go, branch go1.20.1

[release-branch.go1.20] go1.20.1

2023-02-14T18:12:19Z

Change-Id: I6a40cdd44d7bc7e4bf95a5169ecad16757eb41d3 Reviewed-on: https://go-review.googlesource.com/c/go/+/468238 Auto-Submit: Gopher Robot Reviewed-by: Michael Pratt Run-TryBot: Gopher Robot Reviewed-by: Than McIntosh TryBot-Result: Gopher Robot

[release-branch.go1.20] net/http: update bundled golang.org/x/net/http2

2023-02-14T17:25:55Z

Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2022-41723 Fixes #58356 Updates #57855 Change-Id: I603886b5b76c16303dab1420d4ec8b7c7cdcf330 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728940 Reviewed-by: Damien Neil Reviewed-by: Julie Qiu TryBot-Result: Security TryBots Reviewed-by: Tatiana Bradley Run-TryBot: Roland Shoemaker Reviewed-on: https://go-review.googlesource.com/c/go/+/468122 Auto-Submit: Michael Pratt TryBot-Result: Gopher Robot Run-TryBot: Michael Pratt Reviewed-by: Than McIntosh

[release-branch.go1.20] crypto/tls: replace all usages of BytesOrPanic

2023-02-14T17:25:50Z

Message marshalling makes use of BytesOrPanic a lot, under the assumption that it will never panic. This assumption was incorrect, and specifically crafted handshakes could trigger panics. Rather than just surgically replacing the usages of BytesOrPanic in paths that could panic, replace all usages of it with proper error returns in case there are other ways of triggering panics which we didn't find. In one specific case, the tree routed by expandLabel, we replace the usage of BytesOrPanic, but retain a panic. This function already explicitly panicked elsewhere, and returning an error from it becomes rather painful because it requires changing a large number of APIs. The marshalling is unlikely to ever panic, as the inputs are all either fixed length, or already limited to the sizes required. If it were to panic, it'd likely only be during development. A close inspection shows no paths for a user to cause a panic currently. This patches ends up being rather large, since it requires routing errors back through functions which previously had no error returns. Where possible I've tried to use helpers that reduce the verbosity of frequently repeated stanzas, and to make the diffs as minimal as possible. Thanks to Marten Seemann for reporting this issue. Updates #58001 Fixes #58359 Fixes CVE-2022-41724 Change-Id: Ieb55867ef0a3e1e867b33f09421932510cb58851 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1679436 Reviewed-by: Julie Qiu TryBot-Result: Security TryBots Run-TryBot: Roland Shoemaker Reviewed-by: Damien Neil (cherry picked from commit 1d4e6ca9454f6cf81d30c5361146fb5988f1b5f6) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728205 Reviewed-by: Tatiana Bradley Reviewed-on: https://go-review.googlesource.com/c/go/+/468121 Reviewed-by: Than McIntosh Auto-Submit: Michael Pratt TryBot-Bypass: Michael Pratt Run-TryBot: Michael Pratt

[release-branch.go1.20] mime/multipart: limit memory/inode consumption of ReadForm

2023-02-14T16:58:51Z

Reader.ReadForm is documented as storing "up to maxMemory bytes + 10MB" in memory. Parsed forms can consume substantially more memory than this limit, since ReadForm does not account for map entry overhead and MIME headers. In addition, while the amount of disk memory consumed by ReadForm can be constrained by limiting the size of the parsed input, ReadForm will create one temporary file per form part stored on disk, potentially consuming a large number of inodes. Update ReadForm's memory accounting to include part names, MIME headers, and map entry overhead. Update ReadForm to store all on-disk file parts in a single temporary file. Files returned by FileHeader.Open are documented as having a concrete type of *os.File when a file is stored on disk. The change to use a single temporary file for all parts means that this is no longer the case when a form contains more than a single file part stored on disk. The previous behavior of storing each file part in a separate disk file may be reenabled with GODEBUG=multipartfiles=distinct. Update Reader.NextPart and Reader.NextRawPart to set a 10MiB cap on the size of MIME headers. Thanks to Jakob Ackermann (@das7pad) for reporting this issue. Updates #58006 Fixes #58363 Fixes CVE-2022-41725 Change-Id: Ibd780a6c4c83ac8bcfd3cbe344f042e9940f2eab Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1714276 Reviewed-by: Julie Qiu TryBot-Result: Security TryBots Reviewed-by: Roland Shoemaker Run-TryBot: Damien Neil (cherry picked from commit 7d0da0029bfbe3228cc5216ced8c7b3184eb517d) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728950 Reviewed-by: Damien Neil Run-TryBot: Roland Shoemaker Reviewed-by: Tatiana Bradley Reviewed-on: https://go-review.googlesource.com/c/go/+/468120 Auto-Submit: Michael Pratt Run-TryBot: Michael Pratt Reviewed-by: Than McIntosh TryBot-Result: Gopher Robot

[release-branch.go1.20] path/filepath: do not Clean("a/../c:/b") into c:\b on Windows

2023-02-14T16:58:49Z

Do not permit Clean to convert a relative path into one starting with a drive reference. This change causes Clean to insert a . path element at the start of a path when the original path does not start with a volume name, and the first path element would contain a colon. This may introduce a spurious but harmless . path element under some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`. This reverts CL 401595, since the change here supersedes the one in that CL. Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue. Updates #57274 Fixes #57276 Fixes CVE-2022-41722 Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1675249 Reviewed-by: Roland Shoemaker Run-TryBot: Damien Neil Reviewed-by: Julie Qiu TryBot-Result: Security TryBots (cherry picked from commit 8ca37f4813ef2f64600c92b83f17c9f3ca6c03a5) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728944 Run-TryBot: Roland Shoemaker Reviewed-by: Tatiana Bradley Reviewed-by: Damien Neil Reviewed-on: https://go-review.googlesource.com/c/go/+/468119 Reviewed-by: Than McIntosh Run-TryBot: Michael Pratt TryBot-Result: Gopher Robot Auto-Submit: Michael Pratt

[release-branch.go1.20] cmd/compile/internal/pgo: fix hard-coded PGO sample data position

2023-02-10T19:24:45Z

This patch detects at which index position profiling samples that have the value-type samples count are, instead of the previously hard-coded position of index 1. Runtime generated profiles always generate CPU profiling data with the 0 index being CPU nanoseconds, and samples count at index 1, which is why this previously hasn't come up. This is a redo of CL 465135, now allowing empty profiles. Note that preprocessProfileGraph will already cause pgo.New to return nil for empty profiles. For #58292 For #58309 Change-Id: Ia6c94f0793f6ca9b0882b5e2c4d34f38e600c1e3 Reviewed-on: https://go-review.googlesource.com/c/go/+/467375 Run-TryBot: Michael Pratt TryBot-Result: Gopher Robot Reviewed-by: Austin Clements

[release-branch.go1.20] cmd/go/internal/script: retry ETXTBSY errors in scripts

2023-02-10T17:48:14Z

Fixes #58431. Updates #58019. Change-Id: Ib25d668bfede6e87a3786f44bdc0db1027e3ebec Reviewed-on: https://go-review.googlesource.com/c/go/+/463748 TryBot-Result: Gopher Robot Auto-Submit: Bryan Mills Run-TryBot: Bryan Mills Reviewed-by: Ian Lance Taylor (cherry picked from commit 23c0121e4eb259cc1087d0f79a0803cbc71f500b) Reviewed-on: https://go-review.googlesource.com/c/go/+/466856 Reviewed-by: David Chase

[release-branch.go1.20] cmd/go/internal/test: refresh flagdefs.go and fix test

2023-02-10T17:41:09Z

The tests for cmd/go/internal/test were not running at all due to a missed call to m.Run in TestMain. That masked a missing vet analyzer ("timeformat") and a missed update to the generator script in CL 355452. Fixes #58421. Updates #58415. Change-Id: I7b0315952967ca07a866cdaa5903478b2873eb7a Reviewed-on: https://go-review.googlesource.com/c/go/+/466635 TryBot-Result: Gopher Robot Reviewed-by: Ian Lance Taylor Auto-Submit: Bryan Mills Run-TryBot: Bryan Mills (cherry picked from commit 910f041ff0cdf90dbcd3bd22a272b9b7205a5add) Reviewed-on: https://go-review.googlesource.com/c/go/+/466855

[release-branch.go1.20] cmd/go: remove tests that assume lack of new versions of external modules

2023-02-10T17:29:40Z

In general it seems ok to assume that an open-source module that did exist will continue to do so — after all, users of open-source modules already do that all the time. However, we should not assume that those modules do not publish new versions — that's really up to their maintainers to decide. Two existing tests did make that assumption for the module gopkg.in/natefinch/lumberjack.v2. Let's remove those two tests. If we need to replace them at some point, we can replace them with hermetic test-only modules (#54503) or perhaps modules owned by the Go project. Updates #58445. Fixes #58450. Change-Id: Ica8fe587d86fc41f3d8445a4cd2b8820455ae45f Reviewed-on: https://go-review.googlesource.com/c/go/+/466861 TryBot-Result: Gopher Robot Run-TryBot: Bryan Mills Reviewed-by: David Chase

[release-branch.go1.20] runtime: skip darwin osinit_hack on ios

2023-02-10T17:19:24Z

Darwin needs the osinit_hack call to fix some bugs in the Apple libc that surface when Go programs call exec. On iOS, the functions that osinit_hack uses are not available, so signing fails. But on iOS exec is also unavailable, so the hack is not needed. Disable it there, which makes signing work again. Fixes #58323. Fixes #58419. Change-Id: I3f1472f852bb36c06854fe1f14aa27ad450c5945 Reviewed-on: https://go-review.googlesource.com/c/go/+/466516 Run-TryBot: Russ Cox Reviewed-by: Dave Anderson Reviewed-by: Michael Knyszek TryBot-Result: Gopher Robot Auto-Submit: Russ Cox Reviewed-by: Bryan Mills Reviewed-by: Than McIntosh Reviewed-on: https://go-review.googlesource.com/c/go/+/467316