golang: fix CVE-2022-32189

Score: 6.5 Reference: https://go-review.googlesource.com/c/go/+/419814 Conflict: NA Reason: fix CVE-2022-32189
2022-08-08 17:26:39 +08:00 · 2022-08-08 17:26:39 +08:00 · 6dd57444d5
commit 6dd57444d5
parent 40c91388a1
2 changed files with 133 additions and 1 deletions
--- a/0016-release-branch.go1.17-math-big-check-buffer-lengths-.patch
+++ b/0016-release-branch.go1.17-math-big-check-buffer-lengths-.patch
@ -0,0 +1,125 @@
+From dc903a8196a831d23e9b6504239e09a9e6bcd98a Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Fri, 15 Jul 2022 10:43:44 -0700
+Subject: [PATCH] [release-branch.go1.17] math/big: check buffer lengths in
+ GobDecode
+
+In Float.GobDecode and Rat.GobDecode, check buffer sizes before
+indexing slices.
+
+Updates #53871
+Fixes #54094
+
+Change-Id: I1b652c32c2bc7a0e8aa7620f7be9b2740c568b0a
+Reviewed-on: https://go-review.googlesource.com/c/go/+/417774
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Tatiana Bradley <tatiana@golang.org>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+(cherry picked from commit 055113ef364337607e3e72ed7d48df67fde6fc66)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/419814
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+---
+ src/math/big/floatmarsh.go      |  7 +++++++
+ src/math/big/floatmarsh_test.go | 12 ++++++++++++
+ src/math/big/ratmarsh.go        |  6 ++++++
+ src/math/big/ratmarsh_test.go   | 12 ++++++++++++
+ 4 files changed, 37 insertions(+)
+
+diff --git a/src/math/big/floatmarsh.go b/src/math/big/floatmarsh.go
+index d1c1dab069..990e085abe 100644
+--- a/src/math/big/floatmarsh.go
+++ b/src/math/big/floatmarsh.go
+@@ -8,6 +8,7 @@ package big
+ 
+ import (
+ 	"encoding/binary"
+	"errors"
+ 	"fmt"
+ )
+ 
+@@ -67,6 +68,9 @@ func (z *Float) GobDecode(buf []byte) error {
+ 		*z = Float{}
+ 		return nil
+ 	}
+	if len(buf) < 6 {
+		return errors.New("Float.GobDecode: buffer too small")
+	}
+ 
+ 	if buf[0] != floatGobVersion {
+ 		return fmt.Errorf("Float.GobDecode: encoding version %d not supported", buf[0])
+@@ -83,6 +87,9 @@ func (z *Float) GobDecode(buf []byte) error {
+ 	z.prec = binary.BigEndian.Uint32(buf[2:])
+ 
+ 	if z.form == finite {
+		if len(buf) < 10 {
+			return errors.New("Float.GobDecode: buffer too small for finite form float")
+		}
+ 		z.exp = int32(binary.BigEndian.Uint32(buf[6:]))
+ 		z.mant = z.mant.setBytes(buf[10:])
+ 	}
+diff --git a/src/math/big/floatmarsh_test.go b/src/math/big/floatmarsh_test.go
+index c056d78b80..401f45a51f 100644
+--- a/src/math/big/floatmarsh_test.go
+++ b/src/math/big/floatmarsh_test.go
+@@ -137,3 +137,15 @@ func TestFloatJSONEncoding(t *testing.T) {
+ 		}
+ 	}
+ }
+
+func TestFloatGobDecodeShortBuffer(t *testing.T) {
+	for _, tc := range [][]byte{
+		[]byte{0x1, 0x0, 0x0, 0x0},
+		[]byte{0x1, 0xfa, 0x0, 0x0, 0x0, 0x0},
+	} {
+		err := NewFloat(0).GobDecode(tc)
+		if err == nil {
+			t.Error("expected GobDecode to return error for malformed input")
+		}
+	}
+}
+diff --git a/src/math/big/ratmarsh.go b/src/math/big/ratmarsh.go
+index fbc7b6002d..56102e845b 100644
+--- a/src/math/big/ratmarsh.go
+++ b/src/math/big/ratmarsh.go
+@@ -45,12 +45,18 @@ func (z *Rat) GobDecode(buf []byte) error {
+ 		*z = Rat{}
+ 		return nil
+ 	}
+	if len(buf) < 5 {
+		return errors.New("Rat.GobDecode: buffer too small")
+	}
+ 	b := buf[0]
+ 	if b>>1 != ratGobVersion {
+ 		return fmt.Errorf("Rat.GobDecode: encoding version %d not supported", b>>1)
+ 	}
+ 	const j = 1 + 4
+ 	i := j + binary.BigEndian.Uint32(buf[j-4:j])
+	if len(buf) < int(i) {
+		return errors.New("Rat.GobDecode: buffer too small")
+	}
+ 	z.a.neg = b&1 != 0
+ 	z.a.abs = z.a.abs.setBytes(buf[j:i])
+ 	z.b.abs = z.b.abs.setBytes(buf[i:])
+diff --git a/src/math/big/ratmarsh_test.go b/src/math/big/ratmarsh_test.go
+index 351d109f8d..55a9878bb8 100644
+--- a/src/math/big/ratmarsh_test.go
+++ b/src/math/big/ratmarsh_test.go
+@@ -123,3 +123,15 @@ func TestRatXMLEncoding(t *testing.T) {
+ 		}
+ 	}
+ }
+
+func TestRatGobDecodeShortBuffer(t *testing.T) {
+	for _, tc := range [][]byte{
+		[]byte{0x2},
+		[]byte{0x2, 0x0, 0x0, 0x0, 0xff},
+	} {
+		err := NewRat(1, 2).GobDecode(tc)
+		if err == nil {
+			t.Error("expected GobDecode to return error for malformed input")
+		}
+	}
+}
+-- 
+2.30.2
+
--- a/golang.spec
+++ b/golang.spec
@ -66,7 +66,7 @@

 Name:           golang
 Version:        1.17.3
-Release:        5
+Release:        6
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@ -168,6 +168,7 @@ Patch6012:	0012-release-branch.go1.17-encoding-xml-use-iterative-Ski.patch
 Patch6013:	0013-release-branch.go1.17-compress-gzip-fix-stack-exhaus.patch
 Patch6014:	0014-release-branch.go1.17-crypto-tls-randomly-generate-t.patch
 Patch6015:	0015-release-branch.go1.17-crypto-rand-properly-handle-la.patch
+Patch6016:	0016-release-branch.go1.17-math-big-check-buffer-lengths-.patch

 ExclusiveArch:  %{golang_arches}

@ -402,6 +403,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list

 %changelog
+* Mon Aug 8 2022 hanchao <hanchao47@huawei.com> - 1.17.3-6
+- Type:CVE
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2022-32189
+
 * Tue Jul 26 2022 hanchao <hanchao47@huawei.com> - 1.17.3-5
 - Type:CVE
 - CVE:NA