Actually fix CVE-2019-9514 and CVE-2019-9512

2019-08-28 12:37:49 +02:00 · 2019-08-28 12:37:49 +02:00 · af8d391cb2
parent 081d5ff6f2
commit af8d391cb2
2 changed files with 330 additions and 1 deletions
--- a/0001-release-branch.go1.13-net-http-update-bundled-golang.patch
+++ b/0001-release-branch.go1.13-net-http-update-bundled-golang.patch
@ -0,0 +1,323 @@
+From 5c379a437e904eb1f94296fa9d45276cd6e4f5a9 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Tue, 13 Aug 2019 16:29:01 -0400
+Subject: [PATCH] [release-branch.go1.13] net/http: update bundled
+ golang.org/x/net/http2 to import security fix
+
+Update golang.org/x/net to v0.0.0-20190813141303-74dc4d7220e7 to import
+the following security fix.
+
+    commit 74dc4d7220e7acc4e100824340f3e66577424772
+    Author: Filippo Valsorda <filippo@golang.org>
+    Date:   Sun Aug 11 02:12:18 2019 -0400
+
+    http2: limit number of control frames in server send queue
+
+    An attacker could cause servers to queue an unlimited number of PING
+    ACKs or RST_STREAM frames by soliciting them and not reading them, until
+    the program runs out of memory.
+
+    Limit control frames in the queue to a few thousands (matching the limit
+    imposed by other vendors) by counting as they enter and exit the scheduler,
+    so the protection will work with any WriteScheduler.
+
+    Once the limit is exceeded, close the connection, as we have no way to
+    communicate with the peer.
+
+    Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
+    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
+    Reviewed-by: Brad Fitzpatrick <bradfitz@google.com>
+
+This change was generated with cmd/go and cmd/bundle:
+
+$ go get -u golang.org/x/net
+$ go mod tidy
+$ go mod vendor
+$ go generate net/http
+
+Fixes CVE-2019-9512 and CVE-2019-9514
+Fixes #33606
+
+Change-Id: I464baf96175006aa101d65d3b0f6494f28a626ab
+Reviewed-on: https://go-review.googlesource.com/c/go/+/190137
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+(cherry picked from commit 145e193131eb486077b66009beb051aba07c52a5)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/191618
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+---
+ src/go.mod                                    |  2 +-
+ src/go.sum                                    |  4 +-
+ src/net/http/h2_bundle.go                     | 56 +++++++++++++++----
+ .../x/net/lif/zsys_solaris_amd64.go           |  2 +-
+ .../golang.org/x/net/route/zsys_darwin.go     |  2 +-
+ .../golang.org/x/net/route/zsys_dragonfly.go  |  2 +-
+ .../x/net/route/zsys_freebsd_386.go           |  2 +-
+ .../x/net/route/zsys_freebsd_amd64.go         |  2 +-
+ .../x/net/route/zsys_freebsd_arm.go           |  2 +-
+ .../golang.org/x/net/route/zsys_netbsd.go     |  2 +-
+ .../golang.org/x/net/route/zsys_openbsd.go    |  2 +-
+ src/vendor/modules.txt                        |  2 +-
+ 12 files changed, 58 insertions(+), 22 deletions(-)
+
+diff --git a/src/go.mod b/src/go.mod
+index 0d7d70f014..90af2a7ea0 100644
+--- a/src/go.mod
+++ b/src/go.mod
+@@ -4,7 +4,7 @@ go 1.12
+ 
+ require (
+ 	golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8
+-	golang.org/x/net v0.0.0-20190607181551-461777fb6f67
+	golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7
+ 	golang.org/x/sys v0.0.0-20190529130038-5219a1e1c5f8 // indirect
+ 	golang.org/x/text v0.3.2 // indirect
+ )
+diff --git a/src/go.sum b/src/go.sum
+index 363ee7ae23..e358118e4c 100644
+--- a/src/go.sum
+++ b/src/go.sum
+@@ -2,8 +2,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
+ golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8 h1:1wopBVtVdWnn03fZelqdXTqk7U7zPQCb+T4rbU9ZEoU=
+ golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+-golang.org/x/net v0.0.0-20190607181551-461777fb6f67 h1:rJJxsykSlULwd2P2+pg/rtnwN2FrWp4IuCxOSyS0V00=
+-golang.org/x/net v0.0.0-20190607181551-461777fb6f67/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 h1:fHDIZ2oxGnUZRN6WgWFCbYBjH9uqVPRCUVUDhs0wnbA=
+golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+ golang.org/x/sys v0.0.0-20190529130038-5219a1e1c5f8 h1:2WjIC11WRITGlVWmyLXKjzIVj1ZwoWZ//tadeUUV6/o=
+diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
+index 173622fc8b..53cc5bd1b8 100644
+--- a/src/net/http/h2_bundle.go
+++ b/src/net/http/h2_bundle.go
+@@ -3611,10 +3611,11 @@ func (p *http2pipe) Done() <-chan struct{} {
+ }
+ 
+ const (
+-	http2prefaceTimeout        = 10 * time.Second
+-	http2firstSettingsTimeout  = 2 * time.Second // should be in-flight with preface anyway
+-	http2handlerChunkWriteSize = 4 << 10
+-	http2defaultMaxStreams     = 250 // TODO: make this 100 as the GFE seems to?
+	http2prefaceTimeout         = 10 * time.Second
+	http2firstSettingsTimeout   = 2 * time.Second // should be in-flight with preface anyway
+	http2handlerChunkWriteSize  = 4 << 10
+	http2defaultMaxStreams      = 250 // TODO: make this 100 as the GFE seems to?
+	http2maxQueuedControlFrames = 10000
+ )
+ 
+ var (
+@@ -3722,6 +3723,15 @@ func (s *http2Server) maxConcurrentStreams() uint32 {
+ 	return http2defaultMaxStreams
+ }
+ 
+// maxQueuedControlFrames is the maximum number of control frames like
+// SETTINGS, PING and RST_STREAM that will be queued for writing before
+// the connection is closed to prevent memory exhaustion attacks.
+func (s *http2Server) maxQueuedControlFrames() int {
+	// TODO: if anybody asks, add a Server field, and remember to define the
+	// behavior of negative values.
+	return http2maxQueuedControlFrames
+}
+
+ type http2serverInternalState struct {
+ 	mu          sync.Mutex
+ 	activeConns map[*http2serverConn]struct{}
+@@ -4065,6 +4075,7 @@ type http2serverConn struct {
+ 	sawFirstSettings            bool // got the initial SETTINGS frame after the preface
+ 	needToSendSettingsAck       bool
+ 	unackedSettings             int    // how many SETTINGS have we sent without ACKs?
+	queuedControlFrames         int    // control frames in the writeSched queue
+ 	clientMaxStreams            uint32 // SETTINGS_MAX_CONCURRENT_STREAMS from client (our PUSH_PROMISE limit)
+ 	advMaxStreams               uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
+ 	curClientStreams            uint32 // number of open streams initiated by the client
+@@ -4456,6 +4467,14 @@ func (sc *http2serverConn) serve() {
+ 			}
+ 		}
+ 
+		// If the peer is causing us to generate a lot of control frames,
+		// but not reading them from us, assume they are trying to make us
+		// run out of memory.
+		if sc.queuedControlFrames > sc.srv.maxQueuedControlFrames() {
+			sc.vlogf("http2: too many control frames in send queue, closing connection")
+			return
+		}
+
+ 		// Start the shutdown timer after sending a GOAWAY. When sending GOAWAY
+ 		// with no error code (graceful shutdown), don't start the timer until
+ 		// all open streams have been completed.
+@@ -4657,6 +4676,14 @@ func (sc *http2serverConn) writeFrame(wr http2FrameWriteRequest) {
+ 	}
+ 
+ 	if !ignoreWrite {
+		if wr.isControl() {
+			sc.queuedControlFrames++
+			// For extra safety, detect wraparounds, which should not happen,
+			// and pull the plug.
+			if sc.queuedControlFrames < 0 {
+				sc.conn.Close()
+			}
+		}
+ 		sc.writeSched.Push(wr)
+ 	}
+ 	sc.scheduleFrameWrite()
+@@ -4774,10 +4801,8 @@ func (sc *http2serverConn) wroteFrame(res http2frameWriteResult) {
+ // If a frame is already being written, nothing happens. This will be called again
+ // when the frame is done being written.
+ //
+-// If a frame isn't being written we need to send one, the best frame
+-// to send is selected, preferring first things that aren't
+-// stream-specific (e.g. ACKing settings), and then finding the
+-// highest priority stream.
+// If a frame isn't being written and we need to send one, the best frame
+// to send is selected by writeSched.
+ //
+ // If a frame isn't being written and there's nothing else to send, we
+ // flush the write buffer.
+@@ -4805,6 +4830,9 @@ func (sc *http2serverConn) scheduleFrameWrite() {
+ 		}
+ 		if !sc.inGoAway || sc.goAwayCode == http2ErrCodeNo {
+ 			if wr, ok := sc.writeSched.Pop(); ok {
+				if wr.isControl() {
+					sc.queuedControlFrames--
+				}
+ 				sc.startFrameWrite(wr)
+ 				continue
+ 			}
+@@ -5097,6 +5125,8 @@ func (sc *http2serverConn) processSettings(f *http2SettingsFrame) error {
+ 	if err := f.ForeachSetting(sc.processSetting); err != nil {
+ 		return err
+ 	}
+	// TODO: judging by RFC 7540, Section 6.5.3 each SETTINGS frame should be
+	// acknowledged individually, even if multiple are received before the ACK.
+ 	sc.needToSendSettingsAck = true
+ 	sc.scheduleFrameWrite()
+ 	return nil
+@@ -7451,7 +7481,7 @@ func (cc *http2ClientConn) roundTrip(req *Request) (res *Response, gotErrAfterRe
+ 		req.Method != "HEAD" {
+ 		// Request gzip only, not deflate. Deflate is ambiguous and
+ 		// not as universally supported anyway.
+-		// See: http://www.gzip.org/zlib/zlib_faq.html#faq38
+		// See: https://zlib.net/zlib_faq.html#faq39
+ 		//
+ 		// Note that we don't request this for HEAD requests,
+ 		// due to a bug in nginx:
+@@ -9445,7 +9475,7 @@ type http2WriteScheduler interface {
+ 
+ 	// Pop dequeues the next frame to write. Returns false if no frames can
+ 	// be written. Frames with a given wr.StreamID() are Pop'd in the same
+-	// order they are Push'd.
+	// order they are Push'd. No frames should be discarded except by CloseStream.
+ 	Pop() (wr http2FrameWriteRequest, ok bool)
+ }
+ 
+@@ -9489,6 +9519,12 @@ func (wr http2FrameWriteRequest) StreamID() uint32 {
+ 	return wr.stream.id
+ }
+ 
+// isControl reports whether wr is a control frame for MaxQueuedControlFrames
+// purposes. That includes non-stream frames and RST_STREAM frames.
+func (wr http2FrameWriteRequest) isControl() bool {
+	return wr.stream == nil
+}
+
+ // DataSize returns the number of flow control bytes that must be consumed
+ // to write this entire frame. This is 0 for non-DATA frames.
+ func (wr http2FrameWriteRequest) DataSize() int {
+diff --git a/src/vendor/golang.org/x/net/lif/zsys_solaris_amd64.go b/src/vendor/golang.org/x/net/lif/zsys_solaris_amd64.go
+index b5e999bec3..d7a70d4ed9 100644
+--- a/src/vendor/golang.org/x/net/lif/zsys_solaris_amd64.go
+++ b/src/vendor/golang.org/x/net/lif/zsys_solaris_amd64.go
+@@ -1,4 +1,4 @@
+-// Created by cgo -godefs - DO NOT EDIT
+// Code generated by cmd/cgo -godefs; DO NOT EDIT.
+ // cgo -godefs defs_solaris.go
+ 
+ package lif
+diff --git a/src/vendor/golang.org/x/net/route/zsys_darwin.go b/src/vendor/golang.org/x/net/route/zsys_darwin.go
+index 4e2e1ab090..19e4133f7d 100644
+--- a/src/vendor/golang.org/x/net/route/zsys_darwin.go
+++ b/src/vendor/golang.org/x/net/route/zsys_darwin.go
+@@ -1,4 +1,4 @@
+-// Created by cgo -godefs - DO NOT EDIT
+// Code generated by cmd/cgo -godefs; DO NOT EDIT.
+ // cgo -godefs defs_darwin.go
+ 
+ package route
+diff --git a/src/vendor/golang.org/x/net/route/zsys_dragonfly.go b/src/vendor/golang.org/x/net/route/zsys_dragonfly.go
+index 719c88d11f..8ed2d4d550 100644
+--- a/src/vendor/golang.org/x/net/route/zsys_dragonfly.go
+++ b/src/vendor/golang.org/x/net/route/zsys_dragonfly.go
+@@ -1,4 +1,4 @@
+-// Created by cgo -godefs - DO NOT EDIT
+// Code generated by cmd/cgo -godefs; DO NOT EDIT.
+ // cgo -godefs defs_dragonfly.go
+ 
+ package route
+diff --git a/src/vendor/golang.org/x/net/route/zsys_freebsd_386.go b/src/vendor/golang.org/x/net/route/zsys_freebsd_386.go
+index b03bc01f65..f36aaadb59 100644
+--- a/src/vendor/golang.org/x/net/route/zsys_freebsd_386.go
+++ b/src/vendor/golang.org/x/net/route/zsys_freebsd_386.go
+@@ -1,4 +1,4 @@
+-// Created by cgo -godefs - DO NOT EDIT
+// Code generated by cmd/cgo -godefs; DO NOT EDIT.
+ // cgo -godefs defs_freebsd.go
+ 
+ package route
+diff --git a/src/vendor/golang.org/x/net/route/zsys_freebsd_amd64.go b/src/vendor/golang.org/x/net/route/zsys_freebsd_amd64.go
+index 0b675b3d3f..4c639b82e4 100644
+--- a/src/vendor/golang.org/x/net/route/zsys_freebsd_amd64.go
+++ b/src/vendor/golang.org/x/net/route/zsys_freebsd_amd64.go
+@@ -1,4 +1,4 @@
+-// Created by cgo -godefs - DO NOT EDIT
+// Code generated by cmd/cgo -godefs; DO NOT EDIT.
+ // cgo -godefs defs_freebsd.go
+ 
+ package route
+diff --git a/src/vendor/golang.org/x/net/route/zsys_freebsd_arm.go b/src/vendor/golang.org/x/net/route/zsys_freebsd_arm.go
+index 58f8ea16f2..710c1472b6 100644
+--- a/src/vendor/golang.org/x/net/route/zsys_freebsd_arm.go
+++ b/src/vendor/golang.org/x/net/route/zsys_freebsd_arm.go
+@@ -1,4 +1,4 @@
+-// Created by cgo -godefs - DO NOT EDIT
+// Code generated by cmd/cgo -godefs; DO NOT EDIT.
+ // cgo -godefs defs_freebsd.go
+ 
+ package route
+diff --git a/src/vendor/golang.org/x/net/route/zsys_netbsd.go b/src/vendor/golang.org/x/net/route/zsys_netbsd.go
+index e0df45e8b5..b4f66ca6cb 100644
+--- a/src/vendor/golang.org/x/net/route/zsys_netbsd.go
+++ b/src/vendor/golang.org/x/net/route/zsys_netbsd.go
+@@ -1,4 +1,4 @@
+-// Created by cgo -godefs - DO NOT EDIT
+// Code generated by cmd/cgo -godefs; DO NOT EDIT.
+ // cgo -godefs defs_netbsd.go
+ 
+ package route
+diff --git a/src/vendor/golang.org/x/net/route/zsys_openbsd.go b/src/vendor/golang.org/x/net/route/zsys_openbsd.go
+index db8c8efb49..1021b4cea4 100644
+--- a/src/vendor/golang.org/x/net/route/zsys_openbsd.go
+++ b/src/vendor/golang.org/x/net/route/zsys_openbsd.go
+@@ -1,4 +1,4 @@
+-// Created by cgo -godefs - DO NOT EDIT
+// Code generated by cmd/cgo -godefs; DO NOT EDIT.
+ // cgo -godefs defs_openbsd.go
+ 
+ package route
+diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
+index 20f261bf83..453a312661 100644
+--- a/src/vendor/modules.txt
+++ b/src/vendor/modules.txt
+@@ -7,7 +7,7 @@ golang.org/x/crypto/hkdf
+ golang.org/x/crypto/internal/chacha20
+ golang.org/x/crypto/internal/subtle
+ golang.org/x/crypto/poly1305
+-# golang.org/x/net v0.0.0-20190607181551-461777fb6f67
+# golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7
+ golang.org/x/net/dns/dnsmessage
+ golang.org/x/net/http/httpguts
+ golang.org/x/net/http/httpproxy
+-- 
+2.21.0
+
--- a/golang.spec
+++ b/golang.spec
@ -106,7 +106,7 @@

 Name:           golang
 Version:        1.13
-Release:        0.rc1.1%{?dist}
+Release:        0.rc1.2%{?dist}
 Summary:        The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
 License:        BSD and Public Domain
@ -184,6 +184,7 @@ Requires:       go-srpm-macros
 Patch1:       0001-Don-t-use-the-bundled-tzdata-at-runtime-except-for-t.patch
 Patch2:       0002-syscall-expose-IfInfomsg.X__ifi_pad-on-s390x.patch
 Patch3:       0003-cmd-go-disable-Google-s-proxy-and-sumdb.patch
+Patch4:       0001-release-branch.go1.13-net-http-update-bundled-golang.patch

 # Having documentation separate was broken
 Obsoletes:      %{name}-docs < 1.1-4
@ -310,6 +311,7 @@ Requires:       %{name} = %{version}-%{release}
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1

 cp %{SOURCE1} ./src/runtime/

@ -548,6 +550,10 @@ fi
 %endif

 %changelog
+* Wed Aug 28 2019 Jakub Čajka <jcajka@redhat.com> - 1.13-0.rc1.2
+- Actually fix CVE-2019-9514 and CVE-2019-9512
+- Related: BZ#1741816, BZ#1741827
+
 * Mon Aug 26 2019 Jakub Čajka <jcajka@redhat.com> - 1.13-0.rc1.1
 - Rebase to 1.13rc1
 - Fix for CVE-2019-14809, CVE-2019-9514 and CVE-2019-9512