Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: ReadRequest can stack overflow due to recursion with very large headers #45710

Closed
katiehockman opened this issue Apr 22, 2021 · 10 comments
Closed

Comments

@katiehockman
Copy link
Member

@katiehockman katiehockman commented Apr 22, 2021

ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client.

This also affects golang.org/x/net/http2/h2c and HeaderValuesContainsToken in golang.org/x/net/http/httpguts, and is fixed in golang.org/x/net@v0.0.0-20210428140749-89ef3d95e781.

This is CVE-2021-31525.

According to the new security policy (#44918), this will be fixed as a PUBLIC track issue.

Credit to Guido Vranken who reported the crash as part of the Ethereum 2.0 bounty program.

/cc @golang/security

@katiehockman katiehockman added this to the Go1.17 milestone Apr 22, 2021
@katiehockman katiehockman self-assigned this Apr 22, 2021
@katiehockman
Copy link
Member Author

@katiehockman katiehockman commented Apr 22, 2021

@gopherbot please consider this for backport to 1.16.4 and 1.15.12, it's a security issue.

/cc @golang/release FYI

@gopherbot
Copy link

@gopherbot gopherbot commented Apr 22, 2021

Backport issue(s) opened: #45711 (for 1.15), #45712 (for 1.16).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

@odeke-em odeke-em changed the title http: ReadRequest can stack overflow net/http: ReadRequest can stack overflow due to recursion with very large headers Apr 23, 2021
@gopherbot
Copy link

@gopherbot gopherbot commented Apr 23, 2021

Change https://golang.org/cl/313069 mentions this issue: httpguts: remove recursion for HeaderValuesContainsToken

@gopherbot
Copy link

@gopherbot gopherbot commented Apr 28, 2021

Change https://golang.org/cl/314596 mentions this issue: std: update golang.org/x/net to 20210428140749-89ef3d95e781

@gopherbot
Copy link

@gopherbot gopherbot commented Apr 28, 2021

Change https://golang.org/cl/314649 mentions this issue: [internal-branch.go1.16-vendor

@gopherbot
Copy link

@gopherbot gopherbot commented Apr 28, 2021

Change https://golang.org/cl/314650 mentions this issue: [release-branch.go1.15] http/httpguts: remove recursion in HeaderValuesContainsToken

@dmitshur
Copy link
Contributor

@dmitshur dmitshur commented Apr 28, 2021

The x/net fix still needs to be pulled into the main repo for Go 1.17 (which can be done individually like in CL 314596 or together with more x/net updates as part of #36905), reopening for that and adding release-blocker so it's not missed.

@dmitshur dmitshur reopened this Apr 28, 2021
gopherbot pushed a commit to golang/net that referenced this issue Apr 28, 2021
…aderValuesContainsToken

Previously, httpguts.HeaderValuesContainsToken called a
function which could recurse to the point of a stack
overflow when given a very large header (~10MB).

Credit to Guido Vranken who reported the crash as
part of the Ethereum 2.0 bounty program.

Fixes CVE-2021-31525

Updates golang/go#45710
Updates golang/go#45712

Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3
Reviewed-on: https://go-review.googlesource.com/c/net/+/313069
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
(cherry picked from commit 89ef3d9)
Reviewed-on: https://go-review.googlesource.com/c/net/+/314649
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
gopherbot pushed a commit to golang/net that referenced this issue Apr 28, 2021
…esContainsToken

Previously, httpguts.HeaderValuesContainsToken called a
function which could recurse to the point of a stack
overflow when given a very large header (~10MB).

Credit to Guido Vranken who reported the crash as
part of the Ethereum 2.0 bounty program.

Fixes CVE-2021-31525

Updates golang/go#45710
Updates golang/go#45711

Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3
Reviewed-on: https://go-review.googlesource.com/c/net/+/313069
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
(cherry picked from commit 89ef3d9)
Reviewed-on: https://go-review.googlesource.com/c/net/+/314650
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
@dmitshur
Copy link
Contributor

@dmitshur dmitshur commented May 6, 2021

The x/net fix has been pulled into the main repo for Go 1.17 as part of CL 316251. Closing as fixed.

@dmitshur dmitshur closed this May 6, 2021
AkihiroSuda pushed a commit to containerd/containerd that referenced this issue May 7, 2021
fix [#45710](golang/go#45710) and CVE-2021-31525.

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
@carnil
Copy link

@carnil carnil commented May 7, 2021

This issue appears to have assigned CVE-2021-31525 according to https://bugzilla.redhat.com/show_bug.cgi?id=1958341

buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue May 8, 2021
Fixes the following security issues:

- CVE-2021-31525: ReadRequest and ReadResponse in net/http can hit an
  unrecoverable panic when reading a very large header (over 7MB on 64-bit
  architectures, or over 4MB on 32-bit ones).  Transport and Client are
  vulnerable and the program can be made to crash by a malicious server.
  Server is not vulnerable by default, but can be if the default max header
  of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value,
  in which case the program can be made to crash by a malicious client.

  golang/go#45710

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue May 8, 2021
Fixes the following security issues:

- CVE-2021-31525: ReadRequest and ReadResponse in net/http can hit an
  unrecoverable panic when reading a very large header (over 7MB on 64-bit
  architectures, or over 4MB on 32-bit ones).  Transport and Client are
  vulnerable and the program can be made to crash by a malicious server.
  Server is not vulnerable by default, but can be if the default max header
  of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value,
  in which case the program can be made to crash by a malicious client.

  golang/go#45710

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
@katiehockman
Copy link
Member Author

@katiehockman katiehockman commented May 10, 2021

Yes, it has been assigned CVE-2021-31525.

I've gone ahead and update the original comment with the content of the announcement, which had the full details.

dmcgowan added a commit to dmcgowan/containerd that referenced this issue May 10, 2021
fix [#45710](golang/go#45710) and CVE-2021-31525.

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
(cherry picked from commit 79d800b)
Signed-off-by: Derek McGowan <derek@mcg.dev>
dmcgowan added a commit to dmcgowan/containerd that referenced this issue May 10, 2021
fix [#45710](golang/go#45710) and CVE-2021-31525.

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
(cherry picked from commit 79d800b)
Signed-off-by: Derek McGowan <derek@mcg.dev>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

4 participants