!374 backport CVE-2024-24787

From: @euleroswander Reviewed-by: @hcnbxx Signed-off-by: @hcnbxx
2024-06-21 08:12:35 +00:00 · 2024-06-21 08:12:35 +00:00 · 74540eecfe
commit 74540eecfe
parent 102789fc72 159f203404
2 changed files with 138 additions and 1 deletions
--- a/backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
+++ b/backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
@ -0,0 +1,133 @@
+From 7edadbad6c5ba7db3c4ab6925369096dedcf8e0b Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 25 Apr 2024 13:09:54 -0700
+Subject: [PATCH] [Backport] cmd/go: disallow -lto_library in LDFLAGS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Offering: Cloud Core Network
+CVE: CVE-2024-24787
+Reference: https://go-review.googlesource.com/c/go/+/583796
+
+The darwin linker allows setting the LTO library with the -lto_library
+flag. This wasn't caught by our "safe linker flags" check because it
+was covered by the -lx flag used for linking libraries. This change
+adds a specific check for excluded flags which otherwise satisfy our
+existing checks.
+
+Loading a mallicious LTO library would allow an attacker to cause the
+linker to execute abritrary code when "go build" was called.
+
+Thanks to Juho Forsén of Mattermost for reporting this issue.
+
+Fixes #67119
+Fixes #67122
+Fixes CVE-2024-24787
+
+Change-Id: I77ac8585efbdbdfd5f39c39ed623b9408a0f9eaf
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1380
+Reviewed-by: Russ Cox <rsc@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 9a79141fbbca1105e5c786f15e38741ca7843290)
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1420
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/583796
+Reviewed-by: David Chase <drchase@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Signed-off-by: Ma Chang Wang machangwang@huawei.com
+---
+ src/cmd/go/internal/work/security.go          | 19 +++++++++++++++----
+ .../script/darwin_lto_library_ldflag.txt      | 17 +++++++++++++++++
+ 2 files changed, 32 insertions(+), 4 deletions(-)
+ create mode 100644 src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
+
+diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
+index 270a34e9c7..db49eb6488 100644
+--- a/src/cmd/go/internal/work/security.go
+++ b/src/cmd/go/internal/work/security.go
+@@ -141,6 +141,12 @@ var validCompilerFlagsWithNextArg = []string{
+ 	"-x",
+ }
+ 
+var invalidLinkerFlags = []*lazyregexp.Regexp{
+	// On macOS this means the linker loads and executes the next argument.
+	// Have to exclude separately because -lfoo is allowed in general.
+	re(`-lto_library`),
+}
+
+ var validLinkerFlags = []*lazyregexp.Regexp{
+ 	re(`-F([^@\-].*)`),
+ 	re(`-l([^@\-].*)`),
+@@ -231,12 +237,12 @@ var validLinkerFlagsWithNextArg = []string{
+ 
+ func checkCompilerFlags(name, source string, list []string) error {
+ 	checkOverrides := true
+-	return checkFlags(name, source, list, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides)
+	return checkFlags(name, source, list, nil, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides)
+ }
+ 
+ func checkLinkerFlags(name, source string, list []string) error {
+ 	checkOverrides := true
+-	return checkFlags(name, source, list, validLinkerFlags, validLinkerFlagsWithNextArg, checkOverrides)
+	return checkFlags(name, source, list, invalidLinkerFlags, validLinkerFlags, validLinkerFlagsWithNextArg, checkOverrides)
+ }
+ 
+ // checkCompilerFlagsForInternalLink returns an error if 'list'
+@@ -245,7 +251,7 @@ func checkLinkerFlags(name, source string, list []string) error {
+ // external linker).
+ func checkCompilerFlagsForInternalLink(name, source string, list []string) error {
+ 	checkOverrides := false
+-	if err := checkFlags(name, source, list, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides); err != nil {
+	if err := checkFlags(name, source, list, nil, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides); err != nil {
+ 		return err
+ 	}
+ 	// Currently the only flag on the allow list that causes problems
+@@ -258,7 +264,7 @@ func checkCompilerFlagsForInternalLink(name, source string, list []string) error
+ 	return nil
+ }
+ 
+-func checkFlags(name, source string, list []string, valid []*lazyregexp.Regexp, validNext []string, checkOverrides bool) error {
+func checkFlags(name, source string, list []string, invalid, valid []*lazyregexp.Regexp, validNext []string, checkOverrides bool) error {
+ 	// Let users override rules with $CGO_CFLAGS_ALLOW, $CGO_CFLAGS_DISALLOW, etc.
+ 	var (
+ 		allow    *regexp.Regexp
+@@ -290,6 +296,11 @@ Args:
+ 		if allow != nil && allow.FindString(arg) == arg {
+ 			continue Args
+ 		}
+		for _, re := range invalid {
+			if re.FindString(arg) == arg { // must be complete match
+				goto Bad
+			}
+		}
+ 		for _, re := range valid {
+ 			if re.FindString(arg) == arg { // must be complete match
+ 				continue Args
+diff --git a/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
+new file mode 100644
+index 0000000000..d7acefdbad
+--- /dev/null
+++ b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
+@@ -0,0 +1,17 @@
+[!GOOS:darwin] skip
+[!cgo] skip
+
+! go build
+stderr 'invalid flag in #cgo LDFLAGS: -lto_library'
+
+-- go.mod --
+module ldflag
+
+-- main.go --
+package main
+
+// #cgo CFLAGS: -flto
+// #cgo LDFLAGS: -lto_library bad.dylib
+import "C"
+
+func main() {}
+\ No newline at end of file
+-- 
+2.33.0
+
--- a/golang.spec
+++ b/golang.spec
@ -66,7 +66,7 @@

 Name:           golang
 Version:        1.21.4
-Release:        10
+Release:        11
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@ -126,6 +126,7 @@ Patch6003:	backport-0003-release-branch.go1.21-net-textproto-mime-multipart-a.pa
 Patch6004:	backport-0004-release-branch.go1.21-net-http-net-http-cookiejar-av.patch
 Patch6005:	backport-0005-release-branch.go1.21-net-mail-properly-handle-speci.patch
 Patch6006:	backport-0006-Backport-net-http-update-bundled-golang.org-x-net-ht.patch
+Patch6007:	backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch

 Patch6008:	backport-0008-release-branch.go1.21-net-netip-check-if-address-is-v6.patch

@ -366,6 +367,9 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list

 %changelog
+* Thu May 23 2024 <314264452@qq.com> - 1.21.4-11
+- fix CVE-2024-24787
+
 * Thu Jun 13 2024 Zhao Mengmeng <zhaomengmeng@kylinos.cn> - 1.21.4-10
 - fix CVE-2024-24790