From b4a2af26baa7e0eb28dd0fd88147f2c87604696e Mon Sep 17 00:00:00 2001 From: Cherry Zhang Date: Tue, 15 Dec 2020 18:31:21 -0500 Subject: [release-branch.go1.15] cmd/link: pass arch-specific flags to external linker when testing supported flag When testing if a flag (e.g. "-no-pie") is supported by the external linker, pass arch-specific flags (like "-marm"). In particular, on the ARM builder, if CGO_LDFLAGS=-march=armv6 is set, the C toolchain fails to build if -marm is not passed. # cc -march=armv6 1.c 1.c: In function 'main': 1.c:3:1: sorry, unimplemented: Thumb-1 hard-float VFP ABI int main() { ^~~ This makes the Go linker think "-no-pie" is not supported when it actually is. Passing -marm makes it work. Fixes #46684. Change-Id: I4e8b71f08818993cbbcb2494b310c68d812d6b50 Reviewed-on: https://go-review.googlesource.com/c/go/+/278592 Trust: Cherry Zhang Run-TryBot: Cherry Zhang TryBot-Result: Go Bot Reviewed-by: Than McIntosh (cherry picked from commit a318d56c1e6e89996a3852a780f45c792d860d64) Reviewed-on: https://go-review.googlesource.com/c/go/+/326711 Run-TryBot: Carlos Amedee Reviewed-by: Dmitri Shuralyov Reviewed-by: Ian Lance Taylor Trust: Dmitri Shuralyov --- src/cmd/link/internal/ld/lib.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/cmd/link/internal/ld/lib.go b/src/cmd/link/internal/ld/lib.go index d03fb6cf91b..5fb1776e8c6 100644 --- a/src/cmd/link/internal/ld/lib.go +++ b/src/cmd/link/internal/ld/lib.go @@ -1555,7 +1555,7 @@ func (ctxt *Link) hostlink() { } const compressDWARF = "-Wl,--compress-debug-sections=zlib-gnu" - if ctxt.compressDWARF && linkerFlagSupported(argv[0], altLinker, compressDWARF) { + if ctxt.compressDWARF && linkerFlagSupported(ctxt.Arch, argv[0], altLinker, compressDWARF) { argv = append(argv, compressDWARF) } @@ -1645,7 +1645,7 @@ func (ctxt *Link) hostlink() { if ctxt.BuildMode == BuildModeExe && !ctxt.linkShared { // GCC uses -no-pie, clang uses -nopie. for _, nopie := range []string{"-no-pie", "-nopie"} { - if linkerFlagSupported(argv[0], altLinker, nopie) { + if linkerFlagSupported(ctxt.Arch, argv[0], altLinker, nopie) { argv = append(argv, nopie) break } @@ -1746,7 +1746,7 @@ func (ctxt *Link) hostlink() { var createTrivialCOnce sync.Once -func linkerFlagSupported(linker, altLinker, flag string) bool { +func linkerFlagSupported(arch *sys.Arch, linker, altLinker, flag string) bool { createTrivialCOnce.Do(func() { src := filepath.Join(*flagTmpdir, "trivial.c") if err := ioutil.WriteFile(src, []byte("int main() { return 0; }"), 0666); err != nil { @@ -1780,7 +1780,7 @@ func linkerFlagSupported(linker, altLinker, flag string) bool { "-target", } - var flags []string + flags := hostlinkArchArgs(arch) keep := false skip := false extldflags := strings.Fields(*flagExtldflags) -- cgit v1.2.3-54-g00ecf From 0e7012ef8662b31e9da05cf39b2ec01301620810 Mon Sep 17 00:00:00 2001 From: Rahul Bajaj Date: Tue, 15 Jun 2021 11:32:13 +0000 Subject: [release-branch.go1.15] syscall: fix TestGroupCleanupUserNamespace test failure on Fedora For #46752 Fixes #46768 Change-Id: I2eaa9d15fac4e859e18191fcf1372e5be94899df GitHub-Last-Rev: f533c37ff9d259e307b200a01e3606bfaff10464 GitHub-Pull-Request: golang/go#46753 Reviewed-on: https://go-review.googlesource.com/c/go/+/328069 Reviewed-by: Ian Lance Taylor Reviewed-by: Tobias Klauser Trust: Ian Lance Taylor Run-TryBot: Ian Lance Taylor --- src/syscall/exec_linux_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/src/syscall/exec_linux_test.go b/src/syscall/exec_linux_test.go index b79dee75255..df4ed62630c 100644 --- a/src/syscall/exec_linux_test.go +++ b/src/syscall/exec_linux_test.go @@ -318,6 +318,7 @@ func TestGroupCleanupUserNamespace(t *testing.T) { "uid=0(root) gid=0(root) groups=0(root),65534", "uid=0(root) gid=0(root) groups=0(root),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody)", // Alpine; see https://golang.org/issue/19938 "uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023", // CentOS with SELinux context, see https://golang.org/issue/34547 + "uid=0(root) gid=0(root) groups=0(root),65534(nobody) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023", // Fedora with SElinux context, see https://golang.org/issue/46752 } for _, e := range expected { if strOut == e { -- cgit v1.2.3-54-g00ecf From b51bf4febc32dfa6bb3c1cf467f1513a1d6d8b75 Mon Sep 17 00:00:00 2001 From: Than McIntosh Date: Tue, 8 Jun 2021 20:09:49 -0400 Subject: [release-branch.go1.15] cmd/link: fix handling of dupok mapzero syms The compiler machinery that generates "map.zero" symbols marks them as RODATA and DUPOK, which is problematic when a given application has multiple map zero symbols (from different packages) with varying sizes: the dupok path in the loader assumes that if two symbols have the same name, it is safe to pick any of the versions. In the case of map.zero, the link needs to select the largest symbol, not an arbitrary sym. This patch changes the linker's dupok symbol loading path to detect this problem, and in situations where we're loading a dupok symbol whose name is the same as an existing symbol but whose size is large, select the new dup over the old. Note: this fix differs from the one used in 1.16/1.17, which uses content-addressable symbols instead. Fixes #46656. Change-Id: Iabd2feef01d448670ba795c7eaddc48c191ea276 Reviewed-on: https://go-review.googlesource.com/c/go/+/326211 Trust: Than McIntosh Run-TryBot: Than McIntosh TryBot-Result: Go Bot Reviewed-by: Cherry Mui (cherry picked from commit aa5540cd82170f82c6fe11511e12de96aa58cbc1) Reviewed-on: https://go-review.googlesource.com/c/go/+/326213 --- src/cmd/link/internal/loader/loader.go | 12 +++++- test/fixedbugs/issue46653.dir/bad/bad.go | 64 ++++++++++++++++++++++++++++++++ test/fixedbugs/issue46653.dir/main.go | 27 ++++++++++++++ test/fixedbugs/issue46653.go | 10 +++++ 4 files changed, 112 insertions(+), 1 deletion(-) create mode 100644 test/fixedbugs/issue46653.dir/bad/bad.go create mode 100644 test/fixedbugs/issue46653.dir/main.go create mode 100644 test/fixedbugs/issue46653.go diff --git a/src/cmd/link/internal/loader/loader.go b/src/cmd/link/internal/loader/loader.go index 32c342e5456..3df84c5c945 100644 --- a/src/cmd/link/internal/loader/loader.go +++ b/src/cmd/link/internal/loader/loader.go @@ -434,7 +434,17 @@ func (l *Loader) AddSym(name string, ver int, r *oReader, li int, kind int, dupo if l.flags&FlagStrictDups != 0 { l.checkdup(name, r, li, oldi) } - return oldi, false + // Fix for issue #46656 -- given two dupok symbols with + // different sizes, favor symbol with larger size. + szdup := l.SymSize(oldi) + sz := int64(r.Sym(li).Siz()) + if szdup >= sz { + return oldi, false + } else { + // new symbol overwrites old symbol. + l.objSyms[oldi] = objSym{r, li} + return oldi, true + } } oldr, oldli := l.toLocal(oldi) oldsym := oldr.Sym(oldli) diff --git a/test/fixedbugs/issue46653.dir/bad/bad.go b/test/fixedbugs/issue46653.dir/bad/bad.go new file mode 100644 index 00000000000..c1611b8347a --- /dev/null +++ b/test/fixedbugs/issue46653.dir/bad/bad.go @@ -0,0 +1,64 @@ +// Copyright 2021 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package a + +func Bad() { + m := make(map[int64]A) + a := m[0] + if len(a.B.C1.D2.E2.F1) != 0 || + len(a.B.C1.D2.E2.F2) != 0 || + len(a.B.C1.D2.E2.F3) != 0 || + len(a.B.C1.D2.E2.F4) != 0 || + len(a.B.C1.D2.E2.F5) != 0 || + len(a.B.C1.D2.E2.F6) != 0 || + len(a.B.C1.D2.E2.F7) != 0 || + len(a.B.C1.D2.E2.F8) != 0 || + len(a.B.C1.D2.E2.F9) != 0 || + len(a.B.C1.D2.E2.F10) != 0 || + len(a.B.C1.D2.E2.F11) != 0 || + len(a.B.C1.D2.E2.F16) != 0 { + panic("bad") + } +} + +type A struct { + B +} + +type B struct { + C1 C + C2 C +} + +type C struct { + D1 D + D2 D +} + +type D struct { + E1 E + E2 E + E3 E + E4 E +} + +type E struct { + F1 string + F2 string + F3 string + F4 string + F5 string + F6 string + F7 string + F8 string + F9 string + F10 string + F11 string + F12 string + F13 string + F14 string + F15 string + F16 string +} diff --git a/test/fixedbugs/issue46653.dir/main.go b/test/fixedbugs/issue46653.dir/main.go new file mode 100644 index 00000000000..e2a96e54ec5 --- /dev/null +++ b/test/fixedbugs/issue46653.dir/main.go @@ -0,0 +1,27 @@ +// Copyright 2021 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package main + +import ( + bad "issue46653.dir/bad" +) + +func main() { + bad.Bad() +} + +func neverCalled() L { + m := make(map[string]L) + return m[""] +} + +type L struct { + A Data + B Data +} + +type Data struct { + F1 [22][]string +} diff --git a/test/fixedbugs/issue46653.go b/test/fixedbugs/issue46653.go new file mode 100644 index 00000000000..e6283b1de50 --- /dev/null +++ b/test/fixedbugs/issue46653.go @@ -0,0 +1,10 @@ +// runindir + +// Copyright 2021 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Test to verify compiler and linker handling of multiple +// competing map.zero symbol definitions. + +package ignored -- cgit v1.2.3-54-g00ecf From 0579cf14060179a51300c157f3952528a6d25997 Mon Sep 17 00:00:00 2001 From: Roland Shoemaker Date: Wed, 30 Jun 2021 14:28:18 -0700 Subject: [release-branch.go1.15] net: don't reject null mx records Bypass hostname validity checking when a null mx record is returned as, defined in RFC 7505. Updates #46979 Updates #47012 Change-Id: Ibe683bd6b47333a8ff30909fb2680ec8e10696ef Reviewed-on: https://go-review.googlesource.com/c/go/+/332094 Trust: Roland Shoemaker Trust: Katie Hockman Run-TryBot: Roland Shoemaker TryBot-Result: Go Bot Reviewed-by: Katie Hockman (cherry picked from commit 03761ede028d811dd7d7cf8a2690d4bfa2771d85) Reviewed-on: https://go-review.googlesource.com/c/go/+/332372 Run-TryBot: Katie Hockman --- src/net/dnsclient_unix_test.go | 40 ++++++++++++++++++++++++++++++++++++++++ src/net/lookup.go | 4 +++- 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/src/net/dnsclient_unix_test.go b/src/net/dnsclient_unix_test.go index f646629912a..f0f6e577ad1 100644 --- a/src/net/dnsclient_unix_test.go +++ b/src/net/dnsclient_unix_test.go @@ -1957,3 +1957,43 @@ func TestCVE202133195(t *testing.T) { t.Errorf("LookupAddr returned unexpected error, got %q, want %q", err, expected) } } + +func TestNullMX(t *testing.T) { + fake := fakeDNSServer{ + rh: func(n, _ string, q dnsmessage.Message, _ time.Time) (dnsmessage.Message, error) { + r := dnsmessage.Message{ + Header: dnsmessage.Header{ + ID: q.Header.ID, + Response: true, + RCode: dnsmessage.RCodeSuccess, + }, + Questions: q.Questions, + Answers: []dnsmessage.Resource{ + { + Header: dnsmessage.ResourceHeader{ + Name: q.Questions[0].Name, + Type: dnsmessage.TypeMX, + Class: dnsmessage.ClassINET, + }, + Body: &dnsmessage.MXResource{ + MX: dnsmessage.MustNewName("."), + }, + }, + }, + } + return r, nil + }, + } + r := Resolver{PreferGo: true, Dial: fake.DialContext} + rrset, err := r.LookupMX(context.Background(), "golang.org") + if err != nil { + t.Fatalf("LookupMX: %v", err) + } + if want := []*MX{&MX{Host: "."}}; !reflect.DeepEqual(rrset, want) { + records := []string{} + for _, rr := range rrset { + records = append(records, fmt.Sprintf("%v", rr)) + } + t.Errorf("records = [%v]; want [%v]", strings.Join(records, " "), want[0]) + } +} diff --git a/src/net/lookup.go b/src/net/lookup.go index 0660268249b..01c81dbaaf5 100644 --- a/src/net/lookup.go +++ b/src/net/lookup.go @@ -488,7 +488,9 @@ func (r *Resolver) LookupMX(ctx context.Context, name string) ([]*MX, error) { if mx == nil { continue } - if !isDomainName(mx.Host) { + // Bypass the hostname validity check for targets which contain only a dot, + // as this is used to represent a 'Null' MX record. + if mx.Host != "." && !isDomainName(mx.Host) { return nil, &DNSError{Err: "MX target is invalid", Name: name} } } -- cgit v1.2.3-54-g00ecf From 3d1d0664a58f376c21ec586bb73a8f451fdfde85 Mon Sep 17 00:00:00 2001 From: Roland Shoemaker Date: Fri, 2 Jul 2021 10:25:49 -0700 Subject: [release-branch.go1.15] net: filter bad names from Lookup functions instead of hard failing Instead of hard failing on a single bad record, filter the bad records and return anything valid. This only applies to the methods which can return multiple records, LookupMX, LookupNS, LookupSRV, and LookupAddr. When bad results are filtered out, also return an error, indicating that this filtering has happened. Updates #46241 Updates #46979 Fixes #47012 Change-Id: I6493e0002beaf89f5a9795333a93605abd30d171 Reviewed-on: https://go-review.googlesource.com/c/go/+/332549 Trust: Roland Shoemaker Reviewed-by: Filippo Valsorda (cherry picked from commit 296ddf2a936a30866303a64d49bc0e3e034730a8) Reviewed-on: https://go-review.googlesource.com/c/go/+/333331 Run-TryBot: Roland Shoemaker --- src/net/dnsclient_unix_test.go | 223 ++++++++++++++++++++++++++++++++--------- src/net/lookup.go | 80 +++++++++++---- 2 files changed, 235 insertions(+), 68 deletions(-) diff --git a/src/net/dnsclient_unix_test.go b/src/net/dnsclient_unix_test.go index f0f6e577ad1..9958a133a82 100644 --- a/src/net/dnsclient_unix_test.go +++ b/src/net/dnsclient_unix_test.go @@ -1846,6 +1846,17 @@ func TestCVE202133195(t *testing.T) { Target: dnsmessage.MustNewName(".golang.org."), }, }, + dnsmessage.Resource{ + Header: dnsmessage.ResourceHeader{ + Name: n, + Type: dnsmessage.TypeSRV, + Class: dnsmessage.ClassINET, + Length: 4, + }, + Body: &dnsmessage.SRVResource{ + Target: dnsmessage.MustNewName("good.golang.org."), + }, + }, ) case dnsmessage.TypeMX: r.Answers = append(r.Answers, @@ -1860,6 +1871,17 @@ func TestCVE202133195(t *testing.T) { MX: dnsmessage.MustNewName(".golang.org."), }, }, + dnsmessage.Resource{ + Header: dnsmessage.ResourceHeader{ + Name: dnsmessage.MustNewName("good.golang.org."), + Type: dnsmessage.TypeMX, + Class: dnsmessage.ClassINET, + Length: 4, + }, + Body: &dnsmessage.MXResource{ + MX: dnsmessage.MustNewName("good.golang.org."), + }, + }, ) case dnsmessage.TypeNS: r.Answers = append(r.Answers, @@ -1874,6 +1896,17 @@ func TestCVE202133195(t *testing.T) { NS: dnsmessage.MustNewName(".golang.org."), }, }, + dnsmessage.Resource{ + Header: dnsmessage.ResourceHeader{ + Name: dnsmessage.MustNewName("good.golang.org."), + Type: dnsmessage.TypeNS, + Class: dnsmessage.ClassINET, + Length: 4, + }, + Body: &dnsmessage.NSResource{ + NS: dnsmessage.MustNewName("good.golang.org."), + }, + }, ) case dnsmessage.TypePTR: r.Answers = append(r.Answers, @@ -1888,6 +1921,17 @@ func TestCVE202133195(t *testing.T) { PTR: dnsmessage.MustNewName(".golang.org."), }, }, + dnsmessage.Resource{ + Header: dnsmessage.ResourceHeader{ + Name: dnsmessage.MustNewName("good.golang.org."), + Type: dnsmessage.TypePTR, + Class: dnsmessage.ClassINET, + Length: 4, + }, + Body: &dnsmessage.PTRResource{ + PTR: dnsmessage.MustNewName("good.golang.org."), + }, + }, ) } return r, nil @@ -1903,58 +1947,137 @@ func TestCVE202133195(t *testing.T) { defer func(orig string) { testHookHostsPath = orig }(testHookHostsPath) testHookHostsPath = "testdata/hosts" - _, err := r.LookupCNAME(context.Background(), "golang.org") - if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected { - t.Errorf("Resolver.LookupCNAME returned unexpected error, got %q, want %q", err, expected) - } - _, err = LookupCNAME("golang.org") - if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected { - t.Errorf("LookupCNAME returned unexpected error, got %q, want %q", err, expected) - } - - _, _, err = r.LookupSRV(context.Background(), "target", "tcp", "golang.org") - if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected { - t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err, expected) - } - _, _, err = LookupSRV("target", "tcp", "golang.org") - if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected { - t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err, expected) - } - - _, _, err = r.LookupSRV(context.Background(), "hdr", "tcp", "golang.org") - if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected { - t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err, expected) - } - _, _, err = LookupSRV("hdr", "tcp", "golang.org") - if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected { - t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err, expected) - } - - _, err = r.LookupMX(context.Background(), "golang.org") - if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected { - t.Errorf("Resolver.LookupMX returned unexpected error, got %q, want %q", err, expected) - } - _, err = LookupMX("golang.org") - if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected { - t.Errorf("LookupMX returned unexpected error, got %q, want %q", err, expected) - } - - _, err = r.LookupNS(context.Background(), "golang.org") - if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected { - t.Errorf("Resolver.LookupNS returned unexpected error, got %q, want %q", err, expected) - } - _, err = LookupNS("golang.org") - if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected { - t.Errorf("LookupNS returned unexpected error, got %q, want %q", err, expected) + tests := []struct { + name string + f func(*testing.T) + }{ + { + name: "CNAME", + f: func(t *testing.T) { + expectedErr := &DNSError{Err: errMalformedDNSRecordsDetail, Name: "golang.org"} + _, err := r.LookupCNAME(context.Background(), "golang.org") + if err.Error() != expectedErr.Error() { + t.Fatalf("unexpected error: %s", err) + } + _, err = LookupCNAME("golang.org") + if err.Error() != expectedErr.Error() { + t.Fatalf("unexpected error: %s", err) + } + }, + }, + { + name: "SRV (bad record)", + f: func(t *testing.T) { + expected := []*SRV{ + { + Target: "good.golang.org.", + }, + } + expectedErr := &DNSError{Err: errMalformedDNSRecordsDetail, Name: "golang.org"} + _, records, err := r.LookupSRV(context.Background(), "target", "tcp", "golang.org") + if err.Error() != expectedErr.Error() { + t.Fatalf("unexpected error: %s", err) + } + if !reflect.DeepEqual(records, expected) { + t.Error("Unexpected record set") + } + _, records, err = LookupSRV("target", "tcp", "golang.org") + if err.Error() != expectedErr.Error() { + t.Errorf("unexpected error: %s", err) + } + if !reflect.DeepEqual(records, expected) { + t.Error("Unexpected record set") + } + }, + }, + { + name: "SRV (bad header)", + f: func(t *testing.T) { + _, _, err := r.LookupSRV(context.Background(), "hdr", "tcp", "golang.org.") + if expected := "lookup golang.org.: SRV header name is invalid"; err == nil || err.Error() != expected { + t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err, expected) + } + _, _, err = LookupSRV("hdr", "tcp", "golang.org.") + if expected := "lookup golang.org.: SRV header name is invalid"; err == nil || err.Error() != expected { + t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err, expected) + } + }, + }, + { + name: "MX", + f: func(t *testing.T) { + expected := []*MX{ + { + Host: "good.golang.org.", + }, + } + expectedErr := &DNSError{Err: errMalformedDNSRecordsDetail, Name: "golang.org"} + records, err := r.LookupMX(context.Background(), "golang.org") + if err.Error() != expectedErr.Error() { + t.Fatalf("unexpected error: %s", err) + } + if !reflect.DeepEqual(records, expected) { + t.Error("Unexpected record set") + } + records, err = LookupMX("golang.org") + if err.Error() != expectedErr.Error() { + t.Fatalf("unexpected error: %s", err) + } + if !reflect.DeepEqual(records, expected) { + t.Error("Unexpected record set") + } + }, + }, + { + name: "NS", + f: func(t *testing.T) { + expected := []*NS{ + { + Host: "good.golang.org.", + }, + } + expectedErr := &DNSError{Err: errMalformedDNSRecordsDetail, Name: "golang.org"} + records, err := r.LookupNS(context.Background(), "golang.org") + if err.Error() != expectedErr.Error() { + t.Fatalf("unexpected error: %s", err) + } + if !reflect.DeepEqual(records, expected) { + t.Error("Unexpected record set") + } + records, err = LookupNS("golang.org") + if err.Error() != expectedErr.Error() { + t.Fatalf("unexpected error: %s", err) + } + if !reflect.DeepEqual(records, expected) { + t.Error("Unexpected record set") + } + }, + }, + { + name: "Addr", + f: func(t *testing.T) { + expected := []string{"good.golang.org."} + expectedErr := &DNSError{Err: errMalformedDNSRecordsDetail, Name: "192.0.2.42"} + records, err := r.LookupAddr(context.Background(), "192.0.2.42") + if err.Error() != expectedErr.Error() { + t.Fatalf("unexpected error: %s", err) + } + if !reflect.DeepEqual(records, expected) { + t.Error("Unexpected record set") + } + records, err = LookupAddr("192.0.2.42") + if err.Error() != expectedErr.Error() { + t.Fatalf("unexpected error: %s", err) + } + if !reflect.DeepEqual(records, expected) { + t.Error("Unexpected record set") + } + }, + }, } - _, err = r.LookupAddr(context.Background(), "192.0.2.42") - if expected := "lookup 192.0.2.42: PTR target is invalid"; err == nil || err.Error() != expected { - t.Errorf("Resolver.LookupAddr returned unexpected error, got %q, want %q", err, expected) - } - _, err = LookupAddr("192.0.2.42") - if expected := "lookup 192.0.2.42: PTR target is invalid"; err == nil || err.Error() != expected { - t.Errorf("LookupAddr returned unexpected error, got %q, want %q", err, expected) + for _, tc := range tests { + t.Run(tc.name, tc.f) } } diff --git a/src/net/lookup.go b/src/net/lookup.go index 01c81dbaaf5..4135122d60d 100644 --- a/src/net/lookup.go +++ b/src/net/lookup.go @@ -415,7 +415,7 @@ func (r *Resolver) LookupCNAME(ctx context.Context, host string) (string, error) return "", err } if !isDomainName(cname) { - return "", &DNSError{Err: "CNAME target is invalid", Name: host} + return "", &DNSError{Err: errMalformedDNSRecordsDetail, Name: host} } return cname, nil } @@ -431,7 +431,9 @@ func (r *Resolver) LookupCNAME(ctx context.Context, host string) (string, error) // and proto are empty strings, LookupSRV looks up name directly. // // The returned service names are validated to be properly -// formatted presentation-format domain names. +// formatted presentation-format domain names. If the response contains +// invalid names, those records are filtered out and an error +// will be returned alongside the the remaining results, if any. func LookupSRV(service, proto, name string) (cname string, addrs []*SRV, err error) { return DefaultResolver.LookupSRV(context.Background(), service, proto, name) } @@ -447,7 +449,9 @@ func LookupSRV(service, proto, name string) (cname string, addrs []*SRV, err err // and proto are empty strings, LookupSRV looks up name directly. // // The returned service names are validated to be properly -// formatted presentation-format domain names. +// formatted presentation-format domain names. If the response contains +// invalid names, those records are filtered out and an error +// will be returned alongside the the remaining results, if any. func (r *Resolver) LookupSRV(ctx context.Context, service, proto, name string) (string, []*SRV, error) { cname, addrs, err := r.lookupSRV(ctx, service, proto, name) if err != nil { @@ -456,21 +460,31 @@ func (r *Resolver) LookupSRV(ctx context.Context, service, proto, name string) ( if cname != "" && !isDomainName(cname) { return "", nil, &DNSError{Err: "SRV header name is invalid", Name: name} } + filteredAddrs := make([]*SRV, 0, len(addrs)) for _, addr := range addrs { if addr == nil { continue } if !isDomainName(addr.Target) { - return "", nil, &DNSError{Err: "SRV target is invalid", Name: name} + continue } + filteredAddrs = append(filteredAddrs, addr) + } + if len(addrs) != len(filteredAddrs) { + return cname, filteredAddrs, &DNSError{Err: errMalformedDNSRecordsDetail, Name: name} } - return cname, addrs, nil + return cname, filteredAddrs, nil } // LookupMX returns the DNS MX records for the given domain name sorted by preference. // // The returned mail server names are validated to be properly -// formatted presentation-format domain names. +// formatted presentation-format domain names. If the response contains +// invalid names, those records are filtered out and an error +// will be returned alongside the the remaining results, if any. +// +// LookupMX uses context.Background internally; to specify the context, use +// Resolver.LookupMX. func LookupMX(name string) ([]*MX, error) { return DefaultResolver.LookupMX(context.Background(), name) } @@ -478,12 +492,15 @@ func LookupMX(name string) ([]*MX, error) { // LookupMX returns the DNS MX records for the given domain name sorted by preference. // // The returned mail server names are validated to be properly -// formatted presentation-format domain names. +// formatted presentation-format domain names. If the response contains +// invalid names, those records are filtered out and an error +// will be returned alongside the the remaining results, if any. func (r *Resolver) LookupMX(ctx context.Context, name string) ([]*MX, error) { records, err := r.lookupMX(ctx, name) if err != nil { return nil, err } + filteredMX := make([]*MX, 0, len(records)) for _, mx := range records { if mx == nil { continue @@ -491,16 +508,25 @@ func (r *Resolver) LookupMX(ctx context.Context, name string) ([]*MX, error) { // Bypass the hostname validity check for targets which contain only a dot, // as this is used to represent a 'Null' MX record. if mx.Host != "." && !isDomainName(mx.Host) { - return nil, &DNSError{Err: "MX target is invalid", Name: name} + continue } + filteredMX = append(filteredMX, mx) + } + if len(records) != len(filteredMX) { + return filteredMX, &DNSError{Err: errMalformedDNSRecordsDetail, Name: name} } - return records, nil + return filteredMX, nil } // LookupNS returns the DNS NS records for the given domain name. // // The returned name server names are validated to be properly -// formatted presentation-format domain names. +// formatted presentation-format domain names. If the response contains +// invalid names, those records are filtered out and an error +// will be returned alongside the the remaining results, if any. +// +// LookupNS uses context.Background internally; to specify the context, use +// Resolver.LookupNS. func LookupNS(name string) ([]*NS, error) { return DefaultResolver.LookupNS(context.Background(), name) } @@ -508,21 +534,28 @@ func LookupNS(name string) ([]*NS, error) { // LookupNS returns the DNS NS records for the given domain name. // // The returned name server names are validated to be properly -// formatted presentation-format domain names. +// formatted presentation-format domain names. If the response contains +// invalid names, those records are filtered out and an error +// will be returned alongside the the remaining results, if any. func (r *Resolver) LookupNS(ctx context.Context, name string) ([]*NS, error) { records, err := r.lookupNS(ctx, name) if err != nil { return nil, err } + filteredNS := make([]*NS, 0, len(records)) for _, ns := range records { if ns == nil { continue } if !isDomainName(ns.Host) { - return nil, &DNSError{Err: "NS target is invalid", Name: name} + continue } + filteredNS = append(filteredNS, ns) + } + if len(records) != len(filteredNS) { + return filteredNS, &DNSError{Err: errMalformedDNSRecordsDetail, Name: name} } - return records, nil + return filteredNS, nil } // LookupTXT returns the DNS TXT records for the given domain name. @@ -539,7 +572,8 @@ func (r *Resolver) LookupTXT(ctx context.Context, name string) ([]string, error) // of names mapping to that address. // // The returned names are validated to be properly formatted presentation-format -// domain names. +// domain names. If the response contains invalid names, those records are filtered +// out and an error will be returned alongside the the remaining results, if any. // // When using the host C library resolver, at most one result will be // returned. To bypass the host resolver, use a custom Resolver. @@ -551,16 +585,26 @@ func LookupAddr(addr string) (names []string, err error) { // of names mapping to that address. // // The returned names are validated to be properly formatted presentation-format -// domain names. +// domain names. If the response contains invalid names, those records are filtered +// out and an error will be returned alongside the the remaining results, if any. func (r *Resolver) LookupAddr(ctx context.Context, addr string) ([]string, error) { names, err := r.lookupAddr(ctx, addr) if err != nil { return nil, err } + filteredNames := make([]string, 0, len(names)) for _, name := range names { - if !isDomainName(name) { - return nil, &DNSError{Err: "PTR target is invalid", Name: addr} + if isDomainName(name) { + filteredNames = append(filteredNames, name) } } - return names, nil + if len(names) != len(filteredNames) { + return filteredNames, &DNSError{Err: errMalformedDNSRecordsDetail, Name: addr} + } + return filteredNames, nil } + +// errMalformedDNSRecordsDetail is the DNSError detail which is returned when a Resolver.Lookup... +// method recieves DNS records which contain invalid DNS names. This may be returned alongside +// results which have had the malformed records filtered out. +var errMalformedDNSRecordsDetail = "DNS response contained records which contain invalid names" -- cgit v1.2.3-54-g00ecf From c77980bc077f3774276ab2deba78d8e6bfe4b3bd Mon Sep 17 00:00:00 2001 From: Roland Shoemaker Date: Wed, 9 Jun 2021 11:31:27 -0700 Subject: [release-branch.go1.15] crypto/tls: test key type when casting When casting the certificate public key in generateClientKeyExchange, check the type is appropriate. This prevents a panic when a server agrees to a RSA based key exchange, but then sends an ECDSA (or other) certificate. Updates #47143 Fixes #47144 Fixes CVE-2021-34558 Thanks to Imre Rad for reporting this issue. Change-Id: Iabccacca6052769a605cccefa1216a9f7b7f6aea Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1116723 Reviewed-by: Filippo Valsorda Reviewed-by: Katie Hockman Reviewed-on: https://go-review.googlesource.com/c/go/+/334030 Trust: Filippo Valsorda Run-TryBot: Filippo Valsorda Reviewed-by: Dmitri Shuralyov --- src/crypto/tls/key_agreement.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/crypto/tls/key_agreement.go b/src/crypto/tls/key_agreement.go index 7e6534bd465..22f1b2e1f24 100644 --- a/src/crypto/tls/key_agreement.go +++ b/src/crypto/tls/key_agreement.go @@ -67,7 +67,11 @@ func (ka rsaKeyAgreement) generateClientKeyExchange(config *Config, clientHello return nil, nil, err } - encrypted, err := rsa.EncryptPKCS1v15(config.rand(), cert.PublicKey.(*rsa.PublicKey), preMasterSecret) + rsaKey, ok := cert.PublicKey.(*rsa.PublicKey) + if !ok { + return nil, nil, errors.New("tls: server certificate contains incorrect key type for selected ciphersuite") + } + encrypted, err := rsa.EncryptPKCS1v15(config.rand(), rsaKey, preMasterSecret) if err != nil { return nil, nil, err } -- cgit v1.2.3-54-g00ecf From c6d89dbf9954b101589e2db8e170b84167782109 Mon Sep 17 00:00:00 2001 From: Dmitri Shuralyov Date: Mon, 12 Jul 2021 14:57:25 -0400 Subject: [release-branch.go1.15] go1.15.14 Change-Id: Id56b45b4911db7f659d53b8797daebe954964c34 Reviewed-on: https://go-review.googlesource.com/c/go/+/334090 Run-TryBot: Dmitri Shuralyov Trust: Dmitri Shuralyov Reviewed-by: Filippo Valsorda --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index b818ff589c9..cda321dacc0 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -go1.15.13 \ No newline at end of file +go1.15.14 \ No newline at end of file -- cgit v1.2.3-54-g00ecf