authorCoprDistGit <infra@openeuler.org>2024-09-12 04:14:35 +0000
committerCoprDistGit <infra@openeuler.org>2024-09-12 04:14:35 +0000
commitcbb4fb6db67dfd75da1130bd33efe52685cd8238 (patch)
tree259ebc34ead758c737f4a3d8e8f746b11c826921 /backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
parent5b4c1678ebbbc87fac1526b23bc008b5ba390201 (diff)
Diffstat (limited to 'backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch')
-rw-r--r--backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch133
1 files changed, 133 insertions, 0 deletions
diff --git a/backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch b/backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
new file mode 100644
index 0000000..b1c16a5
--- /dev/null
+++ b/backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
@@ -0,0 +1,133 @@
+From 7edadbad6c5ba7db3c4ab6925369096dedcf8e0b Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 25 Apr 2024 13:09:54 -0700
+Subject: [PATCH] [Backport] cmd/go: disallow -lto_library in LDFLAGS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Offering: Cloud Core Network
+CVE: CVE-2024-24787
+Reference: https://go-review.googlesource.com/c/go/+/583796
+
+The darwin linker allows setting the LTO library with the -lto_library
+flag. This wasn't caught by our "safe linker flags" check because it
+was covered by the -lx flag used for linking libraries. This change
+adds a specific check for excluded flags which otherwise satisfy our
+existing checks.
+
+Loading a mallicious LTO library would allow an attacker to cause the
+linker to execute abritrary code when "go build" was called.
+
+Thanks to Juho Forsén of Mattermost for reporting this issue.
+
+Fixes #67119
+Fixes #67122
+Fixes CVE-2024-24787
+
+Change-Id: I77ac8585efbdbdfd5f39c39ed623b9408a0f9eaf
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1380
+Reviewed-by: Russ Cox <rsc@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 9a79141fbbca1105e5c786f15e38741ca7843290)
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1420
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/583796
+Reviewed-by: David Chase <drchase@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Signed-off-by: Ma Chang Wang machangwang@huawei.com
+---
+ src/cmd/go/internal/work/security.go | 19 +++++++++++++++----
+ .../script/darwin_lto_library_ldflag.txt | 17 +++++++++++++++++
+ 2 files changed, 32 insertions(+), 4 deletions(-)
+ create mode 100644 src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
+
+diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
+index 270a34e9c7..db49eb6488 100644
+--- a/src/cmd/go/internal/work/security.go
++++ b/src/cmd/go/internal/work/security.go
+@@ -141,6 +141,12 @@ var validCompilerFlagsWithNextArg = []string{
+ "-x",
+ }
+
++var invalidLinkerFlags = []*lazyregexp.Regexp{
++ // On macOS this means the linker loads and executes the next argument.
++ // Have to exclude separately because -lfoo is allowed in general.
++ re(`-lto_library`),
++}
++
+ var validLinkerFlags = []*lazyregexp.Regexp{
+ re(`-F([^@\-].*)`),
+ re(`-l([^@\-].*)`),
+@@ -231,12 +237,12 @@ var validLinkerFlagsWithNextArg = []string{
+
+ func checkCompilerFlags(name, source string, list []string) error {
+ checkOverrides := true
+- return checkFlags(name, source, list, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides)
++ return checkFlags(name, source, list, nil, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides)
+ }
+
+ func checkLinkerFlags(name, source string, list []string) error {
+ checkOverrides := true
+- return checkFlags(name, source, list, validLinkerFlags, validLinkerFlagsWithNextArg, checkOverrides)
++ return checkFlags(name, source, list, invalidLinkerFlags, validLinkerFlags, validLinkerFlagsWithNextArg, checkOverrides)
+ }
+
+ // checkCompilerFlagsForInternalLink returns an error if 'list'
+@@ -245,7 +251,7 @@ func checkLinkerFlags(name, source string, list []string) error {
+ // external linker).
+ func checkCompilerFlagsForInternalLink(name, source string, list []string) error {
+ checkOverrides := false
+- if err := checkFlags(name, source, list, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides); err != nil {
++ if err := checkFlags(name, source, list, nil, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides); err != nil {
+ return err
+ }
+ // Currently the only flag on the allow list that causes problems
+@@ -258,7 +264,7 @@ func checkCompilerFlagsForInternalLink(name, source string, list []string) error
+ return nil
+ }
+
+-func checkFlags(name, source string, list []string, valid []*lazyregexp.Regexp, validNext []string, checkOverrides bool) error {
++func checkFlags(name, source string, list []string, invalid, valid []*lazyregexp.Regexp, validNext []string, checkOverrides bool) error {
+ // Let users override rules with $CGO_CFLAGS_ALLOW, $CGO_CFLAGS_DISALLOW, etc.
+ var (
+ allow *regexp.Regexp
+@@ -290,6 +296,11 @@ Args:
+ if allow != nil && allow.FindString(arg) == arg {
+ continue Args
+ }
++ for _, re := range invalid {
++ if re.FindString(arg) == arg { // must be complete match
++ goto Bad
++ }
++ }
+ for _, re := range valid {
+ if re.FindString(arg) == arg { // must be complete match
+ continue Args
+diff --git a/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
+new file mode 100644
+index 0000000000..d7acefdbad
+--- /dev/null
++++ b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
+@@ -0,0 +1,17 @@
++[!GOOS:darwin] skip
++[!cgo] skip
++
++! go build
++stderr 'invalid flag in #cgo LDFLAGS: -lto_library'
++
++-- go.mod --
++module ldflag
++
++-- main.go --
++package main
++
++// #cgo CFLAGS: -flto
++// #cgo LDFLAGS: -lto_library bad.dylib
++import "C"
++
++func main() {}
+\ No newline at end of file
+--
+2.33.0
+
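Review bot: The new deny-list loop in `checkFlags` sits after the user override (`if allow != nil && allow.FindString(arg) == arg { continue Args }`), so a `CGO_LDFLAGS_ALLOW` pattern broad enough to match `-lto_library` still lets the flag through, and nothing in the patch records whether that precedence is intended. I would extend the comment on `invalidLinkerFlags` with `// A matching $CGO_LDFLAGS_ALLOW pattern still takes precedence over this list.` and give `checkFlags` a doc comment saying that `invalid` is consulted before `valid`, that an entry must match the whole argument, and that `nil` (as passed by both compiler-flag callers) disables the check. The body of `checkFlags` starts and ends outside the inner hunks, so the `Bad` label and the code that builds `allow` are not visible here. Build environments that carry this backport and set a wide ALLOW regexp are worth auditing, since the fix presumably does not protect them.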