mirror of
https://git.yoctoproject.org/poky
synced 2026-07-15 15:37:03 +00:00
go 1.22.12: fix CVE-2026-27143, CVE-2026-27144
Pick patch from [1] & [2] also mentioned at Debian report in [3] & [4] [1] https://github.com/golang/go/commit/7d2dd3488cdfbddda14c18c455d3263df75a46fc [2] https://github.com/golang/go/commit/72cc33629a3b26e68f6e6e5564618a1d763896f3 [3] https://security-tracker.debian.org/tracker/CVE-2026-27143 [4] https://security-tracker.debian.org/tracker/CVE-2026-27144 (From OE-Core rev: c4273fecc42ab643eea036651c79d968f0caaafd) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
committed by
Paul Barker
parent
2abc87a006
commit
1e7d50296e
@@ -43,6 +43,8 @@ SRC_URI += "\
|
||||
file://CVE-2025-68121_p3.patch \
|
||||
file://CVE-2026-27140.patch \
|
||||
file://CVE-2026-27142.patch \
|
||||
file://CVE-2026-27143.patch \
|
||||
file://CVE-2026-27144.patch \
|
||||
file://CVE-2026-32280.patch \
|
||||
file://CVE-2026-32283.patch \
|
||||
file://CVE-2026-32289.patch \
|
||||
|
||||
@@ -0,0 +1,165 @@
|
||||
From 7d2dd3488cdfbddda14c18c455d3263df75a46fc Mon Sep 17 00:00:00 2001
|
||||
From: Junyang Shao <shaojunyang@google.com>
|
||||
Date: Fri, 6 Mar 2026 00:03:45 +0000
|
||||
Subject: [PATCH] [release-branch.go1.25] cmd/compile: fix loopbce overflow
|
||||
check logic
|
||||
|
||||
addWillOverflow and subWillOverflow has an implicit assumption that y is
|
||||
positive, using it outside of addU and subU is really incorrect. This CL
|
||||
fixes those incorrect usage to use the correct logic in place.
|
||||
|
||||
Thanks to Jakub Ciolek for reporting this issue.
|
||||
|
||||
Fixes #78333
|
||||
Fixes CVE-2026-27143
|
||||
|
||||
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3700
|
||||
Reviewed-by: Damien Neil <dneil@google.com>
|
||||
Reviewed-by: Neal Patel <nealpatel@google.com>
|
||||
Change-Id: I263e8e7ac227e2a68109eb7bbd45f66569ed22ec
|
||||
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3987
|
||||
Commit-Queue: Damien Neil <dneil@google.com>
|
||||
Reviewed-on: https://go-review.googlesource.com/c/go/+/763553
|
||||
Reviewed-by: David Chase <drchase@google.com>
|
||||
Auto-Submit: Gopher Robot <gobot@golang.org>
|
||||
TryBot-Bypass: Gopher Robot <gobot@golang.org>
|
||||
Reviewed-by: Junyang Shao <shaojunyang@google.com>
|
||||
|
||||
CVE: CVE-2026-27143
|
||||
Upstream-Status: Backport [https://github.com/golang/go/commit/7d2dd3488cdfbddda14c18c455d3263df75a46fc]
|
||||
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
|
||||
---
|
||||
src/cmd/compile/internal/ssa/loopbce.go | 36 +++++++++++++++++--------
|
||||
test/loopbce.go | 28 +++++++++++++++++++
|
||||
2 files changed, 53 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/src/cmd/compile/internal/ssa/loopbce.go b/src/cmd/compile/internal/ssa/loopbce.go
|
||||
index dd1f39d..1b3e567 100644
|
||||
--- a/src/cmd/compile/internal/ssa/loopbce.go
|
||||
+++ b/src/cmd/compile/internal/ssa/loopbce.go
|
||||
@@ -204,9 +204,11 @@ func findIndVar(f *Func) []indVar {
|
||||
if init.AuxInt > v {
|
||||
return false
|
||||
}
|
||||
+ // TODO(1.27): investigate passing a smaller-magnitude overflow limit to addU
|
||||
+ // for addWillOverflow.
|
||||
v = addU(init.AuxInt, diff(v, init.AuxInt)/uint64(step)*uint64(step))
|
||||
}
|
||||
- if addWillOverflow(v, step) {
|
||||
+ if addWillOverflow(v, step, maxSignedValue(ind.Type)) {
|
||||
return false
|
||||
}
|
||||
if inclusive && v != limit.AuxInt || !inclusive && v+1 != limit.AuxInt {
|
||||
@@ -235,7 +237,7 @@ func findIndVar(f *Func) []indVar {
|
||||
// ind < knn - k cannot overflow if step is at most k+1
|
||||
return step <= k+1 && k != maxSignedValue(limit.Type)
|
||||
} else { // step < 0
|
||||
- if limit.Op == OpConst64 {
|
||||
+ if limit.isGenericIntConst() {
|
||||
// Figure out the actual smallest value.
|
||||
v := limit.AuxInt
|
||||
if !inclusive {
|
||||
@@ -249,9 +251,11 @@ func findIndVar(f *Func) []indVar {
|
||||
if init.AuxInt < v {
|
||||
return false
|
||||
}
|
||||
+ // TODO(1.27): investigate passing a smaller-magnitude underflow limit to subU
|
||||
+ // for subWillUnderflow.
|
||||
v = subU(init.AuxInt, diff(init.AuxInt, v)/uint64(-step)*uint64(-step))
|
||||
}
|
||||
- if subWillUnderflow(v, -step) {
|
||||
+ if subWillUnderflow(v, -step, minSignedValue(ind.Type)) {
|
||||
return false
|
||||
}
|
||||
if inclusive && v != limit.AuxInt || !inclusive && v-1 != limit.AuxInt {
|
||||
@@ -313,14 +317,22 @@ func findIndVar(f *Func) []indVar {
|
||||
return iv
|
||||
}
|
||||
|
||||
-// addWillOverflow reports whether x+y would result in a value more than maxint.
|
||||
-func addWillOverflow(x, y int64) bool {
|
||||
- return x+y < x
|
||||
+// subWillUnderflow checks if x - y underflows the min value.
|
||||
+// y must be positive.
|
||||
+func subWillUnderflow(x, y int64, min int64) bool {
|
||||
+ if y < 0 {
|
||||
+ base.Fatalf("expecting positive value")
|
||||
+ }
|
||||
+ return x < min+y
|
||||
}
|
||||
|
||||
-// subWillUnderflow reports whether x-y would result in a value less than minint.
|
||||
-func subWillUnderflow(x, y int64) bool {
|
||||
- return x-y > x
|
||||
+// addWillOverflow checks if x + y overflows the max value.
|
||||
+// y must be positive.
|
||||
+func addWillOverflow(x, y int64, max int64) bool {
|
||||
+ if y < 0 {
|
||||
+ base.Fatalf("expecting positive value")
|
||||
+ }
|
||||
+ return x > max-y
|
||||
}
|
||||
|
||||
// diff returns x-y as a uint64. Requires x>=y.
|
||||
@@ -341,7 +353,8 @@ func addU(x int64, y uint64) int64 {
|
||||
x += 1
|
||||
y -= 1 << 63
|
||||
}
|
||||
- if addWillOverflow(x, int64(y)) {
|
||||
+ // TODO(1.27): investigate passing a smaller-magnitude overflow limit in here.
|
||||
+ if addWillOverflow(x, int64(y), maxSignedValue(types.Types[types.TINT64])) {
|
||||
base.Fatalf("addU overflowed %d + %d", x, y)
|
||||
}
|
||||
return x + int64(y)
|
||||
@@ -357,7 +370,8 @@ func subU(x int64, y uint64) int64 {
|
||||
x -= 1
|
||||
y -= 1 << 63
|
||||
}
|
||||
- if subWillUnderflow(x, int64(y)) {
|
||||
+ // TODO(1.27): investigate passing a smaller-magnitude underflow limit in here.
|
||||
+ if subWillUnderflow(x, int64(y), minSignedValue(types.Types[types.TINT64])) {
|
||||
base.Fatalf("subU underflowed %d - %d", x, y)
|
||||
}
|
||||
return x - int64(y)
|
||||
diff --git a/test/loopbce.go b/test/loopbce.go
|
||||
index 04c186b..a4b101b 100644
|
||||
--- a/test/loopbce.go
|
||||
+++ b/test/loopbce.go
|
||||
@@ -466,6 +466,34 @@ func stride2(x *[7]int) int {
|
||||
return s
|
||||
}
|
||||
|
||||
+// This loop should not be proved anything.
|
||||
+func smallIntUp(arr *[128]int) {
|
||||
+ for i := int8(0); i <= int8(120); i += int8(10) {
|
||||
+ arr[i] = int(i)
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+// This loop should not be proved anything.
|
||||
+func smallIntDown(arr *[128]int) {
|
||||
+ for i := int8(0); i >= int8(-120); i -= int8(10) {
|
||||
+ arr[127+i] = int(i)
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+// This loop should not be proved anything.
|
||||
+func smallUintUp(arr *[128]int) {
|
||||
+ for i := uint8(0); i <= uint8(250); i += uint8(10) {
|
||||
+ arr[i] = int(i)
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+// This loop should not be proved anything.
|
||||
+func smallUintDown(arr *[128]int) {
|
||||
+ for i := uint8(255); i >= uint8(0); i -= uint8(10) {
|
||||
+ arr[127+i] = int(i)
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
//go:noinline
|
||||
func useString(a string) {
|
||||
}
|
||||
--
|
||||
2.50.1
|
||||
|
||||
@@ -0,0 +1,125 @@
|
||||
From 72cc33629a3b26e68f6e6e5564618a1d763896f3 Mon Sep 17 00:00:00 2001
|
||||
From: Junyang Shao <shaojunyang@google.com>
|
||||
Date: Thu, 12 Mar 2026 21:36:33 +0000
|
||||
Subject: [PATCH] [release-branch.go1.25] cmd/compile: fix mem access overlap
|
||||
detection
|
||||
|
||||
When a no-op interface conversion is wrapped around the rhs of an
|
||||
assignment, the memory overlap detection logic in the compiler failed to
|
||||
peel down conversion to see the actual pointer, causing an incorrect
|
||||
no-overlapping determination.
|
||||
|
||||
Thanks to Jakub Ciolek for reporting this issue.
|
||||
|
||||
|
||||
Fixes #78371
|
||||
Fixes CVE-2026-27144
|
||||
|
||||
Change-Id: I55ff0806b099e1447bdbfba7fde6c6597db5d65c
|
||||
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3780
|
||||
Reviewed-by: Damien Neil <dneil@google.com>
|
||||
Reviewed-by: Neal Patel <nealpatel@google.com>
|
||||
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4002
|
||||
Reviewed-on: https://go-review.googlesource.com/c/go/+/763552
|
||||
Auto-Submit: Gopher Robot <gobot@golang.org>
|
||||
TryBot-Bypass: Gopher Robot <gobot@golang.org>
|
||||
Reviewed-by: Junyang Shao <shaojunyang@google.com>
|
||||
Reviewed-by: David Chase <drchase@google.com>
|
||||
|
||||
CVE: CVE-2026-27144
|
||||
Upstream-Status: Backport [https://github.com/golang/go/commit/72cc33629a3b26e68f6e6e5564618a1d763896f3]
|
||||
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
|
||||
---
|
||||
src/cmd/compile/internal/ssagen/ssa.go | 20 ++++++---
|
||||
.../compile/internal/test/memoverlap_test.go | 41 +++++++++++++++++++
|
||||
2 files changed, 55 insertions(+), 6 deletions(-)
|
||||
create mode 100644 src/cmd/compile/internal/test/memoverlap_test.go
|
||||
|
||||
diff --git a/src/cmd/compile/internal/ssagen/ssa.go b/src/cmd/compile/internal/ssagen/ssa.go
|
||||
index c794d6f..0214621 100644
|
||||
--- a/src/cmd/compile/internal/ssagen/ssa.go
|
||||
+++ b/src/cmd/compile/internal/ssagen/ssa.go
|
||||
@@ -1427,6 +1427,16 @@ func (s *state) stmtList(l ir.Nodes) {
|
||||
}
|
||||
}
|
||||
|
||||
+func peelConvNop(n ir.Node) ir.Node {
|
||||
+ if n == nil {
|
||||
+ return n
|
||||
+ }
|
||||
+ for n.Op() == ir.OCONVNOP {
|
||||
+ n = n.(*ir.ConvExpr).X
|
||||
+ }
|
||||
+ return n
|
||||
+}
|
||||
+
|
||||
// stmt converts the statement n to SSA and adds it to s.
|
||||
func (s *state) stmt(n ir.Node) {
|
||||
s.pushLine(n.Pos())
|
||||
@@ -1598,12 +1608,10 @@ func (s *state) stmt(n ir.Node) {
|
||||
// arrays referenced are strictly smaller parts of the same base array.
|
||||
// If one side of the assignment is a full array, then partial overlap
|
||||
// can't happen. (The arrays are either disjoint or identical.)
|
||||
- mayOverlap := n.X.Op() == ir.ODEREF && (n.Y != nil && n.Y.Op() == ir.ODEREF)
|
||||
- if n.Y != nil && n.Y.Op() == ir.ODEREF {
|
||||
- p := n.Y.(*ir.StarExpr).X
|
||||
- for p.Op() == ir.OCONVNOP {
|
||||
- p = p.(*ir.ConvExpr).X
|
||||
- }
|
||||
+ ny := peelConvNop(n.Y)
|
||||
+ mayOverlap := n.X.Op() == ir.ODEREF && (n.Y != nil && ny.Op() == ir.ODEREF)
|
||||
+ if ny != nil && ny.Op() == ir.ODEREF {
|
||||
+ p := peelConvNop(ny.(*ir.StarExpr).X)
|
||||
if p.Op() == ir.OSPTR && p.(*ir.UnaryExpr).X.Type().IsString() {
|
||||
// Pointer fields of strings point to unmodifiable memory.
|
||||
// That memory can't overlap with the memory being written.
|
||||
diff --git a/src/cmd/compile/internal/test/memoverlap_test.go b/src/cmd/compile/internal/test/memoverlap_test.go
|
||||
new file mode 100644
|
||||
index 0000000..c53288e
|
||||
--- /dev/null
|
||||
+++ b/src/cmd/compile/internal/test/memoverlap_test.go
|
||||
@@ -0,0 +1,41 @@
|
||||
+// Copyright 2026 The Go Authors. All rights reserved.
|
||||
+// Use of this source code is governed by a BSD-style
|
||||
+// license that can be found in the LICENSE file.
|
||||
+
|
||||
+package test
|
||||
+
|
||||
+import "testing"
|
||||
+
|
||||
+const arrFooSize = 96
|
||||
+
|
||||
+type arrFoo [arrFooSize]int
|
||||
+
|
||||
+//go:noinline
|
||||
+func badCopy(dst, src []int) {
|
||||
+ p := (*[arrFooSize]int)(dst[:arrFooSize])
|
||||
+ q := (*[arrFooSize]int)(src[:arrFooSize])
|
||||
+ *p = arrFoo(*q)
|
||||
+}
|
||||
+
|
||||
+//go:noinline
|
||||
+func goodCopy(dst, src []int) {
|
||||
+ p := (*[arrFooSize]int)(dst[:arrFooSize])
|
||||
+ q := (*[arrFooSize]int)(src[:arrFooSize])
|
||||
+ *p = *q
|
||||
+}
|
||||
+
|
||||
+func TestOverlapedMoveWithNoopIConv(t *testing.T) {
|
||||
+ h1 := make([]int, arrFooSize+1)
|
||||
+ h2 := make([]int, arrFooSize+1)
|
||||
+ for i := range arrFooSize + 1 {
|
||||
+ h1[i] = i
|
||||
+ h2[i] = i
|
||||
+ }
|
||||
+ badCopy(h1[1:], h1[:arrFooSize])
|
||||
+ goodCopy(h2[1:], h2[:arrFooSize])
|
||||
+ for i := range arrFooSize + 1 {
|
||||
+ if h1[i] != h2[i] {
|
||||
+ t.Errorf("h1 and h2 differ at index %d, expect them to be the same", i)
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
--
|
||||
2.50.1
|
||||
|
||||
Reference in New Issue
Block a user