gostls13.git log

commit 156bf3dd36a9264f721dc98749c8899c559cca43 [browse]
Author: Gopher Robot
Date: 2022-11-01 16:16:42 Z

[release-branch.go1.18] go1.18.8

Change-Id: I89e791f1d6ae0984ba62bccef05886acbb10b2dd
Reviewed-on: https://go-review.googlesource.com/c/go/+/446957
Run-TryBot: Gopher Robot <gobot@golang.org>
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>

commit aba57b07721cac39b4b7cf70f8dfbf9e2e299187 [browse]
Author: Damien Neil
Date: 2022-10-17 17:38:29 -07:00

[release-branch.go1.18] syscall, os/exec: reject environment variables containing NULs

Check for and reject environment variables containing NULs.

The conventions for passing environment variables to subprocesses
cause most or all systems to interpret a NUL as a separator. The
syscall package rejects environment variables containing a NUL
on most systems, but erroneously did not do so on Windows. This
causes an environment variable such as "FOO=a\x00BAR=b" to be
interpreted as "FOO=a", "BAR=b".

Check for and reject NULs in environment variables passed to
syscall.StartProcess on Windows.

Add a redundant check to os/exec as extra insurance.

Updates #56284
Fixes #56327
Fixes CVE-2022-41716

Change-Id: I2950e2b0cb14ebd26e5629be1521858f66a7d4ae
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1609434
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
(cherry picked from commit 845accdebb2772c5344ed0c96df9910f3b02d741)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1617552
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/446915
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Matthew Dempsky <mdempsky@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>

commit 2c2952aea8fb041a78689c4c5f917fd166f8310b [browse]
Author: Michael Pratt
Date: 2022-10-18 12:01:18 -04:00

[release-branch.go1.18] runtime: always keep global reference to mp until mexit completes

Ms are allocated via standard heap allocation (`new(m)`), which means we
must keep them alive (i.e., reachable by the GC) until we are completely
done using them.

Ms are primarily reachable through runtime.allm. However, runtime.mexit
drops the M from allm fairly early, long before it is done using the M
structure. If that was the last reference to the M, it is now at risk of
being freed by the GC and used for some other allocation, leading to
memory corruption.

Ms with a Go-allocated stack coincidentally already keep a reference to
the M in sched.freem, so that the stack can be freed lazily. This
reference has the side effect of keeping this Ms reachable. However, Ms
with an OS stack skip this and are at risk of corruption.

Fix this lifetime by extending sched.freem use to all Ms, with the value
of mp.freeWait determining whether the stack needs to be freed or not.

For #56243.
Fixes #56308.

Change-Id: Ic0c01684775f5646970df507111c9abaac0ba52e
Reviewed-on: https://go-review.googlesource.com/c/go/+/443716
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Pratt <mpratt@google.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
(cherry picked from commit e252dcf9d38ce9192bccacb7e33867cbfbd22b6c)
Reviewed-on: https://go-review.googlesource.com/c/go/+/443816
Reviewed-by: Austin Clements <austin@google.com>

commit 828be9a74319a08e9098b8a0e60119435bd87adb [browse]
Author: Bryan C. Mills
Date: 2022-10-20 10:22:10 -04:00

[release-branch.go1.18] cmd/go/internal/modload: update TestQueryImport to pass with tagged versions of x/net

For #48523.

Change-Id: Ied35d15462cbae1002e1db1e6e119a6c9f8323da
Reviewed-on: https://go-review.googlesource.com/c/go/+/444156
Run-TryBot: Bryan Mills <bcmills@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Bryan Mills <bcmills@google.com>
(cherry picked from commit 3e6ca3a506fc89f19277b3c19b751847b3864185)
Reviewed-on: https://go-review.googlesource.com/c/go/+/444436
Reviewed-by: Heschi Kreinick <heschi@google.com>

commit 947091d31ccda14b0a362adff37b6e037f0f59f3 [browse]
Author: Gopher Robot
Date: 2022-10-04 17:10:23 Z

[release-branch.go1.18] go1.18.7

Change-Id: I0636d7335381c25ce39fd44c8cf758fb84737551
Reviewed-on: https://go-review.googlesource.com/c/go/+/438597
Reviewed-by: Carlos Amedee <carlos@golang.org>
Run-TryBot: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>

clone the repository to get more history