[AUTO-CHERRYPICK] Patch golang-1.18 for CVE-2024-34158 [HIGH] - branch main (#13494)

CBL-Mariner-Bot · kgodara912 · web-flow · commit 4ef16b439f88 · 2025-04-21T15:36:21.000-04:00
Co-authored-by: kgodara912 &lt;kshigodara@outlook.com&gt;
diff --git a/SPECS/golang/CVE-2024-34158.patch b/SPECS/golang/CVE-2024-34158.patch
@@ -0,0 +1,198 @@
+From d4c53812e6ce2ac368173d7fcd31d0ecfcffb002 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 20 Jun 2024 10:45:30 -0700
+Subject: [PATCH] [release-branch.go1.22] go/build/constraint: add parsing
+ limits
+
+Limit the size of build constraints that we will parse. This prevents a
+number of stack exhaustions that can be hit when parsing overly complex
+constraints. The imposed limits are unlikely to ever be hit in real
+world usage.
+
+Updates #69141
+Fixes #69148
+Fixes CVE-2024-34158
+
+Change-Id: I38b614bf04caa36eefc6a4350d848588c4cef3c4
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1540
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Russ Cox <rsc@google.com>
+(cherry picked from commit 0c74dc9e0da0cf1e12494b514d822b5bebbc9f04)
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1582
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/611183
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Michael Pratt <mpratt@google.com>
+TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
+---
+ src/go/build/constraint/expr.go      | 28 ++++++++++--
+ src/go/build/constraint/expr_test.go | 65 +++++++++++++++++++++++++++-
+ 2 files changed, 89 insertions(+), 4 deletions(-)
+
+diff --git a/src/go/build/constraint/expr.go b/src/go/build/constraint/expr.go
+index e59012361bef6d..0f05f8db6a48cb 100644
+--- a/src/go/build/constraint/expr.go
++++ b/src/go/build/constraint/expr.go
+@@ -16,6 +16,10 @@ import (
+ 	"unicode/utf8"
+ )
+ 
++// maxSize is a limit used to control the complexity of expressions, in order
++// to prevent stack exhaustion issues due to recursion.
++const maxSize = 1000
++
+ // An Expr is a build tag constraint expression.
+ // The underlying concrete type is *[AndExpr], *[OrExpr], *[NotExpr], or *[TagExpr].
+ type Expr interface {
+@@ -151,7 +155,7 @@ func Parse(line string) (Expr, error) {
+ 		return parseExpr(text)
+ 	}
+ 	if text, ok := splitPlusBuild(line); ok {
+-		return parsePlusBuildExpr(text), nil
++		return parsePlusBuildExpr(text)
+ 	}
+ 	return nil, errNotConstraint
+ }
+@@ -201,6 +205,8 @@ type exprParser struct {
+ 	tok   string // last token read
+ 	isTag bool
+ 	pos   int // position (start) of last token
++
++	size int
+ }
+ 
+ // parseExpr parses a boolean build tag expression.
+@@ -249,6 +255,10 @@ func (p *exprParser) and() Expr {
+ // On entry, the next input token has not yet been lexed.
+ // On exit, the next input token has been lexed and is in p.tok.
+ func (p *exprParser) not() Expr {
++	p.size++
++	if p.size > maxSize {
++		panic(&SyntaxError{Offset: p.pos, Err: "build expression too large"})
++	}
+ 	p.lex()
+ 	if p.tok == "!" {
+ 		p.lex()
+@@ -388,7 +398,13 @@ func splitPlusBuild(line string) (expr string, ok bool) {
+ }
+ 
+ // parsePlusBuildExpr parses a legacy build tag expression (as used with “// +build”).
+-func parsePlusBuildExpr(text string) Expr {
++func parsePlusBuildExpr(text string) (Expr, error) {
++	// Only allow up to 100 AND/OR operators for "old" syntax.
++	// This is much less than the limit for "new" syntax,
++	// but uses of old syntax were always very simple.
++	const maxOldSize = 100
++	size := 0
++
+ 	var x Expr
+ 	for _, clause := range strings.Fields(text) {
+ 		var y Expr
+@@ -414,19 +430,25 @@ func parsePlusBuildExpr(text string) Expr {
+ 			if y == nil {
+ 				y = z
+ 			} else {
++				if size++; size > maxOldSize {
++					return nil, errComplex
++				}
+ 				y = and(y, z)
+ 			}
+ 		}
+ 		if x == nil {
+ 			x = y
+ 		} else {
++			if size++; size > maxOldSize {
++				return nil, errComplex
++			}
+ 			x = or(x, y)
+ 		}
+ 	}
+ 	if x == nil {
+ 		x = tag("ignore")
+ 	}
+-	return x
++	return x, nil
+ }
+ 
+ // isValidTag reports whether the word is a valid build tag.
+diff --git a/src/go/build/constraint/expr_test.go b/src/go/build/constraint/expr_test.go
+index 15d189012efb7d..ac38ba69294930 100644
+--- a/src/go/build/constraint/expr_test.go
++++ b/src/go/build/constraint/expr_test.go
+@@ -222,7 +222,7 @@ var parsePlusBuildExprTests = []struct {
+ func TestParsePlusBuildExpr(t *testing.T) {
+ 	for i, tt := range parsePlusBuildExprTests {
+ 		t.Run(fmt.Sprint(i), func(t *testing.T) {
+-			x := parsePlusBuildExpr(tt.in)
++			x, _ := parsePlusBuildExpr(tt.in)
+ 			if x.String() != tt.x.String() {
+ 				t.Errorf("parsePlusBuildExpr(%q):\nhave %v\nwant %v", tt.in, x, tt.x)
+ 			}
+@@ -319,3 +319,66 @@ func TestPlusBuildLines(t *testing.T) {
+ 		})
+ 	}
+ }
++
++func TestSizeLimits(t *testing.T) {
++	for _, tc := range []struct {
++		name string
++		expr string
++	}{
++		{
++			name: "go:build or limit",
++			expr: "//go:build " + strings.Repeat("a || ", maxSize+2),
++		},
++		{
++			name: "go:build and limit",
++			expr: "//go:build " + strings.Repeat("a && ", maxSize+2),
++		},
++		{
++			name: "go:build and depth limit",
++			expr: "//go:build " + strings.Repeat("(a &&", maxSize+2),
++		},
++		{
++			name: "go:build or depth limit",
++			expr: "//go:build " + strings.Repeat("(a ||", maxSize+2),
++		},
++	} {
++		t.Run(tc.name, func(t *testing.T) {
++			_, err := Parse(tc.expr)
++			if err == nil {
++				t.Error("expression did not trigger limit")
++			} else if syntaxErr, ok := err.(*SyntaxError); !ok || syntaxErr.Err != "build expression too large" {
++				if !ok {
++					t.Errorf("unexpected error: %v", err)
++				} else {
++					t.Errorf("unexpected syntax error: %s", syntaxErr.Err)
++				}
++			}
++		})
++	}
++}
++
++func TestPlusSizeLimits(t *testing.T) {
++	maxOldSize := 100
++	for _, tc := range []struct {
++		name string
++		expr string
++	}{
++		{
++			name: "+build or limit",
++			expr: "// +build " + strings.Repeat("a ", maxOldSize+2),
++		},
++		{
++			name: "+build and limit",
++			expr: "// +build " + strings.Repeat("a,", maxOldSize+2),
++		},
++	} {
++		t.Run(tc.name, func(t *testing.T) {
++			_, err := Parse(tc.expr)
++			if err == nil {
++				t.Error("expression did not trigger limit")
++			} else if err != errComplex {
++				t.Errorf("unexpected error: got %q, want %q", err, errComplex)
++			}
++		})
++	}
++}
diff --git a/SPECS/golang/golang-1.18.spec b/SPECS/golang/golang-1.18.spec
@@ -13,7 +13,7 @@
 Summary:        Go
 Name:           golang
 Version:        1.18.8
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -27,6 +27,7 @@ Patch1:         CVE-2022-41717.patch
 # CVE-2024-24790 is fixed in 1.18.8
 Patch2:         CVE-2024-24790.patch
 Patch3:         CVE-2024-45341.patch
+Patch4:         CVE-2024-34158.patch
 Obsoletes:      %{name} < %{version}
 Provides:       %{name} = %{version}
 Provides:       go = %{version}-%{release}
@@ -46,6 +47,8 @@ mv -v go go-bootstrap
 patch -Np1 --ignore-whitespace < %{PATCH1}
 patch -Np1 --ignore-whitespace < %{PATCH2}
 patch -Np1 --ignore-whitespace < %{PATCH3}
+patch -Np1 --ignore-whitespace < %{PATCH4}
+
 %build
 # Build go 1.4 bootstrap
 pushd %{_topdir}/BUILD/go-bootstrap/src
@@ -125,6 +128,9 @@ fi
 %{_bindir}/*
 
 %changelog
+* Fri Apr 18 2025 Kshitiz Godara <kgodara@microsoft.com> - 1.18.8-6
+- Address CVE-2024-34158 using an upstream patch.
+
 * Tue Feb 04 2025 Kanishk bansal <kanbansal@microsoft.com> - 1.18.8-5
 - Address CVE-2024-45341 using an upstream patch.
 
