qbit/go - go - Tape:neT

qbit/go

Fork 0

mirror of https://github.com/golang/go synced 2024-11-08 02:46:16 -07:00

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
Bryan C. Mills	3c4c10ea8c	misc/cgo: fix aliasing bugs in parallel tests that append to shared slices These tests use a slice to represent the base C compiler command (with flags). Appending to that slice can cause subtle aliasing bugs, such as commands that silently corrupt the arguments of other concurrent commands in parallel tests. In this change, we explicitly reduce the capacity of the command slice to force appends to it to always allocate unique new slices. Fixes #49693 Change-Id: Ide466bf65f12cb6cead3dcba69f513cccb60a160 Reviewed-on: https://go-review.googlesource.com/c/go/+/383754 Trust: Bryan Mills <bcmills@google.com> Run-TryBot: Bryan Mills <bcmills@google.com> Reviewed-by: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org>	2022-02-07 17:51:57 +00:00
KimMachineGun	a040ebeb98	all: update references to symbols moved from io/ioutil to io Update references missed in CL 263142. For #41190 Change-Id: I778760a6a69bd0440fec0848bdef539c9ccb4ee1 GitHub-Last-Rev: `dda42b09ff` GitHub-Pull-Request: golang/go#42874 Reviewed-on: https://go-review.googlesource.com/c/go/+/273946 Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> Trust: Cherry Zhang <cherryyz@google.com>	2021-04-05 17:51:15 +00:00
Ian Lance Taylor	062e0e5ce6	cmd/go, cmd/cgo: don't let bogus symbol set cgo_ldflag A hand-edited object file can have a symbol name that uses newline and other normally invalid characters. The cgo tool will generate Go files containing symbol names, unquoted. That can permit those symbol names to inject Go code into a cgo-generated file. If that Go code uses the //go:cgo_ldflag pragma, it can cause the C linker to run arbitrary code when building a package. If you build an imported package we permit arbitrary code at run time, but we don't want to permit it at package build time. This CL prevents this in two ways. In cgo, reject invalid symbols that contain non-printable or space characters, or that contain anything that looks like a Go comment. In the go tool, double check all //go:cgo_ldflag directives in generated code, to make sure they follow the existing LDFLAG restrictions. Thanks to Imre Rad / https://www.linkedin.com/in/imre-rad-2358749b for reporting this. Fixes CVE-2020-28367 Change-Id: Ia1ad8f3791ea79612690fa7d26ac451d0f6df7c1 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/895832 Reviewed-by: Than McIntosh <thanm@google.com> Reviewed-by: Cherry Zhang <cherryyz@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/269658 Trust: Katie Hockman <katie@golang.org> Trust: Roland Shoemaker <roland@golang.org> Run-TryBot: Katie Hockman <katie@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org>	2020-11-12 20:58:06 +00:00

Bryan C. Mills

3c4c10ea8c

misc/cgo: fix aliasing bugs in parallel tests that append to shared slices

These tests use a slice to represent the base C compiler command (with
flags). Appending to that slice can cause subtle aliasing bugs, such
as commands that silently corrupt the arguments of other concurrent
commands in parallel tests.

In this change, we explicitly reduce the capacity of the command slice
to force appends to it to always allocate unique new slices.

Fixes #49693

Change-Id: Ide466bf65f12cb6cead3dcba69f513cccb60a160
Reviewed-on: https://go-review.googlesource.com/c/go/+/383754
Trust: Bryan Mills <bcmills@google.com>
Run-TryBot: Bryan Mills <bcmills@google.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>

2022-02-07 17:51:57 +00:00

KimMachineGun

a040ebeb98

all: update references to symbols moved from io/ioutil to io

Update references missed in CL 263142.

For #41190

Change-Id: I778760a6a69bd0440fec0848bdef539c9ccb4ee1
GitHub-Last-Rev: dda42b09ff
GitHub-Pull-Request: golang/go#42874
Reviewed-on: https://go-review.googlesource.com/c/go/+/273946
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Trust: Cherry Zhang <cherryyz@google.com>

2021-04-05 17:51:15 +00:00

Ian Lance Taylor

062e0e5ce6

cmd/go, cmd/cgo: don't let bogus symbol set cgo_ldflag

A hand-edited object file can have a symbol name that uses newline and
other normally invalid characters. The cgo tool will generate Go files
containing symbol names, unquoted. That can permit those symbol names
to inject Go code into a cgo-generated file. If that Go code uses the
//go:cgo_ldflag pragma, it can cause the C linker to run arbitrary
code when building a package. If you build an imported package we
permit arbitrary code at run time, but we don't want to permit it at
package build time. This CL prevents this in two ways.

In cgo, reject invalid symbols that contain non-printable or space
characters, or that contain anything that looks like a Go comment.

In the go tool, double check all //go:cgo_ldflag directives in
generated code, to make sure they follow the existing LDFLAG restrictions.

Thanks to Imre Rad / https://www.linkedin.com/in/imre-rad-2358749b for
reporting this.

Fixes CVE-2020-28367

Change-Id: Ia1ad8f3791ea79612690fa7d26ac451d0f6df7c1
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/895832
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-by: Cherry Zhang <cherryyz@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/269658
Trust: Katie Hockman <katie@golang.org>
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>

2020-11-12 20:58:06 +00:00

3 Commits