!374 backport CVE-2024-24787

From: @euleroswander Reviewed-by: @hcnbxx Signed-off-by: @hcnbxx
2024-06-21 08:12:35 +00:00 · 2024-06-21 08:12:35 +00:00 · 74540eecfe
commit 74540eecfe
parent 102789fc72 159f203404
2 changed files with 138 additions and 1 deletions
--- a/backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
+++ b/backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
@ -0,0 +1,133 @@
 From 7edadbad6c5ba7db3c4ab6925369096dedcf8e0b Mon Sep 17 00:00:00 2001
 From: Roland Shoemaker <bracewell@google.com>
 Date: Thu, 25 Apr 2024 13:09:54 -0700
 Subject: [PATCH] [Backport] cmd/go: disallow -lto_library in LDFLAGS
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Offering: Cloud Core Network
 CVE: CVE-2024-24787
 Reference: https://go-review.googlesource.com/c/go/+/583796
 The darwin linker allows setting the LTO library with the -lto_library
 flag. This wasn't caught by our "safe linker flags" check because it
 was covered by the -lx flag used for linking libraries. This change
 adds a specific check for excluded flags which otherwise satisfy our
 existing checks.
 Loading a mallicious LTO library would allow an attacker to cause the
 linker to execute abritrary code when "go build" was called.
 Thanks to Juho Forsén of Mattermost for reporting this issue.
 Fixes #67119
 Fixes #67122
 Fixes CVE-2024-24787
 Change-Id: I77ac8585efbdbdfd5f39c39ed623b9408a0f9eaf
 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1380
 Reviewed-by: Russ Cox <rsc@google.com>
 Reviewed-by: Damien Neil <dneil@google.com>
 (cherry picked from commit 9a79141fbbca1105e5c786f15e38741ca7843290)
 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1420
 Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
 Reviewed-on: https://go-review.googlesource.com/c/go/+/583796
 Reviewed-by: David Chase <drchase@google.com>
 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
 Signed-off-by: Ma Chang Wang machangwang@huawei.com
 ---
 src/cmd/go/internal/work/security.go          | 19 +++++++++++++++----
 .../script/darwin_lto_library_ldflag.txt      | 17 +++++++++++++++++
 2 files changed, 32 insertions(+), 4 deletions(-)
 create mode 100644 src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
 diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
 index 270a34e9c7..db49eb6488 100644
 --- a/src/cmd/go/internal/work/security.go
 +++ b/src/cmd/go/internal/work/security.go
@@ -141,6 +141,12 @@ var validCompilerFlagsWithNextArg = []string{
 	"-x",
 }
 +var invalidLinkerFlags = []*lazyregexp.Regexp{
 +	// On macOS this means the linker loads and executes the next argument.
 +	// Have to exclude separately because -lfoo is allowed in general.
 +	re(`-lto_library`),
 +}
 +
 var validLinkerFlags = []*lazyregexp.Regexp{
 	re(`-F([^@\-].*)`),
 	re(`-l([^@\-].*)`),
@@ -231,12 +237,12 @@ var validLinkerFlagsWithNextArg = []string{
 func checkCompilerFlags(name, source string, list []string) error {
 	checkOverrides := true
 -	return checkFlags(name, source, list, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides)
 +	return checkFlags(name, source, list, nil, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides)
 }
 func checkLinkerFlags(name, source string, list []string) error {
 	checkOverrides := true
 -	return checkFlags(name, source, list, validLinkerFlags, validLinkerFlagsWithNextArg, checkOverrides)
 +	return checkFlags(name, source, list, invalidLinkerFlags, validLinkerFlags, validLinkerFlagsWithNextArg, checkOverrides)
 }
 // checkCompilerFlagsForInternalLink returns an error if 'list'
@@ -245,7 +251,7 @@ func checkLinkerFlags(name, source string, list []string) error {
 // external linker).
 func checkCompilerFlagsForInternalLink(name, source string, list []string) error {
 	checkOverrides := false
 -	if err := checkFlags(name, source, list, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides); err != nil {
 +	if err := checkFlags(name, source, list, nil, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides); err != nil {
 		return err
 	}
 	// Currently the only flag on the allow list that causes problems
@@ -258,7 +264,7 @@ func checkCompilerFlagsForInternalLink(name, source string, list []string) error
 	return nil
 }
 -func checkFlags(name, source string, list []string, valid []*lazyregexp.Regexp, validNext []string, checkOverrides bool) error {
 +func checkFlags(name, source string, list []string, invalid, valid []*lazyregexp.Regexp, validNext []string, checkOverrides bool) error {
 	// Let users override rules with $CGO_CFLAGS_ALLOW, $CGO_CFLAGS_DISALLOW, etc.
 	var (
 		allow    *regexp.Regexp
@@ -290,6 +296,11 @@ Args:
 		if allow != nil && allow.FindString(arg) == arg {
 			continue Args
 		}
 +		for _, re := range invalid {
 +			if re.FindString(arg) == arg { // must be complete match
 +				goto Bad
 +			}
 +		}
 		for _, re := range valid {
 			if re.FindString(arg) == arg { // must be complete match
 				continue Args
 diff --git a/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
 new file mode 100644
 index 0000000000..d7acefdbad
 --- /dev/null
 +++ b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
@@ -0,0 +1,17 @@
 +[!GOOS:darwin] skip
 +[!cgo] skip
 +
 +! go build
 +stderr 'invalid flag in #cgo LDFLAGS: -lto_library'
 +
 +-- go.mod --
 +module ldflag
 +
 +-- main.go --
 +package main
 +
 +// #cgo CFLAGS: -flto
 +// #cgo LDFLAGS: -lto_library bad.dylib
 +import "C"
 +
 +func main() {}
 \ No newline at end of file
 -- 
 2.33.0
--- a/golang.spec
+++ b/golang.spec
@ -66,7 +66,7 @@
 Name:           golang
 Version:        1.21.4
-Release:        10
+Release:        11
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@ -126,6 +126,7 @@ Patch6003:	backport-0003-release-branch.go1.21-net-textproto-mime-multipart-a.pa
 Patch6004:	backport-0004-release-branch.go1.21-net-http-net-http-cookiejar-av.patch
 Patch6005:	backport-0005-release-branch.go1.21-net-mail-properly-handle-speci.patch
 Patch6006:	backport-0006-Backport-net-http-update-bundled-golang.org-x-net-ht.patch
 Patch6007:	backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
 Patch6008:	backport-0008-release-branch.go1.21-net-netip-check-if-address-is-v6.patch
@ -366,6 +367,9 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 %changelog
 * Thu May 23 2024 <314264452@qq.com> - 1.21.4-11
 - fix CVE-2024-24787
 * Thu Jun 13 2024 Zhao Mengmeng <zhaomengmeng@kylinos.cn> - 1.21.4-10
 - fix CVE-2024-24790