Message ID | 20240419132224.2631349-1-soumya.sambu@windriver.com |
---|---|
State | Superseded |
Delegated to: | Steve Sakoman |
Series | [kirkstone,1/1] go: Fix CVE-2023-45288 | expand |
Hi Soumya, I've already sent patch for the Kirkstone branch. https://lists.openembedded.org/g/openembedded-core/message/198495 Thanks & Regards, Vijay On Fri, Apr 19, 2024 at 6:52 PM Soumya via lists.openembedded.org <soumya.sambu=windriver.com@lists.openembedded.org> wrote: > From: Soumya Sambu <soumya.sambu@windriver.com> > > An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of > header data by sending an excessive number of CONTINUATION frames. > Maintaining HPACK state requires parsing and processing all HEADERS > and CONTINUATION frames on a connection. When a request's headers > exceed MaxHeaderBytes, no memory is allocated to store the excess > headers, but they are still parsed. This permits an attacker to cause > an HTTP/2 endpoint to read arbitrary amounts of header data, all > associated with a request which is going to be rejected. These headers > can include Huffman-encoded data which is significantly more expensive > for the receiver to decode than for an attacker to send. The fix sets > a limit on the amount of excess header frames we will process before > closing a connection. > > References: > https://nvd.nist.gov/vuln/detail/CVE-2023-45288 > > Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> > --- > meta/recipes-devtools/go/go-1.17.13.inc | 3 +- > .../go/go-1.22/CVE-2023-45288.patch | 96 +++++++++++++++++++ > 2 files changed, 98 insertions(+), 1 deletion(-) > create mode 100644 meta/recipes-devtools/go/go-1.22/CVE-2023-45288.patch > > diff --git a/meta/recipes-devtools/go/go-1.17.13.inc > b/meta/recipes-devtools/go/go-1.17.13.inc > index 768961de2c..b5566db1fe 100644 > --- a/meta/recipes-devtools/go/go-1.17.13.inc > +++ b/meta/recipes-devtools/go/go-1.17.13.inc 
> @@ -1,6 +1,6 @@ > require go-common.inc > > -FILESEXTRAPATHS:prepend := > "${FILE_DIRNAME}/go-1.21:${FILE_DIRNAME}/go-1.20:${FILE_DIRNAME}/go-1.19:${FILE_DIRNAME}/go-1.18:" > +FILESEXTRAPATHS:prepend := > "${FILE_DIRNAME}/go-1.22:${FILE_DIRNAME}/go-1.21:${FILE_DIRNAME}/go-1.20:${FILE_DIRNAME}/go-1.19:${FILE_DIRNAME}/go-1.18:" > > LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707" > > @@ -55,6 +55,7 @@ SRC_URI += "\ > file://CVE-2023-45290.patch \ > file://CVE-2024-24784.patch \ > file://CVE-2024-24785.patch \ > + file://CVE-2023-45288.patch \ > " > SRC_URI[main.sha256sum] = > "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" > > diff --git a/meta/recipes-devtools/go/go-1.22/CVE-2023-45288.patch > b/meta/recipes-devtools/go/go-1.22/CVE-2023-45288.patch > new file mode 100644 > index 0000000000..ad84fb84d9 > --- /dev/null > +++ b/meta/recipes-devtools/go/go-1.22/CVE-2023-45288.patch 
> @@ -0,0 +1,96 @@ > +From e55d7cf8435ba4e58d4a5694e63b391821d4ee9b Mon Sep 17 00:00:00 2001 > +From: Damien Neil <dneil@google.com> > +Date: Thu, 28 Mar 2024 16:57:51 -0700 > +Subject: [PATCH] [release-branch.go1.22] net/http: update bundled > + golang.org/x/net/http2 > + > +Disable cmd/internal/moddeps test, since this update includes PRIVATE > +track fixes. > + > +Fixes CVE-2023-45288 > +For #65051 > +Fixes #66298 > + > +Change-Id: I5bbf774ebe7651e4bb7e55139d3794bd2b8e8fa8 > +Reviewed-on: > https://team-review.git.corp.google.com/c/golang/go-private/+/2197227 > +Reviewed-by > <https://team-review.git.corp.google.com/c/golang/go-private/+/2197227+Reviewed-by>: > Tatiana Bradley <tatianabradley@google.com> > +Run-TryBot: Damien Neil <dneil@google.com> > +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> > +Reviewed-on: https://go-review.googlesource.com/c/go/+/576076 > +Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> > +TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com> > +Reviewed-by: Than McIntosh <thanm@google.com> > + > +CVE: CVE-2023-45288 > + > +Upstream-Status: Backport [ > https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b > ] > + > +Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> > +--- > + src/cmd/internal/moddeps/moddeps_test.go | 1 + > + src/net/http/h2_bundle.go | 31 ++++++++++++++++++++++++ > + 2 files changed, 32 insertions(+) > + > +diff --git a/src/cmd/internal/moddeps/moddeps_test.go > b/src/cmd/internal/moddeps/moddeps_test.go > +index d48d43f..ee6d455 100644 > +--- a/src/cmd/internal/moddeps/moddeps_test.go > ++++ b/src/cmd/internal/moddeps/moddeps_test.go > +@@ -36,6 +36,7 @@ import ( > + func TestAllDependencies(t *testing.T) { > + t.Skip("TODO(#57009): 1.19.4 contains unreleased changes from > vendored modules") > + t.Skip("TODO(#53977): 1.18.5 contains unreleased changes from > vendored modules") > ++ t.Skip("TODO(#65051): 1.22.2 contains unreleased changes from > vendored modules") > + > + goBin 
:= testenv.GoToolPath(t) > + > +diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go > +index 9d6abd8..10ff193 100644 > +--- a/src/net/http/h2_bundle.go > ++++ b/src/net/http/h2_bundle.go > +@@ -2842,6 +2842,7 @@ func (fr *http2Framer) readMetaFrame(hf > *http2HeadersFrame) (*http2MetaHeadersFr > + if size > remainSize { > + hdec.SetEmitEnabled(false) > + mh.Truncated = true > ++ remainSize = 0 > + return > + } > + remainSize -= size > +@@ -2854,6 +2855,36 @@ func (fr *http2Framer) readMetaFrame(hf > *http2HeadersFrame) (*http2MetaHeadersFr > + var hc http2headersOrContinuation = hf > + for { > + frag := hc.HeaderBlockFragment() > ++ > ++ // Avoid parsing large amounts of headers that we will > then discard. > ++ // If the sender exceeds the max header list size by too > much, > ++ // skip parsing the fragment and close the connection. > ++ // > ++ // "Too much" is either any CONTINUATION frame after we've > already > ++ // exceeded the max header list size (in which case > remainSize is 0), > ++ // or a frame whose encoded size is more than twice the > remaining > ++ // header list bytes we're willing to accept. > ++ if int64(len(frag)) > int64(2*remainSize) { > ++ if http2VerboseLogs { > ++ log.Printf("http2: header list too large") > ++ } > ++ // It would be nice to send a RST_STREAM before > sending the GOAWAY, > ++ // but the struture of the server's frame writer > makes this difficult. > ++ return nil, > http2ConnectionError(http2ErrCodeProtocol) > ++ } > ++ > ++ // Also close the connection after any CONTINUATION frame > following an > ++ // invalid header, since we stop tracking the size of the > headers after > ++ // an invalid one. > ++ if invalid != nil { > ++ if http2VerboseLogs { > ++ log.Printf("http2: invalid header: %v", > invalid) > ++ } > ++ // It would be nice to send a RST_STREAM before > sending the GOAWAY, > ++ // but the struture of the server's frame writer > makes this difficult. 
> ++ return nil, > http2ConnectionError(http2ErrCodeProtocol) > ++ } > ++ > + if _, err := hdec.Write(frag); err != nil { > + return nil, > http2ConnectionError(http2ErrCodeCompression) > + } > +-- > +2.40.0 > -- > 2.40.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#198549): > https://lists.openembedded.org/g/openembedded-core/message/198549 > Mute This Topic: https://lists.openembedded.org/mt/105617671/7301997 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > vanusuri@mvista.com] > -=-=-=-=-=-=-=-=-=-=-=- > >
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 768961de2c..b5566db1fe 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -1,6 +1,6 @@
 require go-common.inc
-FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/go-1.21:${FILE_DIRNAME}/go-1.20:${FILE_DIRNAME}/go-1.19:${FILE_DIRNAME}/go-1.18:"
+FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/go-1.22:${FILE_DIRNAME}/go-1.21:${FILE_DIRNAME}/go-1.20:${FILE_DIRNAME}/go-1.19:${FILE_DIRNAME}/go-1.18:"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
@@ -55,6 +55,7 @@ SRC_URI += "\
 file://CVE-2023-45290.patch \
 file://CVE-2024-24784.patch \
 file://CVE-2024-24785.patch \
+ file://CVE-2023-45288.patch \
 "
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.22/CVE-2023-45288.patch b/meta/recipes-devtools/go/go-1.22/CVE-2023-45288.patch
new file mode 100644
index 0000000000..ad84fb84d9
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.22/CVE-2023-45288.patch
@@ -0,0 +1,96 @@
+From e55d7cf8435ba4e58d4a5694e63b391821d4ee9b Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Thu, 28 Mar 2024 16:57:51 -0700
+Subject: [PATCH] [release-branch.go1.22] net/http: update bundled
+ golang.org/x/net/http2
+
+Disable cmd/internal/moddeps test, since this update includes PRIVATE
+track fixes.
+
+Fixes CVE-2023-45288
+For #65051
+Fixes #66298
+
+Change-Id: I5bbf774ebe7651e4bb7e55139d3794bd2b8e8fa8
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2197227
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/576076
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Than McIntosh <thanm@google.com>
+
+CVE: CVE-2023-45288
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/cmd/internal/moddeps/moddeps_test.go | 1 +
+ src/net/http/h2_bundle.go | 31 ++++++++++++++++++++++++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go
+index d48d43f..ee6d455 100644
+--- a/src/cmd/internal/moddeps/moddeps_test.go
++++ b/src/cmd/internal/moddeps/moddeps_test.go
+@@ -36,6 +36,7 @@ import (
+ func TestAllDependencies(t *testing.T) {
+ t.Skip("TODO(#57009): 1.19.4 contains unreleased changes from vendored modules")
+ t.Skip("TODO(#53977): 1.18.5 contains unreleased changes from vendored modules")
++ t.Skip("TODO(#65051): 1.22.2 contains unreleased changes from vendored modules")
+
+ goBin := testenv.GoToolPath(t)
+
+diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
+index 9d6abd8..10ff193 100644
+--- a/src/net/http/h2_bundle.go
++++ b/src/net/http/h2_bundle.go
+@@ -2842,6 +2842,7 @@ func (fr *http2Framer) readMetaFrame(hf *http2HeadersFrame) (*http2MetaHeadersFr
+ if size > remainSize {
+ hdec.SetEmitEnabled(false)
+ mh.Truncated = true
++ remainSize = 0
+ return
+ }
+ remainSize -= size
+@@ -2854,6 +2855,36 @@ func (fr *http2Framer) readMetaFrame(hf *http2HeadersFrame) (*http2MetaHeadersFr
+ var hc http2headersOrContinuation = hf
+ for {
+ frag := hc.HeaderBlockFragment()
++
++ // Avoid parsing large amounts of headers that we will then discard.
++ // If the sender exceeds the max header list size by too much,
++ // skip parsing the fragment and close the connection.
++ //
++ // "Too much" is either any CONTINUATION frame after we've already
++ // exceeded the max header list size (in which case remainSize is 0),
++ // or a frame whose encoded size is more than twice the remaining
++ // header list bytes we're willing to accept.
++ if int64(len(frag)) > int64(2*remainSize) {
++ if http2VerboseLogs {
++ log.Printf("http2: header list too large")
++ }
++ // It would be nice to send a RST_STREAM before sending the GOAWAY,
++ // but the struture of the server's frame writer makes this difficult.
++ return nil, http2ConnectionError(http2ErrCodeProtocol)
++ }
++
++ // Also close the connection after any CONTINUATION frame following an
++ // invalid header, since we stop tracking the size of the headers after
++ // an invalid one.
++ if invalid != nil {
++ if http2VerboseLogs {
++ log.Printf("http2: invalid header: %v", invalid)
++ }
++ // It would be nice to send a RST_STREAM before sending the GOAWAY,
++ // but the struture of the server's frame writer makes this difficult.
++ return nil, http2ConnectionError(http2ErrCodeProtocol)
++ }
++
+ if _, err := hdec.Write(frag); err != nil {
+ return nil, http2ConnectionError(http2ErrCodeCompression)
+ }
+--
+2.40.0
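Review bot: The size check added in readMetaFrame's fragment loop computes `int64(2*remainSize)`, so the doubling happens in remainSize's own type before the widening. remainSize is declared outside this hunk; if it is a 32-bit unsigned value as in upstream x/net/http2 (to be confirmed against this 1.17.13 tree), a configured header list limit of 2 GiB or more would wrap and the check would close connections on ordinary fragments. That fails closed, so it is an availability concern for unusual configurations rather than a way around the limit, and the line matches the upstream commit; widening first, `if int64(len(frag)) > 2*int64(remainSize) {`, avoids the wrap if the backport is ever refreshed. readMetaFrame starts and ends outside the hunk.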