cvefix:fix CVE-2023-39323

2023-10-13 15:17:49 +08:00 · 2023-10-13 15:17:49 +08:00 · cc7f90041b
commit cc7f90041b
parent b70d70b379
2 changed files with 185 additions and 1 deletions
--- a/0108-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch
+++ b/0108-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch
@ -0,0 +1,177 @@
+From 92f5a51debc3f483bde32ed3b812ec3906e68db1 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Thu, 21 Sep 2023 07:16:29 +0800
+Subject: [PATCH] [Backport] cmd/compile: use absolute file name in isCgo check
+
+Offering: Cloud Core Network
+CVE: CVE-2023-39323
+Reference: https://go-review.googlesource.com/c/go/+/533195
+
+Note: The upstream does not submit this change to go1.16 according to the rules of MinorReleases.
+Corego2.x are based on go1.16.5. Therefore, it need to submit the change to corego2.x.
+
+Edited-by: machangwang m00509938
+
+For #23672
+Updates #63211
+Fixes #63213
+Fixes CVE-2023-39323
+
+Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+(cherry picked from commit 9b19e751918dd218035811b1ef83a8c2693b864a)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2037629
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/533195
+Auto-Submit: Michael Pratt <mpratt@google.com>
+Reviewed-by: Ian Lance Taylor <iant@google.com>
+TryBot-Bypass: Michael Pratt <mpratt@google.com>
+Reviewed-by: Than McIntosh <thanm@google.com>
+Signed-off-by: Ma Chang Wang machangwang@huawei.com
+---
+ misc/cgo/errors/errors_test.go       | 31 +++++++++++++++++++++-------
+ misc/cgo/errors/testdata/err2.go     | 12 +++++------
+ misc/cgo/errors/testdata/err5.go     | 11 ++++++++++
+ src/cmd/compile/internal/gc/noder.go |  8 ++++++-
+ 4 files changed, 47 insertions(+), 15 deletions(-)
+ create mode 100644 misc/cgo/errors/testdata/err5.go
+
+diff --git a/misc/cgo/errors/errors_test.go b/misc/cgo/errors/errors_test.go
+index 1bdf843451..33ab9d30d9 100644
+--- a/misc/cgo/errors/errors_test.go
+++ b/misc/cgo/errors/errors_test.go
+@@ -21,6 +21,13 @@ func path(file string) string {
+ 	return filepath.Join("testdata", file)
+ }
+ 
+func bytesCut(s, sep []byte) (before, after []byte, found bool) {
+	if i := bytes.Index(s, sep); i >= 0 {
+		return s[:i], s[i+len(sep):], true
+	}
+	return s, nil, false
+}
+
+ func check(t *testing.T, file string) {
+ 	t.Run(file, func(t *testing.T) {
+ 		t.Parallel()
+@@ -37,16 +44,23 @@ func check(t *testing.T, file string) {
+ 				continue
+ 			}
+ 
+-			frags := bytes.SplitAfterN(line, []byte("ERROR HERE: "), 2)
+-			if len(frags) == 1 {
+-				continue
+			if _, frag, ok := bytesCut(line, []byte("ERROR HERE: ")); ok {
+				re, err := regexp.Compile(fmt.Sprintf(":%d:.*%s", i+1, frag))
+				if err != nil {
+					t.Errorf("Invalid regexp after `ERROR HERE: `: %#q", frag)
+					continue
+				}
+				errors = append(errors, re)
+ 			}
+-			re, err := regexp.Compile(string(frags[1]))
+-			if err != nil {
+-				t.Errorf("Invalid regexp after `ERROR HERE: `: %#q", frags[1])
+-				continue
+
+			if _, frag, ok := bytesCut(line, []byte("ERROR MESSAGE: ")); ok {
+				re, err := regexp.Compile(string(frag))
+				if err != nil {
+					t.Errorf("Invalid regexp after `ERROR MESSAGE: `: %#q", frag)
+					continue
+				}
+				errors = append(errors, re)
+ 			}
+-			errors = append(errors, re)
+ 		}
+ 		if len(errors) == 0 {
+ 			t.Fatalf("cannot find ERROR HERE")
+@@ -107,6 +121,7 @@ func TestReportsTypeErrors(t *testing.T) {
+ 	for _, file := range []string{
+ 		"err1.go",
+ 		"err2.go",
+		"err5.go",
+ 		"issue11097a.go",
+ 		"issue11097b.go",
+ 		"issue18452.go",
+diff --git a/misc/cgo/errors/testdata/err2.go b/misc/cgo/errors/testdata/err2.go
+index 1d22401aee..a90598fe35 100644
+--- a/misc/cgo/errors/testdata/err2.go
+++ b/misc/cgo/errors/testdata/err2.go
+@@ -40,15 +40,15 @@ func main() {
+ 	C.foop = x // ERROR HERE
+ 
+ 	// issue 13129: used to output error about C.unsignedshort with CC=clang
+-	var x C.ushort
+-	x = int(0) // ERROR HERE: C\.ushort
+	var x1 C.ushort
+	x1 = int(0) // ERROR HERE: C\.ushort
+ 
+ 	// issue 13423
+ 	_ = C.fopen() // ERROR HERE
+ 
+ 	// issue 13467
+-	var x rune = '✈'
+-	var _ rune = C.transform(x) // ERROR HERE: C\.int
+	var x2 rune = '✈'
+	var _ rune = C.transform(x2) // ERROR HERE: C\.int
+ 
+ 	// issue 13635: used to output error about C.unsignedchar.
+ 	// This test tests all such types.
+@@ -91,10 +91,10 @@ func main() {
+ 
+ 	// issue 26745
+ 	_ = func(i int) int {
+-		return C.i + 1 // ERROR HERE: :13
+		return C.i + 1 // ERROR HERE: 14
+ 	}
+ 	_ = func(i int) {
+-		C.fi(i) // ERROR HERE: :6
+		C.fi(i) // ERROR HERE: 7
+ 	}
+ 
+ 	C.fi = C.fi // ERROR HERE
+diff --git a/misc/cgo/errors/testdata/err5.go b/misc/cgo/errors/testdata/err5.go
+new file mode 100644
+index 0000000000..c12a290d38
+--- /dev/null
+++ b/misc/cgo/errors/testdata/err5.go
+@@ -0,0 +1,11 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+//line /tmp/_cgo_.go:1
+//go:cgo_dynamic_linker "/elf/interp"
+// ERROR MESSAGE: only allowed in cgo-generated code
+
+func main() {}
+diff --git a/src/cmd/compile/internal/gc/noder.go b/src/cmd/compile/internal/gc/noder.go
+index 802aab2268..9e5ee8e572 100644
+--- a/src/cmd/compile/internal/gc/noder.go
+++ b/src/cmd/compile/internal/gc/noder.go
+@@ -1618,8 +1618,14 @@ func (p *noder) pragma(pos syntax.Pos, blankLine bool, text string, old syntax.P
+ // contain cgo directives, and for security reasons
+ // (primarily misuse of linker flags), other files are not.
+ // See golang.org/issue/23672.
+// Note that cmd/go ignores files whose names start with underscore,
+// so the only _cgo_ files we will see from cmd/go are generated by cgo.
+// It's easy to bypass this check by calling the compiler directly;
+// we only protect against uses by cmd/go.
+ func isCgoGeneratedFile(pos syntax.Pos) bool {
+-	return strings.HasPrefix(filepath.Base(filepath.Clean(fileh(pos.Base().Filename()))), "_cgo_")
+	// We need the absolute file, independent of //line directives,
+	// so we call pos.Base().Pos().
+	return strings.HasPrefix(filepath.Base(filepath.Clean(fileh(pos.Base().Pos().Base().Filename()))), "_cgo_")
+ }
+ 
+ // safeArg reports whether arg is a "safe" command-line argument,
+-- 
+2.28.0
+
--- a/golang.spec
+++ b/golang.spec
@ -58,7 +58,7 @@

 Name:           golang
 Version:        1.15.7
-Release:        34
+Release:        35
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@ -249,6 +249,7 @@ Patch6104:	0104-Backport-crypto-tls-restrict-RSA-keys-in-certificate.patch
 Patch6105:	0105-Backport-net-http-permit-requests-with-invalid-Host-headers.patch
 Patch6106:	0106-Backport-html-template-support-HTML-like-comments-in.patch
 Patch6107:	0107-Backport-html-template-properly-handle-special-tags-.patch
+Patch6108:	0108-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch

 Patch9001:  0001-drop-hard-code-cert.patch
 Patch9002:  0002-fix-patch-cmd-go-internal-modfetch-do-not-sho.patch
@ -488,6 +489,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list

 %changelog
+* Fri Oct 13 2023 luoyujie <luoyujie5@huawei.com> - 1.15.7-35
+- Type:CVE
+- CVE:CVE-2023-39323
+- SUG:NA
+- DESC:fix CVE-2023-39323
+
 * Mon Sep 25 2023 luoyujie <luoyujie5@huawei.com> - 1.15.7-34
 - Type:CVE
 - CVE:CVE-2023-39318,CVE-2023-39319