packages/golang
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!279 cvefix: fix CVE-2023-39325

Browse Source 
From: @hcnbxx 
Reviewed-by: @jing-rui 
Signed-off-by: @jing-rui
This commit is contained in:
openeuler-ci-bot 2023-10-28 09:14:43 +00:00 committed by Gitee
commit 0b76401dd9
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 158 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

150
0109-CVE-2023-39325-and-CVE-2023-44487-net-http-regenerate-h2_bundle.go.patch Normal file
View File

@ -0,0 +1,150 @@
From caffd20df66f326bdbce11a7b3b92d583ed8d05c Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Sat, 7 Oct 2023 05:16:27 +0800
Subject: [PATCH] [Backport] net/http: regenerate h2_bundle.go
Offering: Cloud Core Network
CVE: CVE-2023-39325
Reference: https://go-review.googlesource.com/c/go/+/534255
Pull in a security fix from x/net/http2:
http2: limit maximum handler goroutines to MaxConcurrentStreamso
Note: The upstream does not submit this change to go1.16 according to the rules of MinorReleases.
Corego2.x are based on go1.16.5. Therefore, it need to submit the change to corego2.x.
Edited-by: machangwang m00509938
For #63417
Fixes #63426
Fixes CVE-2023-39325
Change-Id: I6e32397323cd9b4114c990fcc9d19557a7f5f619
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047401
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Ian Cottrell <iancottrell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/534255
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Signed-off-by: Ma Chang Wang machangwang@huawei.com
Conflict: NA
Reference: https://open.codehub.huawei.com/OpenSourceCenter/golang/go/merge_requests/109
---
src/net/http/h2_bundle.go | 62 +++++++++++++++++++++++++++++++++++++--
1 file changed, 60 insertions(+), 2 deletions(-)
diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
index 0528cf6e31..480a5326d6 100644
--- a/src/net/http/h2_bundle.go
+++ b/src/net/http/h2_bundle.go
@@ -4088,9 +4088,11 @@ type http2serverConn struct {
advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
curClientStreams uint32 // number of open streams initiated by the client
curPushedStreams uint32 // number of open streams initiated by server push
+ curHandlers uint32 // number of running handler goroutines
maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests
maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes
streams map[uint32]*http2stream
+ unstartedHandlers []http2unstartedHandler
initialStreamSendWindowSize int32
maxFrameSize int32
headerTableSize uint32
@@ -4475,6 +4477,8 @@ func (sc *http2serverConn) serve() {
return
case http2gracefulShutdownMsg:
sc.startGracefulShutdownInternal()
+ case http2handlerDoneMsg:
+ sc.handlerDone()
default:
panic("unknown timer")
}
@@ -4520,6 +4524,7 @@ var (
http2idleTimerMsg = new(http2serverMessage)
http2shutdownTimerMsg = new(http2serverMessage)
http2gracefulShutdownMsg = new(http2serverMessage)
+ http2handlerDoneMsg = new(http2serverMessage)
)
func (sc *http2serverConn) onSettingsTimer() { sc.sendServeMsg(http2settingsTimerMsg) }
@@ -5466,8 +5471,7 @@ func (sc *http2serverConn) processHeaders(f *http2MetaHeadersFrame) error {
sc.conn.SetReadDeadline(time.Time{})
}
- go sc.runHandler(rw, req, handler)
- return nil
+ return sc.scheduleHandler(id, rw, req, handler)
}
func (st *http2stream) processTrailerHeaders(f *http2MetaHeadersFrame) error {
@@ -5714,8 +5718,62 @@ func (sc *http2serverConn) newWriterAndRequestNoBody(st *http2stream, rp http2re
return rw, req, nil
}
+type http2unstartedHandler struct {
+ streamID uint32
+ rw *http2responseWriter
+ req *Request
+ handler func(ResponseWriter, *Request)
+}
+
+// scheduleHandler starts a handler goroutine,
+// or schedules one to start as soon as an existing handler finishes.
+func (sc *http2serverConn) scheduleHandler(streamID uint32, rw *http2responseWriter, req *Request, handler func(ResponseWriter, *Request)) error {
+ sc.serveG.check()
+ maxHandlers := sc.advMaxStreams
+ if sc.curHandlers < maxHandlers {
+ sc.curHandlers++
+ go sc.runHandler(rw, req, handler)
+ return nil
+ }
+ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) {
+ return http2ConnectionError(http2ErrCodeEnhanceYourCalm)
+ }
+ sc.unstartedHandlers = append(sc.unstartedHandlers, http2unstartedHandler{
+ streamID: streamID,
+ rw: rw,
+ req: req,
+ handler: handler,
+ })
+ return nil
+}
+
+func (sc *http2serverConn) handlerDone() {
+ sc.serveG.check()
+ sc.curHandlers--
+ i := 0
+ maxHandlers := sc.advMaxStreams
+ for ; i < len(sc.unstartedHandlers); i++ {
+ u := sc.unstartedHandlers[i]
+ if sc.streams[u.streamID] == nil {
+ // This stream was reset before its goroutine had a chance to start.
+ continue
+ }
+ if sc.curHandlers >= maxHandlers {
+ break
+ }
+ sc.curHandlers++
+ go sc.runHandler(u.rw, u.req, u.handler)
+ sc.unstartedHandlers[i] = http2unstartedHandler{} // don't retain references
+ }
+ sc.unstartedHandlers = sc.unstartedHandlers[i:]
+ if len(sc.unstartedHandlers) == 0 {
+ sc.unstartedHandlers = nil
+ }
+}
+
// Run on its own goroutine.
func (sc *http2serverConn) runHandler(rw *http2responseWriter, req *Request, handler func(ResponseWriter, *Request)) {
+ defer sc.sendServeMsg(http2handlerDoneMsg)
didPanic := true
defer func() {
rw.rws.stream.cancelCtx()
--
2.27.0

9
golang.spec
View File

@ -58,7 +58,7 @@
Name: golang Name: golang
Version: 1.15.7 Version: 1.15.7
Release: 35 Release: 36
Summary: The Go Programming Language Summary: The Go Programming Language
License: BSD and Public Domain License: BSD and Public Domain
URL: https://golang.org/ URL: https://golang.org/
@ -250,6 +250,7 @@ Patch6105: 0105-Backport-net-http-permit-requests-with-invalid-Host-headers.patc
Patch6106: 0106-Backport-html-template-support-HTML-like-comments-in.patch Patch6106: 0106-Backport-html-template-support-HTML-like-comments-in.patch
Patch6107: 0107-Backport-html-template-properly-handle-special-tags-.patch Patch6107: 0107-Backport-html-template-properly-handle-special-tags-.patch
Patch6108: 0108-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch Patch6108: 0108-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch
Patch6109: 0109-CVE-2023-39325-and-CVE-2023-44487-net-http-regenerate-h2_bundle.go.patch
Patch9001: 0001-drop-hard-code-cert.patch Patch9001: 0001-drop-hard-code-cert.patch
Patch9002: 0002-fix-patch-cmd-go-internal-modfetch-do-not-sho.patch Patch9002: 0002-fix-patch-cmd-go-internal-modfetch-do-not-sho.patch
@ -489,6 +490,12 @@ fi
%files devel -f go-tests.list -f go-misc.list -f go-src.list %files devel -f go-tests.list -f go-misc.list -f go-src.list
%changelog %changelog
* Sat Oct 28 2023 hanchao <hanchao63@huawei.com> - 1.15.7-36
- Type:CVE
- CVE:CVE-2023-39325
- SUG:NA
- DESC:fix CVE-2023-39325
* Fri Oct 13 2023 luoyujie <luoyujie5@huawei.com> - 1.15.7-35 * Fri Oct 13 2023 luoyujie <luoyujie5@huawei.com> - 1.15.7-35
- Type:CVE - Type:CVE
- CVE:CVE-2023-39323 - CVE:CVE-2023-39323