grpc: fix CVE-2023-32732

Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Chen Qi <Qi.Chen@windriver.com> 2023-09-14 12:00:25 +0800
committer: Armin Kuster <akuster808@gmail.com> 2023-09-15 07:22:08 -0400
commit: 63a9c4978136caa12f9a5dccb5123e5b9d09f7e8 (patch)
tree: 0e30f19314489c2d20a109a602dcf30633ca5844
parent: acd40940f01534853907a070e6015de52cd50114 (diff)
download: meta-openembedded-63a9c4978136caa12f9a5dccb5123e5b9d09f7e8.tar.gz
2 files changed, 82 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/grpc/grpc/0001-fix-CVE-2023-32732.patch b/meta-oe/recipes-devtools/grpc/grpc/0001-fix-CVE-2023-32732.patch
new file mode 100644
index 0000000000..ab46897b12
--- /dev/null
+++ b/meta-oe/recipes-devtools/grpc/grpc/0001-fix-CVE-2023-32732.patch
@@ -0,0 +1,81 @@
+From d39489045b5aa73e27713e3cbacb8832c1140ec8 Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Wed, 9 Aug 2023 13:33:45 +0800
+Subject: [PATCH] fix CVE-2023-32732
+CVE: CVE-2023-32732
+Upstream-Status: Backport [https://github.com/grpc/grpc/pull/32309/commits/6a7850ef4f042ac26559854266dddc79bfbc75b2]
+The original patch is adjusted to fit the current 1.50.1 version.
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ .../ext/transport/chttp2/transport/hpack_parser.cc     | 10 +++++++---
+ src/core/ext/transport/chttp2/transport/internal.h     |  2 --
+ src/core/ext/transport/chttp2/transport/parsing.cc     |  6 ++----
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+diff --git a/src/core/ext/transport/chttp2/transport/hpack_parser.cc b/src/core/ext/transport/chttp2/transport/hpack_parser.cc
+index f2e49022dc3..cd459d15238 100644
+--- a/src/core/ext/transport/chttp2/transport/hpack_parser.cc
+++ b/src/core/ext/transport/chttp2/transport/hpack_parser.cc
+@@ -1211,12 +1211,16 @@ class HPackParser::Parser {
+             "). GRPC_ARG_MAX_METADATA_SIZE can be set to increase this limit.",
+             *frame_length_, metadata_size_limit_);
+     if (metadata_buffer_ != nullptr) metadata_buffer_->Clear();
+    // StreamId is used as a signal to skip this stream but keep the connection
+    // alive
+     return input_->MaybeSetErrorAndReturn(
+         [] {
+           return grpc_error_set_int(
+-              GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+-                  "received initial metadata size exceeds limit"),
+-              GRPC_ERROR_INT_GRPC_STATUS, GRPC_STATUS_RESOURCE_EXHAUSTED);
+             grpc_error_set_int(
+                  GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+                      "received initial metadata size exceeds limit"),
+                  GRPC_ERROR_INT_GRPC_STATUS, GRPC_STATUS_RESOURCE_EXHAUSTED),
+             GRPC_ERROR_INT_STREAM_ID, 0);
+         },
+         false);
+   }
+diff --git a/src/core/ext/transport/chttp2/transport/internal.h b/src/core/ext/transport/chttp2/transport/internal.h
+index 4a2f4261d83..f8b544d9583 100644
+--- a/src/core/ext/transport/chttp2/transport/internal.h
+++ b/src/core/ext/transport/chttp2/transport/internal.h
+@@ -542,8 +542,6 @@ struct grpc_chttp2_stream {
+ 
+   grpc_core::Timestamp deadline = grpc_core::Timestamp::InfFuture();
+ 
+-  /** saw some stream level error */
+-  grpc_error_handle forced_close_error = GRPC_ERROR_NONE;
+   /** how many header frames have we received? */
+   uint8_t header_frames_received = 0;
+   /** number of bytes received - reset at end of parse thread execution */
+diff --git a/src/core/ext/transport/chttp2/transport/parsing.cc b/src/core/ext/transport/chttp2/transport/parsing.cc
+index 980f13543f6..afe6da190b6 100644
+--- a/src/core/ext/transport/chttp2/transport/parsing.cc
+++ b/src/core/ext/transport/chttp2/transport/parsing.cc
+@@ -22,6 +22,7 @@
+ #include <string.h>
+ 
+ #include <string>
+#include <utility>
+ 
+ #include "absl/base/attributes.h"
+ #include "absl/status/status.h"
+@@ -719,10 +720,7 @@ static grpc_error_handle parse_frame_slice(grpc_chttp2_transport* t,
+     }
+     grpc_chttp2_parsing_become_skip_parser(t);
+     if (s) {
+-      s->forced_close_error = err;
+-      grpc_chttp2_add_rst_stream_to_next_write(t, t->incoming_stream_id,
+-                                               GRPC_HTTP2_PROTOCOL_ERROR,
+-                                               &s->stats.outgoing);
+      grpc_chttp2_cancel_stream(t, s, std::exchange(err, absl::OkStatus()));
+     } else {
+       GRPC_ERROR_UNREF(err);
+     }
+-- 
+2.34.1
diff --git a/meta-oe/recipes-devtools/grpc/grpc_1.50.1.bb b/meta-oe/recipes-devtools/grpc/grpc_1.50.1.bb
index 7b8a25c277..b3956ce40c 100644
--- a/meta-oe/recipes-devtools/grpc/grpc_1.50.1.bb
+++ b/meta-oe/recipes-devtools/grpc/grpc_1.50.1.bb
@@ -26,6 +26,7 @@ SRC_URI = "gitsm://github.com/grpc/grpc.git;protocol=https;name=grpc;branch=${BR
           file://0001-Revert-Changed-GRPCPP_ABSEIL_SYNC-to-GPR_ABSEIL_SYNC.patch \
           file://0001-cmake-add-separate-export-for-plugin-targets.patch \
           file://0001-cmake-Link-with-libatomic-on-rv32-rv64.patch \
+           file://0001-fix-CVE-2023-32732.patch \
           "
 # Fixes build with older compilers 4.8 especially on ubuntu 14.04
 CXXFLAGS:append:class-native = " -Wl,--no-as-needed"
author	Chen Qi <Qi.Chen@windriver.com>	2023-09-14 12:00:25 +0800
committer	Armin Kuster <akuster808@gmail.com>	2023-09-15 07:22:08 -0400
commit	63a9c4978136caa12f9a5dccb5123e5b9d09f7e8 (patch)
tree	0e30f19314489c2d20a109a602dcf30633ca5844
parent	acd40940f01534853907a070e6015de52cd50114 (diff)
download	meta-openembedded-63a9c4978136caa12f9a5dccb5123e5b9d09f7e8.tar.gz

diff --git a/meta-oe/recipes-devtools/grpc/grpc/0001-fix-CVE-2023-32732.patch b/meta-oe/recipes-devtools/grpc/grpc/0001-fix-CVE-2023-32732.patch new file mode 100644 index 0000000000..ab46897b12 --- /dev/null +++ b/meta-oe/recipes-devtools/grpc/grpc/0001-fix-CVE-2023-32732.patch
@@ -0,0 +1,81 @@
		1	From d39489045b5aa73e27713e3cbacb8832c1140ec8 Mon Sep 17 00:00:00 2001
		2	From: Chen Qi <Qi.Chen@windriver.com>
		3	Date: Wed, 9 Aug 2023 13:33:45 +0800
		4	Subject: [PATCH] fix CVE-2023-32732
		5
		6	CVE: CVE-2023-32732
		7
		8	Upstream-Status: Backport [https://github.com/grpc/grpc/pull/32309/commits/6a7850ef4f042ac26559854266dddc79bfbc75b2]
		9	The original patch is adjusted to fit the current 1.50.1 version.
		10
		11	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
		12	---
		13	.../ext/transport/chttp2/transport/hpack_parser.cc \| 10 +++++++---
		14	src/core/ext/transport/chttp2/transport/internal.h \| 2 --
		15	src/core/ext/transport/chttp2/transport/parsing.cc \| 6 ++----
		16	3 files changed, 9 insertions(+), 9 deletions(-)
		17
		18	diff --git a/src/core/ext/transport/chttp2/transport/hpack_parser.cc b/src/core/ext/transport/chttp2/transport/hpack_parser.cc
		19	index f2e49022dc3..cd459d15238 100644
		20	--- a/src/core/ext/transport/chttp2/transport/hpack_parser.cc
		21	+++ b/src/core/ext/transport/chttp2/transport/hpack_parser.cc
		22	@@ -1211,12 +1211,16 @@ class HPackParser::Parser {
		23	"). GRPC_ARG_MAX_METADATA_SIZE can be set to increase this limit.",
		24	*frame_length_, metadata_size_limit_);
		25	if (metadata_buffer_ != nullptr) metadata_buffer_->Clear();
		26	+ // StreamId is used as a signal to skip this stream but keep the connection
		27	+ // alive
		28	return input_->MaybeSetErrorAndReturn(
		29	[] {
		30	return grpc_error_set_int(
		31	- GRPC_ERROR_CREATE_FROM_STATIC_STRING(
		32	- "received initial metadata size exceeds limit"),
		33	- GRPC_ERROR_INT_GRPC_STATUS, GRPC_STATUS_RESOURCE_EXHAUSTED);
		34	+ grpc_error_set_int(
		35	+ GRPC_ERROR_CREATE_FROM_STATIC_STRING(
		36	+ "received initial metadata size exceeds limit"),
		37	+ GRPC_ERROR_INT_GRPC_STATUS, GRPC_STATUS_RESOURCE_EXHAUSTED),
		38	+ GRPC_ERROR_INT_STREAM_ID, 0);
		39	},
		40	false);
		41	}
		42	diff --git a/src/core/ext/transport/chttp2/transport/internal.h b/src/core/ext/transport/chttp2/transport/internal.h
		43	index 4a2f4261d83..f8b544d9583 100644
		44	--- a/src/core/ext/transport/chttp2/transport/internal.h
		45	+++ b/src/core/ext/transport/chttp2/transport/internal.h
		46	@@ -542,8 +542,6 @@ struct grpc_chttp2_stream {
		47
		48	grpc_core::Timestamp deadline = grpc_core::Timestamp::InfFuture();
		49
		50	- /** saw some stream level error */
		51	- grpc_error_handle forced_close_error = GRPC_ERROR_NONE;
		52	/** how many header frames have we received? */
		53	uint8_t header_frames_received = 0;
		54	/** number of bytes received - reset at end of parse thread execution */
		55	diff --git a/src/core/ext/transport/chttp2/transport/parsing.cc b/src/core/ext/transport/chttp2/transport/parsing.cc
		56	index 980f13543f6..afe6da190b6 100644
		57	--- a/src/core/ext/transport/chttp2/transport/parsing.cc
		58	+++ b/src/core/ext/transport/chttp2/transport/parsing.cc
		59	@@ -22,6 +22,7 @@
		60	#include <string.h>
		61
		62	#include <string>
		63	+#include <utility>
		64
		65	#include "absl/base/attributes.h"
		66	#include "absl/status/status.h"
		67	@@ -719,10 +720,7 @@ static grpc_error_handle parse_frame_slice(grpc_chttp2_transport* t,
		68	}
		69	grpc_chttp2_parsing_become_skip_parser(t);
		70	if (s) {
		71	- s->forced_close_error = err;
		72	- grpc_chttp2_add_rst_stream_to_next_write(t, t->incoming_stream_id,
		73	- GRPC_HTTP2_PROTOCOL_ERROR,
		74	- &s->stats.outgoing);
		75	+ grpc_chttp2_cancel_stream(t, s, std::exchange(err, absl::OkStatus()));
		76	} else {
		77	GRPC_ERROR_UNREF(err);
		78	}
		79	--
		80	2.34.1
		81


diff --git a/meta-oe/recipes-devtools/grpc/grpc_1.50.1.bb b/meta-oe/recipes-devtools/grpc/grpc_1.50.1.bb index 7b8a25c277..b3956ce40c 100644 --- a/meta-oe/recipes-devtools/grpc/grpc_1.50.1.bb +++ b/meta-oe/recipes-devtools/grpc/grpc_1.50.1.bb
@@ -26,6 +26,7 @@ SRC_URI = "gitsm://github.com/grpc/grpc.git;protocol=https;name=grpc;branch=${BR
26	file://0001-Revert-Changed-GRPCPP_ABSEIL_SYNC-to-GPR_ABSEIL_SYNC.patch \	26	file://0001-Revert-Changed-GRPCPP_ABSEIL_SYNC-to-GPR_ABSEIL_SYNC.patch \
27	file://0001-cmake-add-separate-export-for-plugin-targets.patch \	27	file://0001-cmake-add-separate-export-for-plugin-targets.patch \
28	file://0001-cmake-Link-with-libatomic-on-rv32-rv64.patch \	28	file://0001-cmake-Link-with-libatomic-on-rv32-rv64.patch \
		29	file://0001-fix-CVE-2023-32732.patch \
29	"	30	"
30	# Fixes build with older compilers 4.8 especially on ubuntu 14.04	31	# Fixes build with older compilers 4.8 especially on ubuntu 14.04
31	CXXFLAGS:append:class-native = " -Wl,--no-as-needed"	32	CXXFLAGS:append:class-native = " -Wl,--no-as-needed"