cvefix: fix CVE-2023-39325
This commit is contained in:
hanchao
parent
a55f2e83eb
commit
56ae71c2a1
147
0053-CVE-2023-39325-net-http-regenerate-h2_bundle.go.patch
Normal file
147
0053-CVE-2023-39325-net-http-regenerate-h2_bundle.go.patch
Normal file
@ -0,0 +1,147 @@
|
||||
From 6dc693737f84785a30238ca7640ad8ba605c0eac Mon Sep 17 00:00:00 2001
|
||||
From: Damien Neil <dneil@google.com>
|
||||
Date: Sat, 7 Oct 2023 05:16:27 +0800
|
||||
Subject: [PATCH] [Backport] net/http: regenerate h2_bundle.go
|
||||
|
||||
Offering: Cloud Core Network
|
||||
CVE: CVE-2023-39325
|
||||
Reference: https://go-review.googlesource.com/c/go/+/534255
|
||||
|
||||
Pull in a security fix from x/net/http2:
|
||||
http2: limit maximum handler goroutines to MaxConcurrentStreamso
|
||||
|
||||
Note: The upstream does not submit this change to go1.17 according to the rules of MinorReleases.
|
||||
Corego3.x are based on go1.17.8. Therefore, it need to submit the change to corego3.x.
|
||||
|
||||
Edited-by: machangwang m00509938
|
||||
|
||||
For #63417
|
||||
Fixes #63426
|
||||
Fixes CVE-2023-39325
|
||||
|
||||
Change-Id: I6e32397323cd9b4114c990fcc9d19557a7f5f619
|
||||
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047401
|
||||
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
|
||||
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
|
||||
Run-TryBot: Damien Neil <dneil@google.com>
|
||||
Reviewed-by: Ian Cottrell <iancottrell@google.com>
|
||||
Reviewed-on: https://go-review.googlesource.com/c/go/+/534255
|
||||
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
|
||||
Reviewed-by: Damien Neil <dneil@google.com>
|
||||
TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
|
||||
Reviewed-by: Michael Pratt <mpratt@google.com>
|
||||
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
|
||||
Signed-off-by: Ma Chang Wang machangwang@huawei.com
|
||||
---
|
||||
src/net/http/h2_bundle.go | 62 +++++++++++++++++++++++++++++++++++++--
|
||||
1 file changed, 60 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
|
||||
index 5433ebdc51..b87d14b6ea 100644
|
||||
--- a/src/net/http/h2_bundle.go
|
||||
+++ b/src/net/http/h2_bundle.go
|
||||
@@ -4181,9 +4181,11 @@ type http2serverConn struct {
|
||||
advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
|
||||
curClientStreams uint32 // number of open streams initiated by the client
|
||||
curPushedStreams uint32 // number of open streams initiated by server push
|
||||
+ curHandlers uint32 // number of running handler goroutines
|
||||
maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests
|
||||
maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes
|
||||
streams map[uint32]*http2stream
|
||||
+ unstartedHandlers []http2unstartedHandler
|
||||
initialStreamSendWindowSize int32
|
||||
maxFrameSize int32
|
||||
headerTableSize uint32
|
||||
@@ -4577,6 +4579,8 @@ func (sc *http2serverConn) serve() {
|
||||
return
|
||||
case http2gracefulShutdownMsg:
|
||||
sc.startGracefulShutdownInternal()
|
||||
+ case http2handlerDoneMsg:
|
||||
+ sc.handlerDone()
|
||||
default:
|
||||
panic("unknown timer")
|
||||
}
|
||||
@@ -4622,6 +4626,7 @@ var (
|
||||
http2idleTimerMsg = new(http2serverMessage)
|
||||
http2shutdownTimerMsg = new(http2serverMessage)
|
||||
http2gracefulShutdownMsg = new(http2serverMessage)
|
||||
+ http2handlerDoneMsg = new(http2serverMessage)
|
||||
)
|
||||
|
||||
func (sc *http2serverConn) onSettingsTimer() { sc.sendServeMsg(http2settingsTimerMsg) }
|
||||
@@ -5584,8 +5589,7 @@ func (sc *http2serverConn) processHeaders(f *http2MetaHeadersFrame) error {
|
||||
sc.conn.SetReadDeadline(time.Time{})
|
||||
}
|
||||
|
||||
- go sc.runHandler(rw, req, handler)
|
||||
- return nil
|
||||
+ return sc.scheduleHandler(id, rw, req, handler)
|
||||
}
|
||||
|
||||
func (st *http2stream) processTrailerHeaders(f *http2MetaHeadersFrame) error {
|
||||
@@ -5832,8 +5836,62 @@ func (sc *http2serverConn) newWriterAndRequestNoBody(st *http2stream, rp http2re
|
||||
return rw, req, nil
|
||||
}
|
||||
|
||||
+type http2unstartedHandler struct {
|
||||
+ streamID uint32
|
||||
+ rw *http2responseWriter
|
||||
+ req *Request
|
||||
+ handler func(ResponseWriter, *Request)
|
||||
+}
|
||||
+
|
||||
+// scheduleHandler starts a handler goroutine,
|
||||
+// or schedules one to start as soon as an existing handler finishes.
|
||||
+func (sc *http2serverConn) scheduleHandler(streamID uint32, rw *http2responseWriter, req *Request, handler func(ResponseWriter, *Request)) error {
|
||||
+ sc.serveG.check()
|
||||
+ maxHandlers := sc.advMaxStreams
|
||||
+ if sc.curHandlers < maxHandlers {
|
||||
+ sc.curHandlers++
|
||||
+ go sc.runHandler(rw, req, handler)
|
||||
+ return nil
|
||||
+ }
|
||||
+ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) {
|
||||
+ return http2ConnectionError(http2ErrCodeEnhanceYourCalm)
|
||||
+ }
|
||||
+ sc.unstartedHandlers = append(sc.unstartedHandlers, http2unstartedHandler{
|
||||
+ streamID: streamID,
|
||||
+ rw: rw,
|
||||
+ req: req,
|
||||
+ handler: handler,
|
||||
+ })
|
||||
+ return nil
|
||||
+}
|
||||
+
|
||||
+func (sc *http2serverConn) handlerDone() {
|
||||
+ sc.serveG.check()
|
||||
+ sc.curHandlers--
|
||||
+ i := 0
|
||||
+ maxHandlers := sc.advMaxStreams
|
||||
+ for ; i < len(sc.unstartedHandlers); i++ {
|
||||
+ u := sc.unstartedHandlers[i]
|
||||
+ if sc.streams[u.streamID] == nil {
|
||||
+ // This stream was reset before its goroutine had a chance to start.
|
||||
+ continue
|
||||
+ }
|
||||
+ if sc.curHandlers >= maxHandlers {
|
||||
+ break
|
||||
+ }
|
||||
+ sc.curHandlers++
|
||||
+ go sc.runHandler(u.rw, u.req, u.handler)
|
||||
+ sc.unstartedHandlers[i] = http2unstartedHandler{} // don't retain references
|
||||
+ }
|
||||
+ sc.unstartedHandlers = sc.unstartedHandlers[i:]
|
||||
+ if len(sc.unstartedHandlers) == 0 {
|
||||
+ sc.unstartedHandlers = nil
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
// Run on its own goroutine.
|
||||
func (sc *http2serverConn) runHandler(rw *http2responseWriter, req *Request, handler func(ResponseWriter, *Request)) {
|
||||
+ defer sc.sendServeMsg(http2handlerDoneMsg)
|
||||
didPanic := true
|
||||
defer func() {
|
||||
rw.rws.stream.cancelCtx()
|
||||
--
|
||||
2.33.0
|
||||
|
||||
@ -63,7 +63,7 @@
|
||||
|
||||
Name: golang
|
||||
Version: 1.17.3
|
||||
Release: 24
|
||||
Release: 25
|
||||
Summary: The Go Programming Language
|
||||
License: BSD and Public Domain
|
||||
URL: https://golang.org/
|
||||
@ -202,6 +202,7 @@ Patch6049: 0049-Backport-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.pa
|
||||
Patch6050: 0050-Backport-html-template-support-HTML-like-comments-in.patch
|
||||
Patch6051: 0051-Backport-html-template-properly-handle-special-tags-.patch
|
||||
Patch6052: 0052-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch
|
||||
Patch6053: 0053-CVE-2023-39325-net-http-regenerate-h2_bundle.go.patch
|
||||
|
||||
ExclusiveArch: %{golang_arches}
|
||||
|
||||
@ -440,6 +441,12 @@ fi
|
||||
%files devel -f go-tests.list -f go-misc.list -f go-src.list
|
||||
|
||||
%changelog
|
||||
* Mon Oct 23 2023 hanchao <hanchao63@huawei.com> - 1.17.3-25
|
||||
- Type:CVE
|
||||
- CVE:CVE-2023-39325
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2023-39325
|
||||
|
||||
* Fri Oct 13 2023 luoyujie <luoyujie5@huawei.com> - 1.17.3-24
|
||||
- Type:CVE
|
||||
- CVE:CVE-2023-39323
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user