1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-15 15:37:03 +00:00

go 1.22.12: fix CVE-2026-27143, CVE-2026-27144

Pick patch from [1] & [2] also mentioned at Debian report in [3] & [4]

[1] https://github.com/golang/go/commit/7d2dd3488cdfbddda14c18c455d3263df75a46fc
[2] https://github.com/golang/go/commit/72cc33629a3b26e68f6e6e5564618a1d763896f3
[3] https://security-tracker.debian.org/tracker/CVE-2026-27143
[4] https://security-tracker.debian.org/tracker/CVE-2026-27144

(From OE-Core rev: c4273fecc42ab643eea036651c79d968f0caaafd)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Hitendra Prajapati
2026-05-12 12:51:06 +05:30
committed by Paul Barker
parent 2abc87a006
commit 1e7d50296e
3 changed files with 292 additions and 0 deletions
+2
View File
@@ -43,6 +43,8 @@ SRC_URI += "\
file://CVE-2025-68121_p3.patch \
file://CVE-2026-27140.patch \
file://CVE-2026-27142.patch \
file://CVE-2026-27143.patch \
file://CVE-2026-27144.patch \
file://CVE-2026-32280.patch \
file://CVE-2026-32283.patch \
file://CVE-2026-32289.patch \
@@ -0,0 +1,165 @@
From 7d2dd3488cdfbddda14c18c455d3263df75a46fc Mon Sep 17 00:00:00 2001
From: Junyang Shao <shaojunyang@google.com>
Date: Fri, 6 Mar 2026 00:03:45 +0000
Subject: [PATCH] [release-branch.go1.25] cmd/compile: fix loopbce overflow
check logic
addWillOverflow and subWillOverflow has an implicit assumption that y is
positive, using it outside of addU and subU is really incorrect. This CL
fixes those incorrect usage to use the correct logic in place.
Thanks to Jakub Ciolek for reporting this issue.
Fixes #78333
Fixes CVE-2026-27143
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3700
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
Change-Id: I263e8e7ac227e2a68109eb7bbd45f66569ed22ec
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3987
Commit-Queue: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/763553
Reviewed-by: David Chase <drchase@google.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
CVE: CVE-2026-27143
Upstream-Status: Backport [https://github.com/golang/go/commit/7d2dd3488cdfbddda14c18c455d3263df75a46fc]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
src/cmd/compile/internal/ssa/loopbce.go | 36 +++++++++++++++++--------
test/loopbce.go | 28 +++++++++++++++++++
2 files changed, 53 insertions(+), 11 deletions(-)
diff --git a/src/cmd/compile/internal/ssa/loopbce.go b/src/cmd/compile/internal/ssa/loopbce.go
index dd1f39d..1b3e567 100644
--- a/src/cmd/compile/internal/ssa/loopbce.go
+++ b/src/cmd/compile/internal/ssa/loopbce.go
@@ -204,9 +204,11 @@ func findIndVar(f *Func) []indVar {
if init.AuxInt > v {
return false
}
+ // TODO(1.27): investigate passing a smaller-magnitude overflow limit to addU
+ // for addWillOverflow.
v = addU(init.AuxInt, diff(v, init.AuxInt)/uint64(step)*uint64(step))
}
- if addWillOverflow(v, step) {
+ if addWillOverflow(v, step, maxSignedValue(ind.Type)) {
return false
}
if inclusive && v != limit.AuxInt || !inclusive && v+1 != limit.AuxInt {
@@ -235,7 +237,7 @@ func findIndVar(f *Func) []indVar {
// ind < knn - k cannot overflow if step is at most k+1
return step <= k+1 && k != maxSignedValue(limit.Type)
} else { // step < 0
- if limit.Op == OpConst64 {
+ if limit.isGenericIntConst() {
// Figure out the actual smallest value.
v := limit.AuxInt
if !inclusive {
@@ -249,9 +251,11 @@ func findIndVar(f *Func) []indVar {
if init.AuxInt < v {
return false
}
+ // TODO(1.27): investigate passing a smaller-magnitude underflow limit to subU
+ // for subWillUnderflow.
v = subU(init.AuxInt, diff(init.AuxInt, v)/uint64(-step)*uint64(-step))
}
- if subWillUnderflow(v, -step) {
+ if subWillUnderflow(v, -step, minSignedValue(ind.Type)) {
return false
}
if inclusive && v != limit.AuxInt || !inclusive && v-1 != limit.AuxInt {
@@ -313,14 +317,22 @@ func findIndVar(f *Func) []indVar {
return iv
}
-// addWillOverflow reports whether x+y would result in a value more than maxint.
-func addWillOverflow(x, y int64) bool {
- return x+y < x
+// subWillUnderflow checks if x - y underflows the min value.
+// y must be positive.
+func subWillUnderflow(x, y int64, min int64) bool {
+ if y < 0 {
+ base.Fatalf("expecting positive value")
+ }
+ return x < min+y
}
-// subWillUnderflow reports whether x-y would result in a value less than minint.
-func subWillUnderflow(x, y int64) bool {
- return x-y > x
+// addWillOverflow checks if x + y overflows the max value.
+// y must be positive.
+func addWillOverflow(x, y int64, max int64) bool {
+ if y < 0 {
+ base.Fatalf("expecting positive value")
+ }
+ return x > max-y
}
// diff returns x-y as a uint64. Requires x>=y.
@@ -341,7 +353,8 @@ func addU(x int64, y uint64) int64 {
x += 1
y -= 1 << 63
}
- if addWillOverflow(x, int64(y)) {
+ // TODO(1.27): investigate passing a smaller-magnitude overflow limit in here.
+ if addWillOverflow(x, int64(y), maxSignedValue(types.Types[types.TINT64])) {
base.Fatalf("addU overflowed %d + %d", x, y)
}
return x + int64(y)
@@ -357,7 +370,8 @@ func subU(x int64, y uint64) int64 {
x -= 1
y -= 1 << 63
}
- if subWillUnderflow(x, int64(y)) {
+ // TODO(1.27): investigate passing a smaller-magnitude underflow limit in here.
+ if subWillUnderflow(x, int64(y), minSignedValue(types.Types[types.TINT64])) {
base.Fatalf("subU underflowed %d - %d", x, y)
}
return x - int64(y)
diff --git a/test/loopbce.go b/test/loopbce.go
index 04c186b..a4b101b 100644
--- a/test/loopbce.go
+++ b/test/loopbce.go
@@ -466,6 +466,34 @@ func stride2(x *[7]int) int {
return s
}
+// This loop should not be proved anything.
+func smallIntUp(arr *[128]int) {
+ for i := int8(0); i <= int8(120); i += int8(10) {
+ arr[i] = int(i)
+ }
+}
+
+// This loop should not be proved anything.
+func smallIntDown(arr *[128]int) {
+ for i := int8(0); i >= int8(-120); i -= int8(10) {
+ arr[127+i] = int(i)
+ }
+}
+
+// This loop should not be proved anything.
+func smallUintUp(arr *[128]int) {
+ for i := uint8(0); i <= uint8(250); i += uint8(10) {
+ arr[i] = int(i)
+ }
+}
+
+// This loop should not be proved anything.
+func smallUintDown(arr *[128]int) {
+ for i := uint8(255); i >= uint8(0); i -= uint8(10) {
+ arr[127+i] = int(i)
+ }
+}
+
//go:noinline
func useString(a string) {
}
--
2.50.1
@@ -0,0 +1,125 @@
From 72cc33629a3b26e68f6e6e5564618a1d763896f3 Mon Sep 17 00:00:00 2001
From: Junyang Shao <shaojunyang@google.com>
Date: Thu, 12 Mar 2026 21:36:33 +0000
Subject: [PATCH] [release-branch.go1.25] cmd/compile: fix mem access overlap
detection
When a no-op interface conversion is wrapped around the rhs of an
assignment, the memory overlap detection logic in the compiler failed to
peel down conversion to see the actual pointer, causing an incorrect
no-overlapping determination.
Thanks to Jakub Ciolek for reporting this issue.
Fixes #78371
Fixes CVE-2026-27144
Change-Id: I55ff0806b099e1447bdbfba7fde6c6597db5d65c
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3780
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4002
Reviewed-on: https://go-review.googlesource.com/c/go/+/763552
Auto-Submit: Gopher Robot <gobot@golang.org>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Reviewed-by: David Chase <drchase@google.com>
CVE: CVE-2026-27144
Upstream-Status: Backport [https://github.com/golang/go/commit/72cc33629a3b26e68f6e6e5564618a1d763896f3]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
src/cmd/compile/internal/ssagen/ssa.go | 20 ++++++---
.../compile/internal/test/memoverlap_test.go | 41 +++++++++++++++++++
2 files changed, 55 insertions(+), 6 deletions(-)
create mode 100644 src/cmd/compile/internal/test/memoverlap_test.go
diff --git a/src/cmd/compile/internal/ssagen/ssa.go b/src/cmd/compile/internal/ssagen/ssa.go
index c794d6f..0214621 100644
--- a/src/cmd/compile/internal/ssagen/ssa.go
+++ b/src/cmd/compile/internal/ssagen/ssa.go
@@ -1427,6 +1427,16 @@ func (s *state) stmtList(l ir.Nodes) {
}
}
+func peelConvNop(n ir.Node) ir.Node {
+ if n == nil {
+ return n
+ }
+ for n.Op() == ir.OCONVNOP {
+ n = n.(*ir.ConvExpr).X
+ }
+ return n
+}
+
// stmt converts the statement n to SSA and adds it to s.
func (s *state) stmt(n ir.Node) {
s.pushLine(n.Pos())
@@ -1598,12 +1608,10 @@ func (s *state) stmt(n ir.Node) {
// arrays referenced are strictly smaller parts of the same base array.
// If one side of the assignment is a full array, then partial overlap
// can't happen. (The arrays are either disjoint or identical.)
- mayOverlap := n.X.Op() == ir.ODEREF && (n.Y != nil && n.Y.Op() == ir.ODEREF)
- if n.Y != nil && n.Y.Op() == ir.ODEREF {
- p := n.Y.(*ir.StarExpr).X
- for p.Op() == ir.OCONVNOP {
- p = p.(*ir.ConvExpr).X
- }
+ ny := peelConvNop(n.Y)
+ mayOverlap := n.X.Op() == ir.ODEREF && (n.Y != nil && ny.Op() == ir.ODEREF)
+ if ny != nil && ny.Op() == ir.ODEREF {
+ p := peelConvNop(ny.(*ir.StarExpr).X)
if p.Op() == ir.OSPTR && p.(*ir.UnaryExpr).X.Type().IsString() {
// Pointer fields of strings point to unmodifiable memory.
// That memory can't overlap with the memory being written.
diff --git a/src/cmd/compile/internal/test/memoverlap_test.go b/src/cmd/compile/internal/test/memoverlap_test.go
new file mode 100644
index 0000000..c53288e
--- /dev/null
+++ b/src/cmd/compile/internal/test/memoverlap_test.go
@@ -0,0 +1,41 @@
+// Copyright 2026 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package test
+
+import "testing"
+
+const arrFooSize = 96
+
+type arrFoo [arrFooSize]int
+
+//go:noinline
+func badCopy(dst, src []int) {
+ p := (*[arrFooSize]int)(dst[:arrFooSize])
+ q := (*[arrFooSize]int)(src[:arrFooSize])
+ *p = arrFoo(*q)
+}
+
+//go:noinline
+func goodCopy(dst, src []int) {
+ p := (*[arrFooSize]int)(dst[:arrFooSize])
+ q := (*[arrFooSize]int)(src[:arrFooSize])
+ *p = *q
+}
+
+func TestOverlapedMoveWithNoopIConv(t *testing.T) {
+ h1 := make([]int, arrFooSize+1)
+ h2 := make([]int, arrFooSize+1)
+ for i := range arrFooSize + 1 {
+ h1[i] = i
+ h2[i] = i
+ }
+ badCopy(h1[1:], h1[:arrFooSize])
+ goodCopy(h2[1:], h2[:arrFooSize])
+ for i := range arrFooSize + 1 {
+ if h1[i] != h2[i] {
+ t.Errorf("h1 and h2 differ at index %d, expect them to be the same", i)
+ }
+ }
+}
--
2.50.1