!435 fix CVE-2024-34155,CVE-2024-34156,CVE-2024-34158

From: @hcnbxx Reviewed-by: @fuowang Signed-off-by: @fuowang
2024-10-30 03:45:55 +00:00 · 2024-10-30 03:45:55 +00:00 · 0e85a0bca2
commit 0e85a0bca2
parent 5fac4acb73 3421150f01
4 changed files with 449 additions and 1 deletions
--- a/0068-Backport-go-parser-track-depth-in-nested-element-lis.patch
+++ b/0068-Backport-go-parser-track-depth-in-nested-element-lis.patch
@ -0,0 +1,71 @@
+From e7581d44ab3029f863b732f624ba44b1495a2936 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Mon, 10 Jun 2024 15:34:12 -0700
+Subject: [PATCH] [Backport] go/parser: track depth in nested element lists
+
+CVE: CVE-2024-34155
+Reference: https://go-review.googlesource.com/c/go/+/611238
+
+Prevents stack exhaustion with extremely deeply nested literal values,
+i.e. field values in structs.
+
+Note: The upstream does not submit this change to go1.17 according to the rules of MinorReleases.
+Corego3.x are based on go1.17.8. Therefore, it need to submit the change to corego3.x.
+
+Edited-by: qinlonglong q00508429
+
+Fixes #69138
+Fixes CVE-2024-34155
+
+Change-Id: I2e8e33b44105cc169d7ed1ae83fb56df0c10f1ee
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1520
+Reviewed-by: Robert Griesemer gri@google.com
+Reviewed-by: Damien Neil dneil@google.com
+Reviewed-by: Russ Cox rsc@google.com
+Reviewed-on: https://go-review.googlesource.com/c/go/+/611238
+LUCI-TryBot-Result: Go LUCI golang-scoped@luci-project-accounts.iam.gserviceaccount.com
+Reviewed-by: Roland Shoemaker roland@golang.org
+Reviewed-by: Dmitri Shuralyov dmitshur@google.com
+Auto-Submit: Dmitri Shuralyov dmitshur@golang.org
+Signed-off-by: QinLongLong qinlonglong@huawei.com
+---
+ src/go/parser/parser.go      | 2 ++
+ src/go/parser/parser_test.go | 9 +++++----
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/go/parser/parser.go b/src/go/parser/parser.go
+index 2c42b9f8cc..a728d9a68a 100644
+--- a/src/go/parser/parser.go
+++ b/src/go/parser/parser.go
+@@ -1481,6 +1481,8 @@ func (p *parser) parseElementList() (list []ast.Expr) {
+ }
+ 
+ func (p *parser) parseLiteralValue(typ ast.Expr) ast.Expr {
+	defer decNestLev(incNestLev(p))
+
+ 	if p.trace {
+ 		defer un(trace(p, "LiteralValue"))
+ 	}
+diff --git a/src/go/parser/parser_test.go b/src/go/parser/parser_test.go
+index 993df6315f..b2cd501a44 100644
+--- a/src/go/parser/parser_test.go
+++ b/src/go/parser/parser_test.go
+@@ -607,10 +607,11 @@ var parseDepthTests = []struct {
+ 	{name: "chan2", format: "package main; var x «<-chan »int"},
+ 	{name: "interface", format: "package main; var x «interface { M() «int» }»", scope: true, scopeMultiplier: 2}, // Scopes: InterfaceType, FuncType
+ 	{name: "map", format: "package main; var x «map[int]»int"},
+-	{name: "slicelit", format: "package main; var x = «[]any{«»}»", parseMultiplier: 2},             // Parser nodes: UnaryExpr, CompositeLit
+-	{name: "arraylit", format: "package main; var x = «[1]any{«nil»}»", parseMultiplier: 2},         // Parser nodes: UnaryExpr, CompositeLit
+-	{name: "structlit", format: "package main; var x = «struct{x any}{«nil»}»", parseMultiplier: 2}, // Parser nodes: UnaryExpr, CompositeLit
+-	{name: "maplit", format: "package main; var x = «map[int]any{1:«nil»}»", parseMultiplier: 2},    // Parser nodes: CompositeLit, KeyValueExpr
+	{name: "slicelit", format: "package main; var x = []any{«[]any{«»}»}", parseMultiplier: 3},      // Parser nodes: UnaryExpr, CompositeLit
+	{name: "arraylit", format: "package main; var x = «[1]any{«nil»}»", parseMultiplier: 3},         // Parser nodes: UnaryExpr, CompositeLit
+	{name: "structlit", format: "package main; var x = «struct{x any}{«nil»}»", parseMultiplier: 3}, // Parser nodes: UnaryExpr, CompositeLit
+	{name: "maplit", format: "package main; var x = «map[int]any{1:«nil»}»", parseMultiplier: 3},    // Parser nodes: CompositeLit, KeyValueExpr
+	{name: "element", format: "package main; var x = struct{x any}{x: «{«»}»}"},
+ 	{name: "dot", format: "package main; var x = «x.»x"},
+ 	{name: "index", format: "package main; var x = x«[1]»"},
+ 	{name: "slice", format: "package main; var x = x«[1:2]»"},
+-- 
+2.33.0
+
--- a/0069-Backport-encoding-gob-cover-missed-cases-when-checki.patch
+++ b/0069-Backport-encoding-gob-cover-missed-cases-when-checki.patch
@ -0,0 +1,152 @@
+From 51e3300f77cc696da324ba69fc442c9e3a57c0d8 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Fri, 3 May 2024 09:21:39 -0400
+Subject: [PATCH 1/2] [Backport] encoding/gob: cover missed cases when checking
+ ignore depth
+
+Offering: Cloud Core Network
+CVE: CVE-2024-34156
+Reference: https://go-review.googlesource.com/c/go/+/611239
+
+This change makes sure that we are properly checking the ignored field
+recursion depth in decIgnoreOpFor consistently. This prevents stack
+exhaustion when attempting to decode a message that contains an
+extremely deeply nested struct which is ignored.
+
+Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu)
+for reporting this issue.
+
+Note: The upstream does not submit this change to go1.16 according to the rules of MinorReleases.
+Corego2.x are based on go1.16.5. Therefore, it need to submit the change to corego2.x.
+
+Edited-by: zhaoshengwei z00581105
+
+Fixes #69139
+Fixes CVE-2024-34156
+
+Change-Id: Iacce06be95a5892b3064f1c40fcba2e2567862d6
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1440
+Reviewed-by: Russ Cox <rsc@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/611239
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
+Signed-off-by: Zhao Sheng Wei zhaoshengwei@huawei.com
+---
+ src/encoding/gob/decode.go         | 19 +++++++++++--------
+ src/encoding/gob/decoder.go        |  2 ++
+ src/encoding/gob/gobencdec_test.go | 14 ++++++++++++++
+ 3 files changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/src/encoding/gob/decode.go b/src/encoding/gob/decode.go
+index 0e0ec75ccc..92d64cb07f 100644
+--- a/src/encoding/gob/decode.go
+++ b/src/encoding/gob/decode.go
+@@ -874,8 +874,11 @@ func (dec *Decoder) decOpFor(wireId typeId, rt reflect.Type, name string, inProg
+ var maxIgnoreNestingDepth = 10000
+ 
+ // decIgnoreOpFor returns the decoding op for a field that has no destination.
+-func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp, depth int) *decOp {
+-	if depth > maxIgnoreNestingDepth {
+func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp) *decOp {
+	// Track how deep we've recursed trying to skip nested ignored fields.
+	dec.ignoreDepth++
+	defer func() { dec.ignoreDepth-- }()
+	if dec.ignoreDepth > maxIgnoreNestingDepth {
+ 		error_(errors.New("invalid nesting depth"))
+ 	}
+ 	// If this type is already in progress, it's a recursive type (e.g. map[string]*T).
+@@ -901,7 +904,7 @@ func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp,
+ 			errorf("bad data: undefined type %s", wireId.string())
+ 		case wire.ArrayT != nil:
+ 			elemId := wire.ArrayT.Elem
+-			elemOp := dec.decIgnoreOpFor(elemId, inProgress, depth+1)
+			elemOp := dec.decIgnoreOpFor(elemId, inProgress)
+ 			op = func(i *decInstr, state *decoderState, value reflect.Value) {
+ 				state.dec.ignoreArray(state, *elemOp, wire.ArrayT.Len)
+ 			}
+@@ -909,15 +912,15 @@ func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp,
+ 		case wire.MapT != nil:
+ 			keyId := dec.wireType[wireId].MapT.Key
+ 			elemId := dec.wireType[wireId].MapT.Elem
+-			keyOp := dec.decIgnoreOpFor(keyId, inProgress, depth+1)
+-			elemOp := dec.decIgnoreOpFor(elemId, inProgress, depth+1)
+			keyOp := dec.decIgnoreOpFor(keyId, inProgress)
+			elemOp := dec.decIgnoreOpFor(elemId, inProgress)
+ 			op = func(i *decInstr, state *decoderState, value reflect.Value) {
+ 				state.dec.ignoreMap(state, *keyOp, *elemOp)
+ 			}
+ 
+ 		case wire.SliceT != nil:
+ 			elemId := wire.SliceT.Elem
+-			elemOp := dec.decIgnoreOpFor(elemId, inProgress, depth+1)
+			elemOp := dec.decIgnoreOpFor(elemId, inProgress)
+ 			op = func(i *decInstr, state *decoderState, value reflect.Value) {
+ 				state.dec.ignoreSlice(state, *elemOp)
+ 			}
+@@ -1078,7 +1081,7 @@ func (dec *Decoder) compileSingle(remoteId typeId, ut *userTypeInfo) (engine *de
+ func (dec *Decoder) compileIgnoreSingle(remoteId typeId) *decEngine {
+ 	engine := new(decEngine)
+ 	engine.instr = make([]decInstr, 1) // one item
+-	op := dec.decIgnoreOpFor(remoteId, make(map[typeId]*decOp), 0)
+	op := dec.decIgnoreOpFor(remoteId, make(map[typeId]*decOp))
+ 	ovfl := overflow(dec.typeString(remoteId))
+ 	engine.instr[0] = decInstr{*op, 0, nil, ovfl}
+ 	engine.numInstr = 1
+@@ -1123,7 +1126,7 @@ func (dec *Decoder) compileDec(remoteId typeId, ut *userTypeInfo) (engine *decEn
+ 		localField, present := srt.FieldByName(wireField.Name)
+ 		// TODO(r): anonymous names
+ 		if !present || !isExported(wireField.Name) {
+-			op := dec.decIgnoreOpFor(wireField.Id, make(map[typeId]*decOp), 0)
+			op := dec.decIgnoreOpFor(wireField.Id, make(map[typeId]*decOp))
+ 			engine.instr[fieldnum] = decInstr{*op, fieldnum, nil, ovfl}
+ 			continue
+ 		}
+diff --git a/src/encoding/gob/decoder.go b/src/encoding/gob/decoder.go
+index b476aaac93..2486c4b30a 100644
+--- a/src/encoding/gob/decoder.go
+++ b/src/encoding/gob/decoder.go
+@@ -34,6 +34,8 @@ type Decoder struct {
+ 	freeList     *decoderState                           // list of free decoderStates; avoids reallocation
+ 	countBuf     []byte                                  // used for decoding integers while parsing messages
+ 	err          error
+	// ignoreDepth tracks the depth of recursively parsed ignored fields
+	ignoreDepth int
+ }
+ 
+ // NewDecoder returns a new decoder that reads from the io.Reader.
+diff --git a/src/encoding/gob/gobencdec_test.go b/src/encoding/gob/gobencdec_test.go
+index 1b52ecc6c8..2b5f2a8e88 100644
+--- a/src/encoding/gob/gobencdec_test.go
+++ b/src/encoding/gob/gobencdec_test.go
+@@ -806,6 +806,8 @@ func TestIngoreDepthLimit(t *testing.T) {
+ 	defer func() { maxIgnoreNestingDepth = oldNestingDepth }()
+ 	b := new(bytes.Buffer)
+ 	enc := NewEncoder(b)
+
+	// Nested slice
+ 	typ := reflect.TypeOf(int(0))
+ 	nested := reflect.ArrayOf(1, typ)
+ 	for i := 0; i < 100; i++ {
+@@ -819,4 +821,16 @@ func TestIngoreDepthLimit(t *testing.T) {
+ 	if err := dec.Decode(&output); err == nil || err.Error() != expectedErr {
+ 		t.Errorf("Decode didn't fail with depth limit of 100: want %q, got %q", expectedErr, err)
+ 	}
+
+	// Nested struct
+	nested = reflect.StructOf([]reflect.StructField{{Name: "F", Type: typ}})
+	for i := 0; i < 100; i++ {
+		nested = reflect.StructOf([]reflect.StructField{{Name: "F", Type: nested}})
+	}
+	badStruct = reflect.New(reflect.StructOf([]reflect.StructField{{Name: "F", Type: nested}}))
+	enc.Encode(badStruct.Interface())
+	dec = NewDecoder(b)
+	if err := dec.Decode(&output); err == nil || err.Error() != expectedErr {
+		t.Errorf("Decode didn't fail with depth limit of 100: want %q, got %q", expectedErr, err)
+	}
+ }
+-- 
+2.33.0
+
--- a/0070-Backport-go-build-constraint-add-parsing-limits.patch
+++ b/0070-Backport-go-build-constraint-add-parsing-limits.patch
@ -0,0 +1,210 @@
+From 328c8da3dfa27bb5dad18a4bb4d90997abd6b44b Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 20 Jun 2024 10:45:30 -0700
+Subject: [PATCH 2/2] [Backport] go/build/constraint: add parsing limits
+
+Offering: Cloud Core Network
+CVE: CVE-2024-34158
+Reference: https://go-review.googlesource.com/c/go/+/611183
+
+Limit the size of build constraints that we will parse. This prevents a
+number of stack exhaustions that can be hit when parsing overly complex
+constraints. The imposed limits are unlikely to ever be hit in real
+world usage.
+
+Note: The upstream does not submit this change to go1.16 according to the rules of MinorReleases.
+Corego2.x are based on go1.16.5. Therefore, it need to submit the change to corego2.x.
+
+Edited-by: qinlonglong q00508429
+
+Updates #69141
+Fixes #69148
+Fixes CVE-2024-34158
+
+Change-Id: I38b614bf04caa36eefc6a4350d848588c4cef3c4
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1540
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Russ Cox <rsc@google.com>
+(cherry picked from commit 0c74dc9e0da0cf1e12494b514d822b5bebbc9f04)
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1582
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/611183
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Michael Pratt <mpratt@google.com>
+TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
+Signed-off-by: QinLongLong qinlonglong@huawei.com
+---
+ src/go/build/constraint/expr.go      | 28 ++++++++++--
+ src/go/build/constraint/expr_test.go | 65 +++++++++++++++++++++++++++-
+ 2 files changed, 89 insertions(+), 4 deletions(-)
+
+diff --git a/src/go/build/constraint/expr.go b/src/go/build/constraint/expr.go
+index 957eb9b527..85897e2435 100644
+--- a/src/go/build/constraint/expr.go
+++ b/src/go/build/constraint/expr.go
+@@ -18,6 +18,10 @@ import (
+ 	"unicode/utf8"
+ )
+ 
+// maxSize is a limit used to control the complexity of expressions, in order
+// to prevent stack exhaustion issues due to recursion.
+const maxSize = 1000
+
+ // An Expr is a build tag constraint expression.
+ // The underlying concrete type is *AndExpr, *OrExpr, *NotExpr, or *TagExpr.
+ type Expr interface {
+@@ -153,7 +157,7 @@ func Parse(line string) (Expr, error) {
+ 		return parseExpr(text)
+ 	}
+ 	if text, ok := splitPlusBuild(line); ok {
+-		return parsePlusBuildExpr(text), nil
+		return parsePlusBuildExpr(text)
+ 	}
+ 	return nil, errNotConstraint
+ }
+@@ -203,6 +207,8 @@ type exprParser struct {
+ 	tok   string // last token read
+ 	isTag bool
+ 	pos   int // position (start) of last token
+
+	size int
+ }
+ 
+ // parseExpr parses a boolean build tag expression.
+@@ -251,6 +257,10 @@ func (p *exprParser) and() Expr {
+ // On entry, the next input token has not yet been lexed.
+ // On exit, the next input token has been lexed and is in p.tok.
+ func (p *exprParser) not() Expr {
+	p.size++
+	if p.size > maxSize {
+		panic(&SyntaxError{Offset: p.pos, Err: "build expression too large"})
+	}
+ 	p.lex()
+ 	if p.tok == "!" {
+ 		p.lex()
+@@ -391,7 +401,13 @@ func splitPlusBuild(line string) (expr string, ok bool) {
+ }
+ 
+ // parsePlusBuildExpr parses a legacy build tag expression (as used with “// +build”).
+-func parsePlusBuildExpr(text string) Expr {
+func parsePlusBuildExpr(text string) (Expr, error) {
+	// Only allow up to 100 AND/OR operators for "old" syntax.
+	// This is much less than the limit for "new" syntax,
+	// but uses of old syntax were always very simple.
+	const maxOldSize = 100
+	size := 0
+
+ 	var x Expr
+ 	for _, clause := range strings.Fields(text) {
+ 		var y Expr
+@@ -417,19 +433,25 @@ func parsePlusBuildExpr(text string) Expr {
+ 			if y == nil {
+ 				y = z
+ 			} else {
+				if size++; size > maxOldSize {
+					return nil, errComplex
+				}
+ 				y = and(y, z)
+ 			}
+ 		}
+ 		if x == nil {
+ 			x = y
+ 		} else {
+			if size++; size > maxOldSize {
+				return nil, errComplex
+			}
+ 			x = or(x, y)
+ 		}
+ 	}
+ 	if x == nil {
+ 		x = tag("ignore")
+ 	}
+-	return x
+	return x, nil
+ }
+ 
+ // isValidTag reports whether the word is a valid build tag.
+diff --git a/src/go/build/constraint/expr_test.go b/src/go/build/constraint/expr_test.go
+index 15d189012e..ac38ba6929 100644
+--- a/src/go/build/constraint/expr_test.go
+++ b/src/go/build/constraint/expr_test.go
+@@ -222,7 +222,7 @@ var parsePlusBuildExprTests = []struct {
+ func TestParsePlusBuildExpr(t *testing.T) {
+ 	for i, tt := range parsePlusBuildExprTests {
+ 		t.Run(fmt.Sprint(i), func(t *testing.T) {
+-			x := parsePlusBuildExpr(tt.in)
+			x, _ := parsePlusBuildExpr(tt.in)
+ 			if x.String() != tt.x.String() {
+ 				t.Errorf("parsePlusBuildExpr(%q):\nhave %v\nwant %v", tt.in, x, tt.x)
+ 			}
+@@ -319,3 +319,66 @@ func TestPlusBuildLines(t *testing.T) {
+ 		})
+ 	}
+ }
+
+func TestSizeLimits(t *testing.T) {
+	for _, tc := range []struct {
+		name string
+		expr string
+	}{
+		{
+			name: "go:build or limit",
+			expr: "//go:build " + strings.Repeat("a || ", maxSize+2),
+		},
+		{
+			name: "go:build and limit",
+			expr: "//go:build " + strings.Repeat("a && ", maxSize+2),
+		},
+		{
+			name: "go:build and depth limit",
+			expr: "//go:build " + strings.Repeat("(a &&", maxSize+2),
+		},
+		{
+			name: "go:build or depth limit",
+			expr: "//go:build " + strings.Repeat("(a ||", maxSize+2),
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			_, err := Parse(tc.expr)
+			if err == nil {
+				t.Error("expression did not trigger limit")
+			} else if syntaxErr, ok := err.(*SyntaxError); !ok || syntaxErr.Err != "build expression too large" {
+				if !ok {
+					t.Errorf("unexpected error: %v", err)
+				} else {
+					t.Errorf("unexpected syntax error: %s", syntaxErr.Err)
+				}
+			}
+		})
+	}
+}
+
+func TestPlusSizeLimits(t *testing.T) {
+	maxOldSize := 100
+	for _, tc := range []struct {
+		name string
+		expr string
+	}{
+		{
+			name: "+build or limit",
+			expr: "// +build " + strings.Repeat("a ", maxOldSize+2),
+		},
+		{
+			name: "+build and limit",
+			expr: "// +build " + strings.Repeat("a,", maxOldSize+2),
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			_, err := Parse(tc.expr)
+			if err == nil {
+				t.Error("expression did not trigger limit")
+			} else if err != errComplex {
+				t.Errorf("unexpected error: got %q, want %q", err, errComplex)
+			}
+		})
+	}
+}
+-- 
+2.33.0
+
--- a/golang.spec
+++ b/golang.spec
@ -63,7 +63,7 @@

 Name:           golang
 Version:        1.17.3
-Release:        35
+Release:        37
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@ -217,6 +217,9 @@ Patch6064:	0064-Backport-net-http-update-bundled-golang.org-x-net-ht.patch
 Patch6065:	0065-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
 Patch6066:	0066-Backport-archive-zip-treat-truncated-EOCDR-comment-a.patch
 Patch6067:	0067-Backport-net-http-send-body-or-close-connection-on-e.patch
+Patch6068:	0068-Backport-go-parser-track-depth-in-nested-element-lis.patch
+Patch6069:	0069-Backport-encoding-gob-cover-missed-cases-when-checki.patch
+Patch6070:	0070-Backport-go-build-constraint-add-parsing-limits.patch

 ExclusiveArch:  %{golang_arches}

@ -455,6 +458,18 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list

 %changelog
+* Tue Oct 22 2024 hanchao <hanchao63@huawei.com> - 1.17.3-37
+- Type:CVE
+- CVE:CVE-2024-34156,CVE-2024-34158
+- SUG:NA
+- DESC:fix CVE-2024-34156,CVE-2024-34158
+
+* Wed Oct 16 2024 hanchao <hanchao63@huawei.com> - 1.17.3-36
+- Type:CVE
+- CVE:CVE-2024-34155
+- SUG:NA
+- DESC:fix CVE-2024-34155
+
 * Tue Aug 06 2024 hanchao <hanchao63@huawei.com> - 1.17.3-35
 - Type:CVE
 - CVE:CVE-2024-24791