mirror of
https://git.yoctoproject.org/poky
synced 2026-04-30 12:32:12 +02:00
go: backport patch fix for CVE-2021-38297
Patch taken from
4548fcc8df
from the following issue
https://github.com/golang/go/issues/48797
Original repo
https://go.googlesource.com/go/+/77f2750f4398990eed972186706f160631d7dae4
(From OE-Core rev: e9e3c3969544d18f0da90a10156c40da84d5b549)
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Davide Gardenal
committed by
Richard Purdie
Richard Purdie
parent
f80b5868fa
commit
048094bcf9
@@ -19,9 +19,11 @@ SRC_URI += "\
|
||||
file://CVE-2021-34558.patch \
|
||||
file://CVE-2021-33196.patch \
|
||||
file://CVE-2021-33197.patch \
|
||||
file://CVE-2021-38297.patch \
|
||||
file://CVE-2022-23806.patch \
|
||||
file://CVE-2022-23772.patch \
|
||||
"
|
||||
|
||||
SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
|
||||
SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149"
|
||||
|
||||
|
||||
97
meta/recipes-devtools/go/go-1.14/CVE-2021-38297.patch
Normal file
97
meta/recipes-devtools/go/go-1.14/CVE-2021-38297.patch
Normal file
@@ -0,0 +1,97 @@
|
||||
From 4548fcc8dfd933c237f29bba6f90040a85922564 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Knyszek <mknyszek@google.com>
|
||||
Date: Thu, 2 Sep 2021 16:51:59 -0400
|
||||
Subject: [PATCH] [release-branch.go1.16] misc/wasm, cmd/link: do not let
|
||||
command line args overwrite global data
|
||||
|
||||
On Wasm, wasm_exec.js puts command line arguments at the beginning
|
||||
of the linear memory (following the "zero page"). Currently there
|
||||
is no limit for this, and a very long command line can overwrite
|
||||
the program's data section. Prevent this by limiting the command
|
||||
line to 4096 bytes, and in the linker ensuring the data section
|
||||
starts at a high enough address (8192).
|
||||
|
||||
(Arguably our address assignment on Wasm is a bit confusing. This
|
||||
is the minimum fix I can come up with.)
|
||||
|
||||
Thanks to Ben Lubar for reporting this issue.
|
||||
|
||||
Change by Cherry Mui <cherryyz@google.com>.
|
||||
|
||||
For #48797
|
||||
Fixes #48799
|
||||
Fixes CVE-2021-38297
|
||||
|
||||
Change-Id: I0f50fbb2a5b6d0d047e3c134a88988d9133e4ab3
|
||||
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1205933
|
||||
Reviewed-by: Roland Shoemaker <bracewell@google.com>
|
||||
Reviewed-by: Than McIntosh <thanm@google.com>
|
||||
Reviewed-on: https://go-review.googlesource.com/c/go/+/354591
|
||||
Trust: Michael Knyszek <mknyszek@google.com>
|
||||
Reviewed-by: Heschi Kreinick <heschi@google.com>
|
||||
|
||||
CVE: CVE-2021-38297
|
||||
|
||||
Upstream-Status: Backport:
|
||||
https://github.com/golang/go/commit/4548fcc8dfd933c237f29bba6f90040a85922564
|
||||
|
||||
Inline of ctxt.isWAsm followin this implemetation:
|
||||
https://github.com/golang/go/blob/4548fcc8dfd933c237f29bba6f90040a85922564/src/cmd/link/internal/ld/target.go#L127
|
||||
|
||||
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
|
||||
---
|
||||
misc/wasm/wasm_exec.js | 7 +++++++
|
||||
src/cmd/link/internal/ld/data.go | 11 ++++++++++-
|
||||
2 files changed, 17 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/misc/wasm/wasm_exec.js b/misc/wasm/wasm_exec.js
|
||||
index 82041e6bb901..a0a264278b1b 100644
|
||||
--- a/misc/wasm/wasm_exec.js
|
||||
+++ b/misc/wasm/wasm_exec.js
|
||||
@@ -564,6 +564,13 @@
|
||||
offset += 8;
|
||||
});
|
||||
|
||||
+ // The linker guarantees global data starts from at least wasmMinDataAddr.
|
||||
+ // Keep in sync with cmd/link/internal/ld/data.go:wasmMinDataAddr.
|
||||
+ const wasmMinDataAddr = 4096 + 4096;
|
||||
+ if (offset >= wasmMinDataAddr) {
|
||||
+ throw new Error("command line too long");
|
||||
+ }
|
||||
+
|
||||
this._inst.exports.run(argc, argv);
|
||||
if (this.exited) {
|
||||
this._resolveExitPromise();
|
||||
diff --git a/src/cmd/link/internal/ld/data.go b/src/cmd/link/internal/ld/data.go
|
||||
index 52035e96301c..54a1d188cdb9 100644
|
||||
--- a/src/cmd/link/internal/ld/data.go
|
||||
+++ b/src/cmd/link/internal/ld/data.go
|
||||
@@ -2330,6 +2330,11 @@ func assignAddress(ctxt *Link, sect *sym.Section, n int, s loader.Sym, va uint64
|
||||
return sect, n, va
|
||||
}
|
||||
|
||||
+// On Wasm, we reserve 4096 bytes for zero page, then 4096 bytes for wasm_exec.js
|
||||
+// to store command line args. Data sections starts from at least address 8192.
|
||||
+// Keep in sync with wasm_exec.js.
|
||||
+const wasmMinDataAddr = 4096 + 4096
|
||||
+
|
||||
// address assigns virtual addresses to all segments and sections and
|
||||
// returns all segments in file order.
|
||||
func (ctxt *Link) address() []*sym.Segment {
|
||||
@@ -2339,10 +2344,14 @@ func (ctxt *Link) address() []*sym.Segment {
|
||||
order = append(order, &Segtext)
|
||||
Segtext.Rwx = 05
|
||||
Segtext.Vaddr = va
|
||||
- for _, s := range Segtext.Sections {
|
||||
+ for i, s := range Segtext.Sections {
|
||||
va = uint64(Rnd(int64(va), int64(s.Align)))
|
||||
s.Vaddr = va
|
||||
va += s.Length
|
||||
+
|
||||
+ if ctxt.Arch.Family == sys.Wasm && i == 0 && va < wasmMinDataAddr {
|
||||
+ va = wasmMinDataAddr
|
||||
+ }
|
||||
}
|
||||
|
||||
Segtext.Length = va - uint64(*FlagTextAddr)
|
||||
|
||||
Reference in New Issue
Block a user