[OE-core] [kirkstone][PATCH 0/1] go: Fix CVE-2023-39323

Wed, 17 Dec 2025 23:19:13 -0800 

From: Libo Chen <[email protected]>

Test steps:
1. git clone https://git.yoctoproject.org/poky

2. go to kirkstone branch and set up environment
cd poky
git checkout kirkstone
source oe-init-build-env

3. backport the patch

4. add the followings to conf/local.conf:
IMAGE_INSTALL:append = " go"
IMAGE_FEATURES += "dev-pkgs tools-sdk"

5. bitbake core-image-full-cmdline

6. start Qemu target
runqemu qemux86-64 kvm nographic qemuparams="-m 8196"

7. at Qemu target
7.1 go build test_cgo_error.go
7.2 go build test_cgo.go 

Expected behaviors:
7.1 command shall fail due to "only allowed in cgo-generated code"
7.2 command shall pass

Test logs:

Poky (Yocto Project Reference Distro) 4.0.32 qemux86-64 ttyS0

qemux86-64 login: root
root@qemux86-64:~# which go
/usr/bin/go
root@qemux86-64:~# ls -l
total 8
-rw-r--r-- 1 root root 106 Dec 18 06:14 test_cgo.go
-rw-r--r-- 1 root root 304 Dec 18 06:14 test_cgo_error.go
root@qemux86-64:~# cat test_go_error.go
cat: test_go_error.go: No such file or directory
root@qemux86-64:~# cat test_cgo_error.go
// Copyright 2023 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package main

//line /tmp/_cgo_.go:1
//go:cgo_dynamic_linker "/elf/interp"
// ERROR MESSAGE: only allowed in cgo-generated code

func main() {}
root@qemux86-64:~# cat test_cgo.go
package main

import "fmt"

//this is main entry
func main() {
    fmt.Println("Hello from custom Go!")
}
root@qemux86-64:~# go build test_cgo_error.go
# command-line-arguments
/tmp/_cgo_.go:1: //go:cgo_dynamic_linker "/elf/interp" only allowed in 
cgo-generated code
root@qemux86-64:~# echo $?
2
root@qemux86-64:~# go build test_cgo.go
root@qemux86-64:~# ls -l test_cgo
-rwxr-xr-x 1 root root 1772006 Dec 18 06:15 test_cgo
root@qemux86-64:~# ./test_cgo
Hello from custom Go!
root@qemux86-64:~# 

Libo Chen (1):
  go: Fix CVE-2023-39323

 meta/recipes-devtools/go/go-1.17.13.inc       |  1 +
 .../go/go-1.21/CVE-2023-39323.patch           | 55 +++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-39323.patch

-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#228090): 
https://lists.openembedded.org/g/openembedded-core/message/228090
Mute This Topic: https://lists.openembedded.org/mt/116839161/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
  • [OE-core] [kirkstone][PATCH 0/1... Chen, Libo (CN) via lists.openembedded.org

Reply via email to