3.0-dev - coredns - Address CVE-2023-44487, CVE-2023-45288, CVE-2023-49295, CVE-2024-0874, CVE-2024-22189 (#9480)

Co-authored-by: CBL-Mariner Servicing Account <cblmargh@microsoft.com>

SPECS/coredns/CVE-2023-44487.patch

@@ -0,0 +1,151 @@
+From: Damien Neil <dneil@google.com>
+Date: Fri, 6 Oct 2023 09:51:19 -0700
+Subject: [PATCH] http2: limit maximum handler goroutines to
+ MaxConcurrentStreams
+
+When the peer opens a new stream while we have MaxConcurrentStreams
+handler goroutines running, defer starting a handler until one
+of the existing handlers exits.
+
+Fixes golang/go#63417
+Fixes CVE-2023-39325
+
+Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-by: Ian Cottrell <iancottrell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/534215
+Reviewed-by: Michael Pratt <mpratt@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
+Reviewed-by: Damien Neil <dneil@google.com>
+
+Modified to apply to vendored code by: Daniel McIlvaney <damcilva@microsoft.com>
+ - Adjusted paths
+ - Removed reference to server_test.go
+---
+ vendor/golang.org/x/net/http2/server.go | 66 ++++++++++++++++++++++++-
+ 1 file changed, 64 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
+index 033b6e6..4561e3c 100644
+--- a/vendor/golang.org/x/net/http2/server.go
++++ b/vendor/golang.org/x/net/http2/server.go
+@@ -581,9 +581,11 @@ type serverConn struct {
+ 	advMaxStreams               uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
+ 	curClientStreams            uint32 // number of open streams initiated by the client
+ 	curPushedStreams            uint32 // number of open streams initiated by server push
++	curHandlers                 uint32 // number of running handler goroutines
+ 	maxClientStreamID           uint32 // max ever seen from client (odd), or 0 if there have been no client requests
+ 	maxPushPromiseID            uint32 // ID of the last push promise (even), or 0 if there have been no pushes
+ 	streams                     map[uint32]*stream
++	unstartedHandlers           []unstartedHandler
+ 	initialStreamSendWindowSize int32
+ 	maxFrameSize                int32
+ 	peerMaxHeaderListSize       uint32            // zero means unknown (default)
+@@ -981,6 +983,8 @@ func (sc *serverConn) serve() {
+ 					return
+ 				case gracefulShutdownMsg:
+ 					sc.startGracefulShutdownInternal()
++				case handlerDoneMsg:
++					sc.handlerDone()
+ 				default:
+ 					panic("unknown timer")
+ 				}
+@@ -1028,6 +1032,7 @@ var (
+ 	idleTimerMsg        = new(serverMessage)
+ 	shutdownTimerMsg    = new(serverMessage)
+ 	gracefulShutdownMsg = new(serverMessage)
++	handlerDoneMsg      = new(serverMessage)
+ )
+ 
+ func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) }
+@@ -2025,8 +2030,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error {
+ 		}
+ 	}
+ 
+-	go sc.runHandler(rw, req, handler)
+-	return nil
++	return sc.scheduleHandler(id, rw, req, handler)
+ }
+ 
+ func (sc *serverConn) upgradeRequest(req *http.Request) {
+@@ -2046,6 +2050,10 @@ func (sc *serverConn) upgradeRequest(req *http.Request) {
+ 		sc.conn.SetReadDeadline(time.Time{})
+ 	}
+ 
++	// This is the first request on the connection,
++	// so start the handler directly rather than going
++	// through scheduleHandler.
++	sc.curHandlers++
+ 	go sc.runHandler(rw, req, sc.handler.ServeHTTP)
+ }
+
+@@ -2286,8 +2294,62 @@ func (sc *serverConn) newResponseWriter(st *stream, req *http.Request) *response
+ 	return &responseWriter{rws: rws}
+ }
+ 
++type unstartedHandler struct {
++	streamID uint32
++	rw       *responseWriter
++	req      *http.Request
++	handler  func(http.ResponseWriter, *http.Request)
++}
++
++// scheduleHandler starts a handler goroutine,
++// or schedules one to start as soon as an existing handler finishes.
++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error {
++	sc.serveG.check()
++	maxHandlers := sc.advMaxStreams
++	if sc.curHandlers < maxHandlers {
++		sc.curHandlers++
++		go sc.runHandler(rw, req, handler)
++		return nil
++	}
++	if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) {
++		return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm))
++	}
++	sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{
++		streamID: streamID,
++		rw:       rw,
++		req:      req,
++		handler:  handler,
++	})
++	return nil
++}
++
++func (sc *serverConn) handlerDone() {
++	sc.serveG.check()
++	sc.curHandlers--
++	i := 0
++	maxHandlers := sc.advMaxStreams
++	for ; i < len(sc.unstartedHandlers); i++ {
++		u := sc.unstartedHandlers[i]
++		if sc.streams[u.streamID] == nil {
++			// This stream was reset before its goroutine had a chance to start.
++			continue
++		}
++		if sc.curHandlers >= maxHandlers {
++			break
++		}
++		sc.curHandlers++
++		go sc.runHandler(u.rw, u.req, u.handler)
++		sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references
++	}
++	sc.unstartedHandlers = sc.unstartedHandlers[i:]
++	if len(sc.unstartedHandlers) == 0 {
++		sc.unstartedHandlers = nil
++	}
++}
++
+ // Run on its own goroutine.
+ func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) {
++	defer sc.sendServeMsg(handlerDoneMsg)
+ 	didPanic := true
+ 	defer func() {
+ 		rw.rws.stream.cancelCtx()
+--
+2.33.8

SPECS/coredns/CVE-2023-45288.patch

@@ -0,0 +1,86 @@
+From 87bba52321835fa92f7c91be1b8eef89a93d2506 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 10 Jan 2024 13:41:39 -0800
+Subject: [PATCH] http2: close connections when receiving too many headers
+
+Maintaining HPACK state requires that we parse and process
+all HEADERS and CONTINUATION frames on a connection.
+When a request's headers exceed MaxHeaderBytes, we don't
+allocate memory to store the excess headers but we do
+parse them. This permits an attacker to cause an HTTP/2
+endpoint to read arbitrary amounts of data, all associated
+with a request which is going to be rejected.
+
+Set a limit on the amount of excess header frames we
+will process before closing a connection.
+
+Thanks to Bartek Nowotarski for reporting this issue.
+
+Fixes CVE-2023-45288
+Fixes golang/go#65051
+
+Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/576155
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
+Reviewed-by: Than McIntosh <thanm@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+---
+ vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
+index c1f6b90..175c154 100644
+--- a/vendor/golang.org/x/net/http2/frame.go
++++ b/vendor/golang.org/x/net/http2/frame.go
+@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
+ 		if size > remainSize {
+ 			hdec.SetEmitEnabled(false)
+ 			mh.Truncated = true
++			remainSize = 0
+ 			return
+ 		}
+ 		remainSize -= size
+@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
+ 	var hc headersOrContinuation = hf
+ 	for {
+ 		frag := hc.HeaderBlockFragment()
++
++		// Avoid parsing large amounts of headers that we will then discard.
++		// If the sender exceeds the max header list size by too much,
++		// skip parsing the fragment and close the connection.
++		//
++		// "Too much" is either any CONTINUATION frame after we've already
++		// exceeded the max header list size (in which case remainSize is 0),
++		// or a frame whose encoded size is more than twice the remaining
++		// header list bytes we're willing to accept.
++		if int64(len(frag)) > int64(2*remainSize) {
++			if VerboseLogs {
++				log.Printf("http2: header list too large")
++			}
++			// It would be nice to send a RST_STREAM before sending the GOAWAY,
++			// but the struture of the server's frame writer makes this difficult.
++			return nil, ConnectionError(ErrCodeProtocol)
++		}
++
++		// Also close the connection after any CONTINUATION frame following an
++		// invalid header, since we stop tracking the size of the headers after
++		// an invalid one.
++		if invalid != nil {
++			if VerboseLogs {
++				log.Printf("http2: invalid header: %v", invalid)
++			}
++			// It would be nice to send a RST_STREAM before sending the GOAWAY,
++			// but the struture of the server's frame writer makes this difficult.
++			return nil, ConnectionError(ErrCodeProtocol)
++		}
++
+ 		if _, err := hdec.Write(frag); err != nil {
+ 			return nil, ConnectionError(ErrCodeCompression)
+ 		}
+-- 
+2.44.0
+

SPECS/coredns/CVE-2023-49295.patch

@@ -0,0 +1,88 @@
+From d7aa627ebde91cf799ada2a07443faa9b1e5abb8 Mon Sep 17 00:00:00 2001
+From: Marten Seemann <martenseemann@gmail.com>
+Date: Wed, 13 Dec 2023 09:47:09 +0530
+Subject: [PATCH] limit the number of queued PATH_RESPONSE frames to 256
+ (#4199)
+
+---
+ framer.go      | 37 +++++++++++++++++++++++++++++------
+ framer_test.go | 52 +++++++++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 82 insertions(+), 7 deletions(-)
+
+diff --git a/vendor/github.com/quic-go/quic-go/framer.go b/vendor/github.com/quic-go/framer.go
+index 9409af4c2e..d5c61bcf73 100644
+--- a/vendor/github.com/quic-go/quic-go/framer.go
++++ b/vendor/github.com/quic-go/quic-go/framer.go
+@@ -23,6 +23,8 @@ type framer interface {
+ 	Handle0RTTRejection() error
+ }
+ 
++const maxPathResponses = 256
++
+ type framerI struct {
+ 	mutex sync.Mutex
+ 
+@@ -33,6 +35,7 @@ type framerI struct {
+ 
+ 	controlFrameMutex sync.Mutex
+ 	controlFrames     []wire.Frame
++	pathResponses     []*wire.PathResponseFrame
+ }
+ 
+ var _ framer = &framerI{}
+@@ -52,20 +55,43 @@ func (f *framerI) HasData() bool {
+ 		return true
+ 	}
+ 	f.controlFrameMutex.Lock()
+-	hasData = len(f.controlFrames) > 0
+-	f.controlFrameMutex.Unlock()
+-	return hasData
++	defer f.controlFrameMutex.Unlock()
++	return len(f.controlFrames) > 0 || len(f.pathResponses) > 0
+ }
+ 
+ func (f *framerI) QueueControlFrame(frame wire.Frame) {
+ 	f.controlFrameMutex.Lock()
++	defer f.controlFrameMutex.Unlock()
++
++	if pr, ok := frame.(*wire.PathResponseFrame); ok {
++		// Only queue up to maxPathResponses PATH_RESPONSE frames.
++		// This limit should be high enough to never be hit in practice,
++		// unless the peer is doing something malicious.
++		if len(f.pathResponses) >= maxPathResponses {
++			return
++		}
++		f.pathResponses = append(f.pathResponses, pr)
++		return
++	}
+ 	f.controlFrames = append(f.controlFrames, frame)
+-	f.controlFrameMutex.Unlock()
+ }
+ 
+ func (f *framerI) AppendControlFrames(frames []ackhandler.Frame, maxLen protocol.ByteCount, v protocol.VersionNumber) ([]ackhandler.Frame, protocol.ByteCount) {
+-	var length protocol.ByteCount
+ 	f.controlFrameMutex.Lock()
++	defer f.controlFrameMutex.Unlock()
++
++	var length protocol.ByteCount
++	// add a PATH_RESPONSE first, but only pack a single PATH_RESPONSE per packet
++	if len(f.pathResponses) > 0 {
++		frame := f.pathResponses[0]
++		frameLen := frame.Length(v)
++		if frameLen <= maxLen {
++			frames = append(frames, ackhandler.Frame{Frame: frame})
++			length += frameLen
++			f.pathResponses = f.pathResponses[1:]
++		}
++	}
++
+ 	for len(f.controlFrames) > 0 {
+ 		frame := f.controlFrames[len(f.controlFrames)-1]
+ 		frameLen := frame.Length(v)
+@@ -76,7 +102,6 @@ func (f *framerI) AppendControlFrames(frames []ackhandler.Frame, maxLen protocol
+ 		length += frameLen
+ 		f.controlFrames = f.controlFrames[:len(f.controlFrames)-1]
+ 	}
+-	f.controlFrameMutex.Unlock()
+ 	return frames, length
+ }

SPECS/coredns/CVE-2024-22189.patch

@@ -0,0 +1,76 @@
+diff --git a/vendor/github.com/quic-go/quic-go/connection.go b/vendor/github.com/quic-go/quic-go/connection.go
+index cca816f..abae204 100644
+--- a/vendor/github.com/quic-go/quic-go/connection.go
++++ b/vendor/github.com/quic-go/quic-go/connection.go
+@@ -518,6 +518,9 @@ func (s *connection) run() error {
+ 
+ runLoop:
+ 	for {
++		if s.framer.QueuedTooManyControlFrames() {
++			s.closeLocal(&qerr.TransportError{ErrorCode: InternalError})
++		}
+ 		// Close immediately if requested
+ 		select {
+ 		case closeErr = <-s.closeChan:
+diff --git a/vendor/github.com/quic-go/quic-go/framer.go b/vendor/github.com/quic-go/quic-go/framer.go
+index d5c61bc..9f07752 100644
+--- a/vendor/github.com/quic-go/quic-go/framer.go
++++ b/vendor/github.com/quic-go/quic-go/framer.go
+@@ -21,9 +21,19 @@ type framer interface {
+ 	AppendStreamFrames([]ackhandler.StreamFrame, protocol.ByteCount, protocol.VersionNumber) ([]ackhandler.StreamFrame, protocol.ByteCount)
+ 
+ 	Handle0RTTRejection() error
++
++	// QueuedTooManyControlFrames says if the control frame queue exceeded its maximum queue length.
++	// This is a hack.
++	// It is easier to implement than propagating an error return value in QueueControlFrame.
++	// The correct solution would be to queue frames with their respective structs.
++	// See https://github.com/quic-go/quic-go/issues/4271 for the queueing of stream-related control frames.
++	QueuedTooManyControlFrames() bool
+ }
+ 
+-const maxPathResponses = 256
++const (
++	maxPathResponses = 256
++	maxControlFrames = 16 << 10
++)
+ 
+ type framerI struct {
+ 	mutex sync.Mutex
+@@ -33,9 +43,10 @@ type framerI struct {
+ 	activeStreams map[protocol.StreamID]struct{}
+ 	streamQueue   ringbuffer.RingBuffer[protocol.StreamID]
+ 
+-	controlFrameMutex sync.Mutex
+-	controlFrames     []wire.Frame
+-	pathResponses     []*wire.PathResponseFrame
++	controlFrameMutex          sync.Mutex
++	controlFrames              []wire.Frame
++	pathResponses              []*wire.PathResponseFrame
++	queuedTooManyControlFrames bool
+ }
+ 
+ var _ framer = &framerI{}
+@@ -73,6 +84,11 @@ func (f *framerI) QueueControlFrame(frame wire.Frame) {
+ 		f.pathResponses = append(f.pathResponses, pr)
+ 		return
+ 	}
++	// This is a hack.
++	if len(f.controlFrames) >= maxControlFrames {
++		f.queuedTooManyControlFrames = true
++		return
++	}
+ 	f.controlFrames = append(f.controlFrames, frame)
+ }
+ 
+@@ -105,6 +121,10 @@ func (f *framerI) AppendControlFrames(frames []ackhandler.Frame, maxLen protocol
+ 	return frames, length
+ }
+ 
++func (f *framerI) QueuedTooManyControlFrames() bool {
++	return f.queuedTooManyControlFrames
++}
++
+ func (f *framerI) AddActiveStream(id protocol.StreamID) {
+ 	f.mutex.Lock()
+ 	if _, ok := f.activeStreams[id]; !ok {

SPECS/coredns/coredns.spec

@@ -3,7 +3,7 @@
 Summary:        Fast and flexible DNS server
 Name:           coredns
 Version:        1.11.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        Apache License 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -31,6 +31,11 @@ Source0:        %{name}-%{version}.tar.gz
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:        %{name}-%{version}-vendor.tar.gz
 Patch0:         makefile-buildoption-commitnb.patch
+Patch1:         CVE-2023-44487.patch
+Patch2:         CVE-2023-49295.patch
+Patch3:         CVE-2024-22189.patch
+Patch4:         CVE-2023-45288.patch
+Patch5:         CVE-2024-0874.patch
 
 BuildRequires:  golang >= 1.12
 
@@ -38,11 +43,12 @@ BuildRequires:  golang >= 1.12
 CoreDNS is a fast and flexible DNS server.
 
 %prep
-%autosetup -p1
+%autosetup -N
+# Apply vendor before patching
+tar --no-same-owner -xf %{SOURCE1}
+%autopatch -p1
 
 %build
-# create vendor folder from the vendor tarball and set vendor mode
-tar -xf %{SOURCE1} --no-same-owner
 export BUILDOPTS="-mod=vendor -v"
 # set commit number that correspond to the github tag for that version
 export GITCOMMIT="ae2bbc29be1aaae0b3ded5d188968a6c97bb3144"
@@ -58,7 +64,10 @@ install -p -m 755 -t %{buildroot}%{_bindir} %{name}
 %{_bindir}/%{name}
 
 %changelog
-* Tue Oct 18 2023 Nicolas Guibourge <nicolasg@microsoft.com> - 1.11.1-1
+* Mon Jun 24 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 1.11.1-2
+- Address CVE-2023-44487, CVE-2023-45288, CVE-2023-49295, CVE-2024-0874, CVE-2024-22189
+
+* Wed Oct 18 2023 Nicolas Guibourge <nicolasg@microsoft.com> - 1.11.1-1
 - Upgrade to 1.11.1 to match version required by kubernetes
 
 * Mon Oct 16 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.9.3-10