From e321493843ba90a55c946376dd4caca0ba4cfb02 Mon Sep 17 00:00:00 2001 From: Aadhar Agarwal Date: Tue, 26 Nov 2024 16:21:49 -0800 Subject: [PATCH 1/3] Add patch for CVE-2023-45288 for kata-conatiners and kata-containers-cc --- SPECS/kata-containers-cc/CVE-2023-45288.patch | 85 +++++++++++++++++++ .../kata-containers-cc.spec | 6 +- SPECS/kata-containers/CVE-2023-45288.patch | 85 +++++++++++++++++++ SPECS/kata-containers/kata-containers.spec | 6 +- 4 files changed, 180 insertions(+), 2 deletions(-) create mode 100644 SPECS/kata-containers-cc/CVE-2023-45288.patch create mode 100644 SPECS/kata-containers/CVE-2023-45288.patch diff --git a/SPECS/kata-containers-cc/CVE-2023-45288.patch b/SPECS/kata-containers-cc/CVE-2023-45288.patch new file mode 100644 index 00000000000..48c60f10efe --- /dev/null +++ b/SPECS/kata-containers-cc/CVE-2023-45288.patch @@ -0,0 +1,85 @@ +From 87bba52321835fa92f7c91be1b8eef89a93d2506 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Wed, 10 Jan 2024 13:41:39 -0800 +Subject: [PATCH] http2: close connections when receiving too many headers + +Maintaining HPACK state requires that we parse and process +all HEADERS and CONTINUATION frames on a connection. +When a request's headers exceed MaxHeaderBytes, we don't +allocate memory to store the excess headers but we do +parse them. This permits an attacker to cause an HTTP/2 +endpoint to read arbitrary amounts of data, all associated +with a request which is going to be rejected. + +Set a limit on the amount of excess header frames we +will process before closing a connection. + +Thanks to Bartek Nowotarski for reporting this issue. + +Fixes CVE-2023-45288 +Fixes golang/go#65051 + +Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527 +Reviewed-by: Roland Shoemaker +Reviewed-by: Tatiana Bradley +Reviewed-on: https://go-review.googlesource.com/c/net/+/576155 +Reviewed-by: Dmitri Shuralyov +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Than McIntosh +LUCI-TryBot-Result: Go LUCI +--- + vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/src/runtime/vendor/golang.org/x/net/http2/frame.go b/src/runtime/vendor/golang.org/x/net/http2/frame.go +index c1f6b90..175c154 100644 +--- a/src/runtime/vendor/golang.org/x/net/http2/frame.go ++++ b/src/runtime/vendor/golang.org/x/net/http2/frame.go +@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { + if size > remainSize { + hdec.SetEmitEnabled(false) + mh.Truncated = true ++ remainSize = 0 + return + } + remainSize -= size +@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { + var hc headersOrContinuation = hf + for { + frag := hc.HeaderBlockFragment() ++ ++ // Avoid parsing large amounts of headers that we will then discard. ++ // If the sender exceeds the max header list size by too much, ++ // skip parsing the fragment and close the connection. ++ // ++ // "Too much" is either any CONTINUATION frame after we've already ++ // exceeded the max header list size (in which case remainSize is 0), ++ // or a frame whose encoded size is more than twice the remaining ++ // header list bytes we're willing to accept. ++ if int64(len(frag)) > int64(2*remainSize) { ++ if VerboseLogs { ++ log.Printf("http2: header list too large") ++ } ++ // It would be nice to send a RST_STREAM before sending the GOAWAY, ++ // but the struture of the server's frame writer makes this difficult. ++ return nil, ConnectionError(ErrCodeProtocol) ++ } ++ ++ // Also close the connection after any CONTINUATION frame following an ++ // invalid header, since we stop tracking the size of the headers after ++ // an invalid one. ++ if invalid != nil { ++ if VerboseLogs { ++ log.Printf("http2: invalid header: %v", invalid) ++ } ++ // It would be nice to send a RST_STREAM before sending the GOAWAY, ++ // but the struture of the server's frame writer makes this difficult. ++ return nil, ConnectionError(ErrCodeProtocol) ++ } ++ + if _, err := hdec.Write(frag); err != nil { + return nil, ConnectionError(ErrCodeCompression) + } +-- +2.44.0 diff --git a/SPECS/kata-containers-cc/kata-containers-cc.spec b/SPECS/kata-containers-cc/kata-containers-cc.spec index 26dc873a10b..abf9a665e2a 100644 --- a/SPECS/kata-containers-cc/kata-containers-cc.spec +++ b/SPECS/kata-containers-cc/kata-containers-cc.spec @@ -13,7 +13,7 @@ Name: kata-containers-cc Version: 3.2.0.azl2 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Kata Confidential Containers package developed for Confidential Containers on AKS License: ASL 2.0 Vendor: Microsoft Corporation @@ -21,6 +21,7 @@ URL: https://github.com/microsoft/kata-containers Source0: https://github.com/microsoft/kata-containers/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: %{name}-%{version}-cargo.tar.gz Source2: mariner-coco-build-uvm.sh +Patch0: CVE-2023-45288.patch ExclusiveArch: x86_64 @@ -288,6 +289,9 @@ install -D -m 0755 %{_builddir}/%{name}-%{version}/tools/osbuilder/image-builder %exclude %{osbuilder}/tools/osbuilder/rootfs-builder/ubuntu %changelog +* Tue Nov 26 2024 Aadhar Agarwal - 3.2.0.azl2-5 +- Add a patch for CVE-2023-45288 + * Mon Sep 09 2024 CBL-Mariner Servicing Account - 3.2.0.azl2-4 - Bump release to rebuild with go 1.22.7 diff --git a/SPECS/kata-containers/CVE-2023-45288.patch b/SPECS/kata-containers/CVE-2023-45288.patch new file mode 100644 index 00000000000..48c60f10efe --- /dev/null +++ b/SPECS/kata-containers/CVE-2023-45288.patch @@ -0,0 +1,85 @@ +From 87bba52321835fa92f7c91be1b8eef89a93d2506 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Wed, 10 Jan 2024 13:41:39 -0800 +Subject: [PATCH] http2: close connections when receiving too many headers + +Maintaining HPACK state requires that we parse and process +all HEADERS and CONTINUATION frames on a connection. +When a request's headers exceed MaxHeaderBytes, we don't +allocate memory to store the excess headers but we do +parse them. This permits an attacker to cause an HTTP/2 +endpoint to read arbitrary amounts of data, all associated +with a request which is going to be rejected. + +Set a limit on the amount of excess header frames we +will process before closing a connection. + +Thanks to Bartek Nowotarski for reporting this issue. + +Fixes CVE-2023-45288 +Fixes golang/go#65051 + +Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527 +Reviewed-by: Roland Shoemaker +Reviewed-by: Tatiana Bradley +Reviewed-on: https://go-review.googlesource.com/c/net/+/576155 +Reviewed-by: Dmitri Shuralyov +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Than McIntosh +LUCI-TryBot-Result: Go LUCI +--- + vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/src/runtime/vendor/golang.org/x/net/http2/frame.go b/src/runtime/vendor/golang.org/x/net/http2/frame.go +index c1f6b90..175c154 100644 +--- a/src/runtime/vendor/golang.org/x/net/http2/frame.go ++++ b/src/runtime/vendor/golang.org/x/net/http2/frame.go +@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { + if size > remainSize { + hdec.SetEmitEnabled(false) + mh.Truncated = true ++ remainSize = 0 + return + } + remainSize -= size +@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { + var hc headersOrContinuation = hf + for { + frag := hc.HeaderBlockFragment() ++ ++ // Avoid parsing large amounts of headers that we will then discard. ++ // If the sender exceeds the max header list size by too much, ++ // skip parsing the fragment and close the connection. ++ // ++ // "Too much" is either any CONTINUATION frame after we've already ++ // exceeded the max header list size (in which case remainSize is 0), ++ // or a frame whose encoded size is more than twice the remaining ++ // header list bytes we're willing to accept. ++ if int64(len(frag)) > int64(2*remainSize) { ++ if VerboseLogs { ++ log.Printf("http2: header list too large") ++ } ++ // It would be nice to send a RST_STREAM before sending the GOAWAY, ++ // but the struture of the server's frame writer makes this difficult. ++ return nil, ConnectionError(ErrCodeProtocol) ++ } ++ ++ // Also close the connection after any CONTINUATION frame following an ++ // invalid header, since we stop tracking the size of the headers after ++ // an invalid one. ++ if invalid != nil { ++ if VerboseLogs { ++ log.Printf("http2: invalid header: %v", invalid) ++ } ++ // It would be nice to send a RST_STREAM before sending the GOAWAY, ++ // but the struture of the server's frame writer makes this difficult. ++ return nil, ConnectionError(ErrCodeProtocol) ++ } ++ + if _, err := hdec.Write(frag); err != nil { + return nil, ConnectionError(ErrCodeCompression) + } +-- +2.44.0 diff --git a/SPECS/kata-containers/kata-containers.spec b/SPECS/kata-containers/kata-containers.spec index 4e271c48e79..b654e2bfd50 100644 --- a/SPECS/kata-containers/kata-containers.spec +++ b/SPECS/kata-containers/kata-containers.spec @@ -39,7 +39,7 @@ Summary: Kata Containers Name: kata-containers Version: 3.2.0.azl2 -Release: 4%{?dist} +Release: 5%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation URL: https://github.com/microsoft/kata-containers @@ -47,6 +47,7 @@ Source0: https://github.com/microsoft/kata-containers/archive/refs/tags/% Source1: %{name}-%{version}-cargo.tar.gz Source2: 50-kata Source3: mariner-build-uvm.sh +Patch0: CVE-2023-45288.patch BuildRequires: golang BuildRequires: git-core @@ -215,6 +216,9 @@ ln -sf %{_bindir}/kata-runtime %{buildroot}%{_prefix}/local/bin/kata-runtime %exclude %{kataosbuilderdir}/rootfs-builder/ubuntu %changelog +* Tue Nov 26 2024 Aadhar Agarwal - 3.2.0.azl2-5 +- Add a patch for CVE-2023-45288 + * Mon Sep 09 2024 CBL-Mariner Servicing Account - 3.2.0.azl2-4 - Bump release to rebuild with go 1.22.7 From 080a3d3c8d4775440f44d5d39a818f8a7b009732 Mon Sep 17 00:00:00 2001 From: Aadhar Agarwal Date: Wed, 27 Nov 2024 11:50:17 -0800 Subject: [PATCH 2/3] Add patch for CVE-2023-39325 for kata-containers and kata-containers-cc --- SPECS/kata-containers-cc/CVE-2023-39325.patch | 152 ++++++++++++++++++ .../kata-containers-cc.spec | 3 +- SPECS/kata-containers/CVE-2023-39325.patch | 152 ++++++++++++++++++ SPECS/kata-containers/kata-containers.spec | 3 +- 4 files changed, 308 insertions(+), 2 deletions(-) create mode 100644 SPECS/kata-containers-cc/CVE-2023-39325.patch create mode 100644 SPECS/kata-containers/CVE-2023-39325.patch diff --git a/SPECS/kata-containers-cc/CVE-2023-39325.patch b/SPECS/kata-containers-cc/CVE-2023-39325.patch new file mode 100644 index 00000000000..4d996b35226 --- /dev/null +++ b/SPECS/kata-containers-cc/CVE-2023-39325.patch @@ -0,0 +1,152 @@ +From 84b30b3380727ea94e05c438ab695ea24e38fb0c Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go +--- + .../vendor/golang.org/x/net/http2/server.go | 66 ++++++++++++++++++- + 1 file changed, 64 insertions(+), 2 deletions(-) + +diff --git a/src/runtime/vendor/golang.org/x/net/http2/server.go b/src/runtime/vendor/golang.org/x/net/http2/server.go +index 8cb14f3..6000140 100644 +--- a/src/runtime/vendor/golang.org/x/net/http2/server.go ++++ b/src/runtime/vendor/golang.org/x/net/http2/server.go +@@ -581,9 +581,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + peerMaxHeaderListSize uint32 // zero means unknown (default) +@@ -981,6 +983,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -1028,6 +1032,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -2022,8 +2027,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + } + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (sc *serverConn) upgradeRequest(req *http.Request) { +@@ -2043,6 +2047,10 @@ func (sc *serverConn) upgradeRequest(req *http.Request) { + sc.conn.SetReadDeadline(time.Time{}) + } + ++ // This is the first request on the connection, ++ // so start the handler directly rather than going ++ // through scheduleHandler. ++ sc.curHandlers++ + go sc.runHandler(rw, req, sc.handler.ServeHTTP) + } + +@@ -2283,8 +2291,62 @@ func (sc *serverConn) newResponseWriter(st *stream, req *http.Request) *response + return &responseWriter{rws: rws} + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm)) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/kata-containers-cc/kata-containers-cc.spec b/SPECS/kata-containers-cc/kata-containers-cc.spec index abf9a665e2a..4757e0357d4 100644 --- a/SPECS/kata-containers-cc/kata-containers-cc.spec +++ b/SPECS/kata-containers-cc/kata-containers-cc.spec @@ -22,6 +22,7 @@ Source0: https://github.com/microsoft/kata-containers/archive/refs/tags/%{v Source1: %{name}-%{version}-cargo.tar.gz Source2: mariner-coco-build-uvm.sh Patch0: CVE-2023-45288.patch +Patch1: CVE-2023-39325.patch ExclusiveArch: x86_64 @@ -290,7 +291,7 @@ install -D -m 0755 %{_builddir}/%{name}-%{version}/tools/osbuilder/image-builder %changelog * Tue Nov 26 2024 Aadhar Agarwal - 3.2.0.azl2-5 -- Add a patch for CVE-2023-45288 +- Add patches for CVE-2023-45288, CVE-2023-39325 * Mon Sep 09 2024 CBL-Mariner Servicing Account - 3.2.0.azl2-4 - Bump release to rebuild with go 1.22.7 diff --git a/SPECS/kata-containers/CVE-2023-39325.patch b/SPECS/kata-containers/CVE-2023-39325.patch new file mode 100644 index 00000000000..4d996b35226 --- /dev/null +++ b/SPECS/kata-containers/CVE-2023-39325.patch @@ -0,0 +1,152 @@ +From 84b30b3380727ea94e05c438ab695ea24e38fb0c Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 6 Oct 2023 09:51:19 -0700 +Subject: [PATCH] http2: limit maximum handler goroutines to + MaxConcurrentStreams + +When the peer opens a new stream while we have MaxConcurrentStreams +handler goroutines running, defer starting a handler until one +of the existing handlers exits. + +Fixes golang/go#63417 +Fixes CVE-2023-39325 + +Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854 +TryBot-Result: Security TryBots +Reviewed-by: Ian Cottrell +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/net/+/534215 +Reviewed-by: Michael Pratt +Reviewed-by: Dmitri Shuralyov +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Damien Neil + +Modified to apply to vendored code by: Daniel McIlvaney + - Adjusted paths + - Removed reference to server_test.go +--- + .../vendor/golang.org/x/net/http2/server.go | 66 ++++++++++++++++++- + 1 file changed, 64 insertions(+), 2 deletions(-) + +diff --git a/src/runtime/vendor/golang.org/x/net/http2/server.go b/src/runtime/vendor/golang.org/x/net/http2/server.go +index 8cb14f3..6000140 100644 +--- a/src/runtime/vendor/golang.org/x/net/http2/server.go ++++ b/src/runtime/vendor/golang.org/x/net/http2/server.go +@@ -581,9 +581,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + peerMaxHeaderListSize uint32 // zero means unknown (default) +@@ -981,6 +983,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -1028,6 +1032,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -2022,8 +2027,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + } + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (sc *serverConn) upgradeRequest(req *http.Request) { +@@ -2043,6 +2047,10 @@ func (sc *serverConn) upgradeRequest(req *http.Request) { + sc.conn.SetReadDeadline(time.Time{}) + } + ++ // This is the first request on the connection, ++ // so start the handler directly rather than going ++ // through scheduleHandler. ++ sc.curHandlers++ + go sc.runHandler(rw, req, sc.handler.ServeHTTP) + } + +@@ -2283,8 +2291,62 @@ func (sc *serverConn) newResponseWriter(st *stream, req *http.Request) *response + return &responseWriter{rws: rws} + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm)) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +-- +2.33.8 diff --git a/SPECS/kata-containers/kata-containers.spec b/SPECS/kata-containers/kata-containers.spec index b654e2bfd50..afc6c0b202f 100644 --- a/SPECS/kata-containers/kata-containers.spec +++ b/SPECS/kata-containers/kata-containers.spec @@ -48,6 +48,7 @@ Source1: %{name}-%{version}-cargo.tar.gz Source2: 50-kata Source3: mariner-build-uvm.sh Patch0: CVE-2023-45288.patch +Patch1: CVE-2023-39325.patch BuildRequires: golang BuildRequires: git-core @@ -217,7 +218,7 @@ ln -sf %{_bindir}/kata-runtime %{buildroot}%{_prefix}/local/bin/kata-runtime %changelog * Tue Nov 26 2024 Aadhar Agarwal - 3.2.0.azl2-5 -- Add a patch for CVE-2023-45288 +- Add patches for CVE-2023-45288, CVE-2023-39325 * Mon Sep 09 2024 CBL-Mariner Servicing Account - 3.2.0.azl2-4 - Bump release to rebuild with go 1.22.7 From 21fe366d6893d662aa7a56b56f99882da790fed9 Mon Sep 17 00:00:00 2001 From: Aadhar Agarwal Date: Wed, 27 Nov 2024 12:00:53 -0800 Subject: [PATCH 3/3] Add patch for CVE-2024-24786 for kata-containers and kata-containers-cc --- SPECS/kata-containers-cc/CVE-2024-24786.patch | 40 +++++++++++++++++++ .../kata-containers-cc.spec | 5 ++- SPECS/kata-containers/CVE-2024-24786.patch | 40 +++++++++++++++++++ SPECS/kata-containers/kata-containers.spec | 5 ++- 4 files changed, 86 insertions(+), 4 deletions(-) create mode 100644 SPECS/kata-containers-cc/CVE-2024-24786.patch create mode 100644 SPECS/kata-containers/CVE-2024-24786.patch diff --git a/SPECS/kata-containers-cc/CVE-2024-24786.patch b/SPECS/kata-containers-cc/CVE-2024-24786.patch new file mode 100644 index 00000000000..8d4d86b526a --- /dev/null +++ b/SPECS/kata-containers-cc/CVE-2024-24786.patch @@ -0,0 +1,40 @@ +From 6c1b60f80d28a7ac1b931ee04b516893c23700fa Mon Sep 17 00:00:00 2001 +From: Cameron Baird +Date: Thu, 22 Aug 2024 17:53:06 +0000 +Subject: [PATCH] Manually format patch for CVE-2024-24786 + +--- + .../protobuf/encoding/protojson/well_known_types.go | 3 +++ + .../protobuf/internal/encoding/json/decode.go | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/runtime/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/src/runtime/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +index c85f846..344c903 100644 +--- a/src/runtime/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go ++++ b/src/runtime/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +@@ -348,6 +348,9 @@ func (d decoder) skipJSONValue() error { + } + } + } ++ ++ case json.EOF: ++ return errors.New("unexpected EOF") + } + return nil + } +diff --git a/src/runtime/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/src/runtime/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +index b13fd29..b2be4e8 100644 +--- a/src/runtime/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go ++++ b/src/runtime/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) { + + case ObjectClose: + if len(d.openStack) == 0 || +- d.lastToken.kind == comma || ++ d.lastToken.kind&(Name|comma) != 0 || + d.openStack[len(d.openStack)-1] != ObjectOpen { + return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString()) + } +-- +2.34.1 + diff --git a/SPECS/kata-containers-cc/kata-containers-cc.spec b/SPECS/kata-containers-cc/kata-containers-cc.spec index 4757e0357d4..97442b3814f 100644 --- a/SPECS/kata-containers-cc/kata-containers-cc.spec +++ b/SPECS/kata-containers-cc/kata-containers-cc.spec @@ -23,6 +23,7 @@ Source1: %{name}-%{version}-cargo.tar.gz Source2: mariner-coco-build-uvm.sh Patch0: CVE-2023-45288.patch Patch1: CVE-2023-39325.patch +Patch2: CVE-2024-24786.patch ExclusiveArch: x86_64 @@ -290,8 +291,8 @@ install -D -m 0755 %{_builddir}/%{name}-%{version}/tools/osbuilder/image-builder %exclude %{osbuilder}/tools/osbuilder/rootfs-builder/ubuntu %changelog -* Tue Nov 26 2024 Aadhar Agarwal - 3.2.0.azl2-5 -- Add patches for CVE-2023-45288, CVE-2023-39325 +* Wed Nov 27 2024 Aadhar Agarwal - 3.2.0.azl2-5 +- Add patches for CVE-2023-45288, CVE-2023-39325 and CVE-2024-24786 * Mon Sep 09 2024 CBL-Mariner Servicing Account - 3.2.0.azl2-4 - Bump release to rebuild with go 1.22.7 diff --git a/SPECS/kata-containers/CVE-2024-24786.patch b/SPECS/kata-containers/CVE-2024-24786.patch new file mode 100644 index 00000000000..8d4d86b526a --- /dev/null +++ b/SPECS/kata-containers/CVE-2024-24786.patch @@ -0,0 +1,40 @@ +From 6c1b60f80d28a7ac1b931ee04b516893c23700fa Mon Sep 17 00:00:00 2001 +From: Cameron Baird +Date: Thu, 22 Aug 2024 17:53:06 +0000 +Subject: [PATCH] Manually format patch for CVE-2024-24786 + +--- + .../protobuf/encoding/protojson/well_known_types.go | 3 +++ + .../protobuf/internal/encoding/json/decode.go | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/runtime/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/src/runtime/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +index c85f846..344c903 100644 +--- a/src/runtime/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go ++++ b/src/runtime/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +@@ -348,6 +348,9 @@ func (d decoder) skipJSONValue() error { + } + } + } ++ ++ case json.EOF: ++ return errors.New("unexpected EOF") + } + return nil + } +diff --git a/src/runtime/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/src/runtime/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +index b13fd29..b2be4e8 100644 +--- a/src/runtime/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go ++++ b/src/runtime/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) { + + case ObjectClose: + if len(d.openStack) == 0 || +- d.lastToken.kind == comma || ++ d.lastToken.kind&(Name|comma) != 0 || + d.openStack[len(d.openStack)-1] != ObjectOpen { + return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString()) + } +-- +2.34.1 + diff --git a/SPECS/kata-containers/kata-containers.spec b/SPECS/kata-containers/kata-containers.spec index afc6c0b202f..9fd6cc0ce0c 100644 --- a/SPECS/kata-containers/kata-containers.spec +++ b/SPECS/kata-containers/kata-containers.spec @@ -49,6 +49,7 @@ Source2: 50-kata Source3: mariner-build-uvm.sh Patch0: CVE-2023-45288.patch Patch1: CVE-2023-39325.patch +Patch2: CVE-2024-24786.patch BuildRequires: golang BuildRequires: git-core @@ -217,8 +218,8 @@ ln -sf %{_bindir}/kata-runtime %{buildroot}%{_prefix}/local/bin/kata-runtime %exclude %{kataosbuilderdir}/rootfs-builder/ubuntu %changelog -* Tue Nov 26 2024 Aadhar Agarwal - 3.2.0.azl2-5 -- Add patches for CVE-2023-45288, CVE-2023-39325 +* Wed Nov 27 2024 Aadhar Agarwal - 3.2.0.azl2-5 +- Add patches for CVE-2023-45288, CVE-2023-39325 and CVE-2024-24786 * Mon Sep 09 2024 CBL-Mariner Servicing Account - 3.2.0.azl2-4 - Bump release to rebuild with go 1.22.7