!16 Fix CVE-2024-24786

From: @northgarden 
Reviewed-by: @duyiwei7w 
Signed-off-by: @duyiwei7w

0001-fix-CVE-2023-39325.patch

@@ -0,0 +1,197 @@
+From 12296da9c423334046da42da52b0cc9a4f5cb32c Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Wed, 3 Apr 2024 11:40:04 +0800
+Subject: [PATCH] fix CVE-2023-39325
+
+http2: limit maximum handler goroutines to MaxConcurrentStreams
+
+When the peer opens a new stream while we have MaxConcurrentStreams
+handler goroutines running, defer starting a handler until one
+of the existing handlers exits.
+
+Fixes golang/go#63417
+Fixes CVE-2023-39325
+
+Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-by: Ian Cottrell <iancottrell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/534215
+Reviewed-by: Michael Pratt <mpratt@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Dmitri Shuralyov <dmitshur@golan
+---
+ vendor/golang.org/x/net/http2/server.go | 98 ++++++++++++++++++++++++-
+ 1 file changed, 96 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
+index 09bc705..e7333e7 100644
+--- a/vendor/golang.org/x/net/http2/server.go
++++ b/vendor/golang.org/x/net/http2/server.go
+@@ -130,6 +130,12 @@ type Server struct {
+ 	// If nil, a default scheduler is chosen.
+ 	NewWriteScheduler func() WriteScheduler
+ 
++	// CountError, if non-nil, is called on HTTP/2 server errors.
++        // It's intended to increment a metric for monitoring, such
++        // as an expvar or Prometheus metric.
++        // The errType consists of only ASCII word characters.
++        CountError func(errType string)
++
+ 	// Internal state. This is a pointer (rather than embedded directly)
+ 	// so that we don't embed a Mutex in this struct, which will make the
+ 	// struct non-copyable, which might break some callers.
+@@ -515,9 +521,11 @@ type serverConn struct {
+ 	advMaxStreams               uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
+ 	curClientStreams            uint32 // number of open streams initiated by the client
+ 	curPushedStreams            uint32 // number of open streams initiated by server push
++	curHandlers                 uint32 // number of running handler goroutines
+ 	maxClientStreamID           uint32 // max ever seen from client (odd), or 0 if there have been no client requests
+ 	maxPushPromiseID            uint32 // ID of the last push promise (even), or 0 if there have been no pushes
+ 	streams                     map[uint32]*stream
++	unstartedHandlers           []unstartedHandler
+ 	initialStreamSendWindowSize int32
+ 	maxFrameSize                int32
+ 	headerTableSize             uint32
+@@ -887,6 +895,8 @@ func (sc *serverConn) serve() {
+ 					return
+ 				case gracefulShutdownMsg:
+ 					sc.startGracefulShutdownInternal()
++				case handlerDoneMsg:
++					sc.handlerDone()
+ 				default:
+ 					panic("unknown timer")
+ 				}
+@@ -932,6 +942,7 @@ var (
+ 	idleTimerMsg        = new(serverMessage)
+ 	shutdownTimerMsg    = new(serverMessage)
+ 	gracefulShutdownMsg = new(serverMessage)
++	handlerDoneMsg      = new(serverMessage)
+ )
+ 
+ func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) }
+@@ -1889,8 +1900,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error {
+ 		sc.conn.SetReadDeadline(time.Time{})
+ 	}
+ 
+-	go sc.runHandler(rw, req, handler)
+-	return nil
++	return sc.scheduleHandler(id, rw, req, handler)
+ }
+ 
+ func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error {
+@@ -1923,6 +1933,59 @@ func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error {
+ 	return nil
+ }
+ 
++type unstartedHandler struct {
++	streamID uint32
++	rw       *responseWriter
++	req      *http.Request
++	handler  func(http.ResponseWriter, *http.Request)
++}
++
++// scheduleHandler starts a handler goroutine,
++// or schedules one to start as soon as an existing handler finishes.
++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error {
++	sc.serveG.check()
++	maxHandlers := sc.advMaxStreams
++	if sc.curHandlers < maxHandlers {
++		sc.curHandlers++
++		go sc.runHandler(rw, req, handler)
++		return nil
++	}
++	if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) {
++		return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm))
++	}
++	sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{
++		streamID: streamID,
++		rw:       rw,
++		req:      req,
++		handler:  handler,
++	})
++	return nil
++}
++
++func (sc *serverConn) handlerDone() {
++	sc.serveG.check()
++	sc.curHandlers--
++	i := 0
++	maxHandlers := sc.advMaxStreams
++	for ; i < len(sc.unstartedHandlers); i++ {
++		u := sc.unstartedHandlers[i]
++		if sc.streams[u.streamID] == nil {
++			// This stream was reset before its goroutine had a chance to start.
++			continue
++		}
++		if sc.curHandlers >= maxHandlers {
++			break
++		}
++		sc.curHandlers++
++		go sc.runHandler(u.rw, u.req, u.handler)
++		sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references
++	}
++	sc.unstartedHandlers = sc.unstartedHandlers[i:]
++	if len(sc.unstartedHandlers) == 0 {
++		sc.unstartedHandlers = nil
++	}
++}
++
+ func checkPriority(streamID uint32, p PriorityParam) error {
+ 	if streamID == p.StreamDep {
+ 		// Section 5.3.1: "A stream cannot depend on itself. An endpoint MUST treat
+@@ -2139,6 +2202,7 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r
+ 
+ // Run on its own goroutine.
+ func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) {
++	defer sc.sendServeMsg(handlerDoneMsg)
+ 	didPanic := true
+ 	defer func() {
+ 		rw.rws.stream.cancelCtx()
+@@ -2901,6 +2965,7 @@ func (sc *serverConn) startPush(msg *startPushRequest) {
+ 			panic(fmt.Sprintf("newWriterAndRequestNoBody(%+v): %v", msg.url, err))
+ 		}
+ 
++		sc.curHandlers++
+ 		go sc.runHandler(rw, req, sc.handler.ServeHTTP)
+ 		return promisedID, nil
+ 	}
+@@ -2980,3 +3045,32 @@ func h1ServerKeepAlivesDisabled(hs *http.Server) bool {
+ 	}
+ 	return false
+ }
++
++func (sc *serverConn) countError(name string, err error) error {
++        if sc == nil || sc.srv == nil {
++                return err
++        }
++        f := sc.srv.CountError
++        if f == nil {
++                return err
++        }
++        var typ string
++        var code ErrCode
++        switch e := err.(type) {
++        case ConnectionError:
++                typ = "conn"
++                code = ErrCode(e)
++        case StreamError:
++                typ = "stream"
++                code = ErrCode(e.Code)
++        default:
++                return err
++        }
++        codeStr := errCodeName[code]
++        if codeStr == "" {
++                codeStr = strconv.Itoa(int(code))
++        }
++        f(fmt.Sprintf("%s_%s_%s", typ, codeStr, name))
++        return err
++}
++
+-- 
+2.20.1
+

0002-fix-CVE-2022-41723.patch

@@ -0,0 +1,159 @@
+From 11bc24fcd1f15f54849c7aebefe1bbdc0d75437b Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Sun, 7 Apr 2024 17:04:42 +0800
+Subject: [PATCH] fix CVE-2022-41723
+
+http2/hpack: avoid quadratic complexity in hpack decoding
+
+When parsing a field literal containing two Huffman-encoded strings,
+don't decode the first string until verifying all data is present.
+Avoids forced quadratic complexity when repeatedly parsing a partial
+field, repeating the Huffman decoding of the string on each iteration.
+
+Thanks to Philippe Antoine (Catena cyber) for reporting this issue.
+
+Fixes golang/go#57855
+Fixes CVE-2022-41723
+
+Change-Id: I58a743df450a4a4923dddd5cf6bb0592b0a7bdf3
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1688184
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/468135
+Run-TryBot: Michael Pratt <mpratt@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Than McIntosh <thanm@google.com>
+Auto-Submit: Michael Pratt <mpratt@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+---
+ vendor/golang.org/x/net/http2/hpack/hpack.go | 79 ++++++++++++--------
+ 1 file changed, 49 insertions(+), 30 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http2/hpack/hpack.go b/vendor/golang.org/x/net/http2/hpack/hpack.go
+index 85f18a2..7e7e4cf 100644
+--- a/vendor/golang.org/x/net/http2/hpack/hpack.go
++++ b/vendor/golang.org/x/net/http2/hpack/hpack.go
+@@ -359,6 +359,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
+ 
+ 	var hf HeaderField
+ 	wantStr := d.emitEnabled || it.indexed()
++	var undecodedName undecodedString
+ 	if nameIdx > 0 {
+ 		ihf, ok := d.at(nameIdx)
+ 		if !ok {
+@@ -366,15 +367,27 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
+ 		}
+ 		hf.Name = ihf.Name
+ 	} else {
+-		hf.Name, buf, err = d.readString(buf, wantStr)
++		undecodedName, buf, err = d.readString(buf)
+ 		if err != nil {
+ 			return err
+ 		}
+ 	}
+-	hf.Value, buf, err = d.readString(buf, wantStr)
++	undecodedValue, buf, err := d.readString(buf)
+ 	if err != nil {
+ 		return err
+ 	}
++	if wantStr {
++		if nameIdx <= 0 {
++			hf.Name, err = d.decodeString(undecodedName)
++			if err != nil {
++				return err
++			}
++		}
++		hf.Value, err = d.decodeString(undecodedValue)
++		if err != nil {
++			return err
++		}
++	}
+ 	d.buf = buf
+ 	if it.indexed() {
+ 		d.dynTab.add(hf)
+@@ -459,46 +472,52 @@ func readVarInt(n byte, p []byte) (i uint64, remain []byte, err error) {
+ 	return 0, origP, errNeedMore
+ }
+ 
+-// readString decodes an hpack string from p.
++// readString reads an hpack string from p.
+ //
+-// wantStr is whether s will be used. If false, decompression and
+-// []byte->string garbage are skipped if s will be ignored
+-// anyway. This does mean that huffman decoding errors for non-indexed
+-// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server
+-// is returning an error anyway, and because they're not indexed, the error
+-// won't affect the decoding state.
+-func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) {
++// It returns a reference to the encoded string data to permit deferring decode costs
++// until after the caller verifies all data is present.
++func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) {
+ 	if len(p) == 0 {
+-		return "", p, errNeedMore
++		return u, p, errNeedMore
+ 	}
+ 	isHuff := p[0]&128 != 0
+ 	strLen, p, err := readVarInt(7, p)
+ 	if err != nil {
+-		return "", p, err
++		return u, p, err
+ 	}
+ 	if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) {
+-		return "", nil, ErrStringLength
++		// Returning an error here means Huffman decoding errors
++		// for non-indexed strings past the maximum string length
++		// are ignored, but the server is returning an error anyway
++		// and because the string is not indexed the error will not
++		// affect the decoding state.
++		return u, nil, ErrStringLength
+ 	}
+ 	if uint64(len(p)) < strLen {
+-		return "", p, errNeedMore
+-	}
+-	if !isHuff {
+-		if wantStr {
+-			s = string(p[:strLen])
+-		}
+-		return s, p[strLen:], nil
++		return u, p, errNeedMore
+ 	}
++	u.isHuff = isHuff
++	u.b = p[:strLen]
++	return u, p[strLen:], nil
++}
+ 
+-	if wantStr {
+-		buf := bufPool.Get().(*bytes.Buffer)
+-		buf.Reset() // don't trust others
+-		defer bufPool.Put(buf)
+-		if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil {
+-			buf.Reset()
+-			return "", nil, err
+-		}
++type undecodedString struct {
++	isHuff bool
++	b      []byte
++}
++
++func (d *Decoder) decodeString(u undecodedString) (string, error) {
++	if !u.isHuff {
++		return string(u.b), nil
++	}
++	buf := bufPool.Get().(*bytes.Buffer)
++	buf.Reset() // don't trust others
++	var s string
++	err := huffmanDecode(buf, d.maxStrLen, u.b)
++	if err == nil {
+ 		s = buf.String()
+-		buf.Reset() // be nice to GC
+ 	}
+-	return s, p[strLen:], nil
++	buf.Reset() // be nice to GC
++	bufPool.Put(buf)
++	return s, err
+ }
+-- 
+2.20.1
+

0003-fix-CVE-2024-24786.patch

@@ -0,0 +1,59 @@
+From f4c84f807993799702d4b7b75b59289b15c72a6f Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Mon, 8 Apr 2024 14:19:59 +0800
+Subject: [PATCH] fix CVE-2024-24786
+
+encoding/protojson, internal/encoding/json: handle missing object values
+
+In internal/encoding/json, report an error when encountering a }
+when we are expecting an object field value. For example, the input
+ now correctly results in an error at the closing } token.
+
+In encoding/protojson, check for an unexpected EOF token in
+skipJSONValue. This is redundant with the check in internal/encoding/json,
+but adds a bit more defense against any other similar bugs that
+might exist.
+
+Fixes CVE-2024-24786
+
+Change-Id: I03d52512acb5091c8549e31ca74541d57e56c99d
+Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/569356
+TryBot-Bypass: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Commit-Queue: Damien Neil <dneil@google.com>
+---
+ .../protobuf/encoding/protojson/well_known_types.go           | 4 ++++
+ .../protobuf/internal/encoding/json/decode.go                 | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+index 72924a9..d3825ba 100644
+--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+@@ -328,6 +328,10 @@ func (d decoder) skipJSONValue() error {
+ 				if err := d.skipJSONValue(); err != nil {
+ 					return err
+ 				}
++			case json.EOF:
++				// This can only happen if there's a bug in Decoder.Read.
++				// Avoid an infinite loop if this does happen.
++				return errors.New("unexpected EOF")
+ 			}
+ 		}
+ 
+diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+index b13fd29..b2be4e8 100644
+--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
+ 
+ 	case ObjectClose:
+ 		if len(d.openStack) == 0 ||
+-			d.lastToken.kind == comma ||
++			d.lastToken.kind&(Name|comma) != 0 ||
+ 			d.openStack[len(d.openStack)-1] != ObjectOpen {
+ 			return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
+ 		}
+-- 
+2.20.1
+

cri-tools.spec

@@ -0,0 +1,89 @@
+%global goipath         github.com/kubernetes-sigs/cri-tools
+%define gobuild(o:) %{expand:
+  # https://bugzilla.redhat.com/show_bug.cgi?id=995136#c12
+  %global _dwz_low_mem_die_limit 0
+  %ifnarch ppc64
+  go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-}%{?currentgoldflags} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags %{?__golang_extldflags}' -compressdwarf=false" -a -v -x %{?**};
+  %else
+  go build                -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-}%{?currentgoldflags} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags %{?__golang_extldflags}' -compressdwarf=false" -a -v -x %{?**};
+  %endif
+}
+%bcond_with check
+%global built_tag v%{version}
+
+Name:          cri-tools
+Version:       1.22.0
+Release:       5
+Summary:       CLI and validation tools for Container Runtime Interface
+License:       ASL 2.0
+URL:           https://%{goipath}
+Source0:       %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
+Source1:       https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
+
+Patch0001:     0001-fix-CVE-2023-39325.patch
+Patch0002:     0002-fix-CVE-2022-41723.patch
+Patch0003:     0003-fix-CVE-2024-24786.patch
+
+ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm} ppc64le s390x}
+BuildRequires: golang, glibc-static, git
+Provides:      crictl = %{version}-%{release}
+
+%description
+%{summary}
+
+%prep
+%autosetup -p1 -n %{name}-%{version}
+tar -xf %SOURCE1
+
+%build
+GO_MD2MAN_PATH="$(pwd)%{_bindir}"
+mkdir -p _build/bin $GO_MD2MAN_PATH
+cd go-md2man-*
+go build -mod=vendor -o ../_build/bin/go-md2man .
+cp ../_build/bin/go-md2man $GO_MD2MAN_PATH/go-md2man
+export PATH=$GO_MD2MAN_PATH:$PATH
+cd -
+
+%gobuild -o bin/crictl %{goipath}/cmd/crictl
+go-md2man -in docs/crictl.md -out docs/crictl.1
+
+%install
+# install binaries
+install -dp %{buildroot}%{_bindir}
+install -p -m 755 ./bin/crictl %{buildroot}%{_bindir}
+
+# install manpage
+install -dp %{buildroot}%{_mandir}/man1
+install -p -m 644 docs/crictl.1 %{buildroot}%{_mandir}/man1
+
+%files
+%license LICENSE
+%doc CHANGELOG.md CONTRIBUTING.md OWNERS README.md RELEASE.md code-of-conduct.md
+%doc docs/{benchmark.md,roadmap.md,validation.md}
+%{_bindir}/crictl
+%{_mandir}/man1/crictl*
+
+%changelog
+* Mon Apr 08 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.22.0-5
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2024-24786
+
+* Sun Apr 07 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.22.0-4
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2022-41723
+
+* Sun Apr 07 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.22.0-3
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2023-39325
+
+* Tue Jun 07 2022 fushanqing <fushanqing@kylinos.cn> - 1.22.0-2
+- update Source0
+
+* Mon Mar 21 2022 fushanqing <fushanqing@kylinos.cn> - 1.22.0-1
+- Init Package

cri-tools.yaml

@@ -0,0 +1,4 @@
+version_control: github
+src_repo: kubernetes-sigs/cri-tools
+tag_prefix: ^v
+separator: .