Skip to content

Commit

Permalink
go: backport patch fix for CVE-2021-38297
Browse files Browse the repository at this point in the history
Patch taken from
golang/go@4548fcc
from the following issue
golang/go#48797

Original repo
https://go.googlesource.com/go/+/77f2750f4398990eed972186706f160631d7dae4

(From OE-Core rev: e9e3c3969544d18f0da90a10156c40da84d5b549)

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  • Loading branch information
Tony3oo3 authored and rpurdie committed Apr 9, 2022
1 parent f80b586 commit 048094b
Show file tree
Hide file tree
Showing 2 changed files with 99 additions and 0 deletions.
2 changes: 2 additions & 0 deletions meta/recipes-devtools/go/go-1.14.inc
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,11 @@ SRC_URI += "\
file://CVE-2021-34558.patch \
file://CVE-2021-33196.patch \
file://CVE-2021-33197.patch \
file://CVE-2021-38297.patch \
file://CVE-2022-23806.patch \
file://CVE-2022-23772.patch \
"

SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149"

Expand Down
97 changes: 97 additions & 0 deletions meta/recipes-devtools/go/go-1.14/CVE-2021-38297.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
From 4548fcc8dfd933c237f29bba6f90040a85922564 Mon Sep 17 00:00:00 2001
From: Michael Knyszek <mknyszek@google.com>
Date: Thu, 2 Sep 2021 16:51:59 -0400
Subject: [PATCH] [release-branch.go1.16] misc/wasm, cmd/link: do not let
command line args overwrite global data

On Wasm, wasm_exec.js puts command line arguments at the beginning
of the linear memory (following the "zero page"). Currently there
is no limit for this, and a very long command line can overwrite
the program's data section. Prevent this by limiting the command
line to 4096 bytes, and in the linker ensuring the data section
starts at a high enough address (8192).

(Arguably our address assignment on Wasm is a bit confusing. This
is the minimum fix I can come up with.)

Thanks to Ben Lubar for reporting this issue.

Change by Cherry Mui <cherryyz@google.com>.

For #48797
Fixes #48799
Fixes CVE-2021-38297

Change-Id: I0f50fbb2a5b6d0d047e3c134a88988d9133e4ab3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1205933
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/354591
Trust: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Heschi Kreinick <heschi@google.com>

CVE: CVE-2021-38297

Upstream-Status: Backport:
https://github.com/golang/go/commit/4548fcc8dfd933c237f29bba6f90040a85922564

Inline of ctxt.isWAsm followin this implemetation:
https://github.com/golang/go/blob/4548fcc8dfd933c237f29bba6f90040a85922564/src/cmd/link/internal/ld/target.go#L127

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
---
misc/wasm/wasm_exec.js | 7 +++++++
src/cmd/link/internal/ld/data.go | 11 ++++++++++-
2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/misc/wasm/wasm_exec.js b/misc/wasm/wasm_exec.js
index 82041e6bb901..a0a264278b1b 100644
--- a/misc/wasm/wasm_exec.js
+++ b/misc/wasm/wasm_exec.js
@@ -564,6 +564,13 @@
offset += 8;
});

+ // The linker guarantees global data starts from at least wasmMinDataAddr.
+ // Keep in sync with cmd/link/internal/ld/data.go:wasmMinDataAddr.
+ const wasmMinDataAddr = 4096 + 4096;
+ if (offset >= wasmMinDataAddr) {
+ throw new Error("command line too long");
+ }
+
this._inst.exports.run(argc, argv);
if (this.exited) {
this._resolveExitPromise();
diff --git a/src/cmd/link/internal/ld/data.go b/src/cmd/link/internal/ld/data.go
index 52035e96301c..54a1d188cdb9 100644
--- a/src/cmd/link/internal/ld/data.go
+++ b/src/cmd/link/internal/ld/data.go
@@ -2330,6 +2330,11 @@ func assignAddress(ctxt *Link, sect *sym.Section, n int, s loader.Sym, va uint64
return sect, n, va
}

+// On Wasm, we reserve 4096 bytes for zero page, then 4096 bytes for wasm_exec.js
+// to store command line args. Data sections starts from at least address 8192.
+// Keep in sync with wasm_exec.js.
+const wasmMinDataAddr = 4096 + 4096
+
// address assigns virtual addresses to all segments and sections and
// returns all segments in file order.
func (ctxt *Link) address() []*sym.Segment {
@@ -2339,10 +2344,14 @@ func (ctxt *Link) address() []*sym.Segment {
order = append(order, &Segtext)
Segtext.Rwx = 05
Segtext.Vaddr = va
- for _, s := range Segtext.Sections {
+ for i, s := range Segtext.Sections {
va = uint64(Rnd(int64(va), int64(s.Align)))
s.Vaddr = va
va += s.Length
+
+ if ctxt.Arch.Family == sys.Wasm && i == 0 && va < wasmMinDataAddr {
+ va = wasmMinDataAddr
+ }
}

Segtext.Length = va - uint64(*FlagTextAddr)

0 comments on commit 048094b

Please sign in to comment.