[scarthgap] go 1.22.12: fix CVE-2026-27143, CVE-2026-27144

Message ID	20260512072106.82626-1-hprajapati@mvista.com
State	New
Headers	show Return-Path: <hprajapati@mvista.com> ip: 74.125.82.47, mailfrom: hprajapati@mvista.com) From: Hitendra Prajapati <hprajapati@mvista.com> To: openembedded-core@lists.openembedded.org Cc: Hitendra Prajapati <hprajapati@mvista.com> Subject: [scarthgap][PATCH] go 1.22.12: fix CVE-2026-27143, CVE-2026-27144 Date: Tue, 12 May 2026 12:51:06 +0530 Message-ID: <20260512072106.82626-1-hprajapati@mvista.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[scarthgap] go 1.22.12: fix CVE-2026-27143, CVE-2026-27144 \| expand [scarthgap] go 1.22.12: fix CVE-2026-27143, CVE-2026-27144

diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 7ece9095ff..03437f0358 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -42,6 +42,8 @@ SRC_URI += "\ file://CVE-2025-68121_p2.patch \ file://CVE-2025-68121_p3.patch \ file://CVE-2026-27140.patch \ + file://CVE-2026-27143.patch \ + file://CVE-2026-27144.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-27143.patch b/meta/recipes-devtools/go/go/CVE-2026-27143.patch new file mode 100644 index 0000000000..99e7f7639e --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-27143.patch @@ -0,0 +1,165 @@ +From 7d2dd3488cdfbddda14c18c455d3263df75a46fc Mon Sep 17 00:00:00 2001 +From: Junyang Shao <shaojunyang@google.com> +Date: Fri, 6 Mar 2026 00:03:45 +0000 +Subject: [PATCH] [release-branch.go1.25] cmd/compile: fix loopbce overflow + check logic + +addWillOverflow and subWillOverflow has an implicit assumption that y is +positive, using it outside of addU and subU is really incorrect. This CL +fixes those incorrect usage to use the correct logic in place. + +Thanks to Jakub Ciolek for reporting this issue. + +Fixes #78333 +Fixes CVE-2026-27143 + +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3700 +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-by: Neal Patel <nealpatel@google.com> +Change-Id: I263e8e7ac227e2a68109eb7bbd45f66569ed22ec +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3987 +Commit-Queue: Damien Neil <dneil@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/763553 +Reviewed-by: David Chase <drchase@google.com> +Auto-Submit: Gopher Robot <gobot@golang.org> +TryBot-Bypass: Gopher Robot <gobot@golang.org> +Reviewed-by: Junyang Shao <shaojunyang@google.com> + +CVE: CVE-2026-27143 +Upstream-Status: Backport [https://github.com/golang/go/commit/7d2dd3488cdfbddda14c18c455d3263df75a46fc] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/cmd/compile/internal/ssa/loopbce.go | 36 +++++++++++++++++-------- + test/loopbce.go | 28 +++++++++++++++++++ + 2 files changed, 53 insertions(+), 11 deletions(-) + +diff --git a/src/cmd/compile/internal/ssa/loopbce.go b/src/cmd/compile/internal/ssa/loopbce.go +index dd1f39d..1b3e567 100644 +--- a/src/cmd/compile/internal/ssa/loopbce.go ++++ b/src/cmd/compile/internal/ssa/loopbce.go +@@ -204,9 +204,11 @@ func findIndVar(f *Func) []indVar { + if init.AuxInt > v { + return false + } ++ // TODO(1.27): investigate passing a smaller-magnitude overflow limit to addU ++ // for addWillOverflow. + v = addU(init.AuxInt, diff(v, init.AuxInt)/uint64(step)*uint64(step)) + } +- if addWillOverflow(v, step) { ++ if addWillOverflow(v, step, maxSignedValue(ind.Type)) { + return false + } + if inclusive && v != limit.AuxInt || !inclusive && v+1 != limit.AuxInt { +@@ -235,7 +237,7 @@ func findIndVar(f *Func) []indVar { + // ind < knn - k cannot overflow if step is at most k+1 + return step <= k+1 && k != maxSignedValue(limit.Type) + } else { // step < 0 +- if limit.Op == OpConst64 { ++ if limit.isGenericIntConst() { + // Figure out the actual smallest value. + v := limit.AuxInt + if !inclusive { +@@ -249,9 +251,11 @@ func findIndVar(f *Func) []indVar { + if init.AuxInt < v { + return false + } ++ // TODO(1.27): investigate passing a smaller-magnitude underflow limit to subU ++ // for subWillUnderflow. + v = subU(init.AuxInt, diff(init.AuxInt, v)/uint64(-step)*uint64(-step)) + } +- if subWillUnderflow(v, -step) { ++ if subWillUnderflow(v, -step, minSignedValue(ind.Type)) { + return false + } + if inclusive && v != limit.AuxInt || !inclusive && v-1 != limit.AuxInt { +@@ -313,14 +317,22 @@ func findIndVar(f *Func) []indVar { + return iv + } + +-// addWillOverflow reports whether x+y would result in a value more than maxint. +-func addWillOverflow(x, y int64) bool { +- return x+y < x ++// subWillUnderflow checks if x - y underflows the min value. ++// y must be positive. ++func subWillUnderflow(x, y int64, min int64) bool { ++ if y < 0 { ++ base.Fatalf("expecting positive value") ++ } ++ return x < min+y + } + +-// subWillUnderflow reports whether x-y would result in a value less than minint. +-func subWillUnderflow(x, y int64) bool { +- return x-y > x ++// addWillOverflow checks if x + y overflows the max value. ++// y must be positive. ++func addWillOverflow(x, y int64, max int64) bool { ++ if y < 0 { ++ base.Fatalf("expecting positive value") ++ } ++ return x > max-y + } + + // diff returns x-y as a uint64. Requires x>=y. +@@ -341,7 +353,8 @@ func addU(x int64, y uint64) int64 { + x += 1 + y -= 1 << 63 + } +- if addWillOverflow(x, int64(y)) { ++ // TODO(1.27): investigate passing a smaller-magnitude overflow limit in here. ++ if addWillOverflow(x, int64(y), maxSignedValue(types.Types[types.TINT64])) { + base.Fatalf("addU overflowed %d + %d", x, y) + } + return x + int64(y) +@@ -357,7 +370,8 @@ func subU(x int64, y uint64) int64 { + x -= 1 + y -= 1 << 63 + } +- if subWillUnderflow(x, int64(y)) { ++ // TODO(1.27): investigate passing a smaller-magnitude underflow limit in here. ++ if subWillUnderflow(x, int64(y), minSignedValue(types.Types[types.TINT64])) { + base.Fatalf("subU underflowed %d - %d", x, y) + } + return x - int64(y) +diff --git a/test/loopbce.go b/test/loopbce.go +index 04c186b..a4b101b 100644 +--- a/test/loopbce.go ++++ b/test/loopbce.go +@@ -466,6 +466,34 @@ func stride2(x *[7]int) int { + return s + } + ++// This loop should not be proved anything. ++func smallIntUp(arr *[128]int) { ++ for i := int8(0); i <= int8(120); i += int8(10) { ++ arr[i] = int(i) ++ } ++} ++ ++// This loop should not be proved anything. ++func smallIntDown(arr *[128]int) { ++ for i := int8(0); i >= int8(-120); i -= int8(10) { ++ arr[127+i] = int(i) ++ } ++} ++ ++// This loop should not be proved anything. ++func smallUintUp(arr *[128]int) { ++ for i := uint8(0); i <= uint8(250); i += uint8(10) { ++ arr[i] = int(i) ++ } ++} ++ ++// This loop should not be proved anything. ++func smallUintDown(arr *[128]int) { ++ for i := uint8(255); i >= uint8(0); i -= uint8(10) { ++ arr[127+i] = int(i) ++ } ++} ++ + //go:noinline + func useString(a string) { + } +-- +2.50.1 + diff --git a/meta/recipes-devtools/go/go/CVE-2026-27144.patch b/meta/recipes-devtools/go/go/CVE-2026-27144.patch new file mode 100644 index 0000000000..3f791ea491 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-27144.patch @@ -0,0 +1,125 @@ +From 72cc33629a3b26e68f6e6e5564618a1d763896f3 Mon Sep 17 00:00:00 2001 +From: Junyang Shao <shaojunyang@google.com> +Date: Thu, 12 Mar 2026 21:36:33 +0000 +Subject: [PATCH] [release-branch.go1.25] cmd/compile: fix mem access overlap + detection + +When a no-op interface conversion is wrapped around the rhs of an +assignment, the memory overlap detection logic in the compiler failed to +peel down conversion to see the actual pointer, causing an incorrect +no-overlapping determination. + +Thanks to Jakub Ciolek for reporting this issue. + + +Fixes #78371 +Fixes CVE-2026-27144 + +Change-Id: I55ff0806b099e1447bdbfba7fde6c6597db5d65c +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3780 +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-by: Neal Patel <nealpatel@google.com> +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4002 +Reviewed-on: https://go-review.googlesource.com/c/go/+/763552 +Auto-Submit: Gopher Robot <gobot@golang.org> +TryBot-Bypass: Gopher Robot <gobot@golang.org> +Reviewed-by: Junyang Shao <shaojunyang@google.com> +Reviewed-by: David Chase <drchase@google.com> + +CVE: CVE-2026-27144 +Upstream-Status: Backport [https://github.com/golang/go/commit/72cc33629a3b26e68f6e6e5564618a1d763896f3] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/cmd/compile/internal/ssagen/ssa.go | 20 ++++++--- + .../compile/internal/test/memoverlap_test.go | 41 +++++++++++++++++++ + 2 files changed, 55 insertions(+), 6 deletions(-) + create mode 100644 src/cmd/compile/internal/test/memoverlap_test.go + +diff --git a/src/cmd/compile/internal/ssagen/ssa.go b/src/cmd/compile/internal/ssagen/ssa.go +index c794d6f..0214621 100644 +--- a/src/cmd/compile/internal/ssagen/ssa.go ++++ b/src/cmd/compile/internal/ssagen/ssa.go +@@ -1427,6 +1427,16 @@ func (s *state) stmtList(l ir.Nodes) { + } + } + ++func peelConvNop(n ir.Node) ir.Node { ++ if n == nil { ++ return n ++ } ++ for n.Op() == ir.OCONVNOP { ++ n = n.(*ir.ConvExpr).X ++ } ++ return n ++} ++ + // stmt converts the statement n to SSA and adds it to s. + func (s *state) stmt(n ir.Node) { + s.pushLine(n.Pos()) +@@ -1598,12 +1608,10 @@ func (s *state) stmt(n ir.Node) { + // arrays referenced are strictly smaller parts of the same base array. + // If one side of the assignment is a full array, then partial overlap + // can't happen. (The arrays are either disjoint or identical.) +- mayOverlap := n.X.Op() == ir.ODEREF && (n.Y != nil && n.Y.Op() == ir.ODEREF) +- if n.Y != nil && n.Y.Op() == ir.ODEREF { +- p := n.Y.(*ir.StarExpr).X +- for p.Op() == ir.OCONVNOP { +- p = p.(*ir.ConvExpr).X +- } ++ ny := peelConvNop(n.Y) ++ mayOverlap := n.X.Op() == ir.ODEREF && (n.Y != nil && ny.Op() == ir.ODEREF) ++ if ny != nil && ny.Op() == ir.ODEREF { ++ p := peelConvNop(ny.(*ir.StarExpr).X) + if p.Op() == ir.OSPTR && p.(*ir.UnaryExpr).X.Type().IsString() { + // Pointer fields of strings point to unmodifiable memory. + // That memory can't overlap with the memory being written. +diff --git a/src/cmd/compile/internal/test/memoverlap_test.go b/src/cmd/compile/internal/test/memoverlap_test.go +new file mode 100644 +index 0000000..c53288e +--- /dev/null ++++ b/src/cmd/compile/internal/test/memoverlap_test.go +@@ -0,0 +1,41 @@ ++// Copyright 2026 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++package test ++ ++import "testing" ++ ++const arrFooSize = 96 ++ ++type arrFoo [arrFooSize]int ++ ++//go:noinline ++func badCopy(dst, src []int) { ++ p := (*[arrFooSize]int)(dst[:arrFooSize]) ++ q := (*[arrFooSize]int)(src[:arrFooSize]) ++ *p = arrFoo(*q) ++} ++ ++//go:noinline ++func goodCopy(dst, src []int) { ++ p := (*[arrFooSize]int)(dst[:arrFooSize]) ++ q := (*[arrFooSize]int)(src[:arrFooSize]) ++ *p = *q ++} ++ ++func TestOverlapedMoveWithNoopIConv(t *testing.T) { ++ h1 := make([]int, arrFooSize+1) ++ h2 := make([]int, arrFooSize+1) ++ for i := range arrFooSize + 1 { ++ h1[i] = i ++ h2[i] = i ++ } ++ badCopy(h1[1:], h1[:arrFooSize]) ++ goodCopy(h2[1:], h2[:arrFooSize]) ++ for i := range arrFooSize + 1 { ++ if h1[i] != h2[i] { ++ t.Errorf("h1 and h2 differ at index %d, expect them to be the same", i) ++ } ++ } ++} +-- +2.50.1 +

[scarthgap] go 1.22.12: fix CVE-2026-27143, CVE-2026-27144

Commit Message

Patch