go, branch go1.14.13

[release-branch.go1.14] go1.14.13

2020-12-03T17:27:26Z

Change-Id: Ifdfd9cd7edb8c3afd785cf75e818e3d301cd8dae Reviewed-on: https://go-review.googlesource.com/c/go/+/275133 Run-TryBot: Carlos Amedee TryBot-Result: Go Bot Reviewed-by: Dmitri Shuralyov Trust: Carlos Amedee

[release-branch.go1.14] cmd/compile: sign extend constant folding properly

2020-12-03T13:58:36Z

MOVLconst must have a properly sign-extended auxint constant. The bit operations in these rules don't enforce that invariant. Fixes #42755 Change-Id: I729afcad18752d9b7739e49709020e3be7b3653e Reviewed-on: https://go-review.googlesource.com/c/go/+/272030 Trust: Keith Randall Run-TryBot: Keith Randall TryBot-Result: Go Bot Reviewed-by: David Chase

[release-branch.go1.14] runtime: block signals in needm before allocating M

2020-11-20T20:38:22Z

Otherwise, if a signal occurs just after we allocated the M, we can deadlock if the signal handler needs to allocate an M itself. For #42207 Fixes #42635 Change-Id: I76f44547f419e8b1c14cbf49bf602c6e645d8c14 Reviewed-on: https://go-review.googlesource.com/c/go/+/265759 Trust: Ian Lance Taylor Run-TryBot: Ian Lance Taylor TryBot-Result: Go Bot Reviewed-by: Bryan C. Mills (cherry picked from commit 368c40116434532dc0b53b72fa04788ca6742898) Reviewed-on: https://go-review.googlesource.com/c/go/+/271848

[release-branch.go1.14] cmd/go: permit CGO_LDFLAGS to appear in //go:ldflag

2020-11-16T14:56:54Z

For #42565 Fixes #42566 Change-Id: If7cf39905d124dbd54dfac6a53ee38270498efed Reviewed-on: https://go-review.googlesource.com/c/go/+/269818 Trust: Ian Lance Taylor Run-TryBot: Ian Lance Taylor TryBot-Result: Go Bot Reviewed-by: Jay Conrod (cherry picked from commit 782cf560db4c919790fdb476d1bbe18e5ddf5ffd) Reviewed-on: https://go-review.googlesource.com/c/go/+/270080

[release-branch.go1.14] all: merge release-branch.go1.14-security into release-branch.go1.14

2020-11-12T20:45:42Z

Change-Id: I87a2c27ce88913c2867ef355d589debfbb522167

[release-branch.go1.14-security] go1.14.12

2020-11-12T16:47:42Z

Change-Id: I8ce7093f7e119216d3a5d8941968788b70b6afaf Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/901408 Reviewed-by: Katie Hockman

[release-branch.go1.14-security] math/big: fix shift for recursive division

2020-11-12T14:40:27Z

The previous s value could cause a crash for certain inputs. Will check in tests and documentation improvements later. Thanks to the Go Ethereum team and the OSS-Fuzz project for reporting this. Thanks to Rémy Oudompheng and Robert Griesemer for their help developing and validating the fix. Fixes CVE-2020-28362 Change-Id: Ibbf455c4436bcdb07c84a34fa6551fb3422356d3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/899974 Reviewed-by: Roland Shoemaker Reviewed-by: Filippo Valsorda (cherry picked from commit 28015462c2a83239543dc2bef651e9a5f234b633) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/901064

[release-branch.go1.14-security] cmd/go: in cgoflags, permit -DX1, prohibit -Wp,-D,opt

2020-11-12T14:40:27Z

Restrict -D and -U to ASCII C identifiers, but do permit trailing digits. When using -Wp, prohibit commas in -D values. Thanks to Imre Rad (https://www.linkedin.com/in/imre-rad-2358749b) for reporting this. Fixes CVE-2020-28367 Change-Id: Ibfc4dfdd6e6c258e131448e7682610c44eee9492 Reviewed-on: https://go-review.googlesource.com/c/go/+/267277 Trust: Ian Lance Taylor Run-TryBot: Ian Lance Taylor TryBot-Result: Go Bot Reviewed-by: Bryan C. Mills Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/899923 Reviewed-by: Filippo Valsorda

[release-branch.go1.14-security] cmd/go, cmd/cgo: don't let bogus symbol set cgo_ldflag

2020-11-12T14:40:16Z

A hand-edited object file can have a symbol name that uses newline and other normally invalid characters. The cgo tool will generate Go files containing symbol names, unquoted. That can permit those symbol names to inject Go code into a cgo-generated file. If that Go code uses the //go:cgo_ldflag pragma, it can cause the C linker to run arbitrary code when building a package. If you build an imported package we permit arbitrary code at run time, but we don't want to permit it at package build time. This CL prevents this in two ways. In cgo, reject invalid symbols that contain non-printable or space characters, or that contain anything that looks like a Go comment. In the go tool, double check all //go:cgo_ldflag directives in generated code, to make sure they follow the existing LDFLAG restrictions. Thanks to Chris Brown and Tempus Ex for reporting this. Fixes CVE-2020-28366 Change-Id: Ia1ad8f3791ea79612690fa7d26ac451d0f6df7c1 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/895832 Reviewed-by: Than McIntosh Reviewed-by: Cherry Zhang (cherry picked from commit 6bc814dd2bbfeaafa41d314dd4cc591b575dfbf6) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/901055 Reviewed-by: Filippo Valsorda Reviewed-by: Roland Shoemaker

[release-branch.go1.14] go1.14.11

2020-11-05T21:21:19Z

Change-Id: I1b4231179d0825113f2cbb6e84e92b3453e2ee45 Reviewed-on: https://go-review.googlesource.com/c/go/+/267878 Run-TryBot: Alexander Rakoczy TryBot-Result: Go Bot Reviewed-by: Dmitri Shuralyov Trust: Alexander Rakoczy