cda1f58b7558fc5725d2b9e4531655d980e Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Thu, 27 May 2021 10:40:06 -0700 +Subject: [PATCH] [release-branch.go1.15] net: verify results from Lookup* are + valid domain names + +For the methods LookupCNAME, LookupSRV, LookupMX, LookupNS, and +LookupAddr check that the returned domain names are in fact valid DNS +names using the existing isDomainName function. + +Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for +reporting this issue. + +Updates #46241 +Fixes #46356 +Fixes CVE-2021-33195 + +Conflict:NA +Reference:https://github.com/golang/go/commit/31d60cda1f58b7558fc5725d2b9e4531655d980e + +Change-Id: I47a4f58c031cb752f732e88bbdae7f819f0af4f3 +Reviewed-on: https://go-review.googlesource.com/c/go/+/323131 +Trust: Roland Shoemaker +Run-TryBot: Roland Shoemaker +TryBot-Result: Go Bot +Reviewed-by: Filippo Valsorda +Reviewed-by: Katie Hockman +(cherry picked from commit cdcd02842da7c004efd023881e3719105209c908) +Reviewed-on: https://go-review.googlesource.com/c/go/+/323269 +--- + src/net/dnsclient_unix_test.go | 157 +++++++++++++++++++++++++++++++++ + src/net/lookup.go | 111 ++++++++++++++++++++--- + 2 files changed, 255 insertions(+), 13 deletions(-) + +diff --git a/src/net/dnsclient_unix_test.go b/src/net/dnsclient_unix_test.go +index 06553636ee..819f20b887 100644 +--- a/src/net/dnsclient_unix_test.go ++++ b/src/net/dnsclient_unix_test.go +@@ -1799,3 +1799,160 @@ func TestPTRandNonPTR(t *testing.T) { + t.Errorf("names = %q; want %q", names, want) + } + } ++ ++func TestCVE202133195(t *testing.T) { ++ fake := fakeDNSServer{ ++ rh: func(n, _ string, q dnsmessage.Message, _ time.Time) (dnsmessage.Message, error) { ++ r := dnsmessage.Message{ ++ Header: dnsmessage.Header{ ++ ID: q.Header.ID, ++ Response: true, ++ RCode: dnsmessage.RCodeSuccess, ++ RecursionAvailable: true, ++ }, ++ Questions: q.Questions, ++ } ++ switch q.Questions[0].Type { ++ case dnsmessage.TypeCNAME: ++ r.Answers = []dnsmessage.Resource{} ++ case dnsmessage.TypeA: // CNAME lookup uses a A/AAAA as a proxy ++ r.Answers = append(r.Answers, ++ dnsmessage.Resource{ ++ Header: dnsmessage.ResourceHeader{ ++ Name: dnsmessage.MustNewName(".golang.org."), ++ Type: dnsmessage.TypeA, ++ Class: dnsmessage.ClassINET, ++ Length: 4, ++ }, ++ Body: &dnsmessage.AResource{ ++ A: TestAddr, ++ }, ++ }, ++ ) ++ case dnsmessage.TypeSRV: ++ n := q.Questions[0].Name ++ if n.String() == "_hdr._tcp.golang.org." { ++ n = dnsmessage.MustNewName(".golang.org.") ++ } ++ r.Answers = append(r.Answers, ++ dnsmessage.Resource{ ++ Header: dnsmessage.ResourceHeader{ ++ Name: n, ++ Type: dnsmessage.TypeSRV, ++ Class: dnsmessage.ClassINET, ++ Length: 4, ++ }, ++ Body: &dnsmessage.SRVResource{ ++ Target: dnsmessage.MustNewName(".golang.org."), ++ }, ++ }, ++ ) ++ case dnsmessage.TypeMX: ++ r.Answers = append(r.Answers, ++ dnsmessage.Resource{ ++ Header: dnsmessage.ResourceHeader{ ++ Name: dnsmessage.MustNewName(".golang.org."), ++ Type: dnsmessage.TypeMX, ++ Class: dnsmessage.ClassINET, ++ Length: 4, ++ }, ++ Body: &dnsmessage.MXResource{ ++ MX: dnsmessage.MustNewName(".golang.org."), ++ }, ++ }, ++ ) ++ case dnsmessage.TypeNS: ++ r.Answers = append(r.Answers, ++ dnsmessage.Resource{ ++ Header: dnsmessage.ResourceHeader{ ++ Name: dnsmessage.MustNewName(".golang.org."), ++ Type: dnsmessage.TypeNS, ++ Class: dnsmessage.ClassINET, ++ Length: 4, ++ }, ++ Body: &dnsmessage.NSResource{ ++ NS: dnsmessage.MustNewName(".golang.org."), ++ }, ++ }, ++ ) ++ case dnsmessage.TypePTR: ++ r.Answers = append(r.Answers, ++ dnsmessage.Resource{ ++ Header: dnsmessage.ResourceHeader{ ++ Name: dnsmessage.MustNewName(".golang.org."), ++ Type: dnsmessage.TypePTR, ++ Class: dnsmessage.ClassINET, ++ Length: 4, ++ }, ++ Body: &dnsmessage.PTRResource{ ++ PTR: dnsmessage.MustNewName(".golang.org."), ++ }, ++ }, ++ ) ++ } ++ return r, nil ++ }, ++ } ++ ++ r := Resolver{PreferGo: true, Dial: fake.DialContext} ++ // Change the default resolver to match our manipulated resolver ++ originalDefault := DefaultResolver ++ DefaultResolver = &r ++ defer func() { ++ DefaultResolver = originalDefault ++ }() ++ ++ _, err := r.LookupCNAME(context.Background(), "golang.org") ++ if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("Resolver.LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ _, err = LookupCNAME("golang.org") ++ if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ ++ _, _, err = r.LookupSRV(context.Background(), "target", "tcp", "golang.org") ++ if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ _, _, err = LookupSRV("target", "tcp", "golang.org") ++ if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ ++ _, _, err = r.LookupSRV(context.Background(), "hdr", "tcp", "golang.org") ++ if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ _, _, err = LookupSRV("hdr", "tcp", "golang.org") ++ if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ ++ _, err = r.LookupMX(context.Background(), "golang.org") ++ if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("Resolver.LookupMX returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ _, err = LookupMX("golang.org") ++ if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("LookupMX returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ ++ _, err = r.LookupNS(context.Background(), "golang.org") ++ if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("Resolver.LookupNS returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ _, err = LookupNS("golang.org") ++ if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("LookupNS returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ ++ _, err = r.LookupAddr(context.Background(), "1.2.3.4") ++ if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("Resolver.LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ _, err = LookupAddr("1.2.3.4") ++ if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++} +diff --git a/src/net/lookup.go b/src/net/lookup.go +index 5f7119872a..0660268249 100644 +--- a/src/net/lookup.go ++++ b/src/net/lookup.go +@@ -389,8 +389,11 @@ func (r *Resolver) LookupPort(ctx context.Context, network, service string) (por + // LookupCNAME does not return an error if host does not + // contain DNS "CNAME" records, as long as host resolves to + // address records. ++// ++// The returned canonical name is validated to be a properly ++// formatted presentation-format domain name. + func LookupCNAME(host string) (cname string, err error) { +- return DefaultResolver.lookupCNAME(context.Background(), host) ++ return DefaultResolver.LookupCNAME(context.Background(), host) + } + + // LookupCNAME returns the canonical name for the given host. +@@ -403,8 +406,18 @@ func LookupCNAME(host string) (cname string, err error) { + // LookupCNAME does not return an error if host does not + // contain DNS "CNAME" records, as long as host resolves to + // address records. +-func (r *Resolver) LookupCNAME(ctx context.Context, host string) (cname string, err error) { +- return r.lookupCNAME(ctx, host) ++// ++// The returned canonical name is validated to be a properly ++// formatted presentation-format domain name. ++func (r *Resolver) LookupCNAME(ctx context.Context, host string) (string, error) { ++ cname, err := r.lookupCNAME(ctx, host) ++ if err != nil { ++ return "", err ++ } ++ if !isDomainName(cname) { ++ return "", &DNSError{Err: "CNAME target is invalid", Name: host} ++ } ++ return cname, nil + } + + // LookupSRV tries to resolve an SRV query of the given service, +@@ -416,8 +429,11 @@ func (r *Resolver) LookupCNAME(ctx context.Context, host string) (cname string, + // That is, it looks up _service._proto.name. To accommodate services + // publishing SRV records under non-standard names, if both service + // and proto are empty strings, LookupSRV looks up name directly. ++// ++// The returned service names are validated to be properly ++// formatted presentation-format domain names. + func LookupSRV(service, proto, name string) (cname string, addrs []*SRV, err error) { +- return DefaultResolver.lookupSRV(context.Background(), service, proto, name) ++ return DefaultResolver.LookupSRV(context.Background(), service, proto, name) + } + + // LookupSRV tries to resolve an SRV query of the given service, +@@ -429,28 +445,82 @@ func LookupSRV(service, proto, name string) (cname string, addrs []*SRV, err err + // That is, it looks up _service._proto.name. To accommodate services + // publishing SRV records under non-standard names, if both service + // and proto are empty strings, LookupSRV looks up name directly. +-func (r *Resolver) LookupSRV(ctx context.Context, service, proto, name string) (cname string, addrs []*SRV, err error) { +- return r.lookupSRV(ctx, service, proto, name) ++// ++// The returned service names are validated to be properly ++// formatted presentation-format domain names. ++func (r *Resolver) LookupSRV(ctx context.Context, service, proto, name string) (string, []*SRV, error) { ++ cname, addrs, err := r.lookupSRV(ctx, service, proto, name) ++ if err != nil { ++ return "", nil, err ++ } ++ if cname != "" && !isDomainName(cname) { ++ return "", nil, &DNSError{Err: "SRV header name is invalid", Name: name} ++ } ++ for _, addr := range addrs { ++ if addr == nil { ++ continue ++ } ++ if !isDomainName(addr.Target) { ++ return "", nil, &DNSError{Err: "SRV target is invalid", Name: name} ++ } ++ } ++ return cname, addrs, nil + } + + // LookupMX returns the DNS MX records for the given domain name sorted by preference. ++// ++// The returned mail server names are validated to be properly ++// formatted presentation-format domain names. + func LookupMX(name string) ([]*MX, error) { +- return DefaultResolver.lookupMX(context.Background(), name) ++ return DefaultResolver.LookupMX(context.Background(), name) + } + + // LookupMX returns the DNS MX records for the given domain name sorted by preference. ++// ++// The returned mail server names are validated to be properly ++// formatted presentation-format domain names. + func (r *Resolver) LookupMX(ctx context.Context, name string) ([]*MX, error) { +- return r.lookupMX(ctx, name) ++ records, err := r.lookupMX(ctx, name) ++ if err != nil { ++ return nil, err ++ } ++ for _, mx := range records { ++ if mx == nil { ++ continue ++ } ++ if !isDomainName(mx.Host) { ++ return nil, &DNSError{Err: "MX target is invalid", Name: name} ++ } ++ } ++ return records, nil + } + + // LookupNS returns the DNS NS records for the given domain name. ++// ++// The returned name server names are validated to be properly ++// formatted presentation-format domain names. + func LookupNS(name string) ([]*NS, error) { +- return DefaultResolver.lookupNS(context.Background(), name) ++ return DefaultResolver.LookupNS(context.Background(), name) + } + + // LookupNS returns the DNS NS records for the given domain name. ++// ++// The returned name server names are validated to be properly ++// formatted presentation-format domain names. + func (r *Resolver) LookupNS(ctx context.Context, name string) ([]*NS, error) { +- return r.lookupNS(ctx, name) ++ records, err := r.lookupNS(ctx, name) ++ if err != nil { ++ return nil, err ++ } ++ for _, ns := range records { ++ if ns == nil { ++ continue ++ } ++ if !isDomainName(ns.Host) { ++ return nil, &DNSError{Err: "NS target is invalid", Name: name} ++ } ++ } ++ return records, nil + } + + // LookupTXT returns the DNS TXT records for the given domain name. +@@ -466,14 +536,29 @@ func (r *Resolver) LookupTXT(ctx context.Context, name string) ([]string, error) + // LookupAddr performs a reverse lookup for the given address, returning a list + // of names mapping to that address. + // ++// The returned names are validated to be properly formatted presentation-format ++// domain names. ++// + // When using the host C library resolver, at most one result will be + // returned. To bypass the host resolver, use a custom Resolver. + func LookupAddr(addr string) (names []string, err error) { +- return DefaultResolver.lookupAddr(context.Background(), addr) ++ return DefaultResolver.LookupAddr(context.Background(), addr) + } + + // LookupAddr performs a reverse lookup for the given address, returning a list + // of names mapping to that address. +-func (r *Resolver) LookupAddr(ctx context.Context, addr string) (names []string, err error) { +- return r.lookupAddr(ctx, addr) ++// ++// The returned names are validated to be properly formatted presentation-format ++// domain names. ++func (r *Resolver) LookupAddr(ctx context.Context, addr string) ([]string, error) { ++ names, err := r.lookupAddr(ctx, addr) ++ if err != nil { ++ return nil, err ++ } ++ for _, name := range names { ++ if !isDomainName(name) { ++ return nil, &DNSError{Err: "PTR target is invalid", Name: addr} ++ } ++ } ++ return names, nil + } +-- +2.27.0 + diff --git a/0029-archive-zip-remove-unused-special-case.patch b/0029-archive-zip-remove-unused-special-case.patch new file mode 100644 index 0000000000000000000000000000000000000000..7b141f88ee9215c8d5b93bb90ada1da53bae9b0f --- /dev/null +++ b/0029-archive-zip-remove-unused-special-case.patch @@ -0,0 +1,81 @@ +From 483d6d99256b3c486e0c99106e232b4909938328 Mon Sep 17 00:00:00 2001 +From: Andrew Gerrand +Date: Fri, 31 May 2019 22:00:42 +1000 +Subject: [PATCH] archive/zip: remove unused special case + +This removes a special case that was added to fix issue #10956, but that +was never actually effective. The code in the test case still fails to +read, so perhaps the zip64 support added in CL 6463050 inadvertently +caught this particular case. + +It's possible that the original theorized bug still exists, but I'm not +convinced it was ever fixed. + +Update #28700 + +Change-Id: I4854de616364510f64a6def30b308686563f8dbb +Reviewed-on: https://go-review.googlesource.com/c/go/+/179757 +Run-TryBot: Brad Fitzpatrick +TryBot-Result: Gobot Gobot +Reviewed-by: Brad Fitzpatrick + +Conflict:NA +Reference:https://github.com/golang/go/commit/483d6d99256b3c486e0c99106e232b4909938328 + +--- + src/archive/zip/reader.go | 4 ---- + src/archive/zip/reader_test.go | 12 +++++++----- + 2 files changed, 7 insertions(+), 9 deletions(-) + +diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go +index 2260b398c3..13ff9ddcf4 100644 +--- a/src/archive/zip/reader.go ++++ b/src/archive/zip/reader.go +@@ -8,7 +8,6 @@ import ( + "bufio" + "encoding/binary" + "errors" +- "fmt" + "hash" + "hash/crc32" + "io" +@@ -84,9 +83,6 @@ func (z *Reader) init(r io.ReaderAt, size int64) error { + if err != nil { + return err + } +- if end.directoryRecords > uint64(size)/fileHeaderLen { +- return fmt.Errorf("archive/zip: TOC declares impossible %d files in %d byte zip", end.directoryRecords, size) +- } + z.r = r + z.File = make([]*File, 0, end.directoryRecords) + z.Comment = end.comment +diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go +index 6b3f2f33bb..328559cc7d 100644 +--- a/src/archive/zip/reader_test.go ++++ b/src/archive/zip/reader_test.go +@@ -981,15 +981,17 @@ func TestIssue10957(t *testing.T) { + } + } + +-// Verify the number of files is sane. ++// Verify that this particular malformed zip file is rejected. + func TestIssue10956(t *testing.T) { + data := []byte("PK\x06\x06PK\x06\a0000\x00\x00\x00\x00\x00\x00\x00\x00" + + "0000PK\x05\x06000000000000" + + "0000\v\x00000\x00\x00\x00\x00\x00\x00\x000") +- _, err := NewReader(bytes.NewReader(data), int64(len(data))) +- const want = "TOC declares impossible 3472328296227680304 files in 57 byte" +- if err == nil && !strings.Contains(err.Error(), want) { +- t.Errorf("error = %v; want %q", err, want) ++ r, err := NewReader(bytes.NewReader(data), int64(len(data))) ++ if err == nil { ++ t.Errorf("got nil error, want ErrFormat") ++ } ++ if r != nil { ++ t.Errorf("got non-nil Reader, want nil") + } + } + +-- +2.27.0 + diff --git a/0030-release-branch.go1.15-archive-zip-only-preallocate-F.patch b/0030-release-branch.go1.15-archive-zip-only-preallocate-F.patch new file mode 100644 index 0000000000000000000000000000000000000000..4be111d1da11b2b4ec2b0df989003944e307ee00 --- /dev/null +++ b/0030-release-branch.go1.15-archive-zip-only-preallocate-F.patch @@ -0,0 +1,130 @@ +From c92adf420a3d9a5510f9aea382d826f0c9216a10 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Tue, 11 May 2021 11:31:31 -0700 +Subject: [PATCH] [release-branch.go1.15] archive/zip: only preallocate File + slice if reasonably sized + +Since the number of files in the EOCD record isn't validated, it isn't +safe to preallocate Reader.Files using that field. A malformed archive +can indicate it contains up to 1 << 128 - 1 files. We can still safely +preallocate the slice by checking if the specified number of files in +the archive is reasonable, given the size of the archive. + +Thanks to the OSS-Fuzz project for discovering this issue and to +Emmanuel Odeke for reporting it. + +Updates #46242 +Fixes #46396 +Fixes CVE-2021-33196 + +Conflict:NA +Reference:https://github.com/golang/go/commit/c92adf420a3d9a5510f9aea382d826f0c9216a10 + +Change-Id: I3c76d8eec178468b380d87fdb4a3f2cb06f0ee76 +Reviewed-on: https://go-review.googlesource.com/c/go/+/318909 +Trust: Roland Shoemaker +Trust: Katie Hockman +Trust: Joe Tsai +Run-TryBot: Roland Shoemaker +TryBot-Result: Go Bot +Reviewed-by: Katie Hockman +Reviewed-by: Joe Tsai +(cherry picked from commit 74242baa4136c7a9132a8ccd9881354442788c8c) +Reviewed-on: https://go-review.googlesource.com/c/go/+/322949 +Reviewed-by: Filippo Valsorda +--- + src/archive/zip/reader.go | 10 +++++- + src/archive/zip/reader_test.go | 59 ++++++++++++++++++++++++++++++++++ + 2 files changed, 68 insertions(+), 1 deletion(-) + +diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go +index 13ff9ddcf4..2d5151af3d 100644 +--- a/src/archive/zip/reader.go ++++ b/src/archive/zip/reader.go +@@ -84,7 +84,15 @@ func (z *Reader) init(r io.ReaderAt, size int64) error { + return err + } + z.r = r +- z.File = make([]*File, 0, end.directoryRecords) ++ // Since the number of directory records is not validated, it is not ++ // safe to preallocate z.File without first checking that the specified ++ // number of files is reasonable, since a malformed archive may ++ // indicate it contains up to 1 << 128 - 1 files. Since each file has a ++ // header which will be _at least_ 30 bytes we can safely preallocate ++ // if (data size / 30) >= end.directoryRecords. ++ if (uint64(size)-end.directorySize)/30 >= end.directoryRecords { ++ z.File = make([]*File, 0, end.directoryRecords) ++ } + z.Comment = end.comment + rs := io.NewSectionReader(r, 0, size) + if _, err = rs.Seek(int64(end.directoryOffset), io.SeekStart); err != nil { +diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go +index adca87a8b3..6f67d2e4a9 100644 +--- a/src/archive/zip/reader_test.go ++++ b/src/archive/zip/reader_test.go +@@ -1070,3 +1070,62 @@ func TestIssue12449(t *testing.T) { + t.Errorf("Error reading the archive: %v", err) + } + } ++ ++func TestCVE202133196(t *testing.T) { ++ // Archive that indicates it has 1 << 128 -1 files, ++ // this would previously cause a panic due to attempting ++ // to allocate a slice with 1 << 128 -1 elements. ++ data := []byte{ ++ 0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x08, 0x08, ++ 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x02, ++ 0x03, 0x62, 0x61, 0x65, 0x03, 0x04, 0x00, 0x00, ++ 0xff, 0xff, 0x50, 0x4b, 0x07, 0x08, 0xbe, 0x20, ++ 0x5c, 0x6c, 0x09, 0x00, 0x00, 0x00, 0x03, 0x00, ++ 0x00, 0x00, 0x50, 0x4b, 0x01, 0x02, 0x14, 0x00, ++ 0x14, 0x00, 0x08, 0x08, 0x08, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0xbe, 0x20, 0x5c, 0x6c, 0x09, 0x00, ++ 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x03, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x01, 0x02, 0x03, 0x50, 0x4b, 0x06, 0x06, 0x2c, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, ++ 0x00, 0x2d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, ++ 0xff, 0xff, 0xff, 0x31, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x50, 0x4b, 0x06, 0x07, 0x00, ++ 0x00, 0x00, 0x00, 0x6b, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50, ++ 0x4b, 0x05, 0x06, 0x00, 0x00, 0x00, 0x00, 0xff, ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, ++ 0xff, 0xff, 0xff, 0x00, 0x00, ++ } ++ _, err := NewReader(bytes.NewReader(data), int64(len(data))) ++ if err != ErrFormat { ++ t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat) ++ } ++ ++ // Also check that an archive containing a handful of empty ++ // files doesn't cause an issue ++ b := bytes.NewBuffer(nil) ++ w := NewWriter(b) ++ for i := 0; i < 5; i++ { ++ _, err := w.Create("") ++ if err != nil { ++ t.Fatalf("Writer.Create failed: %s", err) ++ } ++ } ++ if err := w.Close(); err != nil { ++ t.Fatalf("Writer.Close failed: %s", err) ++ } ++ r, err := NewReader(bytes.NewReader(b.Bytes()), int64(b.Len())) ++ if err != nil { ++ t.Fatalf("NewReader failed: %s", err) ++ } ++ if len(r.File) != 5 { ++ t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File)) ++ } ++} +-- +2.27.0 + diff --git a/0031-release-branch.go1.15-net-http-httputil-always-remov.patch b/0031-release-branch.go1.15-net-http-httputil-always-remov.patch new file mode 100644 index 0000000000000000000000000000000000000000..b55ff982f11c441640c15f217ebc2bcde2edd27e --- /dev/null +++ b/0031-release-branch.go1.15-net-http-httputil-always-remov.patch @@ -0,0 +1,73 @@ +From cbd1ca84453fecf3825a6bb9f985823e8bc32b76 Mon Sep 17 00:00:00 2001 +From: Filippo Valsorda +Date: Fri, 21 May 2021 14:02:30 -0400 +Subject: [PATCH] [release-branch.go1.15] net/http/httputil: always remove + hop-by-hop headers + +Previously, we'd fail to remove the Connection header from a request +like this: + + Connection: + Connection: x-header + +Updates #46313 +Fixes #46314 +Fixes CVE-2021-33197 + +Change-Id: Ie3009e926ceecfa86dfa6bcc6fe14ff01086be7d +Reviewed-on: https://go-review.googlesource.com/c/go/+/321929 +Run-TryBot: Filippo Valsorda +Reviewed-by: Katie Hockman +Trust: Katie Hockman +Trust: Filippo Valsorda +TryBot-Result: Go Bot +Reviewed-on: https://go-review.googlesource.com/c/go/+/323091 +Run-TryBot: Katie Hockman + +Conflict:NA +Reference:https://github.com/golang/go/commit/cbd1ca84453fecf3825a6bb9f985823e8bc32b76 + +--- + src/net/http/httputil/reverseproxy.go | 22 ++++---- + src/net/http/httputil/reverseproxy_test.go | 63 +++++++++++++++++++++- + 2 files changed, 70 insertions(+), 15 deletions(-) + +diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go +index 3f48fab544..f49cefbb4f 100644 +--- a/src/net/http/httputil/reverseproxy.go ++++ b/src/net/http/httputil/reverseproxy.go +@@ -248,22 +248,18 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) { + // important is "Connection" because we want a persistent + // connection, regardless of what the client sent to us. + for _, h := range hopHeaders { +- hv := outreq.Header.Get(h) +- if hv == "" { +- continue +- } +- if h == "Te" && hv == "trailers" { +- // Issue 21096: tell backend applications that +- // care about trailer support that we support +- // trailers. (We do, but we don't go out of +- // our way to advertise that unless the +- // incoming client request thought it was +- // worth mentioning) +- continue +- } + outreq.Header.Del(h) + } + ++ // Issue 21096: tell backend applications that care about trailer support ++ // that we support trailers. (We do, but we don't go out of our way to ++ // advertise that unless the incoming client request thought it was worth ++ // mentioning.) Note that we look at req.Header, not outreq.Header, since ++ // the latter has passed through removeConnectionHeaders. ++ if httpguts.HeaderValuesContainsToken(req.Header["Te"], "trailers") { ++ outreq.Header.Set("Te", "trailers") ++ } ++ + // After stripping all the hop-by-hop connection headers above, add back any + // necessary for protocol upgrades, such as for websockets. + if reqUpType != "" { +-- +2.27.0 + diff --git a/0032-release-branch.go1.15-math-big-check-for-excessive-e.patch b/0032-release-branch.go1.15-math-big-check-for-excessive-e.patch new file mode 100644 index 0000000000000000000000000000000000000000..745e88c108dea4440ca1aaf5798c81e37d7ab99e --- /dev/null +++ b/0032-release-branch.go1.15-math-big-check-for-excessive-e.patch @@ -0,0 +1,114 @@ +From df9ce19db6df32d94eae8760927bdfbc595433c3 Mon Sep 17 00:00:00 2001 +From: Robert Griesemer +Date: Sun, 2 May 2021 11:27:03 -0700 +Subject: [PATCH] [release-branch.go1.15] math/big: check for excessive + exponents in Rat.SetString + +Found by OSS-Fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33284 + +Thanks to Emmanuel Odeke for reporting this issue. + +Updates #45910 +Fixes #46305 +Fixes CVE-2021-33198 + +Change-Id: I61e7b04dbd80343420b57eede439e361c0f7b79c +Reviewed-on: https://go-review.googlesource.com/c/go/+/316149 +Trust: Robert Griesemer +Trust: Katie Hockman +Run-TryBot: Robert Griesemer +TryBot-Result: Go Bot +Reviewed-by: Katie Hockman +Reviewed-by: Emmanuel Odeke +(cherry picked from commit 6c591f79b0b5327549bd4e94970f7a279efb4ab0) +Reviewed-on: https://go-review.googlesource.com/c/go/+/321831 +Run-TryBot: Katie Hockman +Reviewed-by: Roland Shoemaker + +Conflict:NA +Reference:https://github.com/golang/go/commit/df9ce19db6df32d94eae8760927bdfbc595433c3 + +--- + src/math/big/ratconv.go | 15 ++++++++------- + src/math/big/ratconv_test.go | 25 +++++++++++++++++++++++++ + 2 files changed, 33 insertions(+), 7 deletions(-) + +diff --git a/src/math/big/ratconv.go b/src/math/big/ratconv.go +index 941139e72d..ac3c8bd11f 100644 +--- a/src/math/big/ratconv.go ++++ b/src/math/big/ratconv.go +@@ -51,7 +51,8 @@ func (z *Rat) Scan(s fmt.ScanState, ch rune) error { + // An optional base-10 ``e'' or base-2 ``p'' (or their upper-case variants) + // exponent may be provided as well, except for hexadecimal floats which + // only accept an (optional) ``p'' exponent (because an ``e'' or ``E'' cannot +-// be distinguished from a mantissa digit). ++// be distinguished from a mantissa digit). If the exponent's absolute value ++// is too large, the operation may fail. + // The entire string, not just a prefix, must be valid for success. If the + // operation failed, the value of z is undefined but the returned value is nil. + func (z *Rat) SetString(s string) (*Rat, bool) { +@@ -169,6 +170,9 @@ func (z *Rat) SetString(s string) (*Rat, bool) { + if n < 0 { + n = -n + } ++ if n > 1e6 { ++ return nil, false // avoid excessively large exponents ++ } + pow5 := z.b.abs.expNN(natFive, nat(nil).setWord(Word(n)), nil) // use underlying array of z.b.abs + if exp5 > 0 { + z.a.abs = z.a.abs.mul(z.a.abs, pow5) +@@ -181,15 +185,12 @@ func (z *Rat) SetString(s string) (*Rat, bool) { + } + + // apply exp2 contributions ++ if exp2 < -1e7 || exp2 > 1e7 { ++ return nil, false // avoid excessively large exponents ++ } + if exp2 > 0 { +- if int64(uint(exp2)) != exp2 { +- panic("exponent too large") +- } + z.a.abs = z.a.abs.shl(z.a.abs, uint(exp2)) + } else if exp2 < 0 { +- if int64(uint(-exp2)) != -exp2 { +- panic("exponent too large") +- } + z.b.abs = z.b.abs.shl(z.b.abs, uint(-exp2)) + } + +diff --git a/src/math/big/ratconv_test.go b/src/math/big/ratconv_test.go +index ba0d1ba9e1..15d206cb38 100644 +--- a/src/math/big/ratconv_test.go ++++ b/src/math/big/ratconv_test.go +@@ -589,3 +589,28 @@ func TestIssue31184(t *testing.T) { + } + } + } ++ ++func TestIssue45910(t *testing.T) { ++ var x Rat ++ for _, test := range []struct { ++ input string ++ want bool ++ }{ ++ {"1e-1000001", false}, ++ {"1e-1000000", true}, ++ {"1e+1000000", true}, ++ {"1e+1000001", false}, ++ ++ {"0p1000000000000", true}, ++ {"1p-10000001", false}, ++ {"1p-10000000", true}, ++ {"1p+10000000", true}, ++ {"1p+10000001", false}, ++ {"1.770p02041010010011001001", false}, // test case from issue ++ } { ++ _, got := x.SetString(test.input) ++ if got != test.want { ++ t.Errorf("SetString(%s) got ok = %v; want %v", test.input, got, test.want) ++ } ++ } ++} +-- +2.27.0 + diff --git a/0033-release-branch.go1.15-crypto-tls-test-key-type-when-.patch b/0033-release-branch.go1.15-crypto-tls-test-key-type-when-.patch new file mode 100644 index 0000000000000000000000000000000000000000..e946b5d0067d3e30d5be1c2f6fab9b2fe06d8e76 --- /dev/null +++ b/0033-release-branch.go1.15-crypto-tls-test-key-type-when-.patch @@ -0,0 +1,53 @@ +From c77980bc077f3774276ab2deba78d8e6bfe4b3bd Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Wed, 9 Jun 2021 11:31:27 -0700 +Subject: [PATCH] [release-branch.go1.15] crypto/tls: test key type when + casting + +When casting the certificate public key in generateClientKeyExchange, +check the type is appropriate. This prevents a panic when a server +agrees to a RSA based key exchange, but then sends an ECDSA (or +other) certificate. + +Updates #47143 +Fixes #47144 +Fixes CVE-2021-34558 + +Thanks to Imre Rad for reporting this issue. + +Change-Id: Iabccacca6052769a605cccefa1216a9f7b7f6aea +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1116723 +Reviewed-by: Filippo Valsorda +Reviewed-by: Katie Hockman +Reviewed-on: https://go-review.googlesource.com/c/go/+/334030 +Trust: Filippo Valsorda +Run-TryBot: Filippo Valsorda +Reviewed-by: Dmitri Shuralyov + +Conflict:NA +Reference:https://github.com/golang/go/commit/c77980bc077f3774276ab2deba78d8e6bfe4b3bd + +--- + src/crypto/tls/key_agreement.go | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/crypto/tls/key_agreement.go b/src/crypto/tls/key_agreement.go +index 7e6534bd46..22f1b2e1f2 100644 +--- a/src/crypto/tls/key_agreement.go ++++ b/src/crypto/tls/key_agreement.go +@@ -67,7 +67,11 @@ func (ka rsaKeyAgreement) generateClientKeyExchange(config *Config, clientHello + return nil, nil, err + } + +- encrypted, err := rsa.EncryptPKCS1v15(config.rand(), cert.PublicKey.(*rsa.PublicKey), preMasterSecret) ++ rsaKey, ok := cert.PublicKey.(*rsa.PublicKey) ++ if !ok { ++ return nil, nil, errors.New("tls: server certificate contains incorrect key type for selected ciphersuite") ++ } ++ encrypted, err := rsa.EncryptPKCS1v15(config.rand(), rsaKey, preMasterSecret) + if err != nil { + return nil, nil, err + } +-- +2.27.0 + diff --git a/0034-net-reject-leading-zeros-in-IP-address-parsers.patch b/0034-net-reject-leading-zeros-in-IP-address-parsers.patch new file mode 100644 index 0000000000000000000000000000000000000000..57c4d064e222bbdd3699c7cc51af59ecedbd6506 --- /dev/null +++ b/0034-net-reject-leading-zeros-in-IP-address-parsers.patch @@ -0,0 +1,124 @@ +From d3e3d03666bbd8784007bbb78a75864aac786967 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Mon, 7 Jun 2021 10:21:29 -0700 +Subject: [PATCH] net: reject leading zeros in IP address parsers + +In both net.ParseIP and net.ParseCIDR reject leading zeros in the +dot-decimal notation of IPv4 addresses. + +Fixes #30999 +Fixes #43389 + +Change-Id: I2b6a31fe84db89ac828cf5ed03eaa586ee96ab68 +Reviewed-on: https://go-review.googlesource.com/c/go/+/325829 +Trust: Roland Shoemaker +Trust: Katie Hockman +Run-TryBot: Roland Shoemaker +Reviewed-by: Filippo Valsorda +Reviewed-by: Katie Hockman +TryBot-Result: Go Bot + +Conflict:NA +Reference:https://github.com/golang/go/commit/d3e3d03666bbd8784007bbb78a75864aac786967 + +--- + src/net/hosts_test.go | 4 ++-- + src/net/ip.go | 4 ++++ + src/net/ip_test.go | 8 ++++++-- + src/net/testdata/ipv4-hosts | 8 ++------ + 5 files changed, 24 insertions(+), 10 deletions(-) + + +diff --git a/src/net/hosts_test.go b/src/net/hosts_test.go +index f850e2fccf..19c43999f9 100644 +--- a/src/net/hosts_test.go ++++ b/src/net/hosts_test.go +@@ -36,7 +36,7 @@ var lookupStaticHostTests = []struct { + }, + }, + { +- "testdata/ipv4-hosts", // see golang.org/issue/8996 ++ "testdata/ipv4-hosts", + []staticHostEntry{ + {"localhost", []string{"127.0.0.1", "127.0.0.2", "127.0.0.3"}}, + {"localhost.localdomain", []string{"127.0.0.3"}}, +@@ -102,7 +102,7 @@ var lookupStaticAddrTests = []struct { + }, + }, + { +- "testdata/ipv4-hosts", // see golang.org/issue/8996 ++ "testdata/ipv4-hosts", + []staticHostEntry{ + {"127.0.0.1", []string{"localhost"}}, + {"127.0.0.2", []string{"localhost"}}, +diff --git a/src/net/ip.go b/src/net/ip.go +index 0477269761..38e1aa2247 100644 +--- a/src/net/ip.go ++++ b/src/net/ip.go +@@ -574,6 +574,10 @@ func parseIPv4(s string) IP { + if !ok || n > 0xFF { + return nil + } ++ if c > 1 && s[0] == '0' { ++ // Reject non-zero components with leading zeroes. ++ return nil ++ } + s = s[c:] + p[i] = byte(n) + } +diff --git a/src/net/ip_test.go b/src/net/ip_test.go +index 3af5e41ceb..5bbda6024d 100644 +--- a/src/net/ip_test.go ++++ b/src/net/ip_test.go +@@ -21,9 +21,7 @@ var parseIPTests = []struct { + }{ + {"127.0.1.2", IPv4(127, 0, 1, 2)}, + {"127.0.0.1", IPv4(127, 0, 0, 1)}, +- {"127.001.002.003", IPv4(127, 1, 2, 3)}, + {"::ffff:127.1.2.3", IPv4(127, 1, 2, 3)}, +- {"::ffff:127.001.002.003", IPv4(127, 1, 2, 3)}, + {"::ffff:7f01:0203", IPv4(127, 1, 2, 3)}, + {"0:0:0:0:0000:ffff:127.1.2.3", IPv4(127, 1, 2, 3)}, + {"0:0:0:0:000000:ffff:127.1.2.3", IPv4(127, 1, 2, 3)}, +@@ -43,6 +41,11 @@ var parseIPTests = []struct { + {"fe80::1%911", nil}, + {"", nil}, + {"a1:a2:a3:a4::b1:b2:b3:b4", nil}, // Issue 6628 ++ {"127.001.002.003", nil}, ++ {"::ffff:127.001.002.003", nil}, ++ {"123.000.000.000", nil}, ++ {"1.2..4", nil}, ++ {"0123.0.0.1", nil}, + } + + func TestParseIP(t *testing.T) { +@@ -358,6 +361,7 @@ var parseCIDRTests = []struct { + {"0.0.-2.0/32", nil, nil, &ParseError{Type: "CIDR address", Text: "0.0.-2.0/32"}}, + {"0.0.0.-3/32", nil, nil, &ParseError{Type: "CIDR address", Text: "0.0.0.-3/32"}}, + {"0.0.0.0/-0", nil, nil, &ParseError{Type: "CIDR address", Text: "0.0.0.0/-0"}}, ++ {"127.000.000.001/32", nil, nil, &ParseError{Type: "CIDR address", Text: "127.000.000.001/32"}}, + {"", nil, nil, &ParseError{Type: "CIDR address", Text: ""}}, + } + +diff --git a/src/net/testdata/ipv4-hosts b/src/net/testdata/ipv4-hosts +index 5208bb44ac..6b99675dfc 100644 +--- a/src/net/testdata/ipv4-hosts ++++ b/src/net/testdata/ipv4-hosts +@@ -1,12 +1,8 @@ + # See https://tools.ietf.org/html/rfc1123. +-# +-# The literal IPv4 address parser in the net package is a relaxed +-# one. It may accept a literal IPv4 address in dotted-decimal notation +-# with leading zeros such as "001.2.003.4". + + # internet address and host name + 127.0.0.1 localhost # inline comment separated by tab +-127.000.000.002 localhost # inline comment separated by space ++127.0.0.2 localhost # inline comment separated by space + + # internet address, host name and aliases +-127.000.000.003 localhost localhost.localdomain ++127.0.0.3 localhost localhost.localdomain +-- +2.27.0 + diff --git a/0035-release-branch.go1.16-misc-wasm-cmd-link-do-not-let-.patch b/0035-release-branch.go1.16-misc-wasm-cmd-link-do-not-let-.patch new file mode 100644 index 0000000000000000000000000000000000000000..093d3a834124d3691606b1726d773f88a62073b8 --- /dev/null +++ b/0035-release-branch.go1.16-misc-wasm-cmd-link-do-not-let-.patch @@ -0,0 +1,92 @@ +From 4548fcc8dfd933c237f29bba6f90040a85922564 Mon Sep 17 00:00:00 2001 +From: Michael Knyszek +Date: Thu, 2 Sep 2021 16:51:59 -0400 +Subject: [PATCH] [release-branch.go1.16] misc/wasm, cmd/link: do not let + command line args overwrite global data + +On Wasm, wasm_exec.js puts command line arguments at the beginning +of the linear memory (following the "zero page"). Currently there +is no limit for this, and a very long command line can overwrite +the program's data section. Prevent this by limiting the command +line to 4096 bytes, and in the linker ensuring the data section +starts at a high enough address (8192). + +(Arguably our address assignment on Wasm is a bit confusing. This +is the minimum fix I can come up with.) + +Thanks to Ben Lubar for reporting this issue. + +Change by Cherry Mui . + +For #48797 +Fixes #48799 +Fixes CVE-2021-38297 + +Change-Id: I0f50fbb2a5b6d0d047e3c134a88988d9133e4ab3 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1205933 +Reviewed-by: Roland Shoemaker +Reviewed-by: Than McIntosh +Reviewed-on: https://go-review.googlesource.com/c/go/+/354591 +Trust: Michael Knyszek +Reviewed-by: Heschi Kreinick + +Conflict:src/cmd/link/internal/ld/data.go +Reference:https://github.com/golang/go/commit/4548fcc8dfd933c237f29bba6f90040a85922564 +--- + misc/wasm/wasm_exec.js | 7 +++++++ + src/cmd/link/internal/ld/data.go | 11 ++++++++++- + 2 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/misc/wasm/wasm_exec.js b/misc/wasm/wasm_exec.js +index 82041e6bb9..a0a264278b 100644 +--- a/misc/wasm/wasm_exec.js ++++ b/misc/wasm/wasm_exec.js +@@ -564,6 +564,13 @@ + offset += 8; + }); + ++ // The linker guarantees global data starts from at least wasmMinDataAddr. ++ // Keep in sync with cmd/link/internal/ld/data.go:wasmMinDataAddr. ++ const wasmMinDataAddr = 4096 + 4096; ++ if (offset >= wasmMinDataAddr) { ++ throw new Error("command line too long"); ++ } ++ + this._inst.exports.run(argc, argv); + if (this.exited) { + this._resolveExitPromise(); +diff --git a/src/cmd/link/internal/ld/data.go b/src/cmd/link/internal/ld/data.go +index 52035e9630..54a1d188cd 100644 +--- a/src/cmd/link/internal/ld/data.go ++++ b/src/cmd/link/internal/ld/data.go +@@ -2330,6 +2330,11 @@ func assignAddress(ctxt *Link, sect *sym.Section, n int, s loader.Sym, va uint64 + return sect, n, va + } + ++// On Wasm, we reserve 4096 bytes for zero page, then 4096 bytes for wasm_exec.js ++// to store command line args. Data sections starts from at least address 8192. ++// Keep in sync with wasm_exec.js. ++const wasmMinDataAddr = 4096 + 4096 ++ + // address assigns virtual addresses to all segments and sections and + // returns all segments in file order. + func (ctxt *Link) address() []*sym.Segment { +@@ -2339,10 +2344,14 @@ func (ctxt *Link) address() []*sym.Segment { + order = append(order, &Segtext) + Segtext.Rwx = 05 + Segtext.Vaddr = va +- for _, s := range Segtext.Sections { ++ for i, s := range Segtext.Sections { + va = uint64(Rnd(int64(va), int64(s.Align))) + s.Vaddr = va + va += s.Length ++ ++ if ctxt.Arch.Family == sys.Wasm && i == 0 && va < wasmMinDataAddr { ++ va = wasmMinDataAddr ++ } + } + + Segtext.Length = va - uint64(*FlagTextAddr) +-- +2.27.0 + diff --git a/0036-net-http-httputil-close-incoming-ReverseProxy-reques.patch b/0036-net-http-httputil-close-incoming-ReverseProxy-reques.patch new file mode 100644 index 0000000000000000000000000000000000000000..0c471e57f634b303b739e6a197484bd59bdb0e21 --- /dev/null +++ b/0036-net-http-httputil-close-incoming-ReverseProxy-reques.patch @@ -0,0 +1,53 @@ +From b7a85e0003cedb1b48a1fd3ae5b746ec6330102e Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Wed, 7 Jul 2021 16:34:34 -0700 +Subject: [PATCH] net/http/httputil: close incoming ReverseProxy request body + +Reading from an incoming request body after the request handler aborts +with a panic can cause a panic, becuse http.Server does not (contrary +to its documentation) close the request body in this case. + +Always close the incoming request body in ReverseProxy.ServeHTTP to +ensure that any in-flight outgoing requests using the body do not +read from it. + +Updates #46866 +Fixes CVE-2021-36221 + +Change-Id: I310df269200ad8732c5d9f1a2b00de68725831df +Reviewed-on: https://go-review.googlesource.com/c/go/+/333191 +Trust: Damien Neil +Reviewed-by: Brad Fitzpatrick +Reviewed-by: Filippo Valsorda + +Conflict:src/net/http/httputil/reverseproxy.go +Reference:https://github.com/golang/go/commit/b7a85e0003cedb1b48a1fd3ae5b746ec6330102e + +--- + src/net/http/httputil/reverseproxy.go | 9 +++++ + src/net/http/httputil/reverseproxy_test.go | 39 ++++++++++++++++++++++ + 2 files changed, 48 insertions(+) + +diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go +index 5d39955d62..8b63368386 100644 +--- a/src/net/http/httputil/reverseproxy.go ++++ b/src/net/http/httputil/reverseproxy.go +@@ -235,6 +235,15 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) { + if req.ContentLength == 0 { + outreq.Body = nil // Issue 16036: nil Body for http.Transport retries + } ++ if outreq.Body != nil { ++ // Reading from the request body after returning from a handler is not ++ // allowed, and the RoundTrip goroutine that reads the Body can outlive ++ // this handler. This can lead to a crash if the handler panics (see ++ // Issue 46866). Although calling Close doesn't guarantee there isn't ++ // any Read in flight after the handle returns, in practice it's safe to ++ // read after closing it. ++ defer outreq.Body.Close() ++ } + if outreq.Header == nil { + outreq.Header = make(http.Header) // Issue 33142: historical behavior was to always allocate + } +-- +2.27.0 + diff --git a/golang.spec b/golang.spec index b285328f792777a0444a0675ddc9e82e96ad33ba..67b66e623d448203ec8c35ca81a690a2f6fbe7a6 100644 --- a/golang.spec +++ b/golang.spec @@ -62,7 +62,7 @@ Name: golang Version: 1.13.15 -Release: 5 +Release: 6 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -164,6 +164,17 @@ Patch6022: 0022-fix-CVE-2020-29509-CVE-2020-29511.patch Patch6023: 0023-fix-CVE-2020-29510.patch Patch6024: 0024-crypto-elliptic-fix-P-224-field-reduction.patch Patch6025: 0025-fix-CVE-2021-27918.patch +Patch6026: 0026-net-http-fix-hijack-hang-at-abortPendingRead.patch +Patch6027: 0027-release-branch.go1.15-std-update-golang.org-x-net-to.patch +Patch6028: 0028-release-branch.go1.15-net-verify-results-from-Lookup.patch +Patch6029: 0029-archive-zip-remove-unused-special-case.patch +Patch6030: 0030-release-branch.go1.15-archive-zip-only-preallocate-F.patch +Patch6031: 0031-release-branch.go1.15-net-http-httputil-always-remov.patch +Patch6032: 0032-release-branch.go1.15-math-big-check-for-excessive-e.patch +Patch6033: 0033-release-branch.go1.15-crypto-tls-test-key-type-when-.patch +Patch6034: 0034-net-reject-leading-zeros-in-IP-address-parsers.patch +Patch6035: 0035-release-branch.go1.16-misc-wasm-cmd-link-do-not-let-.patch +Patch6036: 0036-net-http-httputil-close-incoming-ReverseProxy-reques.patch ExclusiveArch: %{golang_arches} @@ -397,6 +408,9 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Thu Nov 2 2021 chenjiankun - 1.13.15-6 +- fix hijack, CVE-2021-31525,CVE-2021-33195,CVE-2021-33196,CVE-2021-33197,CVE-2021-33198,CVE-2021-34558,CVE-2021-29923,CVE-2021-38297,CVE-2021-36221 + * Thu Apr 17 2021 chenjiankun - 1.13.15-5 - fix CVE-2021-27918