From 7a9557cc4013e9b0c3fdbdd08ac5ed3b108bcf77 Mon Sep 17 00:00:00 2001
From: hanchao <hanchao63@huawei.com>
Date: Sat, 28 Oct 2023 16:31:32 +0800
Subject: [PATCH] cvefix: fix CVE-2023-39325

---
 ...487-net-http-regenerate-h2_bundle.go.patch | 150 ++++++++++++++++++
 golang.spec                                   |   9 +-
 2 files changed, 158 insertions(+), 1 deletion(-)
 create mode 100644 0109-CVE-2023-39325-and-CVE-2023-44487-net-http-regenerate-h2_bundle.go.patch

diff --git a/0109-CVE-2023-39325-and-CVE-2023-44487-net-http-regenerate-h2_bundle.go.patch b/0109-CVE-2023-39325-and-CVE-2023-44487-net-http-regenerate-h2_bundle.go.patch
new file mode 100644
index 0000000..3590f90
--- /dev/null
+++ b/0109-CVE-2023-39325-and-CVE-2023-44487-net-http-regenerate-h2_bundle.go.patch
@@ -0,0 +1,150 @@
+From caffd20df66f326bdbce11a7b3b92d583ed8d05c Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Sat, 7 Oct 2023 05:16:27 +0800
+Subject: [PATCH] [Backport] net/http: regenerate h2_bundle.go
+
+Offering: Cloud Core Network
+CVE: CVE-2023-39325
+Reference: https://go-review.googlesource.com/c/go/+/534255
+
+Pull in a security fix from x/net/http2:
+http2: limit maximum handler goroutines to MaxConcurrentStreamso
+
+Note: The upstream does not submit this change to go1.16 according to the rules of MinorReleases.
+Corego2.x are based on go1.16.5. Therefore, it need to submit the change to corego2.x.
+
+Edited-by: machangwang m00509938
+
+For #63417
+Fixes #63426
+Fixes CVE-2023-39325
+
+Change-Id: I6e32397323cd9b4114c990fcc9d19557a7f5f619
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047401
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Ian Cottrell <iancottrell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/534255
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Michael Pratt <mpratt@google.com>
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Signed-off-by: Ma Chang Wang machangwang@huawei.com
+
+Conflict: NA
+Reference: https://open.codehub.huawei.com/OpenSourceCenter/golang/go/merge_requests/109
+---
+ src/net/http/h2_bundle.go | 62 +++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 60 insertions(+), 2 deletions(-)
+
+diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
+index 0528cf6e31..480a5326d6 100644
+--- a/src/net/http/h2_bundle.go
++++ b/src/net/http/h2_bundle.go
+@@ -4088,9 +4088,11 @@ type http2serverConn struct {
+ 	advMaxStreams               uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
+ 	curClientStreams            uint32 // number of open streams initiated by the client
+ 	curPushedStreams            uint32 // number of open streams initiated by server push
++	curHandlers                 uint32 // number of running handler goroutines
+ 	maxClientStreamID           uint32 // max ever seen from client (odd), or 0 if there have been no client requests
+ 	maxPushPromiseID            uint32 // ID of the last push promise (even), or 0 if there have been no pushes
+ 	streams                     map[uint32]*http2stream
++	unstartedHandlers           []http2unstartedHandler
+ 	initialStreamSendWindowSize int32
+ 	maxFrameSize                int32
+ 	headerTableSize             uint32
+@@ -4475,6 +4477,8 @@ func (sc *http2serverConn) serve() {
+ 					return
+ 				case http2gracefulShutdownMsg:
+ 					sc.startGracefulShutdownInternal()
++				case http2handlerDoneMsg:
++					sc.handlerDone()
+ 				default:
+ 					panic("unknown timer")
+ 				}
+@@ -4520,6 +4524,7 @@ var (
+ 	http2idleTimerMsg        = new(http2serverMessage)
+ 	http2shutdownTimerMsg    = new(http2serverMessage)
+ 	http2gracefulShutdownMsg = new(http2serverMessage)
++	http2handlerDoneMsg      = new(http2serverMessage)
+ )
+ 
+ func (sc *http2serverConn) onSettingsTimer() { sc.sendServeMsg(http2settingsTimerMsg) }
+@@ -5466,8 +5471,7 @@ func (sc *http2serverConn) processHeaders(f *http2MetaHeadersFrame) error {
+ 		sc.conn.SetReadDeadline(time.Time{})
+ 	}
+ 
+-	go sc.runHandler(rw, req, handler)
+-	return nil
++	return sc.scheduleHandler(id, rw, req, handler)
+ }
+ 
+ func (st *http2stream) processTrailerHeaders(f *http2MetaHeadersFrame) error {
+@@ -5714,8 +5718,62 @@ func (sc *http2serverConn) newWriterAndRequestNoBody(st *http2stream, rp http2re
+ 	return rw, req, nil
+ }
+ 
++type http2unstartedHandler struct {
++	streamID uint32
++	rw       *http2responseWriter
++	req      *Request
++	handler  func(ResponseWriter, *Request)
++}
++
++// scheduleHandler starts a handler goroutine,
++// or schedules one to start as soon as an existing handler finishes.
++func (sc *http2serverConn) scheduleHandler(streamID uint32, rw *http2responseWriter, req *Request, handler func(ResponseWriter, *Request)) error {
++	sc.serveG.check()
++	maxHandlers := sc.advMaxStreams
++	if sc.curHandlers < maxHandlers {
++		sc.curHandlers++
++		go sc.runHandler(rw, req, handler)
++		return nil
++	}
++	if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) {
++		return http2ConnectionError(http2ErrCodeEnhanceYourCalm)
++	}
++	sc.unstartedHandlers = append(sc.unstartedHandlers, http2unstartedHandler{
++		streamID: streamID,
++		rw:       rw,
++		req:      req,
++		handler:  handler,
++	})
++	return nil
++}
++
++func (sc *http2serverConn) handlerDone() {
++	sc.serveG.check()
++	sc.curHandlers--
++	i := 0
++	maxHandlers := sc.advMaxStreams
++	for ; i < len(sc.unstartedHandlers); i++ {
++		u := sc.unstartedHandlers[i]
++		if sc.streams[u.streamID] == nil {
++			// This stream was reset before its goroutine had a chance to start.
++			continue
++		}
++		if sc.curHandlers >= maxHandlers {
++			break
++		}
++		sc.curHandlers++
++		go sc.runHandler(u.rw, u.req, u.handler)
++		sc.unstartedHandlers[i] = http2unstartedHandler{} // don't retain references
++	}
++	sc.unstartedHandlers = sc.unstartedHandlers[i:]
++	if len(sc.unstartedHandlers) == 0 {
++		sc.unstartedHandlers = nil
++	}
++}
++
+ // Run on its own goroutine.
+ func (sc *http2serverConn) runHandler(rw *http2responseWriter, req *Request, handler func(ResponseWriter, *Request)) {
++	defer sc.sendServeMsg(http2handlerDoneMsg)
+ 	didPanic := true
+ 	defer func() {
+ 		rw.rws.stream.cancelCtx()
+-- 
+2.27.0
+
diff --git a/golang.spec b/golang.spec
index 9077863..460358d 100644
--- a/golang.spec
+++ b/golang.spec
@@ -58,7 +58,7 @@
 
 Name:           golang
 Version:        1.15.7
-Release:        35
+Release:        36
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@@ -250,6 +250,7 @@ Patch6105:	0105-Backport-net-http-permit-requests-with-invalid-Host-headers.patc
 Patch6106:	0106-Backport-html-template-support-HTML-like-comments-in.patch
 Patch6107:	0107-Backport-html-template-properly-handle-special-tags-.patch
 Patch6108:	0108-Backport-cmd-compile-use-absolute-file-name-in-isCgo.patch
+Patch6109:	0109-CVE-2023-39325-and-CVE-2023-44487-net-http-regenerate-h2_bundle.go.patch
 
 Patch9001:  0001-drop-hard-code-cert.patch
 Patch9002:  0002-fix-patch-cmd-go-internal-modfetch-do-not-sho.patch
@@ -489,6 +490,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 
 %changelog
+* Sat Oct 28 2023 hanchao <hanchao63@huawei.com> - 1.15.7-36
+- Type:CVE
+- CVE:CVE-2023-39325
+- SUG:NA
+- DESC:fix CVE-2023-39325
+
 * Fri Oct 13 2023 luoyujie <luoyujie5@huawei.com> - 1.15.7-35
 - Type:CVE
 - CVE:CVE-2023-39323
-- 
Gitee