[OE-core][dunfell 05/14] golang: CVE-2022-32189 a denial of service

Mon, 29 Aug 2022 14:03:01 -0700 

From: Hitendra Prajapati <hprajap...@mvista.com>

Source: https://github.com/golang/go
MR: 120634
Type: Security Fix
Disposition: Backport from 
https://github.com/golang/go/commit/703c8ab7e5ba75c95553d4e249309297abad7102
ChangeID: 3ade323dd52a6b654358f6738a0b3411ccc6d3f8
Description:
        CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types 
can panic if the encoded message is too short, potentially allowing a denial of 
service.

Signed-off-by: Hitendra Prajapati <hprajap...@mvista.com>
Signed-off-by: Steve Sakoman <st...@sakoman.com>
---
 meta/recipes-devtools/go/go-1.14.inc          |   1 +
 .../go/go-1.14/CVE-2022-32189.patch           | 113 ++++++++++++++++++
 2 files changed, 114 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-32189.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc 
b/meta/recipes-devtools/go/go-1.14.inc
index 7c32246012..1458a11b3f 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -31,6 +31,7 @@ SRC_URI += "\
     file://CVE-2022-30633.patch \
     file://CVE-2022-30635.patch \
     file://CVE-2022-32148.patch \
+    file://CVE-2022-32189.patch \
 "
 
 SRC_URI_append_libc-musl = " 
file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-32189.patch 
b/meta/recipes-devtools/go/go-1.14/CVE-2022-32189.patch
new file mode 100644
index 0000000000..15fda7de1b
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-32189.patch
@@ -0,0 +1,113 @@
+From 027e7e1578d3d7614f7586eff3894b83d9709e14 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajap...@mvista.com>
+Date: Mon, 29 Aug 2022 10:08:34 +0530
+Subject: [PATCH] CVE-2022-32189
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/703c8ab7e5ba75c95553d4e249309297abad7102]
+CVE: CVE-2022-32189
+Signed-off-by: Hitendra Prajapati <hprajap...@mvista.com>
+---
+ src/math/big/floatmarsh.go      |  7 +++++++
+ src/math/big/floatmarsh_test.go | 12 ++++++++++++
+ src/math/big/ratmarsh.go        |  6 ++++++
+ src/math/big/ratmarsh_test.go   | 12 ++++++++++++
+ 4 files changed, 37 insertions(+)
+
+diff --git a/src/math/big/floatmarsh.go b/src/math/big/floatmarsh.go
+index d1c1dab..990e085 100644
+--- a/src/math/big/floatmarsh.go
++++ b/src/math/big/floatmarsh.go
+@@ -8,6 +8,7 @@ package big
+ 
+ import (
+       "encoding/binary"
++      "errors"
+       "fmt"
+ )
+ 
+@@ -67,6 +68,9 @@ func (z *Float) GobDecode(buf []byte) error {
+               *z = Float{}
+               return nil
+       }
++      if len(buf) < 6 {
++              return errors.New("Float.GobDecode: buffer too small")
++      }
+ 
+       if buf[0] != floatGobVersion {
+               return fmt.Errorf("Float.GobDecode: encoding version %d not 
supported", buf[0])
+@@ -83,6 +87,9 @@ func (z *Float) GobDecode(buf []byte) error {
+       z.prec = binary.BigEndian.Uint32(buf[2:])
+ 
+       if z.form == finite {
++              if len(buf) < 10 {
++                      return errors.New("Float.GobDecode: buffer too small 
for finite form float")
++              }
+               z.exp = int32(binary.BigEndian.Uint32(buf[6:]))
+               z.mant = z.mant.setBytes(buf[10:])
+       }
+diff --git a/src/math/big/floatmarsh_test.go b/src/math/big/floatmarsh_test.go
+index c056d78..401f45a 100644
+--- a/src/math/big/floatmarsh_test.go
++++ b/src/math/big/floatmarsh_test.go
+@@ -137,3 +137,15 @@ func TestFloatJSONEncoding(t *testing.T) {
+               }
+       }
+ }
++
++func TestFloatGobDecodeShortBuffer(t *testing.T) {
++      for _, tc := range [][]byte{
++              []byte{0x1, 0x0, 0x0, 0x0},
++              []byte{0x1, 0xfa, 0x0, 0x0, 0x0, 0x0},
++      } {
++              err := NewFloat(0).GobDecode(tc)
++              if err == nil {
++                      t.Error("expected GobDecode to return error for 
malformed input")
++              }
++      }
++}
+diff --git a/src/math/big/ratmarsh.go b/src/math/big/ratmarsh.go
+index fbc7b60..56102e8 100644
+--- a/src/math/big/ratmarsh.go
++++ b/src/math/big/ratmarsh.go
+@@ -45,12 +45,18 @@ func (z *Rat) GobDecode(buf []byte) error {
+               *z = Rat{}
+               return nil
+       }
++      if len(buf) < 5 {
++              return errors.New("Rat.GobDecode: buffer too small")
++      }
+       b := buf[0]
+       if b>>1 != ratGobVersion {
+               return fmt.Errorf("Rat.GobDecode: encoding version %d not 
supported", b>>1)
+       }
+       const j = 1 + 4
+       i := j + binary.BigEndian.Uint32(buf[j-4:j])
++      if len(buf) < int(i) {
++              return errors.New("Rat.GobDecode: buffer too small")
++      }
+       z.a.neg = b&1 != 0
+       z.a.abs = z.a.abs.setBytes(buf[j:i])
+       z.b.abs = z.b.abs.setBytes(buf[i:])
+diff --git a/src/math/big/ratmarsh_test.go b/src/math/big/ratmarsh_test.go
+index 351d109..55a9878 100644
+--- a/src/math/big/ratmarsh_test.go
++++ b/src/math/big/ratmarsh_test.go
+@@ -123,3 +123,15 @@ func TestRatXMLEncoding(t *testing.T) {
+               }
+       }
+ }
++
++func TestRatGobDecodeShortBuffer(t *testing.T) {
++      for _, tc := range [][]byte{
++              []byte{0x2},
++              []byte{0x2, 0x0, 0x0, 0x0, 0xff},
++      } {
++              err := NewRat(1, 2).GobDecode(tc)
++              if err == nil {
++                      t.Error("expected GobDecode to return error for 
malformed input")
++              }
++      }
++}
+-- 
+2.25.1
+
-- 
2.25.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#170030): 
https://lists.openembedded.org/g/openembedded-core/message/170030
Mute This Topic: https://lists.openembedded.org/mt/93336004/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to