Fork of Go programming language with my patches. http://git.kilabit.info/go/atom?h=go1.26.2 2026-04-07T19:38:49Z 2026-04-07T19:38:49Z Gopher Robot gobot@golang.org 2026-04-07T19:19:24Z urn:sha1:9c8bf0e72a6fb3b415b591b124b59fbb7cf92252 Change-Id: I7f99e65c01c25ff7b5efed6c2aa124c52d0a977f Reviewed-on: https://go-review.googlesource.com/c/go/+/763682 Auto-Submit: Gopher Robot <gobot@golang.org> TryBot-Bypass: Gopher Robot <gobot@golang.org> Reviewed-by: Junyang Shao <shaojunyang@google.com> Reviewed-by: David Chase <drchase@google.com> 2026-04-07T19:14:20Z Neal Patel nealpatel@google.com 2026-02-24T23:05:34Z urn:sha1:096f21b1c50fe62bc54c1fb1ede60fca63239123 The cgo compiler implicitly trusts generated files with 'cgo' prefixes; thus, SWIG files containing 'cgo' in their names will cause bypass of the trust boundary, leading to code smuggling or arbitrary code execution. The cgo compiler will now produce an error if it encounters any SWIG files containing this prefix. Thanks to Juho Forsén of Mattermost for reporting this issue. Fixes #78335 Fixes CVE-2026-27140 Change-Id: I44185a84e07739b3b347efdb86be7d8fa560b030 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3520 Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4021 Commit-Queue: Damien Neil <dneil@google.com> Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/763549 TryBot-Bypass: Gopher Robot <gobot@golang.org> Reviewed-by: David Chase <drchase@google.com> Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Junyang Shao <shaojunyang@google.com> 2026-04-07T19:14:16Z Roland Shoemaker bracewell@google.com 2026-03-23T18:54:41Z urn:sha1:7cafb4140d5616f1a0316a194a977b0794cd7d7c When we made setReadTrafficSecret send an alert when there are pending handshake messages, we introduced a deadlock when the client sends multiple key update messages that request a response, as handleKeyUpdate will lock the mutex, and defer the unlocking until the end of the function, but setReadTrafficSecret called sendAlert in the failure case, which also tries to lock the mutex. Add an argument to setReadTrafficSecret which lets the caller indicate if the mutex is already locked, and if so, call sendAlertLocked instead of sendAlert. Thanks to Jakub Ciolek for reporting this issue. Fixes #78334 Fixes CVE-2026-32283 Change-Id: Id8e56974233c910e0d66ba96eafbd2ea57832610 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3881 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4004 Reviewed-on: https://go-review.googlesource.com/c/go/+/763548 Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Junyang Shao <shaojunyang@google.com> TryBot-Bypass: Gopher Robot <gobot@golang.org> Reviewed-by: David Chase <drchase@google.com> 2026-04-07T19:14:12Z Damien Neil dneil@google.com 2026-03-23T20:12:44Z urn:sha1:a34b5e4d55e39efc9af0d803969e9399a553acf3 We did not set a limit on the maximum size of sparse maps in the old GNU sparse format. Set a limit based on the cumulative size of the extension blocks used to encode the map (consistent with how we limit the sparse map size for other formats). Add an additional limit to the total number of sparse file entries, regardless of encoding, to all sparse formats. Thanks to Colin Walters (walters@verbum.org), Uuganbayar Lkhamsuren (https://github.com/uug4na), and Jakub Ciolek for reporting this issue. Fixes #78301 Fixes CVE-2026-32288 Change-Id: I84877345d7b41cc60c58771860ba70e16a6a6964 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3901 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4020 Reviewed-by: Neal Patel <nealpatel@google.com> Commit-Queue: Damien Neil <dneil@google.com> Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/763547 Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Junyang Shao <shaojunyang@google.com> TryBot-Bypass: Gopher Robot <gobot@golang.org> Reviewed-by: David Chase <drchase@google.com> 2026-04-07T19:14:08Z Junyang Shao shaojunyang@google.com 2026-03-06T00:03:45Z urn:sha1:c4b4bd7b3aefeb67a541912df0733bde68333bfc addWillOverflow and subWillOverflow has an implicit assumption that y is positive, using it outside of addU and subU is really incorrect. This CL fixes those incorrect usage to use the correct logic in place. Thanks to Jakub Ciolek for reporting this issue. Fixes #78333 Fixes CVE-2026-27143 Change-Id: I263e8e7ac227e2a68109eb7bbd45f66569ed22ec Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3700 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3986 Commit-Queue: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/763546 Reviewed-by: David Chase <drchase@google.com> Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Junyang Shao <shaojunyang@google.com> TryBot-Bypass: Gopher Robot <gobot@golang.org> 2026-04-07T19:14:04Z Junyang Shao shaojunyang@google.com 2026-03-12T21:36:33Z urn:sha1:3a4577a2687ad46d2a00305ddb68733283ea0720 When a no-op interface conversion is wrapped around the rhs of an assignment, the memory overlap detection logic in the compiler failed to peel down conversion to see the actual pointer, causing an incorrect no-overlapping determination. Thanks to Jakub Ciolek for reporting this issue. Fixes #78371 Fixes CVE-2026-27144 Change-Id: I55ff0806b099e1447bdbfba7fde6c6597db5d65c Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3780 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4001 Commit-Queue: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/763545 TryBot-Bypass: Gopher Robot <gobot@golang.org> Reviewed-by: Junyang Shao <shaojunyang@google.com> Reviewed-by: David Chase <drchase@google.com> Auto-Submit: Gopher Robot <gobot@golang.org> 2026-04-07T19:14:00Z Roland Shoemaker bracewell@google.com 2026-03-23T17:22:34Z urn:sha1:ceb4da6626ce94d75b2aefd0f24c6d0fd74f45f9 When applying excluded constraints to wildcard DNS SANs, the constraint checking implementation did not normalize the case of the constraint nor the SAN, which could lead to incorrect constraint checking results. This change lowercases both the constraint and the SAN before checking for matches, ensuring that constraint checking is case-insensitive as intended. Thanks to Riyas from Saintgits College of Engineering for reporting this issue. Fixes #78332 Fixes CVE-2026-33810 Change-Id: Id27792c8ed4c40f2810bad8dbd8d5d520cb465bb Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3860 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3984 Commit-Queue: Damien Neil <dneil@google.com> Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/763544 Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Junyang Shao <shaojunyang@google.com> TryBot-Bypass: Gopher Robot <gobot@golang.org> 2026-04-07T19:13:56Z Roland Shoemaker bracewell@google.com 2026-03-23T20:34:23Z urn:sha1:babb1c32c2e7ee7a1147e7e587d35c553fb693ad Properly track JS template literal brace depth across branches/ranges, and prevent accidental re-use of escape analysis by including the brace depth in the stringification/mangling for contexts. Fixes #78331 Fixes CVE-2026-32289 Change-Id: I9f3f47c29e042220b18e4d3299db7a3fae4207fa Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3882 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3983 Reviewed-by: Damien Neil <dneil@google.com> Commit-Queue: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/763543 Reviewed-by: Junyang Shao <shaojunyang@google.com> Reviewed-by: David Chase <drchase@google.com> Auto-Submit: Gopher Robot <gobot@golang.org> TryBot-Bypass: Gopher Robot <gobot@golang.org> 2026-04-07T19:13:52Z Damien Neil dneil@google.com 2026-03-23T17:34:50Z urn:sha1:b6176f459ad7b84ea7fb8daab983f4cef644a119 On Linux, the fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag. Change the Linux Fchmodat function to use the fstatat2 syscall (added in Linux 6.6) when available. When fstatat2 is not available, use the same workaround as GNU libc and musl, which is to open the target file with O_PATH and then chmod it via /proc/self/fd. This change fixes an os.Root escape, where Root.Chmod could follow a symlink and act on a file outside of the root. Root.Chmod checks to see if its target is a symlink before calling fchmodat, so this escape requires the target to be replaced with a symlink in between the initial check and the fchmodat. Thanks to Uuganbayar Lkhamsuren (https://github.com/uug4na) for reporting this issue. Fixes CVE-2026-32282 Fixes #78293 Change-Id: Ie487be1a853b341a77b42ae0c59301d46a6a6964 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3900 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3981 Commit-Queue: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/763542 Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Junyang Shao <shaojunyang@google.com> Reviewed-by: David Chase <drchase@google.com> TryBot-Bypass: Gopher Robot <gobot@golang.org> 2026-03-26T20:49:23Z Damien Neil dneil@google.com 2026-03-26T19:13:56Z urn:sha1:917949cc1d16c652cb09ba369718f45e5d814d8f Too many systems seem to rely on net/url accepting invalid URLs with colons in the host subcomponent. Rather than adding exceptions for each (PostgreSQL, MongoDB, Redis, etc.), limit the strict validation to http/https only. This backport CL also includes test-only changes from CL 751360. For #78077 Fixes #78111 Change-Id: I851c82eb3505297013269d71dc626a4c1c202c82 Reviewed-on: https://go-review.googlesource.com/c/go/+/758900 Reviewed-by: Roland Shoemaker <roland@golang.org> Auto-Submit: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/759662 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Damien Neil <dneil@google.com> Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>