From a89e55c040338c22152eeb61a0923ca0829f6c3a Mon Sep 17 00:00:00 2001 From: Archana Ravindar Date: Tue, 30 Jan 2024 21:17:57 +0530 Subject: [PATCH] Backport of fix https://go-review.googlesource.com/c/go/+/533215/ to Go1.19 (CVE 2023-39323 --- patches/005-cgo-CVE-2023-39323.patch | 60 ++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 patches/005-cgo-CVE-2023-39323.patch diff --git a/patches/005-cgo-CVE-2023-39323.patch b/patches/005-cgo-CVE-2023-39323.patch new file mode 100644 index 0000000000..5473ccbaba --- /dev/null +++ b/patches/005-cgo-CVE-2023-39323.patch @@ -0,0 +1,60 @@ +From b90984afd75f24899b70e6946a60b5c32610cabb Mon Sep 17 00:00:00 2001 +From: Archana Ravindar +Date: Tue, 30 Jan 2024 21:16:01 +0530 +Subject: [PATCH] Backport of fix for CVE 2023-39323 + +--- + misc/cgo/errors/errors_test.go | 1 + + misc/cgo/errors/testdata/err5.go | 7 +++++++ + src/cmd/compile/internal/noder/noder.go | 8 +++++++- + 3 files changed, 15 insertions(+), 1 deletion(-) + create mode 100644 misc/cgo/errors/testdata/err5.go + +diff --git a/misc/cgo/errors/errors_test.go b/misc/cgo/errors/errors_test.go +index 9718b7f9fb..175fa030a4 100644 +--- a/misc/cgo/errors/errors_test.go ++++ b/misc/cgo/errors/errors_test.go +@@ -106,6 +106,7 @@ func TestReportsTypeErrors(t *testing.T) { + for _, file := range []string{ + "err1.go", + "err2.go", ++ "err5.go", + "issue11097a.go", + "issue11097b.go", + "issue18452.go", +diff --git a/misc/cgo/errors/testdata/err5.go b/misc/cgo/errors/testdata/err5.go +new file mode 100644 +index 0000000000..573ebe34da +--- /dev/null ++++ b/misc/cgo/errors/testdata/err5.go +@@ -0,0 +1,7 @@ ++// Copyright 2023 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++package main ++//line /tmp/_cgo_.go:1 ++//go:cgo_dynamic_linker "/elf/interp" // ERROR HERE: only allowed in cgo-generated code ++func main() {} +diff --git a/src/cmd/compile/internal/noder/noder.go b/src/cmd/compile/internal/noder/noder.go +index d0d95451ac..c99c085037 100644 +--- a/src/cmd/compile/internal/noder/noder.go ++++ b/src/cmd/compile/internal/noder/noder.go +@@ -359,8 +359,14 @@ func (p *noder) pragma(pos syntax.Pos, blankLine bool, text string, old syntax.P + // contain cgo directives, and for security reasons + // (primarily misuse of linker flags), other files are not. + // See golang.org/issue/23672. ++// Note that cmd/go ignores files whose names start with underscore, ++// so the only _cgo_ files we will see from cmd/go are generated by cgo. ++// It's easy to bypass this check by calling the compiler directly; ++// we only protect against uses by cmd/go. + func isCgoGeneratedFile(pos syntax.Pos) bool { +- return strings.HasPrefix(filepath.Base(trimFilename(pos.Base())), "_cgo_") ++ // We need the absolute file, independent of //line directives, ++ // so we call pos.Base().Pos(). ++ return strings.HasPrefix(filepath.Base(trimFilename(pos.Base().Pos().Base())), "_cgo_") + } + + // safeArg reports whether arg is a "safe" command-line argument, +-- +2.31.1 +