packages/golang
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!431 [Backport]golang:fix CVE-2024-34155

Browse Source 
From: @Vanient 
Reviewed-by: @hcnbxx 
Signed-off-by: @hcnbxx
This commit is contained in:
openeuler-ci-bot 2024-10-12 06:55:20 +00:00 committed by Gitee
commit fd2c1b66ce
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 65 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
0124-CVE-2024-34155-track-depth-in-nested-element-lists.patch Normal file
View File

@ -0,0 +1,60 @@
commit b232596139dbe96a62edbe3a2a203e856bf556eb
Author: Roland Shoemaker <bracewell@google.com>
Date: Mon Jun 10 15:34:12 2024 -0700
[release-branch.go1.22] go/parser: track depth in nested element lists
Prevents stack exhaustion with extremely deeply nested literal values,
i.e. field values in structs.
Updates #69138
Fixes #69142
Fixes CVE-2024-34155
Change-Id: I2e8e33b44105cc169d7ed1ae83fb56df0c10f1ee
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1520
Reviewed-by: Robert Griesemer <gri@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Russ Cox <rsc@google.com>
(cherry picked from commit eb1b038c0d01761694e7a735ef87ac9164c6568e)
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1561
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/611181
Reviewed-by: Michael Pratt <mpratt@google.com>
TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
diff --git a/src/go/parser/parser.go b/src/go/parser/parser.go
index 17808b366f..f268dea1a6 100644
--- a/src/go/parser/parser.go
+++ b/src/go/parser/parser.go
@@ -1676,6 +1676,8 @@ func (p *parser) parseElementList() (list []ast.Expr) {
}
func (p *parser) parseLiteralValue(typ ast.Expr) ast.Expr {
+ defer decNestLev(incNestLev(p))
+
if p.trace {
defer un(trace(p, "LiteralValue"))
}
diff --git a/src/go/parser/parser_test.go b/src/go/parser/parser_test.go
index 43b3416b27..c6dca66760 100644
--- a/src/go/parser/parser_test.go
+++ b/src/go/parser/parser_test.go
@@ -598,10 +598,11 @@ var parseDepthTests = []struct {
{name: "chan2", format: "package main; var x «<-chan »int"},
{name: "interface", format: "package main; var x «interface { M() «int» }»", scope: true, scopeMultiplier: 2}, // Scopes: InterfaceType, FuncType
{name: "map", format: "package main; var x «map[int]»int"},
- {name: "slicelit", format: "package main; var x = «[]any{«»}»", parseMultiplier: 2}, // Parser nodes: UnaryExpr, CompositeLit
- {name: "arraylit", format: "package main; var x = «[1]any{«nil»}»", parseMultiplier: 2}, // Parser nodes: UnaryExpr, CompositeLit
- {name: "structlit", format: "package main; var x = «struct{x any}{«nil»}»", parseMultiplier: 2}, // Parser nodes: UnaryExpr, CompositeLit
- {name: "maplit", format: "package main; var x = «map[int]any{1:«nil»}»", parseMultiplier: 2}, // Parser nodes: CompositeLit, KeyValueExpr
+ {name: "slicelit", format: "package main; var x = []any{«[]any{«»}»}", parseMultiplier: 3}, // Parser nodes: UnaryExpr, CompositeLit
+ {name: "arraylit", format: "package main; var x = «[1]any{«nil»}»", parseMultiplier: 3}, // Parser nodes: UnaryExpr, CompositeLit
+ {name: "structlit", format: "package main; var x = «struct{x any}{«nil»}»", parseMultiplier: 3}, // Parser nodes: UnaryExpr, CompositeLit
+ {name: "maplit", format: "package main; var x = «map[int]any{1:«nil»}»", parseMultiplier: 3}, // Parser nodes: CompositeLit, KeyValueExpr
+ {name: "element", format: "package main; var x = struct{x any}{x: «{«»}»}"},
{name: "dot", format: "package main; var x = «x.»x"},
{name: "index", format: "package main; var x = x«[1]»"},
{name: "slice", format: "package main; var x = x«[1:2]»"},

6
golang.spec
View File

@ -66,7 +66,7 @@
Name: golang
Version: 1.21.4
Release: 22
Release: 23
Summary: The Go Programming Language
License: BSD and Public Domain
URL: https://golang.org/
@ -141,6 +141,7 @@ Patch6017: backport-0017-release-branch.go1.21-runtime-call-enableMetadataHug.pa
Patch6018: backport-0018-release-branch.go1.21-cmd-compile-fix-findIndVar-so-.patch
Patch6019: backport-0019-release-branch.go1.21-cmd-compile-fix-escape-analysi.patch
Patch6020: backport-0020-release-branch.go1.21-runtime-pprof-fix-generics-fun.patch
Patch6021: 0124-CVE-2024-34155-track-depth-in-nested-element-lists.patch
ExclusiveArch: %{golang_arches}
@ -379,6 +380,9 @@ fi
%files devel -f go-tests.list -f go-misc.list -f go-src.list
%changelog
* Sat Oct 5 2024 Yu Peng <yupeng@kylinos.cn> - 1.21.4-23
- fix CVE-2024-34155
* Wed Oct 09 2024 EulerOSWander <314264452@qq.com> - 1.21.4-22
- runtime/pprof:fix generics function names