On Fri Mar 6, 2026 at 8:55 PM CET, Eduardo Ferreira via lists.openembedded.org wrote:
> From: Eduardo Ferreira <[email protected]>
>
> Commit 6a1ae4e79252f9a896faa702e4a8b3e27529a474 introduced a patch
> backporting a fix for CVE-2025-61726, but this patch also introduced
> a bug.
>
> From Go's source code[1], they say that the 'All' table from 'godebugs'
> should be populated alphabetically by Name. And 'Lookup'[2] function uses
> binary search to try and find the variable.
>
> Here's the trace:
> Mar 06 11:33:33 toradex-smarc-imx95-12594035 systemd[1]: Started Docker
> Application Container Engine.
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 2026/03/06
> 11:34:53 http: panic serving @: godebug: Value of name not listed in godeb
> ugs.All: urlmaxqueryparams
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: goroutine 78
> [running]:
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> net/http.(*conn).serve.func1()
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> net/http/server.go:1903 +0xb0
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> panic({0x55743e8740?, 0x4000b526c0?})
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> runtime/panic.go:770 +0x124
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End.deferwrap1()
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> go.opentelemetry.io/otel/[email protected]/trace/span.go:383 +0x2c
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End(0x40011b4a80, {0x0,
> 0x0, 0x40
> 006441c0?})
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> go.opentelemetry.io/otel/[email protected]/trace/span.go:421 +0x898
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> panic({0x55743e8740?, 0x4000b526c0?})
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> runtime/panic.go:770 +0x124
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> internal/godebug.(*Setting).Value.func1()
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> internal/godebug/godebug.go:141 +0xd8
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> sync.(*Once).doSlow(0x22?, 0x55748a9b60?)
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> sync/once.go:74 +0x100
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> sync.(*Once).Do(...)
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> sync/once.go:65
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> internal/godebug.(*Setting).Value(0x5575b21be0)
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> internal/godebug/godebug.go:138 +0x50
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> net/url.urlParamsWithinMax(0x1)
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> net/url/url.go:968 +0x3c
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> net/url.parseQuery(0x400069a630, {0x0, 0x0})
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> net/url/url.go:985 +0xdc
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> net/url.ParseQuery(...)
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> net/url/url.go:958
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> net/http.(*Request).ParseForm(0x4000bdab40)
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> net/http/request.go:1317 +0x33c
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> github.com/docker/docker/api/server/httputils.ParseForm(0x0?)
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:
> github.com/docker/docker/api/server/httputils/httputils.go:104 +0x20
>
> The 'Lookup' function was failing due to the wrong ordering and returning
> 'nil',
> which was not being checked properly and caused this issue.
>
> The fix was to just reorder the line where 'urlmaxqueryparams' is being
> added to respect the alphabetical ordering. And for that the whole CVE
> patch was generated again.
>
> This change was validated with docker-moby (original issue), where a container
> ran successfully and no traces in the logs.
>
> Fixes: 6a1ae4e792 ("go 1.22.12: Fix CVE-2025-61726.patch variable ordering")
>
> [1]
> https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L20
> [2]
> https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L100
>
> Signed-off-by: Eduardo Ferreira <[email protected]>
> ---

Hi Eduardo,

I suspect this commit is not for master but for the scarthgap branch, is that right?

In such cases, please remember to add the [scarthgap] tag in mail subject, you can find help about it here:
https://docs.yoctoproject.org/dev/contributor-guide/submit-changes.html#submitting-changes-to-stable-release-branches

Thanks,
Mathieu

--
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
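
Added example, not part of the thread and not code from Go or OpenEmbedded: a small Go reproduction of the failure the quoted commit message describes, where a binary-search lookup over a table that must be sorted by name returns nil for a row inserted out of order, together with an ordering check a patch reviewer or CI step could run. The `info` type, the `lookup` and `firstUnsorted` functions and the table contents are assumptions constructed for illustration.

```go
package main

import "fmt"

// info mirrors the shape of one row in a table that must stay sorted by Name.
type info struct{ Name string }

// lookup is a binary search by name. It is only correct on a sorted table:
// a row that is out of order can be skipped, and the caller gets nil.
func lookup(table []info, name string) *info {
	lo, hi := 0, len(table)
	for lo < hi {
		m := lo + (hi-lo)/2
		switch {
		case name == table[m].Name:
			return &table[m]
		case name < table[m].Name:
			hi = m
		default:
			lo = m + 1
		}
	}
	return nil
}

// firstUnsorted returns the index of the first row that does not sort strictly
// after its predecessor, or -1 when the whole table is in order.
func firstUnsorted(table []info) int {
	for i := 1; i < len(table); i++ {
		if table[i].Name <= table[i-1].Name {
			return i
		}
	}
	return -1
}

// Constructed sample tables; where the misplaced row sits is an assumption.
var broken = []info{{"tarinsecurepath"}, {"tlsmaxrsasize"}, {"x509sha1"},
	{"urlmaxqueryparams"}, {"zipinsecurepath"}}
var fixed = []info{{"tarinsecurepath"}, {"tlsmaxrsasize"},
	{"urlmaxqueryparams"}, {"x509sha1"}, {"zipinsecurepath"}}

func main() {
	for _, tbl := range [][]info{broken, fixed} {
		hit := lookup(tbl, "urlmaxqueryparams")
		fmt.Printf("found=%v firstUnsorted=%d\n", hit != nil, firstUnsorted(tbl))
	}
}
```

Only the misplaced row becomes unreachable in this sample; the rows around it still resolve, which is why a defect of this kind can pass a build and surface only when the affected code path runs.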
