From 857976252e795a6e78e6ef7e265919eaa8ee0f3b Mon Sep 17 00:00:00 2001 From: Archana Ravindar Date: Tue, 30 Jan 2024 22:07:23 +0530 Subject: [PATCH 1/2] Backport of fix https://go-review.googlesource.com/c/go/+/533215/ to Go1.18 (CVE-2023-39323) --- misc/cgo/errors/errors_test.go | 1 + misc/cgo/errors/testdata/err5.go | 7 +++++++ src/cmd/compile/internal/noder/noder.go | 8 +++++++- 3 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 misc/cgo/errors/testdata/err5.go diff --git a/misc/cgo/errors/errors_test.go b/misc/cgo/errors/errors_test.go index e90ed1e058d..c1a57ecf390 100644 --- a/misc/cgo/errors/errors_test.go +++ b/misc/cgo/errors/errors_test.go @@ -106,6 +106,7 @@ func TestReportsTypeErrors(t *testing.T) { for _, file := range []string{ "err1.go", "err2.go", + "err5.go", "issue11097a.go", "issue11097b.go", "issue18452.go", diff --git a/misc/cgo/errors/testdata/err5.go b/misc/cgo/errors/testdata/err5.go new file mode 100644 index 00000000000..573ebe34da7 --- /dev/null +++ b/misc/cgo/errors/testdata/err5.go @@ -0,0 +1,7 @@ +// Copyright 2023 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. +package main +//line /tmp/_cgo_.go:1 +//go:cgo_dynamic_linker "/elf/interp" // ERROR HERE: only allowed in cgo-generated code +func main() {} diff --git a/src/cmd/compile/internal/noder/noder.go b/src/cmd/compile/internal/noder/noder.go index 17ec87788a6..433ecf1218a 100644 --- a/src/cmd/compile/internal/noder/noder.go +++ b/src/cmd/compile/internal/noder/noder.go @@ -1735,8 +1735,14 @@ func (p *noder) pragma(pos syntax.Pos, blankLine bool, text string, old syntax.P // contain cgo directives, and for security reasons // (primarily misuse of linker flags), other files are not. // See golang.org/issue/23672. +// Note that cmd/go ignores files whose names start with underscore, +// so the only _cgo_ files we will see from cmd/go are generated by cgo. +// It's easy to bypass this check by calling the compiler directly; +// we only protect against uses by cmd/go. func isCgoGeneratedFile(pos syntax.Pos) bool { - return strings.HasPrefix(filepath.Base(trimFilename(pos.Base())), "_cgo_") + // We need the absolute file, independent of //line directives, + // so we call pos.Base().Pos(). + return strings.HasPrefix(filepath.Base(trimFilename(pos.Base().Pos().Base())), "_cgo_") } // safeArg reports whether arg is a "safe" command-line argument, From e4385abd244d214cf35a95f900c3254df6df68e4 Mon Sep 17 00:00:00 2001 From: Archana Ravindar Date: Tue, 6 Feb 2024 15:43:41 +0530 Subject: [PATCH 2/2] skip overlong message test to avoid CI failures --- src/crypto/rsa/pkcs1v15_test.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go index a4f2e2dbbe4..4ba6504d3c7 100644 --- a/src/crypto/rsa/pkcs1v15_test.go +++ b/src/crypto/rsa/pkcs1v15_test.go @@ -188,7 +188,7 @@ type signPKCS1v15Test struct { // Test vector for testRSA2048PrivateKey // generated with `openssl pkeyutl -rawin -digest sha256 -sign -inkey ` - var signPKCS1v15Tests = []signPKCS1v15Test{ +var signPKCS1v15Tests = []signPKCS1v15Test{ {"Test.\n", "467c3c8f16223ba09aecfe44488d6b34b3f91f11379949b1d8af31636ee8b3aa51eebb96ee11678323cb1f909af17c9d0fe4b6012078af8120474474efd1bb51765e1647369ddba6525c6608113857bb0e2aaed9ad01fe041b476b162f7d4db55bb31fa957046616ce463cecb2a66f38fa62c594d07afcc870582d545853b31fa705ab8565e4085804c32e73459720bf4e08f097843b0845116d4376231fa2472abc89b1e42462002bf70f9a1df31db6d2ab6dc52c8223798a4f57c40d6a9123b80739846d779044eac28d8c783e8ce73919f1d4a6efe8fb601b8d36c5c9b61654d6f8717d1fb9fcafa19669200900899dd08ce921a1745312eb06040a405903"}, } @@ -237,6 +237,10 @@ func TestHashVerifyPKCS1v15(t *testing.T) { } func TestOverlongMessagePKCS1v15(t *testing.T) { + // OpenSSL now returns a random string instead of an error + if boring.Enabled() { + t.Skip("Not relevant in boring mode") + } ciphertext := decodeBase64("fjOVdirUzFoLlukv80dBllMLjXythIf22feqPrNo0YoIjzyzyoMFiLjAc/Y4krkeZ11XFThIrEvw\nkRiZcCq5ng==") _, err := DecryptPKCS1v15(nil, rsaPrivateKey, ciphertext) if err == nil {