net/http: handle server errors after sending GOAWAY #54658
Labels
FrozenDueToAge
NeedsFix
The path to resolution is known, but the work has not been done.
release-blocker
Security
Milestone
Comments
heschi
added
the
NeedsFix
|
Change https://go.dev/cl/428655 mentions this issue: |
|
Change https://go.dev/cl/428635 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Sep 6, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2022-27664 Fixes #54376 For #54658 Change-Id: I747900a66d7276e7d0bd246cd8cd0da95305c3ca Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554417 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/428655 Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
gopherbot
pushed a commit
that referenced
this issue
Sep 6, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2022-27664 Fixes #53977 For #54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org>
mknyszek
changed the title
|
Change https://go.dev/cl/428736 mentions this issue: |
|
Change https://go.dev/cl/428737 mentions this issue: |
|
Change https://go.dev/cl/428717 mentions this issue: |
gopherbot
pushed a commit
to golang/net
that referenced
this issue
Sep 7, 2022
…ding GOAWAY The HTTP/2 server uses serverConn.goAwayCode to track whether a connection has encountered a fatal error. If an error is encountered after sending a ErrCodeNo GOAWAY, upgrade goAwayCode to reflect the error status of the connection. Fixes an issue where a server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. Fixes CVE-2022-27664 For golang/go#54658 For golang/go#54376 Change-Id: I165b81ab53176c77a68c42976030499d57bb05d3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1413887 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/net/+/428735 Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Carlos Amedee <carlos@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-on: https://go-review.googlesource.com/c/net/+/428737 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
gopherbot
pushed a commit
to golang/net
that referenced
this issue
Sep 7, 2022
…ding GOAWAY The HTTP/2 server uses serverConn.goAwayCode to track whether a connection has encountered a fatal error. If an error is encountered after sending a ErrCodeNo GOAWAY, upgrade goAwayCode to reflect the error status of the connection. Fixes an issue where a server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. Fixes CVE-2022-27664 For golang/go#54658 For golang/go#53977 Change-Id: I165b81ab53176c77a68c42976030499d57bb05d3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1413887 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/net/+/428735 Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Carlos Amedee <carlos@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-on: https://go-review.googlesource.com/c/net/+/428736 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
bradfitz
pushed a commit
to tailscale/go
that referenced
this issue
Sep 8, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2022-27664 Fixes golang#54376 For golang#54658 Change-Id: I747900a66d7276e7d0bd246cd8cd0da95305c3ca Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554417 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/428655 Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
Hi, I have a question. I don't understand why this would cause a permanent hang. Can you explain this in code? Thank you very much! |
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 9, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2022-27664 Fixes golang#53977 For golang#54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> comment out test skip from cherry pick of 5bc9106
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 9, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2022-27664 Fixes golang#53977 For golang#54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> comment out test skip from cherry pick of 5bc9106
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 12, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2022-27664 Fixes golang#53977 For golang#54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> comment out test skip from cherry pick of 5bc9106
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 14, 2022
Fixes CVE-2022-27664 Fixes golang#53977 For golang#54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org>
|
@neild does this affect older versions of go like 1.16 or 1.17 ? |
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 5, 2022
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.18 EKS Patch Source Commit: danbudris@6b7d79a Upstream Source Commit: golang@5bc9106 # Original Information Fixes CVE-2022-27664 Fixes golang#53977 For golang#54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 12, 2022
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.18 EKS Patch Source Commit: danbudris@6b7d79a Upstream Source Commit: golang@5bc9106 # Original Information Fixes CVE-2022-27664 Fixes golang#53977 For golang#54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 12, 2022
# AWS EKS Backported To: go-1.16.15-eks Backported On: Tue, 04 Oct 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.18 EKS Patch Source Commit: danbudris@f17d272 Upstream Source Commit: golang@5bc9106 # Original Information Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2022-27664 Fixes golang#53977 For golang#54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> comment out test skip from cherry pick of 5bc9106
This was referenced Oct 16, 2023
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service.
Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu for reporting this.
This was a PRIVATE issue for CVE-2022-27664 tracked in http://b/219507101.
Backport issues: #53977 #54376
(I forgot to create the non-backport issue when making the backports, doing so now.)
The text was updated successfully, but these errors were encountered: