From f97af1c646d3ca4436552194e1f9875efcd035d5 Mon Sep 17 00:00:00 2001
From: hanchao <hanchao47@huawei.com>
Date: Mon, 16 May 2022 15:29:26 +0800
Subject: [PATCH 1/2] fix CVE-2021-44717

Conflict: NA
Score: 4.8
Reference: https://go-review.googlesource.com/c/go/+/370534
Reason: fix CVE-2021-44717

Signed-off-by: hanchao <hanchao47@huawei.com>
---
 ...o1.17-syscall-fix-ForkLock-spurious-.patch | 79 +++++++++++++++++++
 golang.spec                                   | 10 ++-
 2 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 0003-release-branch.go1.17-syscall-fix-ForkLock-spurious-.patch

diff --git a/0003-release-branch.go1.17-syscall-fix-ForkLock-spurious-.patch b/0003-release-branch.go1.17-syscall-fix-ForkLock-spurious-.patch
new file mode 100644
index 0000000..64aee69
--- /dev/null
+++ b/0003-release-branch.go1.17-syscall-fix-ForkLock-spurious-.patch
@@ -0,0 +1,79 @@
+From e7aab832069d06d77e04a585803dfdb04453253a Mon Sep 17 00:00:00 2001
+From: Russ Cox <rsc@golang.org>
+Date: Wed, 8 Dec 2021 18:05:11 -0500
+Subject: [PATCH] [release-branch.go1.17] syscall: fix ForkLock spurious
+ close(0) on pipe failure
+
+Pipe (and therefore forkLockPipe) does not make any guarantees
+about the state of p after a failed Pipe(p). Avoid that assumption
+and the too-clever goto, so that we don't accidentally Close a real fd
+if the failed pipe leaves p[0] or p[1] set >= 0.
+
+Updates #50057
+Fixes CVE-2021-44717
+
+Change-Id: Iff8e19a6efbba0c73cc8b13ecfae381c87600bb4
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1291270
+Reviewed-by: Ian Lance Taylor <iant@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/370534
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Alex Rakoczy <alex@golang.org>
+---
+ src/syscall/exec_unix.go | 20 ++++++--------------
+ 1 file changed, 6 insertions(+), 14 deletions(-)
+
+diff --git a/src/syscall/exec_unix.go b/src/syscall/exec_unix.go
+index 54b18dccd7..c9c9d1abf3 100644
+--- a/src/syscall/exec_unix.go
++++ b/src/syscall/exec_unix.go
+@@ -153,9 +153,6 @@ func forkExec(argv0 string, argv []string, attr *ProcAttr) (pid int, err error)
+ 		sys = &zeroSysProcAttr
+ 	}
+ 
+-	p[0] = -1
+-	p[1] = -1
+-
+ 	// Convert args to C form.
+ 	argv0p, err := BytePtrFromString(argv0)
+ 	if err != nil {
+@@ -205,14 +202,17 @@ func forkExec(argv0 string, argv []string, attr *ProcAttr) (pid int, err error)
+ 
+ 	// Allocate child status pipe close on exec.
+ 	if err = forkExecPipe(p[:]); err != nil {
+-		goto error
++		ForkLock.Unlock()
++		return 0, err
+ 	}
+ 
+ 	// Kick off child.
+ 	pid, err1 = forkAndExecInChild(argv0p, argvp, envvp, chroot, dir, attr, sys, p[1])
+ 	if err1 != 0 {
+-		err = Errno(err1)
+-		goto error
++		Close(p[0])
++		Close(p[1])
++		ForkLock.Unlock()
++		return 0, Errno(err1)
+ 	}
+ 	ForkLock.Unlock()
+ 
+@@ -244,14 +244,6 @@ func forkExec(argv0 string, argv []string, attr *ProcAttr) (pid int, err error)
+ 
+ 	// Read got EOF, so pipe closed on exec, so exec succeeded.
+ 	return pid, nil
+-
+-error:
+-	if p[0] >= 0 {
+-		Close(p[0])
+-		Close(p[1])
+-	}
+-	ForkLock.Unlock()
+-	return 0, err
+ }
+ 
+ // Combination of fork and exec, careful to be thread safe.
+-- 
+2.30.0
+
diff --git a/golang.spec b/golang.spec
index cb23b1a..2e4a58c 100644
--- a/golang.spec
+++ b/golang.spec
@@ -66,7 +66,7 @@
 
 Name:           golang
 Version:        1.17.3
-Release:        2
+Release:        3
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@@ -155,6 +155,7 @@ Requires:       openEuler-rpm-config
 
 Patch6001:      0001-release-branch.go1.17-crypto-elliptic-tolerate-zero-.patch
 Patch6002:      0002-release-branch.go1.17-encoding-pem-fix-stack-overflo.patch
+Patch6003:      0003-release-branch.go1.17-syscall-fix-ForkLock-spurious-.patch
 
 ExclusiveArch:  %{golang_arches}
 
@@ -389,6 +390,13 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 
 %changelog
+* Fri May 6 2022 hanchao <hanchao47@huawei.com> - 1.17.3-2
+- Type:CVE
+- CVE:CVE-2021-44717
+- SUG:NA
+- DESC:fix CVE-2021-44717
+- fix CVE-2021-44717
+
 * Fri May 6 2022 hanchao <hanchao47@huawei.com> - 1.17.3-2
 - Type:CVE
 - CVE:CVE-2022-28327,CVE-2022-24675
-- 
Gitee


From 0f2ac32b69d09d43f6ddfdcf52b368c961eaaea3 Mon Sep 17 00:00:00 2001
From: hc <hanchao47@huawei.com>
Date: Mon, 16 May 2022 07:56:24 +0000
Subject: [PATCH 2/2] update golang.spec.

---
 golang.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/golang.spec b/golang.spec
index 2e4a58c..597c7e6 100644
--- a/golang.spec
+++ b/golang.spec
@@ -390,7 +390,7 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 
 %changelog
-* Fri May 6 2022 hanchao <hanchao47@huawei.com> - 1.17.3-2
+* Fri May 6 2022 hanchao <hanchao47@huawei.com> - 1.17.3-3
 - Type:CVE
 - CVE:CVE-2021-44717
 - SUG:NA
-- 
Gitee