golang/0010-release-branch.go1.19-net-textproto-mime-multipart-i.patch

From 7a359a651c7ebdb29e0a1c03102fce793e9f58f0 Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Thu, 16 Mar 2023 16:56:12 -0700
Subject: [PATCH] [release-branch.go1.19] net/textproto, mime/multipart:
 improve accounting of non-file data

For requests containing large numbers of small parts,
memory consumption of a parsed form could be about 250%
over the estimated size.

When considering the size of parsed forms, account for the size of
FileHeader structs and increase the estimate of memory consumed by
map entries.

Thanks to Jakob Ackermann (@das7pad) for reporting this issue.

For CVE-2023-24536
For #59153
For #59269

Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802454
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802396
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Change-Id: I31bc50e9346b4eee6fbe51a18c3c57230cc066db
Reviewed-on: https://go-review.googlesource.com/c/go/+/481984
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
---
 src/mime/multipart/formdata.go      |  9 +++--
 src/mime/multipart/formdata_test.go | 55 ++++++++++++-----------------
 src/net/textproto/reader.go         |  8 ++++-
 3 files changed, 37 insertions(+), 35 deletions(-)

diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go
index 975dcb6b26..3f6ff697ca 100644
--- a/src/mime/multipart/formdata.go
+++ b/src/mime/multipart/formdata.go
@@ -103,8 +103,9 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
 		// Multiple values for the same key (one map entry, longer slice) are cheaper
 		// than the same number of values for different keys (many map entries), but
 		// using a consistent per-value cost for overhead is simpler.
+		const mapEntryOverhead = 200
 		maxMemoryBytes -= int64(len(name))
-		maxMemoryBytes -= 100 // map overhead
+		maxMemoryBytes -= mapEntryOverhead
 		if maxMemoryBytes < 0 {
 			// We can't actually take this path, since nextPart would already have
 			// rejected the MIME headers for being too large. Check anyway.
@@ -128,7 +129,10 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
 		}
 
 		// file, store in memory or on disk
+		const fileHeaderSize = 100
 		maxMemoryBytes -= mimeHeaderSize(p.Header)
+		maxMemoryBytes -= mapEntryOverhead
+		maxMemoryBytes -= fileHeaderSize
 		if maxMemoryBytes < 0 {
 			return nil, ErrMessageTooLarge
 		}
@@ -183,9 +187,10 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
 }
 
 func mimeHeaderSize(h textproto.MIMEHeader) (size int64) {
+	size = 400
 	for k, vs := range h {
 		size += int64(len(k))
-		size += 100 // map entry overhead
+		size += 200 // map entry overhead
 		for _, v := range vs {
 			size += int64(len(v))
 		}
diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
index f5b56083b2..8ed26e0c34 100644
--- a/src/mime/multipart/formdata_test.go
+++ b/src/mime/multipart/formdata_test.go
@@ -192,10 +192,10 @@ func (r *failOnReadAfterErrorReader) Read(p []byte) (n int, err error) {
 // TestReadForm_NonFileMaxMemory asserts that the ReadForm maxMemory limit is applied
 // while processing non-file form data as well as file form data.
 func TestReadForm_NonFileMaxMemory(t *testing.T) {
-	n := 10<<20 + 25
 	if testing.Short() {
-		n = 10<<10 + 25
+		t.Skip("skipping in -short mode")
 	}
+	n := 10 << 20
 	largeTextValue := strings.Repeat("1", n)
 	message := `--MyBoundary
 Content-Disposition: form-data; name="largetext"
@@ -203,38 +203,29 @@ Content-Disposition: form-data; name="largetext"
 ` + largeTextValue + `
 --MyBoundary--
 `
-
 	testBody := strings.ReplaceAll(message, "\n", "\r\n")
-	testCases := []struct {
-		name      string
-		maxMemory int64
-		err       error
-	}{
-		{"smaller", 50 + int64(len("largetext")) + 100, nil},
-		{"exact-fit", 25 + int64(len("largetext")) + 100, nil},
-		{"too-large", 0, ErrMessageTooLarge},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			if tc.maxMemory == 0 && testing.Short() {
-				t.Skip("skipping in -short mode")
-			}
-			b := strings.NewReader(testBody)
-			r := NewReader(b, boundary)
-			f, err := r.ReadForm(tc.maxMemory)
-			if err == nil {
-				defer f.RemoveAll()
-			}
-			if tc.err != err {
-				t.Fatalf("ReadForm error - got: %v; expected: %v", err, tc.err)
-			}
-			if err == nil {
-				if g := f.Value["largetext"][0]; g != largeTextValue {
-					t.Errorf("largetext mismatch: got size: %v, expected size: %v", len(g), len(largeTextValue))
-				}
-			}
-		})
+	// Try parsing the form with increasing maxMemory values.
+	// Changes in how we account for non-file form data may cause the exact point
+	// where we change from rejecting the form as too large to accepting it to vary,
+	// but we should see both successes and failures.
+	const failWhenMaxMemoryLessThan = 128
+	for maxMemory := int64(0); maxMemory < failWhenMaxMemoryLessThan*2; maxMemory += 16 {
+		b := strings.NewReader(testBody)
+		r := NewReader(b, boundary)
+		f, err := r.ReadForm(maxMemory)
+		if err != nil {
+			continue
+		}
+		if g := f.Value["largetext"][0]; g != largeTextValue {
+			t.Errorf("largetext mismatch: got size: %v, expected size: %v", len(g), len(largeTextValue))
+		}
+		f.RemoveAll()
+		if maxMemory < failWhenMaxMemoryLessThan {
+			t.Errorf("ReadForm(%v): no error, expect to hit memory limit when maxMemory < %v", maxMemory, failWhenMaxMemoryLessThan)
+		}
+		return
 	}
+	t.Errorf("ReadForm(x) failed for x < 1024, expect success")
 }
 
 // TestReadForm_MetadataTooLarge verifies that we account for the size of field names,
diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
index 9a21777df8..c1284fde25 100644
--- a/src/net/textproto/reader.go
+++ b/src/net/textproto/reader.go
@@ -503,6 +503,12 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) {
 
 	m := make(MIMEHeader, hint)
 
+	// Account for 400 bytes of overhead for the MIMEHeader, plus 200 bytes per entry.
+	// Benchmarking map creation as of go1.20, a one-entry MIMEHeader is 416 bytes and large
+	// MIMEHeaders average about 200 bytes per entry.
+	lim -= 400
+	const mapEntryOverhead = 200
+
 	// The first line cannot start with a leading space.
 	if buf, err := r.R.Peek(1); err == nil && (buf[0] == ' ' || buf[0] == '\t') {
 		line, err := r.readLineSlice()
@@ -538,7 +544,7 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) {
 		vv := m[key]
 		if vv == nil {
 			lim -= int64(len(key))
-			lim -= 100 // map entry overhead
+			lim -= mapEntryOverhead
 		}
 		lim -= int64(len(value))
 		if lim < 0 {
-- 
2.37.1
[Backport] fix some CVE CVE num upstream commit openEuler patch CVE-2023-29400 9db0e74f606b8afb28cc71d4b1c8b4ed24cabbf5 0016-release-branch.go1.19-html-template-emit-filterFails.patch CVE-2023-24540 ce7bd33345416e6d8cac901792060591cafc2797 0015-release-branch.go1.19-html-template-handle-all-JS-wh.patch CVE-2023-24539 e49282327b05192e46086bf25fd3ac691205fe80 0014-release-branch.go1.19-html-template-disallow-angle-b.patch CVE-2023-24538 b1e3ecfa06b67014429a197ec5e134ce4303ad9b 0013-release-branch.go1.19-html-template-disallow-actions.patch CVE-2023-24537 126a1d02da82f93ede7ce0bd8d3c51ef627f2104 0012-release-branch.go1.19-go-scanner-reject-large-line-a.patch CVE-2023-24536 7917b5f31204528ea72e0629f0b7d52b35b27538 0011-release-branch.go1.19-mime-multipart-limit-parsed-mi.patch CVE-2023-24536 7a359a651c7ebdb29e0a1c03102fce793e9f58f0 0010-release-branch.go1.19-net-textproto-mime-multipart-i.patch CVE-2023-24536 ef41a4e2face45e580c5836eaebd51629fc23f15 0009-release-branch.go1.19-mime-multipart-avoid-excessive.patch CVE-2023-24534 d6759e7a059f4208f07aa781402841d7ddaaef96 0008-release-branch.go1.19-net-textproto-avoid-overpredic.patch CVE-2023-24532 639b67ed114151c0d786aa26e7faeab942400703 0007-release-branch.go1.19-crypto-internal-nistec-reduce-.patch CVE-2022-41723 5c3e11bd0b5c0a86e5beffcd4339b86a902b21c3 0006-release-branch.go1.19-net-http-update-bundled-golang.patch CVE-2022-41724 00b256e9e3c0fa02a278ec9dfc3e191e02ceaf80 0005-release-branch.go1.19-crypto-tls-replace-all-usages-.patch CVE-2022-41725 5c55ac9bf1e5f779220294c843526536605f42ab 0004-release-branch.go1.19-mime-multipart-limit-memory-in.patch CVE-2022-41722 3345ddca41f00f9ed6fc3c1a36f6e2bede02d7ff 0003-release-branch.go1.19-path-filepath-do-not-Clean-a-..patch Signed-off-by: zhangzhihui <zhangzhihui@xfusion.com> 2023-05-10 15:59:54 +08:00			`From 7a359a651c7ebdb29e0a1c03102fce793e9f58f0 Mon Sep 17 00:00:00 2001`
			`From: Damien Neil <dneil@google.com>`
			`Date: Thu, 16 Mar 2023 16:56:12 -0700`
			`Subject: [PATCH] [release-branch.go1.19] net/textproto, mime/multipart:`
			`improve accounting of non-file data`

			`For requests containing large numbers of small parts,`
			`memory consumption of a parsed form could be about 250%`
			`over the estimated size.`

			`When considering the size of parsed forms, account for the size of`
			`FileHeader structs and increase the estimate of memory consumed by`
			`map entries.`

			`Thanks to Jakob Ackermann (@das7pad) for reporting this issue.`

			`For CVE-2023-24536`
			`For #59153`
			`For #59269`

			`Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802454`
			`Run-TryBot: Damien Neil <dneil@google.com>`
			`Reviewed-by: Roland Shoemaker <bracewell@google.com>`
			`Reviewed-by: Julie Qiu <julieqiu@google.com>`
			`Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802396`
			`Run-TryBot: Roland Shoemaker <bracewell@google.com>`
			`Reviewed-by: Damien Neil <dneil@google.com>`
			`Change-Id: I31bc50e9346b4eee6fbe51a18c3c57230cc066db`
			`Reviewed-on: https://go-review.googlesource.com/c/go/+/481984`
			`Reviewed-by: Matthew Dempsky <mdempsky@google.com>`
			`Auto-Submit: Michael Knyszek <mknyszek@google.com>`
			`TryBot-Result: Gopher Robot <gobot@golang.org>`
			`Run-TryBot: Michael Knyszek <mknyszek@google.com>`
			`---`
			`src/mime/multipart/formdata.go \| 9 +++--`
			`src/mime/multipart/formdata_test.go \| 55 ++++++++++++-----------------`
			`src/net/textproto/reader.go \| 8 ++++-`
			`3 files changed, 37 insertions(+), 35 deletions(-)`

			`diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go`
			`index 975dcb6b26..3f6ff697ca 100644`
			`--- a/src/mime/multipart/formdata.go`
			`+++ b/src/mime/multipart/formdata.go`
			`@@ -103,8 +103,9 @@ func (r Reader) readForm(maxMemory int64) (_ Form, err error) {`
			`// Multiple values for the same key (one map entry, longer slice) are cheaper`
			`// than the same number of values for different keys (many map entries), but`
			`// using a consistent per-value cost for overhead is simpler.`
			`+ const mapEntryOverhead = 200`
			`maxMemoryBytes -= int64(len(name))`
			`- maxMemoryBytes -= 100 // map overhead`
			`+ maxMemoryBytes -= mapEntryOverhead`
			`if maxMemoryBytes < 0 {`
			`// We can't actually take this path, since nextPart would already have`
			`// rejected the MIME headers for being too large. Check anyway.`
			`@@ -128,7 +129,10 @@ func (r Reader) readForm(maxMemory int64) (_ Form, err error) {`
			`}`

			`// file, store in memory or on disk`
			`+ const fileHeaderSize = 100`
			`maxMemoryBytes -= mimeHeaderSize(p.Header)`
			`+ maxMemoryBytes -= mapEntryOverhead`
			`+ maxMemoryBytes -= fileHeaderSize`
			`if maxMemoryBytes < 0 {`
			`return nil, ErrMessageTooLarge`
			`}`
			`@@ -183,9 +187,10 @@ func (r Reader) readForm(maxMemory int64) (_ Form, err error) {`
			`}`

			`func mimeHeaderSize(h textproto.MIMEHeader) (size int64) {`
			`+ size = 400`
			`for k, vs := range h {`
			`size += int64(len(k))`
			`- size += 100 // map entry overhead`
			`+ size += 200 // map entry overhead`
			`for _, v := range vs {`
			`size += int64(len(v))`
			`}`
			`diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go`
			`index f5b56083b2..8ed26e0c34 100644`
			`--- a/src/mime/multipart/formdata_test.go`
			`+++ b/src/mime/multipart/formdata_test.go`
			`@@ -192,10 +192,10 @@ func (r *failOnReadAfterErrorReader) Read(p []byte) (n int, err error) {`
			`// TestReadForm_NonFileMaxMemory asserts that the ReadForm maxMemory limit is applied`
			`// while processing non-file form data as well as file form data.`
			`func TestReadForm_NonFileMaxMemory(t *testing.T) {`
			`- n := 10<<20 + 25`
			`if testing.Short() {`
			`- n = 10<<10 + 25`
			`+ t.Skip("skipping in -short mode")`
			`}`
			`+ n := 10 << 20`
			`largeTextValue := strings.Repeat("1", n)`
			message := `--MyBoundary
			`Content-Disposition: form-data; name="largetext"`
			`@@ -203,38 +203,29 @@ Content-Disposition: form-data; name="largetext"`
			` + largeTextValue + `
			`--MyBoundary--`
			`
			`-`
			`testBody := strings.ReplaceAll(message, "\n", "\r\n")`
			`- testCases := []struct {`
			`- name string`
			`- maxMemory int64`
			`- err error`
			`- }{`
			`- {"smaller", 50 + int64(len("largetext")) + 100, nil},`
			`- {"exact-fit", 25 + int64(len("largetext")) + 100, nil},`
			`- {"too-large", 0, ErrMessageTooLarge},`
			`- }`
			`- for _, tc := range testCases {`
			`- t.Run(tc.name, func(t *testing.T) {`
			`- if tc.maxMemory == 0 && testing.Short() {`
			`- t.Skip("skipping in -short mode")`
			`- }`
			`- b := strings.NewReader(testBody)`
			`- r := NewReader(b, boundary)`
			`- f, err := r.ReadForm(tc.maxMemory)`
			`- if err == nil {`
			`- defer f.RemoveAll()`
			`- }`
			`- if tc.err != err {`
			`- t.Fatalf("ReadForm error - got: %v; expected: %v", err, tc.err)`
			`- }`
			`- if err == nil {`
			`- if g := f.Value["largetext"][0]; g != largeTextValue {`
			`- t.Errorf("largetext mismatch: got size: %v, expected size: %v", len(g), len(largeTextValue))`
			`- }`
			`- }`
			`- })`
			`+ // Try parsing the form with increasing maxMemory values.`
			`+ // Changes in how we account for non-file form data may cause the exact point`
			`+ // where we change from rejecting the form as too large to accepting it to vary,`
			`+ // but we should see both successes and failures.`
			`+ const failWhenMaxMemoryLessThan = 128`
			`+ for maxMemory := int64(0); maxMemory < failWhenMaxMemoryLessThan*2; maxMemory += 16 {`
			`+ b := strings.NewReader(testBody)`
			`+ r := NewReader(b, boundary)`
			`+ f, err := r.ReadForm(maxMemory)`
			`+ if err != nil {`
			`+ continue`
			`+ }`
			`+ if g := f.Value["largetext"][0]; g != largeTextValue {`
			`+ t.Errorf("largetext mismatch: got size: %v, expected size: %v", len(g), len(largeTextValue))`
			`+ }`
			`+ f.RemoveAll()`
			`+ if maxMemory < failWhenMaxMemoryLessThan {`
			`+ t.Errorf("ReadForm(%v): no error, expect to hit memory limit when maxMemory < %v", maxMemory, failWhenMaxMemoryLessThan)`
			`+ }`
			`+ return`
			`}`
			`+ t.Errorf("ReadForm(x) failed for x < 1024, expect success")`
			`}`

			`// TestReadForm_MetadataTooLarge verifies that we account for the size of field names,`
			`diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go`
			`index 9a21777df8..c1284fde25 100644`
			`--- a/src/net/textproto/reader.go`
			`+++ b/src/net/textproto/reader.go`
			`@@ -503,6 +503,12 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) {`

			`m := make(MIMEHeader, hint)`

			`+ // Account for 400 bytes of overhead for the MIMEHeader, plus 200 bytes per entry.`
			`+ // Benchmarking map creation as of go1.20, a one-entry MIMEHeader is 416 bytes and large`
			`+ // MIMEHeaders average about 200 bytes per entry.`
			`+ lim -= 400`
			`+ const mapEntryOverhead = 200`
			`+`
			`// The first line cannot start with a leading space.`
			`if buf, err := r.R.Peek(1); err == nil && (buf[0] == ' ' \|\| buf[0] == '\t') {`
			`line, err := r.readLineSlice()`
			`@@ -538,7 +544,7 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) {`
			`vv := m[key]`
			`if vv == nil {`
			`lim -= int64(len(key))`
			`- lim -= 100 // map entry overhead`
			`+ lim -= mapEntryOverhead`
			`}`
			`lim -= int64(len(value))`
			`if lim < 0 {`
			`--`
			`2.37.1`