From 5b7309a2aa9f00d919a5d66ed8b64fa5a24e9271 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Fri, 14 Jun 2019 17:47:09 +0200
Subject: build: bump to go 1.12.6
---
Makefile | 15 +-
build.bat | 6 +-
...-environment-block-process-creation-token.patch | 181 ---------------------
3 files changed, 6 insertions(+), 196 deletions(-)
delete mode 100644 golang-create-environment-block-process-creation-token.patch
diff --git a/Makefile b/Makefile
index eb50bc37..5220a93a 100644
--- a/Makefile
+++ b/Makefile
@@ -3,11 +3,9 @@ export CGO_ENABLED := 1
 export CGO_CFLAGS := -O3 -Wall -Wno-unused-function -Wno-switch -std=gnu11 -DWINVER=0x0601
 export CGO_LDFLAGS := -Wl,--major-os-version=6 -Wl,--minor-os-version=1 -Wl,--major-subsystem-version=6 -Wl,--minor-subsystem-version=1
 export GOOS := windows
-OLD_GOROOT := $(GOROOT)
-export GOROOT := $(CURDIR)/.deps/goroot
 rwildcard=$(foreach d,$(wildcard $1*),$(call rwildcard,$d/,$2) $(filter $(subst *,%,$2),$d))
-SOURCE_FILES := $(call rwildcard,,*.go *.c *.h) .deps/prepared
+SOURCE_FILES := $(call rwildcard,,*.go *.c *.h)
 RESOURCE_FILES := resources.rc version.h manifest.xml $(patsubst %.svg,%.ico,$(wildcard ui/icon/*.svg))
 DEPLOYMENT_HOST ?= winvm
@@ -18,27 +16,24 @@ all: amd64/wireguard.exe x86/wireguard.exe
 %.ico: %.svg
 convert -background none $< -define icon:auto-resize="256,128,96,64,48,32,16" $@
-.deps/prepared: export GOROOT := $(OLD_GOROOT)
-.deps/prepared: $(wildcard golang-*.patch)
- rm -rf .deps && mkdir -p .deps
- rsync --exclude=pkg/obj/go-build/trim.txt -aq $$(go env GOROOT)/ .deps/goroot
- cat $^ | patch -f -N -r- -p1 -d .deps/goroot
- touch $@
-
 resources_amd64.syso: $(RESOURCE_FILES)
 x86_64-w64-mingw32-windres -i $< -o $@ -O coff
 resources_386.syso: $(RESOURCE_FILES)
 i686-w64-mingw32-windres -i $< -o $@ -O coff
+VERSIONCHECK := @[ "$$(go version | cut -d ' ' -f 3)" == go1.12.6 ]
+
 amd64/wireguard.exe: export CC := x86_64-w64-mingw32-gcc
 amd64/wireguard.exe: export GOARCH := amd64
 amd64/wireguard.exe: resources_amd64.syso $(SOURCE_FILES)
+ $(VERSIONCHECK)
 go build $(GOFLAGS) -o $@
 x86/wireguard.exe: export CC := i686-w64-mingw32-gcc
 x86/wireguard.exe: export GOARCH := 386
 x86/wireguard.exe: resources_386.syso $(SOURCE_FILES)
+ $(VERSIONCHECK)
 go build $(GOFLAGS) -o $@
 fmt: export CC := i686-w64-mingw32-gcc
diff --git a/build.bat b/build.bat
index b402211d..5b99fc8c 100644
--- a/build.bat
+++ b/build.bat
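Review bot: The new `VERSIONCHECK` line in the Makefile compares with `==` inside `[ ]`, which is a bash extension; make runs recipes with /bin/sh unless `SHELL` is overridden (not visible in these hunks), and under a strict POSIX sh such as dash the test errors out, so the build fails even with the right toolchain. Because `@` hides the command, that failure and a genuine version mismatch both surface as a bare recipe error with no explanation. This check now stands in for the locally patched GOROOT that the first Makefile hunk removes, presumably because go1.12.6 ships the CVE-2019-11888 fix upstream, so it should fail portably and say why: `VERSIONCHECK := @[ "$$(go version | cut -d ' ' -f 3)" = go1.12.6 ] || { echo "go1.12.6 required" >&2; exit 1; }`. A comment above it such as `# Pinned: older toolchains needed the in-tree CVE-2019-11888 patch; do not lower without restoring it.` would keep the reason visible once the patch file is gone.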
@@ -12,20 +12,16 @@ if exist .deps\prepared goto :render
 rmdir /s /q .deps 2> NUL
 mkdir .deps || goto :error
 cd .deps || goto :error
- call :download go.zip https://dl.google.com/go/go1.12.3.windows-amd64.zip 1806e089e85b84f192d782a7f70f90a32e0eccfd181405857e612f806ec04059 || goto :error
+ call :download go.zip https://dl.google.com/go/go1.12.6.windows-amd64.zip 9badf7bbc0ed55f2db967434b033a2cddf2e46dbdc5bb8560d8fde019e8e19d3 || goto :error
 rem Mirror of https://musl.cc/i686-w64-mingw32-native.zip
 call :download mingw-x86.zip https://download.wireguard.com/windows-toolchain/distfiles/i686-w64-mingw32-native-20190602.zip 003b7d07c837bfd365cf282772fb478bfd83195ee7f755d789420a6a651553a9 || goto :error
 rem Mirror of https://musl.cc/x86_64-w64-mingw32-native.zip
 call :download mingw-amd64.zip https://download.wireguard.com/windows-toolchain/distfiles/x86_64-w64-mingw32-native-20190602.zip 5e6629630f106dcad132f8b4eefdb6d2f98b1db251a1cf48a9f654da68793dad || goto :error
 rem Mirror of https://imagemagick.org/download/binaries/ImageMagick-7.0.8-42-portable-Q16-x64.zip
 call :download imagemagick.zip https://download.wireguard.com/windows-toolchain/distfiles/ImageMagick-7.0.8-42-portable-Q16-x64.zip 584e069f56456ce7dde40220948ff9568ac810688c892c5dfb7f6db902aa05aa "convert.exe colors.xml delegates.xml" || goto :error
- rem Mirror of https://sourceforge.net/projects/gnuwin32/files/patch/2.5.9-7/patch-2.5.9-7-bin.zip with fixed manifest
- call :download patch.zip https://download.wireguard.com/windows-toolchain/distfiles/patch-2.5.9-7-bin-fixed-manifest.zip 25977006ca9713f2662a5d0a2ed3a5a138225b8be3757035bd7da9dcf985d0a1 "--strip-components 1 bin" || goto :error
 rem Mirror of https://sourceforge.net/projects/ezwinports/files/make-4.2.1-without-guile-w32-bin.zip
 call :download make.zip https://download.wireguard.com/windows-toolchain/distfiles/make-4.2.1-without-guile-w32-bin.zip 30641be9602712be76212b99df7209f4f8f518ba764cf564262bc9d6e4047cc7 "--strip-components 1 bin" || goto :error
 call :download wireguard-tools.zip https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20190601.zip 881868b07d585246426f7f514706e82af168d0e3f4767dd96508ae0608a4ad8b "--exclude wg-quick --strip-components 1" || goto :error
- echo [+] Patching go
- for %%a in ("..\golang-*.patch") do .\patch -f -N -r- -d go -p1 --binary < "%%a" || goto :error
 copy /y NUL prepared > NUL || goto :error
 cd .. || goto :error
diff --git a/golang-create-environment-block-process-creation-token.patch b/golang-create-environment-block-process-creation-token.patch
deleted file mode 100644
index 16eba589..00000000
--- a/golang-create-environment-block-process-creation-token.patch
+++ /dev/null
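Review bot: In build.bat the `.deps\prepared` marker tested by `if exist .deps\prepared goto :render` (the hunk's context header) is not tied to the pinned toolchain version, so a tree prepared before this commit skips the download block and keeps its old Go 1.12.3 directory. Whether the later make invocation then trips the Makefile's new version check or silently builds with the stale toolchain depends on code outside this hunk. Naming the marker after what it certifies, e.g. `if exist .deps\prepared-go1.12.6 goto :render` with a matching `copy /y NUL prepared-go1.12.6 > NUL || goto :error`, would force a clean re-fetch whenever a pinned version or hash changes. The `:download` routine that verifies the SHA-256 values is also outside the hunk, so the new hash cannot be checked from here.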
@@ -1,181 +0,0 @@
-From 04a4a755d8835d7b05373c19977c4d8f31cbe119 Mon Sep 17 00:00:00 2001
-From: "Jason A. Donenfeld"
-Date: Sun, 12 May 2019 14:34:30 +0200
-Subject: [PATCH] os: pass correct environment when creating Windows processes
-
-This is CVE-2019-11888.
-
-Previously, passing a nil environment but a non-nil token would result
-in the new potentially unprivileged process inheriting the parent
-potentially privileged environment, or would result in the new
-potentially privileged process inheriting the parent potentially
-unprivileged environment. Either way, it's bad. In the former case, it's
-an infoleak. In the latter case, it's a possible EoP, since things like
-PATH could be overwritten.
-
-Not specifying an environment currently means, "use the existing
-environment". This commit amends the behavior to be, "use the existing
-environment of the token the process is being created for." The behavior
-therefore stays the same when creating processes without specifying a
-token. And it does the correct thing when creating processes when
-specifying a token.
-
-Fixes #32000
-
-Change-Id: Ia57f6e89b97bdbaf7274d6a89c1d9948b6d40ef5
----
- .../syscall/windows/syscall_windows.go | 3 ++
- .../syscall/windows/zsyscall_windows.go | 32 +++++++++++++++
- src/os/env_default.go | 13 ++++++
- src/os/env_windows.go | 41 +++++++++++++++++++
- src/os/exec_posix.go | 5 ++-
- 5 files changed, 93 insertions(+), 1 deletion(-)
- create mode 100644 src/os/env_default.go
- create mode 100644 src/os/env_windows.go
-
-diff --git a/src/internal/syscall/windows/syscall_windows.go b/src/internal/syscall/windows/syscall_windows.go
-index 121132f6f7..099e91ed68 100644
---- a/src/internal/syscall/windows/syscall_windows.go
-+++ b/src/internal/syscall/windows/syscall_windows.go
-@@ -305,3 +305,6 @@ const (
- func LoadGetFinalPathNameByHandle() error {
- return procGetFinalPathNameByHandleW.Find()
- }
-+
-+//sys CreateEnvironmentBlock(block **uint16, token syscall.Token, inheritExisting bool) (err error) = userenv.CreateEnvironmentBlock
-+//sys DestroyEnvironmentBlock(block *uint16) (err error) = userenv.DestroyEnvironmentBlock
-diff --git a/src/internal/syscall/windows/zsyscall_windows.go b/src/internal/syscall/windows/zsyscall_windows.go
-index 9527a370a4..ca5b4e6f16 100644
---- a/src/internal/syscall/windows/zsyscall_windows.go
-+++ b/src/internal/syscall/windows/zsyscall_windows.go
-@@ -58,6 +58,8 @@ var (
- procNetShareAdd = modnetapi32.NewProc("NetShareAdd")
- procNetShareDel = modnetapi32.NewProc("NetShareDel")
- procGetFinalPathNameByHandleW = modkernel32.NewProc("GetFinalPathNameByHandleW")
-+ procCreateEnvironmentBlock = moduserenv.NewProc("CreateEnvironmentBlock")
-+ procDestroyEnvironmentBlock = moduserenv.NewProc("DestroyEnvironmentBlock")
- procImpersonateSelf = modadvapi32.NewProc("ImpersonateSelf")
- procRevertToSelf = modadvapi32.NewProc("RevertToSelf")
- procOpenThreadToken = modadvapi32.NewProc("OpenThreadToken")
-@@ -220,6 +222,36 @@ func GetFinalPathNameByHandle(file syscall.Handle, filePath *uint16, filePathSiz
- return
- }
-
-+func CreateEnvironmentBlock(block **uint16, token syscall.Token, inheritExisting bool) (err error) {
-+ var _p0 uint32
-+ if inheritExisting {
-+ _p0 = 1
-+ } else {
-+ _p0 = 0
-+ }
-+ r1, _, e1 := syscall.Syscall(procCreateEnvironmentBlock.Addr(), 3, uintptr(unsafe.Pointer(block)), uintptr(token), uintptr(_p0))
-+ if r1 == 0 {
-+ if e1 != 0 {
-+ err = errnoErr(e1)
-+ } else {
-+ err = syscall.EINVAL
-+ }
-+ }
-+ return
-+}
-+
-+func DestroyEnvironmentBlock(block *uint16) (err error) {
-+ r1, _, e1 := syscall.Syscall(procDestroyEnvironmentBlock.Addr(), 1, uintptr(unsafe.Pointer(block)), 0, 0)
-+ if r1 == 0 {
-+ if e1 != 0 {
-+ err = errnoErr(e1)
-+ } else {
-+ err = syscall.EINVAL
-+ }
-+ }
-+ return
-+}
-+
- func ImpersonateSelf(impersonationlevel uint32) (err error) {
- r1, _, e1 := syscall.Syscall(procImpersonateSelf.Addr(), 1, uintptr(impersonationlevel), 0, 0)
- if r1 == 0 {
-diff --git a/src/os/env_default.go b/src/os/env_default.go
-new file mode 100644
-index 0000000000..c11ccce7e3
---- /dev/null
-+++ b/src/os/env_default.go
-@@ -0,0 +1,13 @@
-+// Copyright 2019 The Go Authors. All rights reserved.
-+// Use of this source code is governed by a BSD-style
-+// license that can be found in the LICENSE file.
-+
-+// +build !windows
-+
-+package os
-+
-+import "syscall"
-+
-+func environForSysProcAttr(sys *syscall.SysProcAttr) ([]string, error) {
-+ return Environ(), nil
-+}
-diff --git a/src/os/env_windows.go b/src/os/env_windows.go
-new file mode 100644
-index 0000000000..2a5b82010e
---- /dev/null
-+++ b/src/os/env_windows.go
-@@ -0,0 +1,41 @@
-+// Copyright 2019 The Go Authors. All rights reserved.
-+// Use of this source code is governed by a BSD-style
-+// license that can be found in the LICENSE file.
-+
-+package os
-+
-+import (
-+ "internal/syscall/windows"
-+ "syscall"
-+ "unicode/utf16"
-+ "unsafe"
-+)
-+
-+func environForSysProcAttr(sys *syscall.SysProcAttr) (env []string, err error) {
-+ if sys == nil || sys.Token == 0 {
-+ env = Environ()
-+ return
-+ }
-+ var block *uint16
-+ err = windows.CreateEnvironmentBlock(&block, sys.Token, false)
-+ if err != nil {
-+ return
-+ }
-+ blockp := uintptr(unsafe.Pointer(block))
-+ for {
-+ entry := (*[(1 << 30) - 1]uint16)(unsafe.Pointer(blockp))[:]
-+ for i, v := range entry {
-+ if v == 0 {
-+ entry = entry[:i]
-+ break
-+ }
-+ }
-+ if len(entry) == 0 {
-+ break
-+ }
-+ env = append(env, string(utf16.Decode(entry)))
-+ blockp += 2 * (uintptr(len(entry)) + 1)
-+ }
-+ windows.DestroyEnvironmentBlock(block)
-+ return
-+}
-diff --git a/src/os/exec_posix.go b/src/os/exec_posix.go
-index 7b1ef67d1c..5c1dcc3801 100644
---- a/src/os/exec_posix.go
-+++ b/src/os/exec_posix.go
-@@ -38,7 +38,10 @@ func startProcess(name string, argv []string, attr *ProcAttr) (p *Process, err e
- Sys: attr.Sys,
- }
- if sysattr.Env == nil {
-- sysattr.Env = Environ()
-+ sysattr.Env, err = environForSysProcAttr(sysattr.Sys)
-+ if err != nil {
-+ return
-+ }
- }
- sysattr.Files = make([]uintptr, 0, len(attr.Files))
- for _, f := range attr.Files {
---
-2.21.0
-
--
cgit v1.2.3-59-g8ed1b