go, branch go1.12.9

[release-branch.go1.12] go1.12.9

2019-08-15T18:44:01Z

Change-Id: I70dc0e2accd83d9c974b95075f9e83a82d89563d Reviewed-on: https://go-review.googlesource.com/c/go/+/190407 Run-TryBot: Dmitri Shuralyov TryBot-Result: Gobot Gobot Reviewed-by: Alexander Rakoczy

[release-branch.go1.12] doc: document Go 1.12.9

2019-08-15T17:54:39Z

Change-Id: I88b7e085fc70f9c021788d364099f5bc6b705ba8 Reviewed-on: https://go-review.googlesource.com/c/go/+/190438 Reviewed-by: Filippo Valsorda (cherry picked from commit 0212f0410f845815f5327a7f2e705891a9598f3d) Reviewed-on: https://go-review.googlesource.com/c/go/+/190406 Reviewed-by: Alexander Rakoczy

[release-branch.go1.12] all: merge release-branch.go1.12-security into release-branch.go1.12

2019-08-13T17:14:07Z

Change-Id: I29801b98d975da0bbc092b16dc9771564a39a10a

[release-branch.go1.12-security] go1.12.8

2019-08-13T16:27:09Z

Change-Id: I131f93770f9bc5f2d4ee73f158607c1c9e1550bb Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/527000 Reviewed-by: Filippo Valsorda

[release-branch.go1.12-security] doc: document Go 1.12.8 and Go 1.11.13

2019-08-13T14:47:02Z

Change-Id: I0daab6cd347e1fc0066e516f02c33f1b63e3f1a3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526992 Reviewed-by: Filippo Valsorda (cherry picked from commit 685bfb1adec3d9fcb589f35eb2bc0b99d2f84bf0) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526993

[release-branch.go1.12-security] net/url: make Hostname and Port predictable for invalid Host values

2019-08-12T23:49:46Z

When Host is not valid per RFC 3986, the behavior of Hostname and Port was wildly unpredictable, to the point that Host could have a suffix that didn't appear in neither Hostname nor Port. This is a security issue when applications are applying checks to Host and expecting them to be meaningful for the contents of Hostname. To reduce disruption, this change only aims to guarantee the following two security-relevant invariants. * Host is either Hostname or [Hostname] with Port empty, or Hostname:Port or [Hostname]:Port. * Port is only decimals. The second invariant is the one that's most likely to cause disruption, but I believe it's important, as it's conceivable an application might do a suffix check on Host and expect it to be meaningful for the contents of Hostname (if the suffix is not a valid port). There are three ways to ensure it. 1) Reject invalid ports in Parse. Note that non-numeric ports are already rejected if and only if the host starts with "[". 2) Consider non-numeric ports as part of Hostname, not Port. 3) Allow non-numeric ports, and hope they only flow down to net/http, which will reject them (#14353). This change adopts both 1 and 2. We could do only the latter, but then these invalid hosts would flow past port checks, like in http_test.TestTransportRejectsAlphaPort. Non-numeric ports weren't fully supported anyway, because they were rejected after IPv6 literals, so this restores consistency. We could do only the former, but at this point 2) is free and might help with manually constructed Host values (or if we get something wrong in Parse). Note that net.SplitHostPort and net.Dial explicitly accept service names in place of port numbers, but this is an URL package, and RFC 3986, Section 3.2.3, clearly specifies ports as a number in decimal. net/http uses a mix of net.SplitHostPort and url.Parse that would deserve looking into, but in general it seems that it will still accept service names in Addr fields as they are passed to net.Listen, while rejecting them in URLs, which feels correct. This leaves a number of invalid URLs to reject, which however are not security relevant once the two invariants above hold, so can be done in Go 1.14: IPv6 literals without brackets (#31024), invalid IPv6 literals, hostnames with invalid characters, and more. Tested with 200M executions of go-fuzz and the following Fuzz function. u, err := url.Parse(string(data)) if err != nil { return 0 } h := u.Hostname() p := u.Port() switch u.Host { case h + ":" + p: return 1 case "[" + h + "]:" + p: return 1 case h: fallthrough case "[" + h + "]": if p != "" { panic("unexpected Port()") } return 1 } panic("Host is not a variant of [Hostname]:Port") Fixes CVE-2019-14809 Updates #29098 Change-Id: I7ef40823dab28f29511329fa2d5a7fb10c3ec895 Reviewed-on: https://go-review.googlesource.com/c/go/+/189258 Reviewed-by: Ian Lance Taylor (cherry picked from commit 61bb56ad63992a3199acc55b2537c8355ef887b6) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526408 Reviewed-by: Dmitri Shuralyov

[release-branch.go1.12-security] net/http: update bundled http2 to import security fix

2019-08-12T21:44:22Z

Apply the following unpublished golang.org/x/net commit. commit cdfb69ac37fc6fa907650654115ebebb3aae2087 Author: Filippo Valsorda Date: Sun Aug 11 02:12:18 2019 -0400 [release-branch.go1.12] http2: limit number of control frames in server send queue An attacker could cause servers to queue an unlimited number of PING ACKs or RST_STREAM frames by soliciting them and not reading them, until the program runs out of memory. Limit control frames in the queue to a few thousands (matching the limit imposed by other vendors) by counting as they enter and exit the scheduler, so the protection will work with any WriteScheduler. Once the limit is exceeded, close the connection, as we have no way to communicate with the peer. Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552 Reviewed-by: Brad Fitzpatrick (cherry picked from commit 589ad6cc5321fb68a90370348a241a5da0a2cc80) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526069 Reviewed-by: Dmitri Shuralyov Fixes CVE-2019-9512 and CVE-2019-9514 Updates #33606 Change-Id: I282b3e0fa22422d9ea0d07f4a3935685ce4a7433 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526071 Reviewed-by: Dmitri Shuralyov

[release-branch.go1.12] cmd/link: increase the function call limit in stkcheck

2019-08-09T21:08:07Z

There is real (albeit generated) code that exceeds the limit. Updates #33555 Fixes #33557 Change-Id: I668e85825d3d2a471970e869abe63f3492213cc1 Reviewed-on: https://go-review.googlesource.com/c/go/+/189697 Run-TryBot: Ian Lance Taylor TryBot-Result: Gobot Gobot Reviewed-by: Cherry Zhang (cherry picked from commit 951143cf1425189965498cc32fc8dc132bf7c777) Reviewed-on: https://go-review.googlesource.com/c/go/+/189717

[release-branch.go1.12] math/big: fix the bug in assembly implementation of shlVU on arm64

2019-08-02T20:42:53Z

For the case where the addresses of parameter z and x of the function shlVU overlap and the address of z is greater than x, x (input value) can be polluted during the calculation when the high words of x are overlapped with the low words of z (output value). Updates #31084 Fixes #32940 Change-Id: I9bb0266a1d7856b8faa9a9b1975d6f57dece0479 Reviewed-on: https://go-review.googlesource.com/c/go/+/169780 Run-TryBot: Cherry Zhang TryBot-Result: Gobot Gobot Reviewed-by: Cherry Zhang (cherry picked from commit 503e6ccd740c48f21c1d159d904b51da2d9a8ca9) Reviewed-on: https://go-review.googlesource.com/c/go/+/185041 Run-TryBot: Dmitri Shuralyov

[release-branch.go1.12] os: enable the close-on-exec flag for openFdAt

2019-08-02T04:53:33Z

There's a race here with fork/exec, enable the close-on-exec flag for the new file descriptor. Updates #33405 Fixes #33424 Change-Id: Ib1e405c3b48b11c867f183fd13eff8b73d95e3b4 Reviewed-on: https://go-review.googlesource.com/c/go/+/188537 Run-TryBot: Baokun Lee TryBot-Result: Gobot Gobot Reviewed-by: Ian Lance Taylor (cherry picked from commit 2d6ee6e89a4b30c7528d2977df4e1aa86651e4e4) Reviewed-on: https://go-review.googlesource.com/c/go/+/188538 Run-TryBot: Ian Lance Taylor