-
Notifications
You must be signed in to change notification settings - Fork 554
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add patch for CVE-2023-45288 for kata-conatiners and kata-containers-cc
- Loading branch information
1 parent
9f45852
commit 38c7dc1
Showing
4 changed files
with
180 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
From 87bba52321835fa92f7c91be1b8eef89a93d2506 Mon Sep 17 00:00:00 2001 | ||
From: Damien Neil <dneil@google.com> | ||
Date: Wed, 10 Jan 2024 13:41:39 -0800 | ||
Subject: [PATCH] http2: close connections when receiving too many headers | ||
|
||
Maintaining HPACK state requires that we parse and process | ||
all HEADERS and CONTINUATION frames on a connection. | ||
When a request's headers exceed MaxHeaderBytes, we don't | ||
allocate memory to store the excess headers but we do | ||
parse them. This permits an attacker to cause an HTTP/2 | ||
endpoint to read arbitrary amounts of data, all associated | ||
with a request which is going to be rejected. | ||
|
||
Set a limit on the amount of excess header frames we | ||
will process before closing a connection. | ||
|
||
Thanks to Bartek Nowotarski for reporting this issue. | ||
|
||
Fixes CVE-2023-45288 | ||
Fixes golang/go#65051 | ||
|
||
Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6 | ||
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527 | ||
Reviewed-by: Roland Shoemaker <bracewell@google.com> | ||
Reviewed-by: Tatiana Bradley <tatianabradley@google.com> | ||
Reviewed-on: https://go-review.googlesource.com/c/net/+/576155 | ||
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> | ||
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org> | ||
Reviewed-by: Than McIntosh <thanm@google.com> | ||
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> | ||
--- | ||
src/runtime/vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++ | ||
1 file changed, 31 insertions(+) | ||
|
||
diff --git a/src/runtime/vendor/golang.org/x/net/http2/frame.go b/src/runtime/vendor/golang.org/x/net/http2/frame.go | ||
index c1f6b90..175c154 100644 | ||
--- a/src/runtime/vendor/golang.org/x/net/http2/frame.go | ||
+++ b/src/runtime/vendor/golang.org/x/net/http2/frame.go | ||
@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { | ||
if size > remainSize { | ||
hdec.SetEmitEnabled(false) | ||
mh.Truncated = true | ||
+ remainSize = 0 | ||
return | ||
} | ||
remainSize -= size | ||
@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { | ||
var hc headersOrContinuation = hf | ||
for { | ||
frag := hc.HeaderBlockFragment() | ||
+ | ||
+ // Avoid parsing large amounts of headers that we will then discard. | ||
+ // If the sender exceeds the max header list size by too much, | ||
+ // skip parsing the fragment and close the connection. | ||
+ // | ||
+ // "Too much" is either any CONTINUATION frame after we've already | ||
+ // exceeded the max header list size (in which case remainSize is 0), | ||
+ // or a frame whose encoded size is more than twice the remaining | ||
+ // header list bytes we're willing to accept. | ||
+ if int64(len(frag)) > int64(2*remainSize) { | ||
+ if VerboseLogs { | ||
+ log.Printf("http2: header list too large") | ||
+ } | ||
+ // It would be nice to send a RST_STREAM before sending the GOAWAY, | ||
+ // but the struture of the server's frame writer makes this difficult. | ||
+ return nil, ConnectionError(ErrCodeProtocol) | ||
+ } | ||
+ | ||
+ // Also close the connection after any CONTINUATION frame following an | ||
+ // invalid header, since we stop tracking the size of the headers after | ||
+ // an invalid one. | ||
+ if invalid != nil { | ||
+ if VerboseLogs { | ||
+ log.Printf("http2: invalid header: %v", invalid) | ||
+ } | ||
+ // It would be nice to send a RST_STREAM before sending the GOAWAY, | ||
+ // but the struture of the server's frame writer makes this difficult. | ||
+ return nil, ConnectionError(ErrCodeProtocol) | ||
+ } | ||
+ | ||
if _, err := hdec.Write(frag); err != nil { | ||
return nil, ConnectionError(ErrCodeCompression) | ||
} | ||
-- | ||
2.44.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
From 87bba52321835fa92f7c91be1b8eef89a93d2506 Mon Sep 17 00:00:00 2001 | ||
From: Damien Neil <dneil@google.com> | ||
Date: Wed, 10 Jan 2024 13:41:39 -0800 | ||
Subject: [PATCH] http2: close connections when receiving too many headers | ||
|
||
Maintaining HPACK state requires that we parse and process | ||
all HEADERS and CONTINUATION frames on a connection. | ||
When a request's headers exceed MaxHeaderBytes, we don't | ||
allocate memory to store the excess headers but we do | ||
parse them. This permits an attacker to cause an HTTP/2 | ||
endpoint to read arbitrary amounts of data, all associated | ||
with a request which is going to be rejected. | ||
|
||
Set a limit on the amount of excess header frames we | ||
will process before closing a connection. | ||
|
||
Thanks to Bartek Nowotarski for reporting this issue. | ||
|
||
Fixes CVE-2023-45288 | ||
Fixes golang/go#65051 | ||
|
||
Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6 | ||
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527 | ||
Reviewed-by: Roland Shoemaker <bracewell@google.com> | ||
Reviewed-by: Tatiana Bradley <tatianabradley@google.com> | ||
Reviewed-on: https://go-review.googlesource.com/c/net/+/576155 | ||
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> | ||
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org> | ||
Reviewed-by: Than McIntosh <thanm@google.com> | ||
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> | ||
--- | ||
src/runtime/vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++ | ||
1 file changed, 31 insertions(+) | ||
|
||
diff --git a/src/runtime/vendor/golang.org/x/net/http2/frame.go b/src/runtime/vendor/golang.org/x/net/http2/frame.go | ||
index c1f6b90..175c154 100644 | ||
--- a/src/runtime/vendor/golang.org/x/net/http2/frame.go | ||
+++ b/src/runtime/vendor/golang.org/x/net/http2/frame.go | ||
@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { | ||
if size > remainSize { | ||
hdec.SetEmitEnabled(false) | ||
mh.Truncated = true | ||
+ remainSize = 0 | ||
return | ||
} | ||
remainSize -= size | ||
@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { | ||
var hc headersOrContinuation = hf | ||
for { | ||
frag := hc.HeaderBlockFragment() | ||
+ | ||
+ // Avoid parsing large amounts of headers that we will then discard. | ||
+ // If the sender exceeds the max header list size by too much, | ||
+ // skip parsing the fragment and close the connection. | ||
+ // | ||
+ // "Too much" is either any CONTINUATION frame after we've already | ||
+ // exceeded the max header list size (in which case remainSize is 0), | ||
+ // or a frame whose encoded size is more than twice the remaining | ||
+ // header list bytes we're willing to accept. | ||
+ if int64(len(frag)) > int64(2*remainSize) { | ||
+ if VerboseLogs { | ||
+ log.Printf("http2: header list too large") | ||
+ } | ||
+ // It would be nice to send a RST_STREAM before sending the GOAWAY, | ||
+ // but the struture of the server's frame writer makes this difficult. | ||
+ return nil, ConnectionError(ErrCodeProtocol) | ||
+ } | ||
+ | ||
+ // Also close the connection after any CONTINUATION frame following an | ||
+ // invalid header, since we stop tracking the size of the headers after | ||
+ // an invalid one. | ||
+ if invalid != nil { | ||
+ if VerboseLogs { | ||
+ log.Printf("http2: invalid header: %v", invalid) | ||
+ } | ||
+ // It would be nice to send a RST_STREAM before sending the GOAWAY, | ||
+ // but the struture of the server's frame writer makes this difficult. | ||
+ return nil, ConnectionError(ErrCodeProtocol) | ||
+ } | ||
+ | ||
if _, err := hdec.Write(frag); err != nil { | ||
return nil, ConnectionError(ErrCodeCompression) | ||
} | ||
-- | ||
2.44.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters