Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backport of fix https://go-review.googlesource.com/c/go/+/533215/ to … #162

Closed
wants to merge 1 commit into from
Closed

Backport of fix https://go-review.googlesource.com/c/go/+/533215/ to … #162

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 60 additions & 0 deletions patches/005-cgo-CVE-2023-39323.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
From b90984afd75f24899b70e6946a60b5c32610cabb Mon Sep 17 00:00:00 2001
From: Archana Ravindar <[email protected]>
Date: Tue, 30 Jan 2024 21:16:01 +0530
Subject: [PATCH] Backport of fix for CVE 2023-39323

---
misc/cgo/errors/errors_test.go | 1 +
misc/cgo/errors/testdata/err5.go | 7 +++++++
src/cmd/compile/internal/noder/noder.go | 8 +++++++-
3 files changed, 15 insertions(+), 1 deletion(-)
create mode 100644 misc/cgo/errors/testdata/err5.go

diff --git a/misc/cgo/errors/errors_test.go b/misc/cgo/errors/errors_test.go
index 9718b7f9fb..175fa030a4 100644
--- a/misc/cgo/errors/errors_test.go
+++ b/misc/cgo/errors/errors_test.go
@@ -106,6 +106,7 @@ func TestReportsTypeErrors(t *testing.T) {
for _, file := range []string{
"err1.go",
"err2.go",
+ "err5.go",
"issue11097a.go",
"issue11097b.go",
"issue18452.go",
diff --git a/misc/cgo/errors/testdata/err5.go b/misc/cgo/errors/testdata/err5.go
new file mode 100644
index 0000000000..573ebe34da
--- /dev/null
+++ b/misc/cgo/errors/testdata/err5.go
@@ -0,0 +1,7 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+package main
+//line /tmp/_cgo_.go:1
+//go:cgo_dynamic_linker "/elf/interp" // ERROR HERE: only allowed in cgo-generated code
+func main() {}
diff --git a/src/cmd/compile/internal/noder/noder.go b/src/cmd/compile/internal/noder/noder.go
index d0d95451ac..c99c085037 100644
--- a/src/cmd/compile/internal/noder/noder.go
+++ b/src/cmd/compile/internal/noder/noder.go
@@ -359,8 +359,14 @@ func (p *noder) pragma(pos syntax.Pos, blankLine bool, text string, old syntax.P
// contain cgo directives, and for security reasons
// (primarily misuse of linker flags), other files are not.
// See golang.org/issue/23672.
+// Note that cmd/go ignores files whose names start with underscore,
+// so the only _cgo_ files we will see from cmd/go are generated by cgo.
+// It's easy to bypass this check by calling the compiler directly;
+// we only protect against uses by cmd/go.
func isCgoGeneratedFile(pos syntax.Pos) bool {
- return strings.HasPrefix(filepath.Base(trimFilename(pos.Base())), "_cgo_")
+ // We need the absolute file, independent of //line directives,
+ // so we call pos.Base().Pos().
+ return strings.HasPrefix(filepath.Base(trimFilename(pos.Base().Pos().Base())), "_cgo_")
}

// safeArg reports whether arg is a "safe" command-line argument,
--
2.31.1

Loading