On Sun, Apr 3, 2022, 6:23 PM Ranjitsinh Rathod < ranjitsinhrathod1...@gmail.com> wrote:
> Hi Steve, > > There is one commented out line present. Is that really needed? > Good catch! I'll remove that prior to the pull request. Steve > Thanks, > Ranjitsinh Rathod > > On Mon, 4 Apr, 2022, 8:01 am Steve Sakoman, <st...@sakoman.com> wrote: > >> From: Davide Gardenal <davidegarde2...@gmail.com> >> >> Patch taken from >> >> https://github.com/golang/go/commit/4548fcc8dfd933c237f29bba6f90040a85922564 >> from the following issue >> https://github.com/golang/go/issues/48797 >> >> Original repo >> https://go.googlesource.com/go/+/77f2750f4398990eed972186706f160631d7dae4 >> >> Signed-off-by: Davide Gardenal <davide.garde...@huawei.com> >> Signed-off-by: Steve Sakoman <st...@sakoman.com> >> --- >> meta/recipes-devtools/go/go-1.14.inc | 4 + >> .../go/go-1.14/CVE-2021-38297.patch | 97 +++++++++++++++++++ >> 2 files changed, 101 insertions(+) >> create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2021-38297.patch >> >> diff --git a/meta/recipes-devtools/go/go-1.14.inc >> b/meta/recipes-devtools/go/go-1.14.inc >> index 9b3c3b30a8..f98757d10d 100644 >> --- a/meta/recipes-devtools/go/go-1.14.inc >> +++ b/meta/recipes-devtools/go/go-1.14.inc >> @@ -19,9 +19,13 @@ SRC_URI += "\ >> file://CVE-2021-34558.patch \ >> file://CVE-2021-33196.patch \ >> file://CVE-2021-33197.patch \ >> + file://CVE-2021-38297.patch \ >> file://CVE-2022-23806.patch \ >> file://CVE-2022-23772.patch \ >> " >> + >> +# file://CVE-2021-38297.patch >> + >> SRC_URI_append_libc-musl = " >> file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" >> SRC_URI[main.sha256sum] = >> "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149" >> >> diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-38297.patch >> b/meta/recipes-devtools/go/go-1.14/CVE-2021-38297.patch >> new file mode 100644 >> index 0000000000..24ceabf808 >> --- /dev/null >> +++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-38297.patch 
>> @@ -0,0 +1,97 @@ >> +From 4548fcc8dfd933c237f29bba6f90040a85922564 Mon Sep 17 00:00:00 2001 >> +From: Michael Knyszek <mknys...@google.com> >> +Date: Thu, 2 Sep 2021 16:51:59 -0400 >> +Subject: [PATCH] [release-branch.go1.16] misc/wasm, cmd/link: do not let >> + command line args overwrite global data >> + >> +On Wasm, wasm_exec.js puts command line arguments at the beginning >> +of the linear memory (following the "zero page"). Currently there >> +is no limit for this, and a very long command line can overwrite >> +the program's data section. Prevent this by limiting the command >> +line to 4096 bytes, and in the linker ensuring the data section >> +starts at a high enough address (8192). >> + >> +(Arguably our address assignment on Wasm is a bit confusing. This >> +is the minimum fix I can come up with.) >> + >> +Thanks to Ben Lubar for reporting this issue. >> + >> +Change by Cherry Mui <cherr...@google.com>. >> + >> +For #48797 >> +Fixes #48799 >> +Fixes CVE-2021-38297 >> + >> +Change-Id: I0f50fbb2a5b6d0d047e3c134a88988d9133e4ab3 >> +Reviewed-on: >> https://team-review.git.corp.google.com/c/golang/go-private/+/1205933 >> +Reviewed-by >> <https://team-review.git.corp.google.com/c/golang/go-private/+/1205933+Reviewed-by>: >> Roland Shoemaker <bracew...@google.com> >> +Reviewed-by: Than McIntosh <th...@google.com> >> +Reviewed-on: https://go-review.googlesource.com/c/go/+/354591 >> +Trust: Michael Knyszek <mknys...@google.com> >> +Reviewed-by: Heschi Kreinick <hes...@google.com> >> + >> +CVE: CVE-2021-38297 >> + >> +Upstream-Status: Backport: >> + >> https://github.com/golang/go/commit/4548fcc8dfd933c237f29bba6f90040a85922564 >> + >> +Inline of ctxt.isWAsm followin this implemetation: >> + >> https://github.com/golang/go/blob/4548fcc8dfd933c237f29bba6f90040a85922564/src/cmd/link/internal/ld/target.go#L127 >> + >> +Signed-off-by: Davide Gardenal <davide.garde...@huawei.com> >> +--- >> + misc/wasm/wasm_exec.js | 7 +++++++ >> + src/cmd/link/internal/ld/data.go | 
11 ++++++++++- >> + 2 files changed, 17 insertions(+), 1 deletion(-) >> + >> +diff --git a/misc/wasm/wasm_exec.js b/misc/wasm/wasm_exec.js >> +index 82041e6bb901..a0a264278b1b 100644 >> +--- a/misc/wasm/wasm_exec.js >> ++++ b/misc/wasm/wasm_exec.js >> +@@ -564,6 +564,13 @@ >> + offset += 8; >> + }); >> + >> ++ // The linker guarantees global data starts from >> at least wasmMinDataAddr. >> ++ // Keep in sync with >> cmd/link/internal/ld/data.go:wasmMinDataAddr. >> ++ const wasmMinDataAddr = 4096 + 4096; >> ++ if (offset >= wasmMinDataAddr) { >> ++ throw new Error("command line too long"); >> ++ } >> ++ >> + this._inst.exports.run(argc, argv); >> + if (this.exited) { >> + this._resolveExitPromise(); >> +diff --git a/src/cmd/link/internal/ld/data.go >> b/src/cmd/link/internal/ld/data.go >> +index 52035e96301c..54a1d188cdb9 100644 >> +--- a/src/cmd/link/internal/ld/data.go >> ++++ b/src/cmd/link/internal/ld/data.go >> +@@ -2330,6 +2330,11 @@ func assignAddress(ctxt *Link, sect *sym.Section, >> n int, s loader.Sym, va uint64 >> + return sect, n, va >> + } >> + >> ++// On Wasm, we reserve 4096 bytes for zero page, then 4096 bytes for >> wasm_exec.js >> ++// to store command line args. Data sections starts from at least >> address 8192. >> ++// Keep in sync with wasm_exec.js. >> ++const wasmMinDataAddr = 4096 + 4096 >> ++ >> + // address assigns virtual addresses to all segments and sections and >> + // returns all segments in file order. 
>> + func (ctxt *Link) address() []*sym.Segment { >> +@@ -2339,10 +2344,14 @@ func (ctxt *Link) address() []*sym.Segment { >> + order = append(order, &Segtext) >> + Segtext.Rwx = 05 >> + Segtext.Vaddr = va >> +- for _, s := range Segtext.Sections { >> ++ for i, s := range Segtext.Sections { >> + va = uint64(Rnd(int64(va), int64(s.Align))) >> + s.Vaddr = va >> + va += s.Length >> ++ >> ++ if ctxt.Arch.Family == sys.Wasm && i == 0 && va < >> wasmMinDataAddr { >> ++ va = wasmMinDataAddr >> ++ } >> + } >> + >> + Segtext.Length = va - uint64(*FlagTextAddr) >> + >> \ No newline at end of file >> -- >> 2.25.1 >> >> >> >> >>
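Review bot: In the go-1.14.inc hunk, the `# file://CVE-2021-38297.patch` comment added after the closing quote of SRC_URI repeats the entry already added inside the list and has no effect. Drop it together with the two blank `+` lines around it, so that the hunk adds only the `file://CVE-2021-38297.patch \` line.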
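Review bot: In the header of the new CVE-2021-38297.patch, the tag is written as `Upstream-Status: Backport:` with the commit URL on a following line; the usual form puts the reference in brackets on the same line, as in `Upstream-Status: Backport [commit URL]`. The adaptation note "Inline of ctxt.isWAsm followin this implemetation" has typos and should also say that the patch, whose subject is tagged release-branch.go1.16, was adapted for the 1.14 tree. The file ends with "\ No newline at end of file", so add a trailing newline.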
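Review bot: In the wasm_exec.js hunk, `const wasmMinDataAddr = 4096 + 4096;` duplicates the Go constant of the same name in data.go, and the two are tied together only by "Keep in sync" comments. The diffstat lists no test file, so before merging it is worth running a js/wasm binary built with this recipe with an argument list longer than the limit and checking that it stops with "command line too long", which confirms that both halves of the fix are in effect on 1.14.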
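Review bot: In the second data.go hunk, the condition `ctxt.Arch.Family == sys.Wasm` depends on the `sys` package, and neither data.go hunk adds an import; confirm that data.go in the 1.14 tree already imports it, otherwise the linker will not build. The comment on `wasmMinDataAddr` also speaks of data sections, while the bump is applied inside the `Segtext.Sections` loop for `i == 0`; a short comment at the `if` explaining why raising `va` after the first text section keeps global data at or above 8192 would help, given that the commit message itself calls the address assignment confusing.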
View/Reply Online (#163982): https://lists.openembedded.org/g/openembedded-core/message/163982