net/http: handle server errors after sending GOAWAY [1.18 backport] #53977

neild · 2022-07-20T22:59:40Z

A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service.

Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu for reporting this.

This was a PRIVATE issue for CVE-2022-27664 tracked in http://b/219507101 and fixed by http://tg/1413887.

dmitshur · 2022-08-08T18:49:03Z

Since this is in Go1.18.6 milestone, added a "[1.18 backport]" suffix and a CherryPickCandidate label so this doesn't get missed during backport review, but I expect it to get approved as a security fix.

joedian · 2022-08-10T16:15:13Z

@neild can we add a backport for 1.19 as well?

neild · 2022-08-10T17:41:07Z

@neild can we add a backport for 1.19 as well?

Created #54376.

gopherbot · 2022-09-06T15:32:11Z

Change https://go.dev/cl/428635 mentions this issue: [release-branch.go1.18] net/http: update bundled golang.org/x/net/http2

Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2022-27664 Fixes #53977 For #54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org>

gopherbot · 2022-09-06T15:50:55Z

Closed by merging 5bc9106 to release-branch.go1.18.

gopherbot · 2022-09-06T16:47:48Z

Change https://go.dev/cl/428735 mentions this issue: http2: handle server errors after sending GOAWAY

The HTTP/2 server uses serverConn.goAwayCode to track whether a connection has encountered a fatal error. If an error is encountered after sending a ErrCodeNo GOAWAY, upgrade goAwayCode to reflect the error status of the connection. Fixes an issue where a server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. Fixes CVE-2022-27664 For golang/go#53977 Change-Id: I165b81ab53176c77a68c42976030499d57bb05d3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1413887 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/net/+/428735 Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Carlos Amedee <carlos@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org>

gopherbot · 2022-09-06T16:56:19Z

Change https://go.dev/cl/428736 mentions this issue: [internal-branch.go1.18-vendor] http2: handle server errors after sending GOAWAY

gopherbot · 2022-09-06T16:57:13Z

Change https://go.dev/cl/428737 mentions this issue: [internal-branch.go1.19-vendor] http2: handle server errors after sending GOAWAY

…ding GOAWAY The HTTP/2 server uses serverConn.goAwayCode to track whether a connection has encountered a fatal error. If an error is encountered after sending a ErrCodeNo GOAWAY, upgrade goAwayCode to reflect the error status of the connection. Fixes an issue where a server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. Fixes CVE-2022-27664 For golang/go#54658 For golang/go#53977 Change-Id: I165b81ab53176c77a68c42976030499d57bb05d3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1413887 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/net/+/428735 Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Carlos Amedee <carlos@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-on: https://go-review.googlesource.com/c/net/+/428736 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

gopherbot · 2022-09-07T23:42:02Z

Change https://go.dev/cl/429316 mentions this issue: [release-branch.go1.18] all: upgrade golang.org/x/net to v0.0.0-20220907013725-0a43f88f7ef0

…907013725-0a43f88f7ef0 Restore vendoring after go1.18.6 security release. For #53977 Change-Id: Ifff04582aa3d5fce40606265db42af3415c3c0b4 Reviewed-on: https://go-review.googlesource.com/c/go/+/429316 Reviewed-by: Carlos Amedee <carlos@golang.org> Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>

Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2022-27664 Fixes golang#53977 For golang#54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> comment out test skip from cherry pick of 5bc9106

Fixes CVE-2022-27664 Fixes golang#53977 For golang#54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org>

# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.18 EKS Patch Source Commit: danbudris@6b7d79a Upstream Source Commit: golang@5bc9106 # Original Information Fixes CVE-2022-27664 Fixes golang#53977 For golang#54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org>

# AWS EKS Backported To: go-1.16.15-eks Backported On: Tue, 04 Oct 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.18 EKS Patch Source Commit: danbudris@f17d272 Upstream Source Commit: golang@5bc9106 # Original Information Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2022-27664 Fixes golang#53977 For golang#54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> comment out test skip from cherry pick of 5bc9106

The HTTP/2 server uses serverConn.goAwayCode to track whether a connection has encountered a fatal error. If an error is encountered after sending a ErrCodeNo GOAWAY, upgrade goAwayCode to reflect the error status of the connection. Fixes an issue where a server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. Fixes CVE-2022-27664 For golang/go#53977 Change-Id: I165b81ab53176c77a68c42976030499d57bb05d3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1413887 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/net/+/428735 Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Carlos Amedee <carlos@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org>

neild added Security release-blocker labels Jul 20, 2022

neild added this to the Go1.18.5 milestone Jul 20, 2022

neild self-assigned this Jul 20, 2022

cherrymui modified the milestones: Go1.18.5, Go1.18.6 Jul 29, 2022

dmitshur added the CherryPickCandidate Used during the release process for point releases label Aug 8, 2022

dmitshur changed the title ~~security: fix CVE-2022-27664~~ security: fix CVE-2022-27664 [1.18 backport] Aug 8, 2022

joedian added the CherryPickApproved Used during the release process for point releases label Aug 17, 2022

gopherbot removed the CherryPickCandidate Used during the release process for point releases label Aug 17, 2022

neild mentioned this issue Aug 24, 2022

net/http: handle server errors after sending GOAWAY #54658

Closed

heschi added release-blocker and removed release-blocker labels Aug 30, 2022

bassosimone mentioned this issue Sep 4, 2022

release 3.16: await for go1.18.6 ooni/probe#2256

Closed

gopherbot closed this as completed Sep 6, 2022

mknyszek changed the title ~~security: fix CVE-2022-27664 [1.18 backport]~~ net/http: handle server errors after sending GOAWAY [1.18 backport] Sep 6, 2022

golang locked and limited conversation to collaborators Sep 7, 2023

gopherbot added the FrozenDueToAge label Sep 7, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

net/http: handle server errors after sending GOAWAY [1.18 backport] #53977

net/http: handle server errors after sending GOAWAY [1.18 backport] #53977

neild commented Jul 20, 2022 •

edited by mknyszek

dmitshur commented Aug 8, 2022 •

edited

joedian commented Aug 10, 2022

neild commented Aug 10, 2022

gopherbot commented Sep 6, 2022

gopherbot commented Sep 6, 2022

gopherbot commented Sep 6, 2022

gopherbot commented Sep 6, 2022

gopherbot commented Sep 6, 2022

gopherbot commented Sep 7, 2022

net/http: handle server errors after sending GOAWAY [1.18 backport] #53977

net/http: handle server errors after sending GOAWAY [1.18 backport] #53977

Comments

neild commented Jul 20, 2022 • edited by mknyszek

dmitshur commented Aug 8, 2022 • edited

joedian commented Aug 10, 2022

neild commented Aug 10, 2022

gopherbot commented Sep 6, 2022

gopherbot commented Sep 6, 2022

gopherbot commented Sep 6, 2022

gopherbot commented Sep 6, 2022

gopherbot commented Sep 6, 2022

gopherbot commented Sep 7, 2022

neild commented Jul 20, 2022 •

edited by mknyszek

dmitshur commented Aug 8, 2022 •

edited