!279 cvefix: fix CVE-2023-39325

From: @hcnbxx Reviewed-by: @jing-rui Signed-off-by: @jing-rui
2023-10-28 09:14:43 +00:00 · 2023-10-28 09:14:43 +00:00 · 0b76401dd9
commit 0b76401dd9
parent bed0a15903 4af3c6fe6d
2 changed files with 158 additions and 1 deletions
--- a/0109-CVE-2023-39325-and-CVE-2023-44487-net-http-regenerate-h2_bundle.go.patch
+++ b/0109-CVE-2023-39325-and-CVE-2023-44487-net-http-regenerate-h2_bundle.go.patch
@ -0,0 +1,150 @@
+From caffd20df66f326bdbce11a7b3b92d583ed8d05c Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Sat, 7 Oct 2023 05:16:27 +0800
+Subject: [PATCH] [Backport] net/http: regenerate h2_bundle.go
+
+Offering: Cloud Core Network
+CVE: CVE-2023-39325
+Reference: https://go-review.googlesource.com/c/go/+/534255
+
+Pull in a security fix from x/net/http2:
+http2: limit maximum handler goroutines to MaxConcurrentStreamso
+
+Note: The upstream does not submit this change to go1.16 according to the rules of MinorReleases.
+Corego2.x are based on go1.16.5. Therefore, it need to submit the change to corego2.x.
+
+Edited-by: machangwang m00509938
+
+For #63417
+Fixes #63426
+Fixes CVE-2023-39325
+
+Change-Id: I6e32397323cd9b4114c990fcc9d19557a7f5f619
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047401
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Ian Cottrell <iancottrell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/534255
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Michael Pratt <mpratt@google.com>
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Signed-off-by: Ma Chang Wang machangwang@huawei.com
+
+Conflict: NA
+Reference: https://open.codehub.huawei.com/OpenSourceCenter/golang/go/merge_requests/109
+---
+ src/net/http/h2_bundle.go | 62 +++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 60 insertions(+), 2 deletions(-)
+
+diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
+index 0528cf6e31..480a5326d6 100644
+--- a/src/net/http/h2_bundle.go
+++ b/src/net/http/h2_bundle.go
+@@ -4088,9 +4088,11 @@ type http2serverConn struct {
+ 	advMaxStreams               uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
+ 	curClientStreams            uint32 // number of open streams initiated by the client
+ 	curPushedStreams            uint32 // number of open streams initiated by server push
+	curHandlers                 uint32 // number of running handler goroutines
+ 	maxClientStreamID           uint32 // max ever seen from client (odd), or 0 if there have been no client requests
+ 	maxPushPromiseID            uint32 // ID of the last push promise (even), or 0 if there have been no pushes
+ 	streams                     map[uint32]*http2stream
+	unstartedHandlers           []http2unstartedHandler
+ 	initialStreamSendWindowSize int32
+ 	maxFrameSize                int32
+ 	headerTableSize             uint32
+@@ -4475,6 +4477,8 @@ func (sc *http2serverConn) serve() {
+ 					return
+ 				case http2gracefulShutdownMsg:
+ 					sc.startGracefulShutdownInternal()
+				case http2handlerDoneMsg:
+					sc.handlerDone()
+ 				default:
+ 					panic("unknown timer")
+ 				}
+@@ -4520,6 +4524,7 @@ var (
+ 	http2idleTimerMsg        = new(http2serverMessage)
+ 	http2shutdownTimerMsg    = new(http2serverMessage)
+ 	http2gracefulShutdownMsg = new(http2serverMessage)
+	http2handlerDoneMsg      = new(http2serverMessage)
+ )
+ 
+ func (sc *http2serverConn) onSettingsTimer() { sc.sendServeMsg(http2settingsTimerMsg) }
+@@ -5466,8 +5471,7 @@ func (sc *http2serverConn) processHeaders(f *http2MetaHeadersFrame) error {
+ 		sc.conn.SetReadDeadline(time.Time{})
+ 	}
+ 
+-	go sc.runHandler(rw, req, handler)
+-	return nil
+	return sc.scheduleHandler(id, rw, req, handler)
+ }
+ 
+ func (st *http2stream) processTrailerHeaders(f *http2MetaHeadersFrame) error {
+@@ -5714,8 +5718,62 @@ func (sc *http2serverConn) newWriterAndRequestNoBody(st *http2stream, rp http2re
+ 	return rw, req, nil
+ }
+ 
+type http2unstartedHandler struct {
+	streamID uint32
+	rw       *http2responseWriter
+	req      *Request
+	handler  func(ResponseWriter, *Request)
+}
+
+// scheduleHandler starts a handler goroutine,
+// or schedules one to start as soon as an existing handler finishes.
+func (sc *http2serverConn) scheduleHandler(streamID uint32, rw *http2responseWriter, req *Request, handler func(ResponseWriter, *Request)) error {
+	sc.serveG.check()
+	maxHandlers := sc.advMaxStreams
+	if sc.curHandlers < maxHandlers {
+		sc.curHandlers++
+		go sc.runHandler(rw, req, handler)
+		return nil
+	}
+	if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) {
+		return http2ConnectionError(http2ErrCodeEnhanceYourCalm)
+	}
+	sc.unstartedHandlers = append(sc.unstartedHandlers, http2unstartedHandler{
+		streamID: streamID,
+		rw:       rw,
+		req:      req,
+		handler:  handler,
+	})
+	return nil
+}
+
+func (sc *http2serverConn) handlerDone() {
+	sc.serveG.check()
+	sc.curHandlers--
+	i := 0
+	maxHandlers := sc.advMaxStreams
+	for ; i < len(sc.unstartedHandlers); i++ {
+		u := sc.unstartedHandlers[i]
+		if sc.streams[u.streamID] == nil {
+			// This stream was reset before its goroutine had a chance to start.
+			continue
+		}
+		if sc.curHandlers >= maxHandlers {
+			break
+		}
+		sc.curHandlers++
+		go sc.runHandler(u.rw, u.req, u.handler)
+		sc.unstartedHandlers[i] = http2unstartedHandler{} // don't retain references
+	}
+	sc.unstartedHandlers = sc.unstartedHandlers[i:]
+	if len(sc.unstartedHandlers) == 0 {
+		sc.unstartedHandlers = nil
+	}
+}
+
+ // Run on its own goroutine.
+ func (sc *http2serverConn) runHandler(rw *http2responseWriter, req *Request, handler func(ResponseWriter, *Request)) {
+	defer sc.sendServeMsg(http2handlerDoneMsg)
+ 	didPanic := true
+ 	defer func() {
+ 		rw.rws.stream.cancelCtx()
+-- 
+2.27.0
+
--- a/golang.spec
+++ b/golang.spec
@ -58,7 +58,7 @@

 Name:           golang
 Version:        1.15.7
-Release:        35
+Release:        36
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@ -250,6 +250,7 @@ Patch6105:	0105-Backport-net-http-permit-requests-with-invalid-Host-headers.patc
 Patch6106:	0106-Backport-html-template-support-HTML-like-comments-in.patch
 Patch6107:	0107-Backport-html-template-properly-handle-special-tags-.patch
 Patch6108:	0108-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch
+Patch6109:	0109-CVE-2023-39325-and-CVE-2023-44487-net-http-regenerate-h2_bundle.go.patch

 Patch9001:  0001-drop-hard-code-cert.patch
 Patch9002:  0002-fix-patch-cmd-go-internal-modfetch-do-not-sho.patch
@ -489,6 +490,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list

 %changelog
+* Sat Oct 28 2023 hanchao <hanchao63@huawei.com> - 1.15.7-36
+- Type:CVE
+- CVE:CVE-2023-39325
+- SUG:NA
+- DESC:fix CVE-2023-39325
+
 * Fri Oct 13 2023 luoyujie <luoyujie5@huawei.com> - 1.15.7-35
 - Type:CVE
 - CVE:CVE-2023-39323