From e5fc50457838bc94981adc8d013dbdf5e60ce109 Mon Sep 17 00:00:00 2001
From: bwzhang
Date: Thu, 21 Mar 2024 11:37:25 +0800
Subject: [PATCH] fix CVE-2023-39325
---
0005-fix-CVE-2023-39325.patch | 148 ++++++++++++++++++++++++++++++++++
k3s-containerd.spec | 9 ++-
2 files changed, 156 insertions(+), 1 deletion(-)
create mode 100644 0005-fix-CVE-2023-39325.patch
diff --git a/0005-fix-CVE-2023-39325.patch b/0005-fix-CVE-2023-39325.patch
new file mode 100644
index 0000000..399fb12
--- /dev/null
+++ b/0005-fix-CVE-2023-39325.patch
@@ -0,0 +1,148 @@
+From e9a63ee00a048c15b719c5cab0241a5d58901464 Mon Sep 17 00:00:00 2001
+From: bwzhang
+Date: Thu, 21 Mar 2024 10:57:12 +0800
+Subject: [PATCH] fix CVE-2023-39325 Pull in a security fix from x/net/http2:
+ http2: limit maximum handler goroutines to MaxConcurrentStreamso
+
+For #63417
+Fixes #63426
+Fixes CVE-2023-39325
+
+Change-Id: I6e32397323cd9b4114c990fcc9d19557a7f5f619
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047401
+Reviewed-by: Tatiana Bradley
+TryBot-Result: Security TryBots
+Run-TryBot: Damien Neil
+Reviewed-by: Ian Cottrell
+Reviewed-on: https://go-review.googlesource.com/c/go/+/534255
+Reviewed-by: Dmitri Shuralyov
+Reviewed-by: Damien Neil
+TryBot-Bypass: Dmitri Shuralyov
+Reviewed-by: Michael Pratt
+Auto-Submit: Dmitri Shuralyov
+---
+ vendor/golang.org/x/net/http2/server.go | 63 ++++++++++++++++++++++++-
+ 1 file changed, 61 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
+index e644d9b..432e2f1 100644
+--- a/vendor/golang.org/x/net/http2/server.go
++++ b/vendor/golang.org/x/net/http2/server.go
+@@ -520,9 +520,11 @@ type serverConn struct {
+ advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
+ curClientStreams uint32 // number of open streams initiated by the client
+ curPushedStreams uint32 // number of open streams initiated by server push
++ curHandlers uint32 // number of running handler goroutines
+ maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests
+ maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes
+ streams map[uint32]*stream
++ unstartedHandlers []unstartedHandler
+ initialStreamSendWindowSize int32
+ maxFrameSize int32
+ headerTableSize uint32
+@@ -909,6 +911,8 @@ func (sc *serverConn) serve() {
+ return
+ case gracefulShutdownMsg:
+ sc.startGracefulShutdownInternal()
++ case handlerDoneMsg:
++ sc.handlerDone()
+ default:
+ panic("unknown timer")
+ }
+@@ -954,6 +958,7 @@ var (
+ idleTimerMsg = new(serverMessage)
+ shutdownTimerMsg = new(serverMessage)
+ gracefulShutdownMsg = new(serverMessage)
++ handlerDoneMsg = new(serverMessage)
+ )
+
+ func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) }
+@@ -1911,8 +1916,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error {
+ sc.conn.SetReadDeadline(time.Time{})
+ }
+
+- go sc.runHandler(rw, req, handler)
+- return nil
++ return sc.scheduleHandler(id, rw, req, handler)
+ }
+
+ func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error {
+@@ -1945,6 +1949,59 @@ func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error {
+ return nil
+ }
+
++type unstartedHandler struct {
++ streamID uint32
++ rw *responseWriter
++ req *http.Request
++ handler func(http.ResponseWriter, *http.Request)
++}
++
++// scheduleHandler starts a handler goroutine,
++// or schedules one to start as soon as an existing handler finishes.
++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error {
++ sc.serveG.check()
++ maxHandlers := sc.advMaxStreams
++ if sc.curHandlers < maxHandlers {
++ sc.curHandlers++
++ go sc.runHandler(rw, req, handler)
++ return nil
++ }
++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) {
++ return ConnectionError(ErrCodeEnhanceYourCalm)
++ }
++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{
++ streamID: streamID,
++ rw: rw,
++ req: req,
++ handler: handler,
++ })
++ return nil
++}
++
++func (sc *serverConn) handlerDone() {
++ sc.serveG.check()
++ sc.curHandlers--
++ i := 0
++ maxHandlers := sc.advMaxStreams
++ for ; i < len(sc.unstartedHandlers); i++ {
++ u := sc.unstartedHandlers[i]
++ if sc.streams[u.streamID] == nil {
++ // This stream was reset before its goroutine had a chance to start.
++ continue
++ }
++ if sc.curHandlers >= maxHandlers {
++ break
++ }
++ sc.curHandlers++
++ go sc.runHandler(u.rw, u.req, u.handler)
++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references
++ }
++ sc.unstartedHandlers = sc.unstartedHandlers[i:]
++ if len(sc.unstartedHandlers) == 0 {
++ sc.unstartedHandlers = nil
++ }
++}
++
+ func (sc *serverConn) checkPriority(streamID uint32, p PriorityParam) error {
+ if streamID == p.StreamDep {
+ // Section 5.3.1: "A stream cannot depend on itself. An endpoint MUST treat
+@@ -2161,6 +2218,7 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r
+
+ // Run on its own goroutine.
+ func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) {
++ defer sc.sendServeMsg(handlerDoneMsg)
+ didPanic := true
+ defer func() {
+ rw.rws.stream.cancelCtx()
+@@ -2923,6 +2981,7 @@ func (sc *serverConn) startPush(msg *startPushRequest) {
+ panic(fmt.Sprintf("newWriterAndRequestNoBody(%+v): %v", msg.url, err))
+ }
+
++ sc.curHandlers++
+ go sc.runHandler(rw, req, sc.handler.ServeHTTP)
+ return promisedID, nil
+ }
+--
+2.20.1
+
diff --git a/k3s-containerd.spec b/k3s-containerd.spec
index 5298330..d6c79a8 100644
--- a/k3s-containerd.spec
+++ b/k3s-containerd.spec
@@ -3,7 +3,7 @@ %global version_suffix k3s1
Version: 1.6.6
Name: k3s-containerd
-Release: 8
+Release: 9
Summary: An industry-standard container runtime
License: Apache-2.0
URL: https://github.com/k3s-io/containerd
@@ -13,6 +13,7 @@ Patch0001: 0001-Fix-CVE-2023-25153.patch
Patch0002: 0002-Fix-CVE-2022-23471.patch
Patch0003: 0003-fix-PLATYPUS-attack-of-RAPL-accessible-to-a-containe.patch
Patch0004: 0004-fix-CVE-2023-25173.patch
+Patch0005: 0005-fix-CVE-2023-39325.patch
BuildRequires: golang glibc-static make btrfs-progs-devel
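Review bot: In `scheduleHandler`, the over-queue path returns a bare `ConnectionError(ErrCodeEnhanceYourCalm)`; if I read the upstream x/net fix correctly, it returns `sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm))` so that the rejection is reported through the `Server.CountError` hook. If the vendored server.go already has `countError`, keeping that wrapper gives operators a way to observe connections being dropped for this reason; if it does not, a one-line comment such as `// upstream wraps this in sc.countError("too_many_early_resets", ...), which this vendored copy lacks` would spare the next rebase a puzzle. The embedded patch's `Subject:` line also runs the commit body into the title and carries the typo `MaxConcurrentStreamso`, which is cosmetic but becomes the recorded title if the patch is ever applied with `git am`.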
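Review bot: `Patch0005: 0005-fix-CVE-2023-39325.patch` is declared in this hunk, but whether it is actually applied depends on the `%prep` section, which is outside the diff. If `%prep` applies the earlier patches with individual `%patch` lines rather than `%autosetup`, a matching line for this one (e.g. `%patch0005 -p1`) is needed; without it the build succeeds with the CVE fix silently absent. The changelog entry added in the last hunk records `- CVE:NA` even though this release exists to fix CVE-2023-39325; `- CVE:CVE-2023-39325` is what downstream advisory tracking would expect.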
@@ -73,6 +74,12 @@ cp -rf %{_builddir}/containerd-%{version}-%{version_suffix}/. %{buildroot}%{_lib
%changelog
+* Thu Mar 21 2024 zhangbowei - 1.6.6-k3s1-9
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2023-39325
+
+* Tue Mar 19 2024 zhangbowei - 1.6.6-k3s1-8 - Type:bugfix - CVE:NA -- Gitee