<feed xmlns='http://www.w3.org/2005/Atom'>
<title>go, branch go1.25.9</title>
<subtitle>Fork of Go programming language with my patches.</subtitle>
<id>http://git.kilabit.info/go/atom?h=go1.25.9</id>
<link rel='self' href='http://git.kilabit.info/go/atom?h=go1.25.9'/>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/'/>
<updated>2026-04-07T19:41:12Z</updated>
<entry>
<title>[release-branch.go1.25] go1.25.9</title>
<updated>2026-04-07T19:41:12Z</updated>
<author>
<name>Gopher Robot</name>
<email>gobot@golang.org</email>
</author>
<published>2026-04-07T19:19:30Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=7076e01d9d450bae9f25be76f45d58cc52e2aad2'/>
<id>urn:sha1:7076e01d9d450bae9f25be76f45d58cc52e2aad2</id>
<content type='text'>
Change-Id: Ia7f7e69f363309b6367594275174fcfa8e886541
Reviewed-on: https://go-review.googlesource.com/c/go/+/763700
TryBot-Bypass: Gopher Robot &lt;gobot@golang.org&gt;
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
Reviewed-by: David Chase &lt;drchase@google.com&gt;
Auto-Submit: Gopher Robot &lt;gobot@golang.org&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.25] cmd/go: disallow cgo trust boundary bypass</title>
<updated>2026-04-07T19:14:48Z</updated>
<author>
<name>Neal Patel</name>
<email>nealpatel@google.com</email>
</author>
<published>2026-02-24T23:05:34Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=abaa0cbb259e059ee60c33a7507eddc1fe7d20fa'/>
<id>urn:sha1:abaa0cbb259e059ee60c33a7507eddc1fe7d20fa</id>
<content type='text'>
The cgo compiler implicitly trusts generated files
with 'cgo' prefixes; thus, SWIG files containing 'cgo'
in their names will cause bypass of the trust boundary,
leading to code smuggling or arbitrary code execution.

The cgo compiler will now produce an error if it
encounters any SWIG files containing this prefix.

Thanks to Juho Forsén of Mattermost for reporting this issue.

Fixes #78335
Fixes CVE-2026-27140

Change-Id: I44185a84e07739b3b347efdb86be7d8fa560b030
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3520
Reviewed-by: Nicholas Husin &lt;husin@google.com&gt;
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3989
Reviewed-on: https://go-review.googlesource.com/c/go/+/763556
Reviewed-by: David Chase &lt;drchase@google.com&gt;
TryBot-Bypass: Gopher Robot &lt;gobot@golang.org&gt;
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
Auto-Submit: Gopher Robot &lt;gobot@golang.org&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.25] crypto/tls: prevent deadlock when client sends multiple key update messages</title>
<updated>2026-04-07T19:14:44Z</updated>
<author>
<name>Roland Shoemaker</name>
<email>bracewell@google.com</email>
</author>
<published>2026-03-23T18:54:41Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=02f574a8303560a4a79a42834f3092ce7c9a57cc'/>
<id>urn:sha1:02f574a8303560a4a79a42834f3092ce7c9a57cc</id>
<content type='text'>
When we made setReadTrafficSecret send an alert when there are pending
handshake messages, we introduced a deadlock when the client sends
multiple key update messages that request a response, as handleKeyUpdate
will lock the mutex, and defer the unlocking until the end of the
function, but setReadTrafficSecret called sendAlert in the failure case,
which also tries to lock the mutex.

Add an argument to setReadTrafficSecret which lets the caller indicate
if the mutex is already locked, and if so, call sendAlertLocked instead
of sendAlert.

Thanks to Jakub Ciolek for reporting this issue.

Fixes #78334
Fixes CVE-2026-32283

Change-Id: Id8e56974233c910e0d66ba96eafbd2ea57832610
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3881
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
Reviewed-by: Nicholas Husin &lt;husin@google.com&gt;
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3988
Reviewed-on: https://go-review.googlesource.com/c/go/+/763555
Auto-Submit: Gopher Robot &lt;gobot@golang.org&gt;
Reviewed-by: David Chase &lt;drchase@google.com&gt;
TryBot-Bypass: Gopher Robot &lt;gobot@golang.org&gt;
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.25] archive/tar: limit the number of old GNU sparse format entries</title>
<updated>2026-04-07T19:14:40Z</updated>
<author>
<name>Damien Neil</name>
<email>dneil@google.com</email>
</author>
<published>2026-03-23T20:12:44Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=82b0cdb7411ea2cf02d3a45e6983cc7c8c009d9e'/>
<id>urn:sha1:82b0cdb7411ea2cf02d3a45e6983cc7c8c009d9e</id>
<content type='text'>
We did not set a limit on the maximum size of sparse maps in
the old GNU sparse format. Set a limit based on the cumulative
size of the extension blocks used to encode the map (consistent
with how we limit the sparse map size for other formats).

Add an additional limit to the total number of sparse file entries,
regardless of encoding, to all sparse formats.

Thanks to Colin Walters (walters@verbum.org),
Uuganbayar Lkhamsuren (https://github.com/uug4na),
and Jakub Ciolek for reporting this issue.

Fixes #78301
Fixes CVE-2026-32288

Change-Id: I84877345d7b41cc60c58771860ba70e16a6a6964
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3901
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
Reviewed-by: Roland Shoemaker &lt;bracewell@google.com&gt;
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4003
Reviewed-by: Nicholas Husin &lt;husin@google.com&gt;
Reviewed-by: Neal Patel &lt;nealpatel@google.com&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/763554
TryBot-Bypass: Gopher Robot &lt;gobot@golang.org&gt;
Auto-Submit: Gopher Robot &lt;gobot@golang.org&gt;
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
Reviewed-by: David Chase &lt;drchase@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.25] cmd/compile: fix loopbce overflow check logic</title>
<updated>2026-04-07T19:14:36Z</updated>
<author>
<name>Junyang Shao</name>
<email>shaojunyang@google.com</email>
</author>
<published>2026-03-06T00:03:45Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=7d2dd3488cdfbddda14c18c455d3263df75a46fc'/>
<id>urn:sha1:7d2dd3488cdfbddda14c18c455d3263df75a46fc</id>
<content type='text'>
addWillOverflow and subWillOverflow have an implicit assumption that y is
positive; using them outside of addU and subU is really incorrect. This CL
fixes those incorrect usages to use the correct logic in place.

Thanks to Jakub Ciolek for reporting this issue.

Fixes #78333
Fixes CVE-2026-27143

Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3700
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
Reviewed-by: Neal Patel &lt;nealpatel@google.com&gt;
Change-Id: I263e8e7ac227e2a68109eb7bbd45f66569ed22ec
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3987
Commit-Queue: Damien Neil &lt;dneil@google.com&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/763553
Reviewed-by: David Chase &lt;drchase@google.com&gt;
Auto-Submit: Gopher Robot &lt;gobot@golang.org&gt;
TryBot-Bypass: Gopher Robot &lt;gobot@golang.org&gt;
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.25] cmd/compile: fix mem access overlap detection</title>
<updated>2026-04-07T19:14:32Z</updated>
<author>
<name>Junyang Shao</name>
<email>shaojunyang@google.com</email>
</author>
<published>2026-03-12T21:36:33Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=72cc33629a3b26e68f6e6e5564618a1d763896f3'/>
<id>urn:sha1:72cc33629a3b26e68f6e6e5564618a1d763896f3</id>
<content type='text'>
When a no-op interface conversion is wrapped around the rhs of an
assignment, the memory overlap detection logic in the compiler failed to
peel down conversion to see the actual pointer, causing an incorrect
no-overlapping determination.

Thanks to Jakub Ciolek for reporting this issue.


Fixes #78371
Fixes CVE-2026-27144

Change-Id: I55ff0806b099e1447bdbfba7fde6c6597db5d65c
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3780
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
Reviewed-by: Neal Patel &lt;nealpatel@google.com&gt;
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4002
Reviewed-on: https://go-review.googlesource.com/c/go/+/763552
Auto-Submit: Gopher Robot &lt;gobot@golang.org&gt;
TryBot-Bypass: Gopher Robot &lt;gobot@golang.org&gt;
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
Reviewed-by: David Chase &lt;drchase@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.25] html/template: properly track JS template literal brace depth across contexts</title>
<updated>2026-04-07T19:14:28Z</updated>
<author>
<name>Roland Shoemaker</name>
<email>bracewell@google.com</email>
</author>
<published>2026-03-23T20:34:23Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=3ed316924408a02b256544eb40607e73702f2d0c'/>
<id>urn:sha1:3ed316924408a02b256544eb40607e73702f2d0c</id>
<content type='text'>
Properly track JS template literal brace depth across branches/ranges,
and prevent accidental re-use of escape analysis by including the
brace depth in the stringification/mangling for contexts.

Fixes #78331
Fixes CVE-2026-32289

Change-Id: I9f3f47c29e042220b18e4d3299db7a3fae4207fa
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3882
Reviewed-by: Neal Patel &lt;nealpatel@google.com&gt;
Reviewed-by: Nicholas Husin &lt;husin@google.com&gt;
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4000
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
Commit-Queue: Damien Neil &lt;dneil@google.com&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/763551
Auto-Submit: Gopher Robot &lt;gobot@golang.org&gt;
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
Reviewed-by: David Chase &lt;drchase@google.com&gt;
TryBot-Bypass: Gopher Robot &lt;gobot@golang.org&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.25] internal/syscall/unix: properly support AT_SYMLINK_NOFOLLOW on Linux</title>
<updated>2026-04-07T19:14:25Z</updated>
<author>
<name>Damien Neil</name>
<email>dneil@google.com</email>
</author>
<published>2026-03-23T17:34:50Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=4c79c4223e42b4727d1600e71ad6983cfb21f534'/>
<id>urn:sha1:4c79c4223e42b4727d1600e71ad6983cfb21f534</id>
<content type='text'>
On Linux, the fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag.

Change the Linux Fchmodat function to use the fstatat2 syscall
(added in Linux 6.6) when available.

When fstatat2 is not available, use the same workaround as
GNU libc and musl, which is to open the target file
with O_PATH and then chmod it via /proc/self/fd.

This change fixes an os.Root escape, where Root.Chmod could follow
a symlink and act on a file outside of the root.  Root.Chmod checks
to see if its target is a symlink before calling fchmodat, so this
escape requires the target to be replaced with a symlink in between
the initial check and the fchmodat.

Thanks to Uuganbayar Lkhamsuren (https://github.com/uug4na)
for reporting this issue.

Fixes CVE-2026-32282
Fixes #78293

Change-Id: Ie487be1a853b341a77b42ae0c59301d46a6a6964
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3900
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
Reviewed-by: Neal Patel &lt;nealpatel@google.com&gt;
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3982
Commit-Queue: Damien Neil &lt;dneil@google.com&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/763550
Reviewed-by: David Chase &lt;drchase@google.com&gt;
Auto-Submit: Gopher Robot &lt;gobot@golang.org&gt;
TryBot-Bypass: Gopher Robot &lt;gobot@golang.org&gt;
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.25] crypto/x509: fix signature checking limit</title>
<updated>2026-03-26T20:05:22Z</updated>
<author>
<name>Roland Shoemaker</name>
<email>bracewell@google.com</email>
</author>
<published>2026-03-05T22:28:44Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=edc1e4a5f2af48b648502d987b8d4eebf43c884b'/>
<id>urn:sha1:edc1e4a5f2af48b648502d987b8d4eebf43c884b</id>
<content type='text'>
We added the "is this cert already in the chain" check (alreadyInChain)
to considerCandidates before the signature limit. considerCandidates
bails out when we exceed the signature check, but buildChains keeps
calling considerCandidates until it exhausts all potential parents. In
the case where a large number of certificates look to have signed each
other (e.g. all have subject==issuerSubject and the same key),
alreadyInChain is not particularly cheap, meaning even though we hit our
"this is too much work" limit, we still do a lot of work.

Move alreadyInChain after the signature limit, and also return a
sentinel error, and check it in buildChains so we can break out of the
loop early if we aren't actually going to do any more work.

Thanks to Jakub Ciolek for reporting this issue.

Updates #78282
Fixes #78361
Fixes CVE-2026-32280

Change-Id: Ie6f05c6ba3b0a40c21f64f7c4f846e74fae3b10e
Reviewed-on: https://go-review.googlesource.com/c/go/+/758320
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
Reviewed-by: Neal Patel &lt;nealpatel@google.com&gt;
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
Reviewed-by: Jakub Ciolek &lt;jakub@ciolek.dev&gt;
(cherry picked from commit 26d8a902002a2b41bc4c302044110f2eae8d597f)
Reviewed-on: https://go-review.googlesource.com/c/go/+/759221
Auto-Submit: Dmitri Shuralyov &lt;dmitshur@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.25] crypto/x509: hoist policy pruning out of loop</title>
<updated>2026-03-26T20:01:05Z</updated>
<author>
<name>Roland Shoemaker</name>
<email>roland@golang.org</email>
</author>
<published>2026-03-23T19:09:47Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=210b8112b1bacef207c8064551ad5d2665203a8c'/>
<id>urn:sha1:210b8112b1bacef207c8064551ad5d2665203a8c</id>
<content type='text'>
We only need to do this once, not once per mapping.

Thanks to Jakub Ciolek for reporting this issue.

Updates #78281
Fixes #78359
Fixes CVE-2026-32281

Change-Id: Ic26f5f14d2a5e42ca8c24b8ae47bc3c5cc601863
Reviewed-on: https://go-review.googlesource.com/c/go/+/758061
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
Reviewed-by: Neal Patel &lt;nealpatel@google.com&gt;
Reviewed-by: Jakub Ciolek &lt;jakub@ciolek.dev&gt;
(cherry picked from commit 312541b783ceae00471573da83367cae26ca255b)
Reviewed-on: https://go-review.googlesource.com/c/go/+/759200
Auto-Submit: Dmitri Shuralyov &lt;dmitshur@google.com&gt;
</content>
</entry>
</feed>
