[AUTO-CHERRYPICK] Fix coredns CVE-2023-44487 by patching vendor tar - branch main (#7628)
Co-authored-by: Daniel McIlvaney <damcilva@microsoft.com>
This commit is contained in:
parent
fc0b1c0039
commit
79fe0a7963
|
@ -0,0 +1,152 @@
|
|||
From b225e7ca6dde1ef5a5ae5ce922861bda011cfabd Mon Sep 17 00:00:00 2001
|
||||
From: Damien Neil <dneil@google.com>
|
||||
Date: Fri, 6 Oct 2023 09:51:19 -0700
|
||||
Subject: [PATCH] http2: limit maximum handler goroutines to
|
||||
MaxConcurrentStreams
|
||||
|
||||
When the peer opens a new stream while we have MaxConcurrentStreams
|
||||
handler goroutines running, defer starting a handler until one
|
||||
of the existing handlers exits.
|
||||
|
||||
Fixes golang/go#63417
|
||||
Fixes CVE-2023-39325
|
||||
|
||||
Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d
|
||||
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854
|
||||
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
|
||||
Reviewed-by: Ian Cottrell <iancottrell@google.com>
|
||||
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
|
||||
Run-TryBot: Damien Neil <dneil@google.com>
|
||||
Reviewed-on: https://go-review.googlesource.com/c/net/+/534215
|
||||
Reviewed-by: Michael Pratt <mpratt@google.com>
|
||||
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
|
||||
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
|
||||
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
|
||||
Reviewed-by: Damien Neil <dneil@google.com>
|
||||
|
||||
Modified to apply to vendored code by: Daniel McIlvaney <damcilva@microsoft.com>
|
||||
- Adjusted paths
|
||||
- Removed reference to server_test.go
|
||||
---
|
||||
|
||||
vendor/golang.org/x/net/http2/server.go | 66 ++++++++++++++++++++++++-
|
||||
vendor/golang.org/x/net/http2/server_test.go | 113 +++++++++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 177 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
|
||||
index de60fa88f..02c88b6b3 100644
|
||||
--- a/vendor/golang.org/x/net/http2/server.go
|
||||
+++ b/vendor/golang.org/x/net/http2/server.go
|
||||
@@ -581,9 +581,11 @@ type serverConn struct {
|
||||
advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
|
||||
curClientStreams uint32 // number of open streams initiated by the client
|
||||
curPushedStreams uint32 // number of open streams initiated by server push
|
||||
+ curHandlers uint32 // number of running handler goroutines
|
||||
maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests
|
||||
maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes
|
||||
streams map[uint32]*stream
|
||||
+ unstartedHandlers []unstartedHandler
|
||||
initialStreamSendWindowSize int32
|
||||
maxFrameSize int32
|
||||
peerMaxHeaderListSize uint32 // zero means unknown (default)
|
||||
@@ -981,6 +983,8 @@ func (sc *serverConn) serve() {
|
||||
return
|
||||
case gracefulShutdownMsg:
|
||||
sc.startGracefulShutdownInternal()
|
||||
+ case handlerDoneMsg:
|
||||
+ sc.handlerDone()
|
||||
default:
|
||||
panic("unknown timer")
|
||||
}
|
||||
@@ -1020,6 +1024,7 @@ var (
|
||||
idleTimerMsg = new(serverMessage)
|
||||
shutdownTimerMsg = new(serverMessage)
|
||||
gracefulShutdownMsg = new(serverMessage)
|
||||
+ handlerDoneMsg = new(serverMessage)
|
||||
)
|
||||
|
||||
func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) }
|
||||
@@ -2017,8 +2022,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error {
|
||||
st.readDeadline = time.AfterFunc(sc.hs.ReadTimeout, st.onReadTimeout)
|
||||
}
|
||||
|
||||
- go sc.runHandler(rw, req, handler)
|
||||
- return nil
|
||||
+ return sc.scheduleHandler(id, rw, req, handler)
|
||||
}
|
||||
|
||||
func (sc *serverConn) upgradeRequest(req *http.Request) {
|
||||
@@ -2038,6 +2042,10 @@ func (sc *serverConn) upgradeRequest(req *http.Request) {
|
||||
sc.conn.SetReadDeadline(time.Time{})
|
||||
}
|
||||
|
||||
+ // This is the first request on the connection,
|
||||
+ // so start the handler directly rather than going
|
||||
+ // through scheduleHandler.
|
||||
+ sc.curHandlers++
|
||||
go sc.runHandler(rw, req, sc.handler.ServeHTTP)
|
||||
}
|
||||
|
||||
@@ -2278,8 +2286,62 @@ func (sc *serverConn) newResponseWriter(st *stream, req *http.Request) *response
|
||||
return &responseWriter{rws: rws}
|
||||
}
|
||||
|
||||
+type unstartedHandler struct {
|
||||
+ streamID uint32
|
||||
+ rw *responseWriter
|
||||
+ req *http.Request
|
||||
+ handler func(http.ResponseWriter, *http.Request)
|
||||
+}
|
||||
+
|
||||
+// scheduleHandler starts a handler goroutine,
|
||||
+// or schedules one to start as soon as an existing handler finishes.
|
||||
+func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error {
|
||||
+ sc.serveG.check()
|
||||
+ maxHandlers := sc.advMaxStreams
|
||||
+ if sc.curHandlers < maxHandlers {
|
||||
+ sc.curHandlers++
|
||||
+ go sc.runHandler(rw, req, handler)
|
||||
+ return nil
|
||||
+ }
|
||||
+ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) {
|
||||
+ return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm))
|
||||
+ }
|
||||
+ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{
|
||||
+ streamID: streamID,
|
||||
+ rw: rw,
|
||||
+ req: req,
|
||||
+ handler: handler,
|
||||
+ })
|
||||
+ return nil
|
||||
+}
|
||||
+
|
||||
+func (sc *serverConn) handlerDone() {
|
||||
+ sc.serveG.check()
|
||||
+ sc.curHandlers--
|
||||
+ i := 0
|
||||
+ maxHandlers := sc.advMaxStreams
|
||||
+ for ; i < len(sc.unstartedHandlers); i++ {
|
||||
+ u := sc.unstartedHandlers[i]
|
||||
+ if sc.streams[u.streamID] == nil {
|
||||
+ // This stream was reset before its goroutine had a chance to start.
|
||||
+ continue
|
||||
+ }
|
||||
+ if sc.curHandlers >= maxHandlers {
|
||||
+ break
|
||||
+ }
|
||||
+ sc.curHandlers++
|
||||
+ go sc.runHandler(u.rw, u.req, u.handler)
|
||||
+ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references
|
||||
+ }
|
||||
+ sc.unstartedHandlers = sc.unstartedHandlers[i:]
|
||||
+ if len(sc.unstartedHandlers) == 0 {
|
||||
+ sc.unstartedHandlers = nil
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
// Run on its own goroutine.
|
||||
func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) {
|
||||
+ defer sc.sendServeMsg(handlerDoneMsg)
|
||||
didPanic := true
|
||||
defer func() {
|
||||
rw.rws.stream.cancelCtx()
|
|
@ -3,7 +3,7 @@
|
|||
Summary: Fast and flexible DNS server
|
||||
Name: coredns
|
||||
Version: 1.11.1
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: Apache License 2.0
|
||||
Vendor: Microsoft Corporation
|
||||
Distribution: Mariner
|
||||
|
@ -32,22 +32,37 @@ Source0: %{name}-%{version}.tar.gz
|
|||
Source1: %{name}-%{version}-vendor.tar.gz
|
||||
Patch0: makefile-buildoption-commitnb.patch
|
||||
|
||||
# Patch for old x/net/http2 vendored code, apply after vendored code is extracted.
|
||||
Patch1000: CVE-2023-44487.patch
|
||||
|
||||
BuildRequires: golang >= 1.12
|
||||
|
||||
%description
|
||||
CoreDNS is a fast and flexible DNS server.
|
||||
|
||||
%prep
|
||||
%autosetup -p1
|
||||
%autosetup -N
|
||||
%autopatch -p1 -M 999
|
||||
|
||||
%build
|
||||
# create vendor folder from the vendor tarball and set vendor mode
|
||||
tar -xf %{SOURCE1} --no-same-owner
|
||||
patch -p1 < %{PATCH1000}
|
||||
export BUILDOPTS="-mod=vendor -v"
|
||||
# set commit number that correspond to the github tag for that version
|
||||
export GITCOMMIT="ae2bbc29be1aaae0b3ded5d188968a6c97bb3144"
|
||||
make
|
||||
|
||||
%check
|
||||
# From go.test.yml
|
||||
go install github.com/fatih/faillint@latest && \
|
||||
(cd request && go test -v -race ./...) && \
|
||||
(cd core && go test -v -race ./...) && \
|
||||
(cd coremain && go test -v -race ./...) && \
|
||||
(cd plugin && go test -v -race ./...) && \
|
||||
(cd test && go test -v -race ./...) && \
|
||||
./coredns -version
|
||||
|
||||
%install
|
||||
install -m 755 -d %{buildroot}%{_bindir}
|
||||
install -p -m 755 -t %{buildroot}%{_bindir} %{name}
|
||||
|
@ -58,6 +73,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} %{name}
|
|||
%{_bindir}/%{name}
|
||||
|
||||
%changelog
|
||||
* Mon Jan 29 2024 Daniel McIlvaney <damcilva@microsoft.com> - 1.11.1-2
|
||||
- Address CVE-2023-44487 by patching vendored golang.org/x/net
|
||||
|
||||
* Tue Oct 18 2023 Nicolas Guibourge <nicolasg@microsoft.com> - 1.11.1-1
|
||||
- Upgrade to 1.11.1 to match version required by kubernetes
|
||||
|
||||
|
|
Loading…
Reference in New Issue