Fork of Go programming language with my patches. http://git.kilabit.info/go/atom?h=go1.24.12 2026-01-15T18:28:38Z 2026-01-15T18:28:38Z Gopher Robot gobot@golang.org 2026-01-15T18:23:44Z urn:sha1:63a1b82d1e68ddd87652467303901593efe0ff11 Change-Id: I10f61b9036c64c5cbd760cc9f8db67344d373686 Reviewed-on: https://go-review.googlesource.com/c/go/+/736762 Reviewed-by: Michael Pratt <mpratt@google.com> Auto-Submit: Gopher Robot <gobot@golang.org> TryBot-Bypass: Gopher Robot <gobot@golang.org> Reviewed-by: Junyang Shao <shaojunyang@google.com> 2026-01-15T18:14:26Z Damien Neil dneil@google.com 2025-11-05T01:00:33Z urn:sha1:3235ef3db85c2d7e797b976822a7addaf6d5ca2a Constructing the zip index (which is done once when first opening a file in an archive) can consume large amounts of CPU when processing deeply-nested directory paths. Switch to a less inefficient algorithm. Thanks to Jakub Ciolek for reporting this issue. goos: darwin goarch: arm64 pkg: archive/zip cpu: Apple M4 Pro │ /tmp/bench.0 │ /tmp/bench.1 │ │ sec/op │ sec/op vs base │ ReaderOneDeepDir-14 25983.62m ± 2% 46.01m ± 2% -99.82% (p=0.000 n=8) ReaderManyDeepDirs-14 16.221 ± 1% 2.763 ± 6% -82.96% (p=0.000 n=8) ReaderManyShallowFiles-14 130.3m ± 1% 128.8m ± 2% -1.20% (p=0.003 n=8) geomean 3.801 253.9m -93.32% Fixes #77102 Fixes CVE-2025-61728 Change-Id: I2c9c864be01b2a2769eb67fbab1b250aeb8f6c42 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3060 Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3328 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/736703 TryBot-Bypass: Michael Pratt <mpratt@google.com> Auto-Submit: Michael Pratt <mpratt@google.com> Reviewed-by: Junyang Shao <shaojunyang@google.com> 2026-01-15T18:14:22Z Damien Neil dneil@google.com 2025-11-03T22:28:47Z urn:sha1:85c794ddce26a092b0ea68d0fca79028b5069d5a net/url does not currently limit the number of query parameters parsed by url.ParseQuery or URL.Query. When parsing a application/x-www-form-urlencoded form, net/http.Request.ParseForm will parse up to 10 MB of query parameters. An input consisting of a large number of small, unique parameters can cause excessive memory consumption. We now limit the number of query parameters parsed to 10000 by default. The limit can be adjusted by setting GODEBUG=urlmaxqueryparams=<n>. Setting urlmaxqueryparams to 0 disables the limit. Thanks to jub0bs for reporting this issue. Fixes #77101 Fixes CVE-2025-61726 Change-Id: Iee3374c7ee2d8586dbf158536d3ade424203ff66 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3020 Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3326 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/736702 Auto-Submit: Michael Pratt <mpratt@google.com> Reviewed-by: Junyang Shao <shaojunyang@google.com> TryBot-Bypass: Michael Pratt <mpratt@google.com> 2026-01-15T18:14:19Z Neal Patel nealpatel@google.com 2025-12-04T17:30:39Z urn:sha1:00b7309387a171bcba37382e7ed96b473df04917 The addition of CgoPkgConfig allowed execution with flags not matching the safelist. In order to prevent potential arbitrary code execution at build time, ensure that flags are validated prior to invoking the 'pkg-config' binary. Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc. for reporting this issue. Fixes CVE-2025-61731 Fixes #77100 Change-Id: Ic51b41f1f7e697ab98c9c32c6fae35f217f7f364 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3240 Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3344 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/736701 Auto-Submit: Michael Pratt <mpratt@google.com> TryBot-Bypass: Michael Pratt <mpratt@google.com> Reviewed-by: Junyang Shao <shaojunyang@google.com> 2026-01-15T18:10:59Z Roland Shoemaker bracewell@google.com 2026-01-06T22:36:01Z urn:sha1:d0754e6242e70e171a888b6c5e0336bbf014e538 Once a tls.Config is used, it is not safe to mutate. We provide the Clone method in order to allow users to copy and modify a Config that is in use. If Config.SessionTicketKey is not populated, and if Config.SetSessionTicketKeys has not been called, we automatically populate and rotate session ticket keys. Clone was previously copying these keys into the new Config, meaning that two Configs could share the same auto-rotated session ticket keys. This could allow sessions to be resumed across different Configs, which may have completely different configurations. This change updates Clone to not copy the auto-rotated session ticket keys. Additionally, when resuming a session, check that not just that the leaf certificate is unexpired, but that the entire certificate chain is still unexpired. Fixes #77113 Fixes CVE-2025-68121 Change-Id: I011df7329de83068d11b3f0c793763692d018a98 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3300 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3322 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/736700 TryBot-Bypass: Michael Pratt <mpratt@google.com> Reviewed-by: Junyang Shao <shaojunyang@google.com> Auto-Submit: Michael Pratt <mpratt@google.com> 2026-01-07T21:28:54Z Roland Shoemaker roland@golang.org 2025-11-24T22:03:10Z urn:sha1:ad2cd043db66cd36e1f55359638729d2c8ff3d99 For TLS 1.3, after procesesing the server/client hello, if there isn't a CCS message, reject the trailing messages which were appended to the hello messages. This prevents an on-path attacker from injecting plaintext messages into the handshake. Additionally, check that we don't have any buffered messages before we switch the read traffic secret regardless, since any buffered messages would have been under an old key which is no longer appropriate. We also invert the ordering of setting the read/write secrets so that if we fail when changing the read secret we send the alert using the correct write secret. Updates #76443 Fixes #76854 Fixes CVE-2025-61730 Change-Id: If6ba8ad16f48d5cd5db5574824062ad4244a5b52 Reviewed-on: https://go-review.googlesource.com/c/go/+/724120 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: Coia Prant <coiaprant@gmail.com> (cherry picked from commit 5046bdf8a612b35a2c1a9e168054c1d5c65e7dd7) Reviewed-on: https://go-review.googlesource.com/c/go/+/731961 Reviewed-by: Damien Neil <dneil@google.com> 2026-01-07T17:25:41Z Cuong Manh Le cuong.manhle.vn@gmail.com 2025-12-22T11:49:17Z urn:sha1:27dc6f01ffe70179b90d6c660d67d29967fa2eef For an out-of-range jump table index, the constant facts should not be propagated to the destinations. Fixes #76966 Change-Id: Iff29814cb466c7aaa432cec212e5387665c45afc Reviewed-on: https://go-review.googlesource.com/c/go/+/731860 Auto-Submit: Cuong Manh Le <cuong.manhle.vn@gmail.com> Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Cherry Mui <cherryyz@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/732480 Reviewed-by: Michael Knyszek <mknyszek@google.com> Auto-Submit: Junyang Shao <shaojunyang@google.com> Commit-Queue: Junyang Shao <shaojunyang@google.com> Reviewed-by: Junyang Shao <shaojunyang@google.com> 2025-12-30T01:52:19Z khr@golang.org khr@golang.org 2025-12-08T14:21:39Z urn:sha1:6cdf9962bd4422f760c141c5ae66522d9837e353 When compiling with -l, we can't take a stack split here. Fixes #76760 Change-Id: Ieab1225c6259c7f16bb5188aa84bff615d9db2e5 Reviewed-on: https://go-review.googlesource.com/c/go/+/728060 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Keith Randall <khr@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com> Reviewed-by: Keith Randall <khr@google.com> (cherry picked from commit d4972f6295aede2ddc35bcb1da5f6351623e9e4d) Reviewed-on: https://go-review.googlesource.com/c/go/+/728580 2025-12-29T20:53:21Z Jayanth Krishnamurthy jayanth.krishnamurthy@ibm.com jayanth.krishnamurthy@ibm.com 2025-11-06T19:43:45Z urn:sha1:2ca51cba03ab27427b143ac24dae03c720017835 The ppc64x TSAN wrappers for atomic And/Or did not initialize R6 with the Go argument frame before calling racecallatomic. Since racecallatomic expects R6 to point to the argument list and dereferences it unconditionally, this led to a nil-pointer dereference under -race. Other atomic TSAN wrappers (Load/Store/Add/Swap/CAS) already set up R6 in the expected way. This change aligns the And/Or wrappers with the rest by adding the missing R6 initialisation. This keeps the behavior consistent across all atomic operations on ppc64x. Fixes #76796. Change-Id: Iaf578449a6171a0c6f7c33ec6f64c1251297ae6d Reviewed-on: https://go-review.googlesource.com/c/go/+/718560 Reviewed-by: Mark Freeman <markfreeman@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Cherry Mui <cherryyz@google.com> Reviewed-by: Paul Murphy <paumurph@redhat.com> (cherry picked from commit 44cb82449e7f24530fe0fe0bf8261ba9e0e4e7d8) Reviewed-on: https://go-review.googlesource.com/c/go/+/729420 Reviewed-by: Roland Shoemaker <roland@golang.org> 2025-12-19T17:55:33Z Dave Vasilevsky dave@vasilevsky.ca 2025-11-25T03:55:45Z urn:sha1:058ca7412ad28c5407a272dbb3b594401a46aba9 Some Linux filesystems have been known to return valid enties with zero inodes. This new behavior also puts Go in agreement with recent glibc. Fixes #76624 Change-Id: Ieaf50739a294915a3ea2ef8c5a3bb2a91a186881 GitHub-Last-Rev: 8f83d009ef0320fd3fe7cf03e55d5d24df57f015 GitHub-Pull-Request: golang/go#76448 Reviewed-on: https://go-review.googlesource.com/c/go/+/724220 Reviewed-by: Cherry Mui <cherryyz@google.com> Reviewed-by: Ian Lance Taylor <iant@golang.org> Auto-Submit: Ian Lance Taylor <iant@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/725341