cvefix: fix CVE-2023-39325
This commit is contained in:
hanchao
parent
bed0a15903
commit
4af3c6fe6d
@ -0,0 +1,150 @@
|
||||
From caffd20df66f326bdbce11a7b3b92d583ed8d05c Mon Sep 17 00:00:00 2001
|
||||
From: Damien Neil <dneil@google.com>
|
||||
Date: Sat, 7 Oct 2023 05:16:27 +0800
|
||||
Subject: [PATCH] [Backport] net/http: regenerate h2_bundle.go
|
||||
|
||||
Offering: Cloud Core Network
|
||||
CVE: CVE-2023-39325
|
||||
Reference: https://go-review.googlesource.com/c/go/+/534255
|
||||
|
||||
Pull in a security fix from x/net/http2:
|
||||
http2: limit maximum handler goroutines to MaxConcurrentStreamso
|
||||
|
||||
Note: The upstream does not submit this change to go1.16 according to the rules of MinorReleases.
|
||||
Corego2.x are based on go1.16.5. Therefore, it need to submit the change to corego2.x.
|
||||
|
||||
Edited-by: machangwang m00509938
|
||||
|
||||
For #63417
|
||||
Fixes #63426
|
||||
Fixes CVE-2023-39325
|
||||
|
||||
Change-Id: I6e32397323cd9b4114c990fcc9d19557a7f5f619
|
||||
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047401
|
||||
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
|
||||
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
|
||||
Run-TryBot: Damien Neil <dneil@google.com>
|
||||
Reviewed-by: Ian Cottrell <iancottrell@google.com>
|
||||
Reviewed-on: https://go-review.googlesource.com/c/go/+/534255
|
||||
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
|
||||
Reviewed-by: Damien Neil <dneil@google.com>
|
||||
TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
|
||||
Reviewed-by: Michael Pratt <mpratt@google.com>
|
||||
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
|
||||
Signed-off-by: Ma Chang Wang machangwang@huawei.com
|
||||
|
||||
Conflict: NA
|
||||
Reference: https://open.codehub.huawei.com/OpenSourceCenter/golang/go/merge_requests/109
|
||||
---
|
||||
src/net/http/h2_bundle.go | 62 +++++++++++++++++++++++++++++++++++++--
|
||||
1 file changed, 60 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
|
||||
index 0528cf6e31..480a5326d6 100644
|
||||
--- a/src/net/http/h2_bundle.go
|
||||
+++ b/src/net/http/h2_bundle.go
|
||||
@@ -4088,9 +4088,11 @@ type http2serverConn struct {
|
||||
advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
|
||||
curClientStreams uint32 // number of open streams initiated by the client
|
||||
curPushedStreams uint32 // number of open streams initiated by server push
|
||||
+ curHandlers uint32 // number of running handler goroutines
|
||||
maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests
|
||||
maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes
|
||||
streams map[uint32]*http2stream
|
||||
+ unstartedHandlers []http2unstartedHandler
|
||||
initialStreamSendWindowSize int32
|
||||
maxFrameSize int32
|
||||
headerTableSize uint32
|
||||
@@ -4475,6 +4477,8 @@ func (sc *http2serverConn) serve() {
|
||||
return
|
||||
case http2gracefulShutdownMsg:
|
||||
sc.startGracefulShutdownInternal()
|
||||
+ case http2handlerDoneMsg:
|
||||
+ sc.handlerDone()
|
||||
default:
|
||||
panic("unknown timer")
|
||||
}
|
||||
@@ -4520,6 +4524,7 @@ var (
|
||||
http2idleTimerMsg = new(http2serverMessage)
|
||||
http2shutdownTimerMsg = new(http2serverMessage)
|
||||
http2gracefulShutdownMsg = new(http2serverMessage)
|
||||
+ http2handlerDoneMsg = new(http2serverMessage)
|
||||
)
|
||||
|
||||
func (sc *http2serverConn) onSettingsTimer() { sc.sendServeMsg(http2settingsTimerMsg) }
|
||||
@@ -5466,8 +5471,7 @@ func (sc *http2serverConn) processHeaders(f *http2MetaHeadersFrame) error {
|
||||
sc.conn.SetReadDeadline(time.Time{})
|
||||
}
|
||||
|
||||
- go sc.runHandler(rw, req, handler)
|
||||
- return nil
|
||||
+ return sc.scheduleHandler(id, rw, req, handler)
|
||||
}
|
||||
|
||||
func (st *http2stream) processTrailerHeaders(f *http2MetaHeadersFrame) error {
|
||||
@@ -5714,8 +5718,62 @@ func (sc *http2serverConn) newWriterAndRequestNoBody(st *http2stream, rp http2re
|
||||
return rw, req, nil
|
||||
}
|
||||
|
||||
+type http2unstartedHandler struct {
|
||||
+ streamID uint32
|
||||
+ rw *http2responseWriter
|
||||
+ req *Request
|
||||
+ handler func(ResponseWriter, *Request)
|
||||
+}
|
||||
+
|
||||
+// scheduleHandler starts a handler goroutine,
|
||||
+// or schedules one to start as soon as an existing handler finishes.
|
||||
+func (sc *http2serverConn) scheduleHandler(streamID uint32, rw *http2responseWriter, req *Request, handler func(ResponseWriter, *Request)) error {
|
||||
+ sc.serveG.check()
|
||||
+ maxHandlers := sc.advMaxStreams
|
||||
+ if sc.curHandlers < maxHandlers {
|
||||
+ sc.curHandlers++
|
||||
+ go sc.runHandler(rw, req, handler)
|
||||
+ return nil
|
||||
+ }
|
||||
+ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) {
|
||||
+ return http2ConnectionError(http2ErrCodeEnhanceYourCalm)
|
||||
+ }
|
||||
+ sc.unstartedHandlers = append(sc.unstartedHandlers, http2unstartedHandler{
|
||||
+ streamID: streamID,
|
||||
+ rw: rw,
|
||||
+ req: req,
|
||||
+ handler: handler,
|
||||
+ })
|
||||
+ return nil
|
||||
+}
|
||||
+
|
||||
+func (sc *http2serverConn) handlerDone() {
|
||||
+ sc.serveG.check()
|
||||
+ sc.curHandlers--
|
||||
+ i := 0
|
||||
+ maxHandlers := sc.advMaxStreams
|
||||
+ for ; i < len(sc.unstartedHandlers); i++ {
|
||||
+ u := sc.unstartedHandlers[i]
|
||||
+ if sc.streams[u.streamID] == nil {
|
||||
+ // This stream was reset before its goroutine had a chance to start.
|
||||
+ continue
|
||||
+ }
|
||||
+ if sc.curHandlers >= maxHandlers {
|
||||
+ break
|
||||
+ }
|
||||
+ sc.curHandlers++
|
||||
+ go sc.runHandler(u.rw, u.req, u.handler)
|
||||
+ sc.unstartedHandlers[i] = http2unstartedHandler{} // don't retain references
|
||||
+ }
|
||||
+ sc.unstartedHandlers = sc.unstartedHandlers[i:]
|
||||
+ if len(sc.unstartedHandlers) == 0 {
|
||||
+ sc.unstartedHandlers = nil
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
// Run on its own goroutine.
|
||||
func (sc *http2serverConn) runHandler(rw *http2responseWriter, req *Request, handler func(ResponseWriter, *Request)) {
|
||||
+ defer sc.sendServeMsg(http2handlerDoneMsg)
|
||||
didPanic := true
|
||||
defer func() {
|
||||
rw.rws.stream.cancelCtx()
|
||||
--
|
||||
2.27.0
|
||||
|
||||
@ -58,7 +58,7 @@
|
||||
|
||||
Name: golang
|
||||
Version: 1.15.7
|
||||
Release: 35
|
||||
Release: 36
|
||||
Summary: The Go Programming Language
|
||||
License: BSD and Public Domain
|
||||
URL: https://golang.org/
|
||||
@ -250,6 +250,7 @@ Patch6105: 0105-Backport-net-http-permit-requests-with-invalid-Host-headers.patc
|
||||
Patch6106: 0106-Backport-html-template-support-HTML-like-comments-in.patch
|
||||
Patch6107: 0107-Backport-html-template-properly-handle-special-tags-.patch
|
||||
Patch6108: 0108-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch
|
||||
Patch6109: 0109-CVE-2023-39325-and-CVE-2023-44487-net-http-regenerate-h2_bundle.go.patch
|
||||
|
||||
Patch9001: 0001-drop-hard-code-cert.patch
|
||||
Patch9002: 0002-fix-patch-cmd-go-internal-modfetch-do-not-sho.patch
|
||||
@ -489,6 +490,12 @@ fi
|
||||
%files devel -f go-tests.list -f go-misc.list -f go-src.list
|
||||
|
||||
%changelog
|
||||
* Sat Oct 28 2023 hanchao <hanchao63@huawei.com> - 1.15.7-36
|
||||
- Type:CVE
|
||||
- CVE:CVE-2023-39325
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2023-39325
|
||||
|
||||
* Fri Oct 13 2023 luoyujie <luoyujie5@huawei.com> - 1.15.7-35
|
||||
- Type:CVE
|
||||
- CVE:CVE-2023-39323
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user