Age | Commit message | Author
2026-03-05 | [release-branch.go1.26] go1.26.1 (tag: go1.26.1) | Gopher Robot
Change-Id: Ia2366ca54412a0e31c3838f71f302e2e7f26260e Reviewed-on: https://go-review.googlesource.com/c/go/+/752121 Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Jakub Ciolek <jakub@ciolek.dev> TryBot-Bypass: Gopher Robot <gobot@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
2026-03-05 | [release-branch.go1.26] crypto/x509: fix name constraint checking panic | Roland Shoemaker
Apparently we allow empty dNSName SANs (e.g. a domain name of ""), which causes the excluded domain name wildcard checking to panic, because we assume names are always non-empty. RFC 5280 appears to say the empty string should not be accepted, although confusingly refers to this as " " (a single space). We should probably not allow that when creating certificates, and possibly when creating them as well (1.27 I guess). Thanks to Jakub Ciolek for reporting this issue. Updates #77953 Fixes #77974 Fixes CVE-2026-27138 Change-Id: I4fb213a5450470969a7436cba09b71fd1755a6af Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3420 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3621 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/752083 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Bypass: Gopher Robot <gobot@golang.org> Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com>
2026-03-05 | [release-branch.go1.26] crypto/x509: fix full email constraint matching | Roland Shoemaker
For full email addresses (local@domain), we stored a map between the case sensitive local portion to the case insensitive domain portion, and used that to check if an email SAN matched the constraint. This could be abused, because it was a map[string]string, meaning if any two constraints had the same local portion but different domains, the second would overwrite the first. Change the map from map[string]string to map[rfc2821Mailbox]struct{}, where the domain portion of the mailbox is lowercased. When checking for a match we then check the parsed mailbox against the map, lowercasing the domain portion of the query when we initially parse the address. This gives us the same functionality as before, but without the possibility of one constraint overwriting another. Thanks to Jakub Ciolek for reporting this issue. Updates #77952 Fixes #77973 Fixes CVE-2026-27137 Change-Id: Ia405209be6f3b87cf4ac220a645467418dc41805 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3440 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3620 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/752082 TryBot-Bypass: Gopher Robot <gobot@golang.org> Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Cherry Mui <cherryyz@google.com>
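The two map layouts named in the commit message above, side by side, as an added example that is not part of the commit or of crypto/x509. The `mailbox` type, every function name and the `.example` addresses are hypothetical and constructed for illustration; parsing is deliberately minimal.

```go
package main

import (
	"fmt"
	"strings"
)

// mailbox is a hypothetical stand-in for a parsed local@domain address.
// The local part keeps its case; the domain is stored lowercased.
type mailbox struct {
	local  string
	domain string
}

// parseMailbox splits at the last '@' and lowercases the domain.
// Assumption: no quoted local parts, no RFC-level validation.
func parseMailbox(addr string) (mailbox, bool) {
	i := strings.LastIndexByte(addr, '@')
	if i <= 0 || i == len(addr)-1 {
		return mailbox{}, false
	}
	return mailbox{local: addr[:i], domain: strings.ToLower(addr[i+1:])}, true
}

// buildByLocal models the older layout: local part -> domain.
// Two constraints with the same local part collide on the key.
func buildByLocal(constraints []string) map[string]string {
	m := make(map[string]string)
	for _, c := range constraints {
		if mb, ok := parseMailbox(c); ok {
			m[mb.local] = mb.domain // an earlier domain for this local part is lost
		}
	}
	return m
}

// matchByLocal checks an address against the older layout.
func matchByLocal(m map[string]string, addr string) bool {
	mb, ok := parseMailbox(addr)
	if !ok {
		return false
	}
	d, found := m[mb.local]
	return found && d == mb.domain
}

// buildSet models the layout the fix describes: the whole mailbox is the key.
func buildSet(constraints []string) map[mailbox]struct{} {
	s := make(map[mailbox]struct{})
	for _, c := range constraints {
		if mb, ok := parseMailbox(c); ok {
			s[mb] = struct{}{}
		}
	}
	return s
}

// matchSet checks an address against the set layout.
func matchSet(s map[mailbox]struct{}, addr string) bool {
	mb, ok := parseMailbox(addr)
	if !ok {
		return false
	}
	_, found := s[mb]
	return found
}

// droppedConstraints is a self-check: every constraint should match itself.
// It returns the constraints the older layout silently lost.
func droppedConstraints(constraints []string) []string {
	m := buildByLocal(constraints)
	var lost []string
	for _, c := range constraints {
		if !matchByLocal(m, c) {
			lost = append(lost, c)
		}
	}
	return lost
}

func main() {
	// Constructed sample constraints; two share the local part "admin".
	cs := []string{"admin@a.example", "admin@b.example", "ops@a.example"}
	old, set := buildByLocal(cs), buildSet(cs)
	for _, q := range []string{"admin@a.example", "admin@b.example", "admin@A.EXAMPLE", "Admin@a.example"} {
		fmt.Printf("%-18s by-local=%-5v set=%v\n", q, matchByLocal(old, q), matchSet(set, q))
	}
	fmt.Println("lost in by-local layout:", droppedConstraints(cs))
}
```

A self-match check like `droppedConstraints` is a cheap regression test for any constraint store: a constraint that does not match itself has been dropped or rewritten during loading.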
2026-03-05 | [release-branch.go1.26] html/template: properly escape URLs in meta content ↵ | Roland Shoemaker
attributes The meta tag can include a content attribute that contains URLs, which we currently don't escape if they are inserted via a template action. This can plausibly lead to XSS vulnerabilities if untrusted data is inserted there, the http-equiv attribute is set to "refresh", and the content attribute contains an action like `url={{.}}`. Track whether we are inside of a meta element, if we are inside of a content attribute, _and_ if the content attribute contains "url=". If all of those are true, then we will apply the same URL escaping that we use elsewhere. Also add a new GODEBUG, htmlmetacontenturlescape, to allow disabling this escaping for cases where this behavior is considered safe. The behavior can be disabled by setting htmlmetacontenturlescape=0. Updates #77954 Fixes #77972 Fixes CVE-2026-27142 Change-Id: I9bbca263be9894688e6ef1e9a8f8d2f4304f5873 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3360 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3643 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/752081 Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com> TryBot-Bypass: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
2026-03-05 | [release-branch.go1.26] net/url: reject IPv6 literal not at start of host | Ian Alexander
This change rejects IPv6 literals that do not appear at the start of the host subcomponent of a URL. For example:
    http://example.com[::1] -> rejects
    http://[::1] -> accepts
Thanks to Masaki Hara (https://github.com/qnighy) of Wantedly.
Updates #77578 Fixes #77970 Fixes CVE-2026-25679 Change-Id: I7109031880758f7c1eb4eca513323328feace33c Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3400 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3622 Reviewed-on: https://go-review.googlesource.com/c/go/+/752080 Auto-Submit: Gopher Robot <gobot@golang.org> TryBot-Bypass: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Cherry Mui <cherryyz@google.com>
2026-03-04 | [release-branch.go1.26] cmd/go: revert update default go directive in mod or ↵ | Michael Matloob
work init This restores the previous behavior of setting go directive to the toolchain's version as per #77653. For #77653 Fixes #77860 Change-Id: Ie9d2de025a75f39fd8d6d01776d0cf4e5da954f9 Reviewed-on: https://go-review.googlesource.com/c/go/+/749948 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Austin Clements <austin@google.com>
2026-03-02 | [release-branch.go1.26] cmd: re-vendor x/tools for Go 1.26.1 | Cherry Mui
Update x/tools vendor to the tip of internal-branch.go1.26-vendor branch (642dd50), to pull in recent fixes of the modernizer. Done by
    cd GOROOT/cmd
    go get golang.org/x/tools@internal-branch.go1.26-vendor
    go mod tidy
    go mod vendor
Fixes #77766 Fixes #77803 Fixes #77804 Fixes #77805 Fixes #77807 Fixes #77849 Fixes #77899 Fixes #77904 Change-Id: Id7aa8c2247949bdc104898270a4ceb3eee68a818 Reviewed-on: https://go-review.googlesource.com/c/go/+/750761 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Alan Donovan <adonovan@google.com>
2026-02-27 | [release-branch.go1.26] os: avoid escape from Root via ReadDir or Readdir | Damien Neil
When reading the contents of a directory using File.ReadDir or File.Readdir, the os.FileInfo was populated on Unix platforms using lstat. This lstat call is vulnerable to a TOCTOU race and could escape the root. For example:
- Open the directory "dir" within a Root. This directory contains a file named "file".
- Use File.ReadDir to list the contents of "dir", receiving a os.DirEntry for "dir/file".
- Replace "dir" with a symlink to "/etc".
- Use DirEntry.Info to retrieve the FileInfo for "dir/file". This FileInfo contains information on "/etc/file" instead.
This escape permits identifying the presence or absence of files outside a Root, as well as retrieving stat metadata (size, mode, modification time, etc.) for files outside a Root. This escape does not permit reading or writing to files outside a Root.
For #77827 Fixes #77834 Fixes CVE-2026-27139 Change-Id: I40004f830c588e516aff8ee593d630d36a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/749480 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-by: Nicholas Husin <nsh@golang.org> Auto-Submit: Damien Neil <dneil@google.com> (cherry picked from commit 657ed934e85dc575aad51356c4b437961e7c1313) Reviewed-on: https://go-review.googlesource.com/c/go/+/749822
2026-02-26 | [release-branch.go1.26] cmd/compile: ensure StructMake/ArrayMake1 of direct ↵ | Keith Randall
interfaces are unwrapped Ensures that deeply nested structs that have the underlying shape of a pointer get unwrapped properly. Update #77536 Change-Id: I004f424d2c62ec7026281daded9b3d96c021e2e1 Reviewed-on: https://go-review.googlesource.com/c/go/+/747760 Reviewed-by: Mark Freeman <markfreeman@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: David Chase <drchase@google.com> (cherry picked from commit 1aa534dbb8970b86b0f4059b7665e3505d145e25) Reviewed-on: https://go-review.googlesource.com/c/go/+/749460
2026-02-26 | [release-branch.go1.26] cmd/compile: pointer-shaped types are SSAable even ↵ | Keith Randall
if lots of 0-sized fields Normally we don't SSA-ify variables with types that have more than 4 fields. But we really do want to SSA-ify them if they are pointer shaped. An odd case, but the compiler shouldn't barf on them. Failure probably started with CL 714421. Fixes #77536 Change-Id: I51ef87676cc31df1e51e164bbd58d58c0ab72436 Reviewed-on: https://go-review.googlesource.com/c/go/+/744280 Reviewed-by: Junyang Shao <shaojunyang@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: David Chase <drchase@google.com> (cherry picked from commit 6435bf46c17dccb2eb5f7bab7dd8aa4972252b21) Reviewed-on: https://go-review.googlesource.com/c/go/+/749421 Reviewed-by: Mark Freeman <markfreeman@google.com>
2026-02-25 | [release-branch.go1.26] net/smtp: prevent test failures due to expired test ↵ | Nicholas S. Husin
certificate The current localhostCert used for testing seems to have its expiry date mistakenly set to Mar 18 19:27:54 2026 GMT. To prevent test failures, use fixed time in tests. Also, regenerate the certificate so we can fix the time to UNIX epoch (the current certificate is only valid after Mar 18 2025). Fixes #77532 Change-Id: I3136d29eaa0c8c4361f5627003f08a0059702f0d Reviewed-on: https://go-review.googlesource.com/c/go/+/744260 Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Nicholas Husin <husin@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> (cherry picked from commit 215a070a049ce449480ca6948e7fafdeb7b16920) Reviewed-on: https://go-review.googlesource.com/c/go/+/748061
2026-02-25 | [release-branch.go1.26] cmd/go: fix pkg-config flag sanitization | Roland Shoemaker
Implement a new pkg-config safe flag list (containing everything except for --log-file) and use that when checking flags passed to pkg-config, instead of using checkCompilerFlags. Updates #77387 Fixes #77474 Change-Id: Id6141d0a2934053aa43e3aa8ce402bd499c4c028 Reviewed-on: https://go-review.googlesource.com/c/go/+/741042 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Michael Pratt <mpratt@google.com> Auto-Submit: Roland Shoemaker <roland@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> (cherry picked from commit 28fbdf7acb4146b5bc3d88128e407d1344691839) Reviewed-on: https://go-review.googlesource.com/c/go/+/745480 Reviewed-by: David Chase <drchase@google.com>
2026-02-25 | [release-branch.go1.26] cmd/compile: avoid folding 64-bit integers into ↵ | Youlin Feng
32-bit constants Folding a 64-bit integer into a 32-bit constant may result in a negative integer if the value exceeds math.MaxInt32 (the maximum value of a 32-bit signed integer). This negative value will be sign-extended to 64 bits at runtime, leading to unexpected results when used in bitwise AND/OR operations. Fixes #77618 Change-Id: Idb081a3c20c28bddddcc8eff1225d62123b37a2d Reviewed-on: https://go-review.googlesource.com/c/go/+/745581 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Keith Randall <khr@golang.org> Reviewed-by: Keith Randall <khr@google.com> Reviewed-by: Keith Randall <khr@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> (cherry picked from commit 3c8b5e673816c733f13a38b1ed1f53d7d49ea084) Reviewed-on: https://go-review.googlesource.com/c/go/+/745840 Reviewed-by: Jorropo <jorropo.pgm@gmail.com> Reviewed-by: Mark Freeman <markfreeman@google.com>
2026-02-25 | [release-branch.go1.26] go/analysis/passes/modernize: add vendored code | Mark Freeman
Note this is a sum of CLs 731340, 733180, and 736715. Fixes #77529 Fixes #77624 Change-Id: I0c8119877184d2e6506d0b34895a746bafed3829 Reviewed-on: https://go-review.googlesource.com/c/go/+/746360 Reviewed-by: Madeline Kalil <mkalil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
2026-02-25 | [release-branch.go1.26] cmd/compile: fix mis-compilation for static array ↵ | Cuong Manh Le
initialization The bug was first introduced when the compiler was still written in C, with CL 2254041. The static array was laid out with the wrong context, causing a stack pointer to be stored in a global object. Fixes #77252 Change-Id: I22c8393314d251beb53db537043a63714c84f36a Reviewed-on: https://go-review.googlesource.com/c/go/+/737821 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Keith Randall <khr@golang.org> Reviewed-by: Keith Randall <khr@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Keith Randall <khr@golang.org> (cherry picked from commit dae71067ce7ee41ebe752a4ee3c544506e74f824) Reviewed-on: https://go-review.googlesource.com/c/go/+/738940 Reviewed-by: Cuong Manh Le <cuong.manhle.vn@gmail.com>
2026-02-25 | [release-branch.go1.26] cmd/compile: don't drop same register twice | khr@golang.org
For instructions that clobber both of their input registers, make sure we don't clobber the same register twice when both input registers are the same. This is rare, but it can happen. Fixes #77623 Change-Id: I794249cf43a8cc4ab3262055daef9193e2442f73 Reviewed-on: https://go-review.googlesource.com/c/go/+/745621 Reviewed-by: Keith Randall <khr@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Jorropo <jorropo.pgm@gmail.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> (cherry picked from commit f65692ea562bf24c21ae46854e98584dd4bcc201) Reviewed-on: https://go-review.googlesource.com/c/go/+/745820 Reviewed-by: Mark Freeman <markfreeman@google.com>
2026-02-25 | [release-branch.go1.26] reflect: use &zeroVal[0] instead of nil for data ↵ | Keith Randall
field for zero-sized payloads Because our wrapper functions barf if the pointer is nil, even if we don't actually dereference the pointer. Fixes #77780 Change-Id: Ib1b93d9f0fdc771cd884137007508ba2b1da4b7a Reviewed-on: https://go-review.googlesource.com/c/go/+/748660 Reviewed-by: Ian Lance Taylor <iant@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Cuong Manh Le <cuong.manhle.vn@gmail.com> Reviewed-by: Cherry Mui <cherryyz@google.com> Reviewed-by: Keith Randall <khr@google.com> (cherry picked from commit 60dc96479a85db0e245a5c14d964628169abedf4) Reviewed-on: https://go-review.googlesource.com/c/go/+/748720 Reviewed-by: David Chase <drchase@google.com>
2026-02-25 | [release-branch.go1.26] cmd/compile: rewriteFixedLoad: ensure AuxInt is ↵ | Rongrong
sign-extended
CL 701297 accidentally broke the type casting behavior for Hash. Previously, the generated rules for Hash shared a common pattern:
    v.AuxInt = int32ToAuxInt(fixed32(config, sym, off))
which was inherently equal to a sign-extend:
    v.AuxInt = int64(int32(types.TypeHash(...)))
The pattern in CL 701297 was however:
    v.AuxInt = int64(types.TypeHash(t))
Since types.TypeHash() returns a uint32, casting it to a wider integer implies zero-extend. This diverges from the definition of AuxInt, in which "Unused portions are filled by sign-extending the used portion, even if the represented value is unsigned." As a result, ssa.checkFunc(), where AuxInt is checked against the mentioned rule, is unhappy and shouts:
    internal compiler error: 'typeAsserts': bad int32 AuxInt value for v1317
Reproduce it with:
    GOARCH=mips go tool compile -m -d=ssa/check/on test/devirtualization.go
This is only reproducible with GOARCH=mips/mipsle (cross and native). Probably the rewrite rules of other architectures prevent Hash from running into rewriteFixedLoad. Fix it by emitting sign-extend properly. Additionally, do the same for Kind_ as reflectdata.ABIKindOfType() also returns a fragile unsigned integer (uint8).
Updates #67304 Fixes #77786 Change-Id: Ib4f3c94c0e3908698868449db2fdcdf4541f2e7e Reviewed-on: https://go-review.googlesource.com/c/go/+/744860 Reviewed-by: Cherry Mui <cherryyz@google.com> Reviewed-by: Jake Bailey <jacob.b.bailey@gmail.com> Reviewed-by: Keith Randall <khr@golang.org> Auto-Submit: Keith Randall <khr@golang.org> Reviewed-by: Keith Randall <khr@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> (cherry picked from commit a78df5aa0afcd64935f89577c0da0ed2315014ea) Reviewed-on: https://go-review.googlesource.com/c/go/+/748780 Reviewed-by: David Chase <drchase@google.com>
2026-02-20 | [release-branch.go1.26] internal/syscall/windows: correct some enums and ↵ | Michal Pristas
syscall signatures This CL corrects code submitted in CL 741040. Fixes #77407 Change-Id: I1c22c1a9f77028f3c2a8e3905f2ec5b071b5445e GitHub-Last-Rev: 2bfb07310b4707484b5bdce96ad367db567741c4 GitHub-Pull-Request: golang/go#77525 Reviewed-on: https://go-review.googlesource.com/c/go/+/743780 Reviewed-by: Junyang Shao <shaojunyang@google.com> Reviewed-by: Alex Brainman <alex.brainman@gmail.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Mark Freeman <markfreeman@google.com> (cherry picked from commit a09c908cc6e63a89a6206eadb12f8e2800326465) Reviewed-on: https://go-review.googlesource.com/c/go/+/746720 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Auto-Submit: Mark Freeman <markfreeman@google.com>
2026-02-18 | [release-branch.go1.26] cmd/link: don't pass -Wl,-S on illumos | Peter Tribble
The change in CL 707096 to exclude GOOS=solaris needs to also be applied for GOOS=illumos, which shares the same linker lineage. Fixes #77680 Change-Id: Ifc2047595af2db52870f9fb0a9faf646666d9e61 Reviewed-on: https://go-review.googlesource.com/c/go/+/746560 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Cherry Mui <cherryyz@google.com> Reviewed-by: Mark Freeman <markfreeman@google.com> (cherry picked from commit 50b63f6cb90a1437ca6756ede016f1918e721da6) Reviewed-on: https://go-review.googlesource.com/c/go/+/746660 Reviewed-by: Junyang Shao <shaojunyang@google.com> Auto-Submit: Mark Freeman <markfreeman@google.com>
2026-02-18 | [release-branch.go1.26] os: support deleting inaccessible files in RemoveAll | Michal Pristas
windows: retry file open with DELETE access after access denied Additional access rights when opening files, including SYNCHRONIZE, break deletion when the caller has FILE_DELETE_CHILD on the parent directory but not the file. Retry with DELETE only restores correct Windows semantics. For #77407 Change-Id: Ie53bc6f1673de1a8af4dcfb7496daf99e71098cb GitHub-Last-Rev: 0ad635cf1a13c0242e3b1922cf47a8c594dd7215 GitHub-Pull-Request: golang/go#77403 Reviewed-on: https://go-review.googlesource.com/c/go/+/741040 Reviewed-by: Quim Muntal <quimmuntal@gmail.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Michael Pratt <mpratt@google.com> Auto-Submit: Michael Pratt <mpratt@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com> (cherry picked from commit db5882ea9bf63849d554910f486c4c5cfea08852) Reviewed-on: https://go-review.googlesource.com/c/go/+/746362 Reviewed-by: Junyang Shao <shaojunyang@google.com> Auto-Submit: Mark Freeman <markfreeman@google.com>
2026-02-10 | [release-branch.go1.26] go1.26.0 (tag: go1.26.0) | Gopher Robot
Change-Id: Id361013d8afc588e79cdf962a9780e0f03128352 Reviewed-on: https://go-review.googlesource.com/c/go/+/743961 TryBot-Bypass: Gopher Robot <gobot@golang.org> Reviewed-by: Michael Pratt <mpratt@google.com> Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Junyang Shao <shaojunyang@google.com>
2026-02-09 | [release-branch.go1.26] runtime/pprof: fix missing Profile docs | Austin Clements
CL 688335 accidentally introduced a blank line between the Profile doc comment and the type definition, causing the entire doc to get dropped. Change-Id: I97b1c0e57d142d7caea6e543a0138ed6dcd1c3fe Reviewed-on: https://go-review.googlesource.com/c/go/+/743680 Auto-Submit: Austin Clements <austin@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Junyang Shao <shaojunyang@google.com>
2026-02-06 | [release-branch.go1.26] simd/archsimd: correct algorithm name in SHA256 ops ↵ | Tom Thorogood
documentation The three SHA256 ops (SHA256Message1, SHA256Message2 and SHA256TwoRounds) all incorrectly referred to the SHA1 algorithm in their documentation rather than SHA256. Change-Id: Id6c1bfe4fee4517c0e498fb063cc9112464bc1e7 Reviewed-on: https://go-review.googlesource.com/c/go/+/735420 Reviewed-by: Junyang Shao <shaojunyang@google.com> Reviewed-by: Cherry Mui <cherryyz@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> (cherry picked from commit 0430fa977573866f93e66aa61a66b37ff0738aba) Reviewed-on: https://go-review.googlesource.com/c/go/+/742583 Reviewed-by: Michael Pratt <mpratt@google.com> Auto-Submit: Michael Pratt <mpratt@google.com>
2026-02-06 | [release-branch.go1.26] crypto/tls: avoid data race when canceling a ↵ | Damien Neil
QUICConn's Context Methods on QUICConn are synchronous: The connection state is expected to change only in reaction to a user calling a QUICConn method, and the state change should finish completely before the method returns. The connection context provided to QUICConn.Start violates this model, because canceling the context causes an asynchronous state change. Prior to CL 719040, this caused no problems because canceling the context did not cause any user-visible state changes. In particular, canceling the context did not cause any new events to be immediately returned by QUICConn.NextEvent. CL 719040 introduced a new error event. Now, canceling a QUICConn's context causes a new connection event to be generated. Receiving this event causes a data race visible to the race detector, but the core problem is not the data race itself: It's that an asynchronous event (canceling the connection context) causes a change to the connection events. Fix this race by reworking the handling of QUICConn context cancellation a bit. We no longer react to cancellation while control of the connection lies with the user. We only process cancellation as part of a user call, such as QUICConn.Close or QUICConn.HandleData. Fixes #77274 Change-Id: If2e0f73618c4852114e0931b6bd0cb0b6a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/742561 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> (cherry picked from commit d4febb45179fa99ee1d5783bcb693ed7ba14115c) Reviewed-on: https://go-review.googlesource.com/c/go/+/742761 TryBot-Bypass: Dmitri Shuralyov <dmitshur@golang.org> Auto-Submit: Michael Pratt <mpratt@google.com> Reviewed-by: Michael Pratt <mpratt@google.com>
2026-02-06 | [release-branch.go1.26] log/slog: correct method names in MultiHandler docs | Rhys Hiltner
For #77428. Fixes #77429. Change-Id: I02d76ac9220fb2e0df404e4a446953bc0b56475f Reviewed-on: https://go-review.googlesource.com/c/go/+/741560 Auto-Submit: Rhys Hiltner <rhys.hiltner@gmail.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> (cherry picked from commit ae842f71461ad178eff7283bc36e150fe284b9aa) Reviewed-on: https://go-review.googlesource.com/c/go/+/742581 Reviewed-by: Rhys Hiltner <rhys.hiltner@gmail.com>
2026-02-04 | [release-branch.go1.26] go1.26rc3 (tag: go1.26rc3) | Gopher Robot
Change-Id: Icdbfe2e74b099da6f3498549873c18e1ef295c64 Reviewed-on: https://go-review.googlesource.com/c/go/+/741942 Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Michael Pratt <mpratt@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Bypass: Gopher Robot <gobot@golang.org>
2026-02-03 | [release-branch.go1.26] crypto/tls: document resumption behavior across Configs | Filippo Valsorda
Updates #77113 Updates #77217 Updates CVE-2025-68121 Change-Id: Ia47904a9ed001275aad0243a6a0ce57e6a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/740240 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Michael Pratt <mpratt@google.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> (cherry picked from commit 1c9abbdc8e9032cd613bd147c78b166ebacc8a2e) Reviewed-on: https://go-review.googlesource.com/c/go/+/741181 Auto-Submit: Michael Pratt <mpratt@google.com>
2026-02-03 | [release-branch.go1.26] crypto/tls: revalidate whole chain on resumption on ↵ | Filippo Valsorda
Windows and macOS TestHandshakeChangeRootCAsResumption and TestHandshakeGetConfigForClientDifferentClientCAs changed because previously rootA and rootB shared Subject and SPKI, which made the new full-chain revalidation check succeed, as the same leaf would verify against both roots. Updates #77376 Fixes #77426 Cq-Include-Trybots: luci.golang.try:go1.26-darwin-arm64-longtest Change-Id: I60bed694bdc621c9e83f1bd8a8224c016a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/741361 Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Roland Shoemaker <roland@golang.org> (cherry picked from commit b691a2edc7f5863f61a07c4a4f087eef1a15a704) Reviewed-on: https://go-review.googlesource.com/c/go/+/741680 Reviewed-by: Michael Pratt <mpratt@google.com> Auto-Submit: Michael Pratt <mpratt@google.com>
2026-02-03 | [release-branch.go1.26] internal/poll: readWriteUnlock should destroy fd ↵ | qmuntal
when no remaining references Updates #77404 Fixes #77405 Change-Id: I0402becb94855baf942d6ba3815cc2a3c1526d6e Reviewed-on: https://go-review.googlesource.com/c/go/+/740921 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Michael Pratt <mpratt@google.com> (cherry picked from commit 31c9bcb1037a332fd547808693cd1899090b5854) Reviewed-on: https://go-review.googlesource.com/c/go/+/741360 Auto-Submit: Michael Pratt <mpratt@google.com>
2026-01-30 | [release-branch.go1.26] cmd/compile/internal/bloop: avoid extraneous heap ↵ | thepudds
allocs in b.Loop body due to autotmp variable scope
The motivating example I created for #73137 still seems to heap allocate in go1.26rc2 when used in a b.Loop body.
                    │  go1.25   │          go1.26rc2           │
                    │ allocs/op │ allocs/op  vs base           │
NewX/b.Loop-basic-4   1.000 ± 0%  1.000 ± 0%  ~ (p=1.000 n=10) ¹
I suspect it is because the temps are by default declared outside the loop body, which escape analysis will determine is an escaping value and result in a heap allocation. (I've seen this problem before, including in my older CL 546023 that attempts to help PGO with a similar issue.)
This is an attempt to address that by placing ODCLs within the b.Loop body for the temps that are created so that they can be marked keepalive.
There are two cases handled in the CL: function return values and function arguments. The first case is what affects my example from #73137, and is also illustrated via the NewX test case in the new test/escape_bloop.go file. Without this CL, the NewX call in the BenchmarkBloop test is inlined, which is an improvement over Go 1.25, but the slice still escapes because the temporary used for the return value is declared outside the loop body. With this CL, the slice does not escape.
The second case is illustrated via the new BenchmarkBLoopFunctionArg test, which shows a function argument that escapes without this CL but does not escape with this CL.
We can also make the two new b.Loop tests in testing/benchmark_test.go individually pass or fail as expected based on individually reverting the two changes in this CL.
While we are here, we add a note to typecheck.TempAt to help make people aware of this behavior.
Updates #73137 Fixes #77339 Reviewed-on: https://go-review.googlesource.com/c/go/+/738822 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Cherry Mui <cherryyz@google.com> Reviewed-by: Junyang Shao <shaojunyang@google.com> Change-Id: I80e89ca95ba297b0d95f02782e6f4ae901a4361a Reviewed-on: https://go-review.googlesource.com/c/go/+/740600 Reviewed-by: Austin Clements <austin@google.com> Auto-Submit: Junyang Shao <shaojunyang@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
2026-01-29 | [release-branch.go1.26] simd/archsimd: add missing cpufeature to generated ↵ | David Chase
mask/merge methods Change-Id: I34678f4ef17fe1b8b7657a2c3d39685b4a5951f2 Reviewed-on: https://go-review.googlesource.com/c/go/+/739981 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Cherry Mui <cherryyz@google.com> (cherry picked from commit 985b0b3fe26661c10a3201470e80685765656363) Reviewed-on: https://go-review.googlesource.com/c/go/+/739941 Reviewed-by: David Chase <drchase@google.com>
2026-01-28 | [release-branch.go1.26] crypto/tls: check verifiedChains roots when resuming ↵ | Roland Shoemaker
sessions When resuming TLS sessions, on the server and client verify that the chains stored in the session state (verifiedChains) are still acceptable with regards to the Config by checking for the inclusion of the root in either ClientCAs (server) or RootCAs (client). This prevents resuming a session with a certificate chain that would be rejected during a full handshake due to an untrusted root. Updates #77113 Updates #77357 Updates CVE-2025-68121 Change-Id: I11fe00909ef1961c24ecf80bf5b97f7b1121d359 Reviewed-on: https://go-review.googlesource.com/c/go/+/737700 Auto-Submit: Roland Shoemaker <roland@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Coia Prant <coiaprant@gmail.com> Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-on: https://go-review.googlesource.com/c/go/+/740004 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Nicholas Husin <husin@google.com> Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Nicholas Husin <nsh@golang.org>
2026-01-28 | [release-branch.go1.26] crypto/tls: add verifiedChains expiration checking ↵ | Roland Shoemaker
during resumption When resuming a session, check that the verifiedChains contain at least one chain that is still valid at the time of resumption. If not, trigger a new handshake. Updates #77113 Updates #77357 Updates CVE-2025-68121 Change-Id: I14f585c43da17802513cbdd5b10c552d7a38b34e Reviewed-on: https://go-review.googlesource.com/c/go/+/739321 Reviewed-by: Coia Prant <coiaprant@gmail.com> Reviewed-by: Filippo Valsorda <filippo@golang.org> Auto-Submit: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/740003 Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-by: Damien Neil <dneil@google.com> Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Nicholas Husin <nsh@golang.org>
2026-01-28 [release-branch.go1.26] Revert "crypto/tls: don't copy auto-rotated session ticket keys in Config.Clone" (Roland Shoemaker)
This reverts CL 736709 (commit bba24719a4cad5cc8d771fc9cfff5a38019d554a). Updates #77113 Updates #77357 Updates CVE-2025-68121 Change-Id: I0261cb75e9adf9d0ac9890dc91ae8476b8988ba0 Reviewed-on: https://go-review.googlesource.com/c/go/+/739320 Reviewed-by: Coia Prant <coiaprant@gmail.com> Reviewed-by: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/740002 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Nicholas Husin <husin@google.com> Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Nicholas Husin <nsh@golang.org>
2026-01-28 [release-branch.go1.26] cmd/compile, simd: capture VAES instructions and fix AVX512VAES feature (Junyang Shao)
The code previously filters out VAES-only instructions, this CL added them back.
This CL added the VAES feature check following the Intel xed data:
XED_ISA_SET_VAES: vaes.7.0.ecx.9 # avx.1.0.ecx.28
This CL also found out that the old AVX512VAES feature check is not checking the correct bits, it also fixes it:
XED_ISA_SET_AVX512_VAES_128: vaes.7.0.ecx.9 aes.1.0.ecx.25 avx512f.7.0.ebx.16 avx512vl.7.0.ebx.31
XED_ISA_SET_AVX512_VAES_256: vaes.7.0.ecx.9 aes.1.0.ecx.25 avx512f.7.0.ebx.16 avx512vl.7.0.ebx.31
XED_ISA_SET_AVX512_VAES_512: vaes.7.0.ecx.9 aes.1.0.ecx.25 avx512f.7.0.ebx.16
It restricts to the most strict common set - includes avx512vl for even 512-bits although it doesn't require it.
Change-Id: I4e2f72b312fd2411589fbc12f9ee5c63c09c2e9a Reviewed-on: https://go-review.googlesource.com/c/go/+/738500 Reviewed-by: Cherry Mui <cherryyz@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> (cherry picked from commit 83b232b0af1bd498d3df099eb68e3b1e40df2527) Reviewed-on: https://go-review.googlesource.com/c/go/+/739922 Reviewed-by: Junyang Shao <shaojunyang@google.com>
2026-01-23 [release-branch.go1.26] internal/buildcfg: disable sizespecializedmalloc by default (Michael Anthony Knyszek)
We're finding some regressions in overall icache footprint at scale and we should figure out how to deal with those before rolling this out to everybody. Change-Id: I98e792db31712bf64575d76dfeafedb48898f76a Reviewed-on: https://go-review.googlesource.com/c/go/+/738780 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Michael Pratt <mpratt@google.com> Auto-Submit: Michael Knyszek <mknyszek@google.com> (cherry picked from commit 4af8ad24ee3b55ccb644680d95e2502e5551ea0b) Reviewed-on: https://go-review.googlesource.com/c/go/+/738900
2026-01-21 [release-branch.go1.26] all: merge master (2baa1d1) into release-branch.go1.26 (Carlos Amedee)
For #76474. Change-Id: Ic50e288f99b731b62af9aa73ce6721f0f2f3596d
2026-01-21 runtime: remove the unused scanIdx from mspan (Youlin Feng)
After CL 700496, mspan.scanIdx is never used, this CL just removes it. Change-Id: I41ce9902957c0cfa6fbf26b66a2a7787b179376a Reviewed-on: https://go-review.googlesource.com/c/go/+/737220 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Carlos Amedee <carlos@golang.org> Auto-Submit: Carlos Amedee <carlos@golang.org> Reviewed-by: Michael Knyszek <mknyszek@google.com>
2026-01-20 cmd/compile/internal/staticinit: fix bug in global new(expr) (Alan Donovan)
The StaticInit pass asserts that the operand of &v is a global, but this is not so for the &autotemp desugaring of new(expr). (The variable has by that point escaped to the heap, so the object code calls runtime.newobject. A future optimization would be to statically allocate the variable when it is safe and advantageous to do so.) Thanks to khr for suggesting the fix. + static test Fixes #77237 Change-Id: I71b34a1353fe0f3e297beab9851f8f87d765d8f1 Reviewed-on: https://go-review.googlesource.com/c/go/+/737680 Reviewed-by: Keith Randall <khr@golang.org> Reviewed-by: Keith Randall <khr@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2026-01-20 strconv: don't call internal Atoi twice in Atoi (Daniel Müllner)
Change-Id: I89a41bbc83fdf473399527a933d57794ce83f68a Reviewed-on: https://go-review.googlesource.com/c/go/+/737261 Reviewed-by: Russ Cox <rsc@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Ian Lance Taylor <iant@golang.org> Reviewed-by: Florian Lehner <lehner.florian86@gmail.com>
2026-01-16 doc: fix urlmaxqueryparams typos (Michael Pratt)
Updates #77101. Change-Id: I6a6a636cd58e1bd01943066368cb1424db6c6a92 Reviewed-on: https://go-review.googlesource.com/c/go/+/737040 Reviewed-by: Damien Neil <dneil@google.com> Auto-Submit: Michael Pratt <mpratt@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2026-01-15 go/types,cmd/compile/internal/types2: better diagnostic for type shadowing (Alan Donovan)
This change causes the "x is not a type" diagnostic to describe x's actual kind, helping to reveal when shadowing is at work. (The kind description could improve other errors too.) Fixes #76877 Change-Id: Ia3484998bb384ff570c20b6792cf8461c60aa38c Reviewed-on: https://go-review.googlesource.com/c/go/+/731180 Reviewed-by: Robert Griesemer <gri@google.com> Auto-Submit: Alan Donovan <adonovan@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Robert Griesemer <gri@google.com>
2026-01-15 archive/zip: reduce CPU usage in index construction (Damien Neil)
Constructing the zip index (which is done once when first opening a file in an archive) can consume large amounts of CPU when processing deeply-nested directory paths. Switch to a less inefficient algorithm. Thanks to Jakub Ciolek for reporting this issue.
goos: darwin
goarch: arm64
pkg: archive/zip
cpu: Apple M4 Pro
                          │ /tmp/bench.0   │ /tmp/bench.1                         │
                          │ sec/op         │ sec/op        vs base                │
ReaderOneDeepDir-14         25983.62m ± 2%   46.01m ± 2%   -99.82% (p=0.000 n=8)
ReaderManyDeepDirs-14       16.221 ± 1%      2.763 ± 6%    -82.96% (p=0.000 n=8)
ReaderManyShallowFiles-14   130.3m ± 1%      128.8m ± 2%   -1.20% (p=0.003 n=8)
geomean                     3.801            253.9m        -93.32%
Fixes #77102 Fixes CVE-2025-61728 Change-Id: I2c9c864be01b2a2769eb67fbab1b250aeb8f6c42 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3060 Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/736713 Auto-Submit: Michael Pratt <mpratt@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Junyang Shao <shaojunyang@google.com>
2026-01-15 net/url: add urlmaxqueryparams GODEBUG to limit the number of query parameters (Damien Neil)
net/url does not currently limit the number of query parameters parsed by url.ParseQuery or URL.Query. When parsing an application/x-www-form-urlencoded form, net/http.Request.ParseForm will parse up to 10 MB of query parameters. An input consisting of a large number of small, unique parameters can cause excessive memory consumption. We now limit the number of query parameters parsed to 10000 by default. The limit can be adjusted by setting GODEBUG=urlmaxqueryparams=<n>. Setting urlmaxqueryparams to 0 disables the limit. Thanks to jub0bs for reporting this issue. Fixes #77101 Fixes CVE-2025-61726 Change-Id: Iee3374c7ee2d8586dbf158536d3ade424203ff66 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3020 Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/736712 Auto-Submit: Michael Pratt <mpratt@google.com> Reviewed-by: Junyang Shao <shaojunyang@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2026-01-15 cmd/go/internal/work: sanitize flags before invoking 'pkg-config' (Neal Patel)
The addition of CgoPkgConfig allowed execution with flags not matching the safelist. In order to prevent potential arbitrary code execution at build time, ensure that flags are validated prior to invoking the 'pkg-config' binary. Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc. for reporting this issue. Fixes CVE-2025-61731 Fixes #77100 Change-Id: Ic51b41f1f7e697ab98c9c32c6fae35f217f7f364 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3240 Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/736711 Reviewed-by: Junyang Shao <shaojunyang@google.com> Auto-Submit: Michael Pratt <mpratt@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2026-01-15 cmd/go: update VCS commands to use safer flag/argument syntax (Roland Shoemaker)
In various situations, the toolchain invokes VCS commands. Some of these commands take arbitrary input, either provided by users or fetched from external sources. To prevent potential command injection vulnerabilities or misinterpretation of arguments as flags, this change updates the VCS commands to use various techniques to separate flags from positional arguments, and to directly associate flags with their values. Additionally, we update the environment variable for Mercurial to use `HGPLAIN=+strictflags`, which is the more explicit way to disable user configurations (intended or otherwise) that might interfere with command execution. We also now disallow version strings from being prefixed with '-' or '/', as doing so opens us up to making the same mistake again in the future. As far as we know there are currently ~0 public modules affected by this. While I was working on cmd/go/internal/vcs, I also noticed that a significant portion of the commands being implemented were dead code. In order to reduce the maintenance burden and surface area for potential issues, I removed the dead code for unused commands. We should probably follow up with a more structured change to make it harder to accidentally re-introduce these issues in the future, but for now this addresses the issue at hand. Thanks to splitline (@splitline) from DEVCORE Research Team for reporting this issue. Fixes CVE-2025-68119 Fixes #77099 Change-Id: I9d9f4ee05b95be49fe14edf71a1b8e6c0784378e Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3260 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/736710 Auto-Submit: Michael Pratt <mpratt@google.com> Reviewed-by: Junyang Shao <shaojunyang@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2026-01-15 crypto/tls: don't copy auto-rotated session ticket keys in Config.Clone (Roland Shoemaker)
Once a tls.Config is used, it is not safe to mutate. We provide the Clone method in order to allow users to copy and modify a Config that is in use. If Config.SessionTicketKey is not populated, and if Config.SetSessionTicketKeys has not been called, we automatically populate and rotate session ticket keys. Clone was previously copying these keys into the new Config, meaning that two Configs could share the same auto-rotated session ticket keys. This could allow sessions to be resumed across different Configs, which may have completely different configurations. This change updates Clone to not copy the auto-rotated session ticket keys. Additionally, when resuming a session, check not just that the leaf certificate is unexpired, but that the entire certificate chain is still unexpired. Fixes #77113 Fixes CVE-2025-68121 Change-Id: I011df7329de83068d11b3f0c793763692d018a98 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3300 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/736709 Auto-Submit: Michael Pratt <mpratt@google.com> Reviewed-by: Junyang Shao <shaojunyang@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
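The resumption-time checks described in this commit message and in the two release-branch verifiedChains commits earlier in this log (whole-chain expiry, and the root still being configured as trusted), written out as an added example; this is not the crypto/tls implementation. The names chainAcceptable, canResume and demo, the slice standing in for RootCAs/ClientCAs, and the unsigned certificate values are assumptions constructed for illustration.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"time"
)

// chainAcceptable (hypothetical helper): every certificate in the chain, not
// only the leaf, is inside its validity window, and the chain's root is still
// one of the trusted roots (a slice stands in for the Config's pool).
func chainAcceptable(chain, trusted []*x509.Certificate, now time.Time) bool {
	for _, c := range chain {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return false
		}
	}
	for _, t := range trusted {
		if len(chain) > 0 && chain[len(chain)-1].Equal(t) {
			return true
		}
	}
	return false
}

// canResume: one acceptable stored chain is enough; else do a full handshake.
func canResume(chains [][]*x509.Certificate, trusted []*x509.Certificate, now time.Time) bool {
	for _, ch := range chains {
		if chainAcceptable(ch, trusted, now) {
			return true
		}
	}
	return false
}

// demo runs three constructed sessions: healthy, expired intermediate, root removed.
func demo() (healthy, staleInter, rootGone bool) {
	now, day := time.Date(2026, 1, 28, 0, 0, 0, 0, time.UTC), 24*time.Hour
	mk := func(id string, from, to time.Duration) *x509.Certificate { // unsigned, constructed
		return &x509.Certificate{Raw: []byte(id), NotBefore: now.Add(from), NotAfter: now.Add(to)}
	}
	root, leaf := mk("root-A", -365*day, 365*day), mk("leaf", -day, 30*day)
	good, stale := mk("int-1", -90*day, 90*day), mk("int-2", -90*day, -day)
	roots := []*x509.Certificate{root}
	healthy = canResume([][]*x509.Certificate{{leaf, good, root}}, roots, now)
	staleInter = canResume([][]*x509.Certificate{{leaf, stale, root}}, roots, now)
	rootGone = canResume([][]*x509.Certificate{{leaf, good, root}}, nil, now)
	return
}

func main() { fmt.Println(demo()) }
```

A leaf-only expiry check would have let the second session resume; the third shows a session outliving the removal of its root from the trust configuration.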
2026-01-15 [release-branch.go1.26] go1.26rc2 go1.26rc2 (Gopher Robot)
Change-Id: If5ce85a68010848f16c4c2509e18466ed1356912 Reviewed-on: https://go-review.googlesource.com/c/go/+/736763 TryBot-Bypass: Gopher Robot <gobot@golang.org> Reviewed-by: Michael Pratt <mpratt@google.com> Reviewed-by: Junyang Shao <shaojunyang@google.com> Auto-Submit: Gopher Robot <gobot@golang.org>
2026-01-15 [release-branch.go1.26] archive/zip: reduce CPU usage in index construction (Damien Neil)
Constructing the zip index (which is done once when first opening a file in an archive) can consume large amounts of CPU when processing deeply-nested directory paths. Switch to a less inefficient algorithm. Thanks to Jakub Ciolek for reporting this issue.
goos: darwin
goarch: arm64
pkg: archive/zip
cpu: Apple M4 Pro
                          │ /tmp/bench.0   │ /tmp/bench.1                         │
                          │ sec/op         │ sec/op        vs base                │
ReaderOneDeepDir-14         25983.62m ± 2%   46.01m ± 2%   -99.82% (p=0.000 n=8)
ReaderManyDeepDirs-14       16.221 ± 1%      2.763 ± 6%    -82.96% (p=0.000 n=8)
ReaderManyShallowFiles-14   130.3m ± 1%      128.8m ± 2%   -1.20% (p=0.003 n=8)
geomean                     3.801            253.9m        -93.32%
Fixes #77102 Fixes CVE-2025-61728 Change-Id: I2c9c864be01b2a2769eb67fbab1b250aeb8f6c42 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3060 Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3346 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/736708 Auto-Submit: Michael Pratt <mpratt@google.com> TryBot-Bypass: Michael Pratt <mpratt@google.com> Reviewed-by: Junyang Shao <shaojunyang@google.com>