From 7312d8fcfeca15ef5aaf4d48185432b91cab26e4 Mon Sep 17 00:00:00 2001
From: Aadhar Agarwal
Date: Mon, 25 Nov 2024 11:21:32 -0800
Subject: [PATCH 1/3] Fix CVE-2023-45288 in kata-containers
---
 SPECS/kata-containers/CVE-2023-45288.patch | 86 ++++++++++++++++++++++
 SPECS/kata-containers/kata-containers.spec | 7 +-
 2 files changed, 91 insertions(+), 2 deletions(-)
 create mode 100644 SPECS/kata-containers/CVE-2023-45288.patch
diff --git a/SPECS/kata-containers/CVE-2023-45288.patch b/SPECS/kata-containers/CVE-2023-45288.patch
new file mode 100644
index 00000000000..95295abb442
--- /dev/null
+++ b/SPECS/kata-containers/CVE-2023-45288.patch
@@ -0,0 +1,86 @@
+From 87bba52321835fa92f7c91be1b8eef89a93d2506 Mon Sep 17 00:00:00 2001
+From: Damien Neil
+Date: Wed, 10 Jan 2024 13:41:39 -0800
+Subject: [PATCH] http2: close connections when receiving too many headers
+
+Maintaining HPACK state requires that we parse and process
+all HEADERS and CONTINUATION frames on a connection.
+When a request's headers exceed MaxHeaderBytes, we don't
+allocate memory to store the excess headers but we do
+parse them. This permits an attacker to cause an HTTP/2
+endpoint to read arbitrary amounts of data, all associated
+with a request which is going to be rejected.
+
+Set a limit on the amount of excess header frames we
+will process before closing a connection.
+
+Thanks to Bartek Nowotarski for reporting this issue.
+
+Fixes CVE-2023-45288
+Fixes golang/go#65051
+
+Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527
+Reviewed-by: Roland Shoemaker
+Reviewed-by: Tatiana Bradley
+Reviewed-on: https://go-review.googlesource.com/c/net/+/576155
+Reviewed-by: Dmitri Shuralyov
+Auto-Submit: Dmitri Shuralyov
+Reviewed-by: Than McIntosh
+LUCI-TryBot-Result: Go LUCI
+---
+ vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
+index c1f6b90..175c154 100644
+--- a/vendor/golang.org/x/net/http2/frame.go
++++ b/vendor/golang.org/x/net/http2/frame.go
+@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
+ if size > remainSize {
+ hdec.SetEmitEnabled(false)
+ mh.Truncated = true
++ remainSize = 0
+ return
+ }
+ remainSize -= size
+@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
+ var hc headersOrContinuation = hf
+ for {
+ frag := hc.HeaderBlockFragment()
++
++ // Avoid parsing large amounts of headers that we will then discard.
++ // If the sender exceeds the max header list size by too much,
++ // skip parsing the fragment and close the connection.
++ //
++ // "Too much" is either any CONTINUATION frame after we've already
++ // exceeded the max header list size (in which case remainSize is 0),
++ // or a frame whose encoded size is more than twice the remaining
++ // header list bytes we're willing to accept.
++ if int64(len(frag)) > int64(2*remainSize) {
++ if VerboseLogs {
++ log.Printf("http2: header list too large")
++ }
++ // It would be nice to send a RST_STREAM before sending the GOAWAY,
++ // but the struture of the server's frame writer makes this difficult.
++ return nil, ConnectionError(ErrCodeProtocol)
++ }
++
++ // Also close the connection after any CONTINUATION frame following an
++ // invalid header, since we stop tracking the size of the headers after
++ // an invalid one.
++ if invalid != nil {
++ if VerboseLogs {
++ log.Printf("http2: invalid header: %v", invalid)
++ }
++ // It would be nice to send a RST_STREAM before sending the GOAWAY,
++ // but the struture of the server's frame writer makes this difficult.
++ return nil, ConnectionError(ErrCodeProtocol)
++ }
++
+ if _, err := hdec.Write(frag); err != nil {
+ return nil, ConnectionError(ErrCodeCompression)
+ }
+--
+2.44.0
+
diff --git a/SPECS/kata-containers/kata-containers.spec b/SPECS/kata-containers/kata-containers.spec
index 0400e8d583f..bf06eba13dd 100644
--- a/SPECS/kata-containers/kata-containers.spec
+++ b/SPECS/kata-containers/kata-containers.spec
@@ -2,7 +2,7 @@
 Name: kata-containers
 Version: 3.2.0.azl3
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Kata Containers package developed for Pod Sandboxing on AKS
 License: ASL 2.0
 URL: https://github.com/microsoft/kata-containers
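Review bot: The backported hunks only reach the single copy of golang.org/x/net/http2/frame.go that this patch file's paths name; if any other Go module in the kata tree vendors its own x/net/http2, or the same server code is exercised through the Go standard library's bundled net/http copy (which was fixed separately in the toolchain for this CVE), those copies stay vulnerable and the `- Fix CVE-2023-45288` changelog entry overstates the coverage — worth a `grep -rl 'func (fr \*Framer) readMetaFrame'` over the unpacked source and a check of which golang the spec's `BuildRequires: golang` resolves to. Operators should also know the behavioural change both new checks introduce: returning `ConnectionError(ErrCodeProtocol)` means an over-limit or invalid header list now closes the whole connection with GOAWAY instead of rejecting one stream, as the `It would be nice to send a RST_STREAM before sending the GOAWAY` comment concedes, so unrelated in-flight streams on that connection are lost. Both copies of that comment misspell `struture`; since the patch is being re-rolled anyway, `// but the structure of the server's frame writer makes this difficult.` fixes it without touching the logic. readMetaFrame itself begins and ends outside the quoted hunks.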
@@ -10,7 +10,7 @@ Vendor: Microsoft Corporation
 Distribution: Azure Linux
 Source0: https://github.com/microsoft/kata-containers/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1: %{name}-%{version}-cargo.tar.gz
-
+Patch0: CVE-2023-45288.patch
 ExclusiveArch: x86_64
 BuildRequires: golang
@@ -110,6 +110,9 @@ popd
 %{tools_pkg}/tools/osbuilder/node-builder/azure-linux/agent-install/usr/lib/systemd/system/kata-agent.service
 %changelog
+* Mon Nov 25 2024 Aadhar Agarwal - 3.2.0.azl3-3
+- Fix CVE-2023-45288
+
 * Thu Oct 25 2024 Saul Paredes - 3.2.0.azl3-2
 - Only build for x86_64
From 14703a4e05f6fb19e9cf80e3bd16739cd6f855cf Mon Sep 17 00:00:00 2001
From: Aadhar Agarwal
Date: Mon, 25 Nov 2024 16:31:47 -0800
Subject: [PATCH 2/3] Update date in changelog for 3.2.0.azl3-2
---
 SPECS/kata-containers/kata-containers.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SPECS/kata-containers/kata-containers.spec b/SPECS/kata-containers/kata-containers.spec
index bf06eba13dd..61335e7f884 100644
--- a/SPECS/kata-containers/kata-containers.spec
+++ b/SPECS/kata-containers/kata-containers.spec
@@ -113,7 +113,7 @@ popd
 * Mon Nov 25 2024 Aadhar Agarwal - 3.2.0.azl3-3
 - Fix CVE-2023-45288
-* Thu Oct 25 2024 Saul Paredes - 3.2.0.azl3-2
+* Fri Oct 25 2024 Saul Paredes - 3.2.0.azl3-2
 - Only build for x86_64
 * Fri Sep 20 2024 Manuel Huber - 3.2.0.azl3-1
From 6083183a29829ebea97f665e29272afb8d04aa65 Mon Sep 17 00:00:00 2001
From: Aadhar Agarwal
Date: Mon, 25 Nov 2024 18:26:52 -0800
Subject: [PATCH 3/3] Update patch to find the vendor dir
---
 SPECS/kata-containers/CVE-2023-45288.patch | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/SPECS/kata-containers/CVE-2023-45288.patch b/SPECS/kata-containers/CVE-2023-45288.patch
index 95295abb442..fec5757cbdb 100644
--- a/SPECS/kata-containers/CVE-2023-45288.patch
+++ b/SPECS/kata-containers/CVE-2023-45288.patch
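Review bot: `Patch0: CVE-2023-45288.patch` is only declared in the preamble hunk; nothing in this diff shows %prep applying it, so the fix is effective only if %prep runs `%autosetup -p1` (or an explicit `%patch0 -p1`) — a declared-but-unapplied Patch0 still builds cleanly and would make the new `- Fix CVE-2023-45288` changelog entry wrong. The %prep section is outside these hunks, so that needs confirming against the full spec. If it is applied with `-p1`, the patch's `a/src/runtime/vendor/...` paths resolve inside the unpacked `%{name}-%{version}` tree and rpm's default zero fuzz will reject a mismatched context, so a successful build is a reasonable signal that the vendored x/net matches the upstream hunks even though the inner `index c1f6b90..175c154` line refers to x/net's own blob rather than kata's vendored one.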
@@ -29,13 +29,13 @@ Auto-Submit: Dmitri Shuralyov
 Reviewed-by: Than McIntosh
 LUCI-TryBot-Result: Go LUCI
 ---
- vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++
+ src/runtime/vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
-diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
+diff --git a/src/runtime/vendor/golang.org/x/net/http2/frame.go b/src/runtime/vendor/golang.org/x/net/http2/frame.go
 index c1f6b90..175c154 100644
---- a/vendor/golang.org/x/net/http2/frame.go
-+++ b/vendor/golang.org/x/net/http2/frame.go
+--- a/src/runtime/vendor/golang.org/x/net/http2/frame.go
++++ b/src/runtime/vendor/golang.org/x/net/http2/frame.go
 @@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
 if size > remainSize {
 hdec.SetEmitEnabled(false)