math/big: prevent large memory consumption in Rat.SetString An attacker can cause unbounded memory growth in a program using (*Rat).SetString due to an unhandled overflow.
Upstream-Status: Backport [https://go.dev/issue/50699] CVE: CVE-2022-23772 Signed-off-by:Minjae Kim <flower...@gmail.com> --- meta/recipes-devtools/go/go-1.14.inc | 1 + .../go/go-1.14/CVE-2022-23772.patch | 50 +++++++++++++++++++ 2 files changed, 51 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index fcb316e09e..9b3c3b30a8 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -20,6 +20,7 @@ SRC_URI += "\ file://CVE-2021-33196.patch \ file://CVE-2021-33197.patch \ file://CVE-2022-23806.patch \ + file://CVE-2022-23772.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149" diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch new file mode 100644 index 0000000000..f0daee3624 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch @@ -0,0 +1,50 @@ +From 70882eedccac803ddcf1c3215e0ae8fd59847e39 Mon Sep 17 00:00:00 2001 +From: Katie Hockman <ka...@golang.org> +Date: Sat, 26 Feb 2022 20:03:38 +0000 +Subject: [PATCH] [release-branch.go1.16] math/big: prevent overflow in + (*Rat).SetString + +Credit to rsc@ for the original patch. + +Thanks to the OSS-Fuzz project for discovering this +issue and to Emmanuel Odeke (@odeke_et) for reporting it. + +Updates #50699 +Fixes #50700 +Fixes CVE-2022-23772 +--- + src/math/big/ratconv.go | 5 +++++ + src/math/big/ratconv_test.go | 1 + + 2 files changed, 6 insertions(+) + +diff --git a/src/math/big/ratconv.go b/src/math/big/ratconv.go +index 941139e..e8cbdbe 100644 +--- a/src/math/big/ratconv.go ++++ b/src/math/big/ratconv.go +@@ -168,6 +168,11 @@ func (z *Rat) SetString(s string) (*Rat, bool) { + n := exp5 + if n < 0 { + n = -n ++ if n < 0 { ++ // This can occur if -n overflows. -(-1 << 63) would become ++ // -1 << 63, which is still negative. ++ return nil, false ++ } + } + pow5 := z.b.abs.expNN(natFive, nat(nil).setWord(Word(n)), nil) // use underlying array of z.b.abs + if exp5 > 0 { +diff --git a/src/math/big/ratconv_test.go b/src/math/big/ratconv_test.go +index ba0d1ba..b820df4 100644 +--- a/src/math/big/ratconv_test.go ++++ b/src/math/big/ratconv_test.go +@@ -104,6 +104,7 @@ var setStringTests = []StringTest{ + {in: "4/3/"}, + {in: "4/3."}, + {in: "4/"}, ++ {in: "13e-9223372036854775808"}, // CVE-2022-23772 + + // valid + {"0", "0", true}, +-- +2.17.1 + -- 2.17.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#162431): https://lists.openembedded.org/g/openembedded-core/message/162431 Mute This Topic: https://lists.openembedded.org/mt/89417665/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
