microsoft
diff --git a/‎SPECS/kata-containers-cc/CVE-2023-44487.patch‎
Lines changed: 227 additions & 0 deletions b/‎SPECS/kata-containers-cc/CVE-2023-44487.patch‎
Lines changed: 227 additions & 0 deletions
diff --git a/‎SPECS/kata-containers-cc/kata-containers-cc.spec‎
Lines changed: 5 additions & 1 deletion b/‎SPECS/kata-containers-cc/kata-containers-cc.spec‎
Lines changed: 5 additions & 1 deletion
@@ -0,0 +1,227 @@
+From 99f0248a3060aa55599e867ece965119851f19c8 Mon Sep 17 00:00:00 2001
+From: Manuel Huber <mahuber@microsoft.com>
+Date: Wed, 5 Mar 2025 16:18:29 +0000
+Subject: [PATCH] runtime: fix CVE-2023-44487
+
+Fix this CVE in the grpc vendor dependency.
+First, apply 6eabd7e1834e47b20f55cbe9d473fc607c693358,
+then apply the actual CVE fix that was backported to the
+oldest version (1.53.0), i.e., commit
+5efd7bd73e11fea58d1c7f1c110902e78a286299 in modified form.
+Modified, because v1.47.0 does not yet have the _test files.
+
+Signed-off-by: Manuel Huber <mahuber@microsoft.com>
+---
+ .../grpc/internal/transport/http2_server.go   | 11 +--
+ .../vendor/google.golang.org/grpc/server.go   | 93 +++++++++++--------
+ 2 files changed, 59 insertions(+), 45 deletions(-)
+
+diff --git a/src/runtime/vendor/google.golang.org/grpc/internal/transport/http2_server.go b/src/runtime/vendor/google.golang.org/grpc/internal/transport/http2_server.go
+index 45d7bd145e..f5edd95f69 100644
+--- a/src/runtime/vendor/google.golang.org/grpc/internal/transport/http2_server.go
++++ b/src/runtime/vendor/google.golang.org/grpc/internal/transport/http2_server.go
+@@ -165,15 +165,10 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
+ 		ID:  http2.SettingMaxFrameSize,
+ 		Val: http2MaxFrameLen,
+ 	}}
+-	// TODO(zhaoq): Have a better way to signal "no limit" because 0 is
+-	// permitted in the HTTP2 spec.
+-	maxStreams := config.MaxStreams
+-	if maxStreams == 0 {
+-		maxStreams = math.MaxUint32
+-	} else {
++	if config.MaxStreams != math.MaxUint32 {
+ 		isettings = append(isettings, http2.Setting{
+ 			ID:  http2.SettingMaxConcurrentStreams,
+-			Val: maxStreams,
++			Val: config.MaxStreams,
+ 		})
+ 	}
+ 	dynamicWindow := true
+@@ -252,7 +247,7 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
+ 		framer:            framer,
+ 		readerDone:        make(chan struct{}),
+ 		writerDone:        make(chan struct{}),
+-		maxStreams:        maxStreams,
++		maxStreams:        config.MaxStreams,
+ 		inTapHandle:       config.InTapHandle,
+ 		fc:                &trInFlow{limit: uint32(icwz)},
+ 		state:             reachable,
+diff --git a/src/runtime/vendor/google.golang.org/grpc/server.go b/src/runtime/vendor/google.golang.org/grpc/server.go
+index 65de84b300..63dc911d65 100644
+--- a/src/runtime/vendor/google.golang.org/grpc/server.go
++++ b/src/runtime/vendor/google.golang.org/grpc/server.go
+@@ -43,7 +43,6 @@ import (
+ 	"google.golang.org/grpc/internal"
+ 	"google.golang.org/grpc/internal/binarylog"
+ 	"google.golang.org/grpc/internal/channelz"
+-	"google.golang.org/grpc/internal/grpcrand"
+ 	"google.golang.org/grpc/internal/grpcsync"
+ 	"google.golang.org/grpc/internal/transport"
+ 	"google.golang.org/grpc/keepalive"
+@@ -107,12 +106,6 @@ type serviceInfo struct {
+ 	mdata       interface{}
+ }
+ 
+-type serverWorkerData struct {
+-	st     transport.ServerTransport
+-	wg     *sync.WaitGroup
+-	stream *transport.Stream
+-}
+-
+ // Server is a gRPC server to serve RPC requests.
+ type Server struct {
+ 	opts serverOptions
+@@ -137,7 +130,7 @@ type Server struct {
+ 	channelzID *channelz.Identifier
+ 	czData     *channelzData
+ 
+-	serverWorkerChannels []chan *serverWorkerData
++	serverWorkerChannel chan func()
+ }
+ 
+ type serverOptions struct {
+@@ -168,6 +161,7 @@ type serverOptions struct {
+ }
+ 
+ var defaultServerOptions = serverOptions{
++	maxConcurrentStreams:  math.MaxUint32,
+ 	maxReceiveMessageSize: defaultServerMaxReceiveMessageSize,
+ 	maxSendMessageSize:    defaultServerMaxSendMessageSize,
+ 	connectionTimeout:     120 * time.Second,
+@@ -361,6 +355,9 @@ func MaxSendMsgSize(m int) ServerOption {
+ // MaxConcurrentStreams returns a ServerOption that will apply a limit on the number
+ // of concurrent streams to each ServerTransport.
+ func MaxConcurrentStreams(n uint32) ServerOption {
++	if n == 0 {
++		n = math.MaxUint32
++	}
+ 	return newFuncServerOption(func(o *serverOptions) {
+ 		o.maxConcurrentStreams = n
+ 	})
+@@ -520,40 +517,33 @@ func NumStreamWorkers(numServerWorkers uint32) ServerOption {
+ const serverWorkerResetThreshold = 1 << 16
+ 
+ // serverWorkers blocks on a *transport.Stream channel forever and waits for
+-// data to be fed by serveStreams. This allows different requests to be
++// data to be fed by serveStreams. This allows multiple requests to be
+ // processed by the same goroutine, removing the need for expensive stack
+ // re-allocations (see the runtime.morestack problem [1]).
+ //
+ // [1] https://github.com/golang/go/issues/18138
+-func (s *Server) serverWorker(ch chan *serverWorkerData) {
+-	// To make sure all server workers don't reset at the same time, choose a
+-	// random number of iterations before resetting.
+-	threshold := serverWorkerResetThreshold + grpcrand.Intn(serverWorkerResetThreshold)
+-	for completed := 0; completed < threshold; completed++ {
+-		data, ok := <-ch
++func (s *Server) serverWorker() {
++	for completed := 0; completed < serverWorkerResetThreshold; completed++ {
++		f, ok := <-s.serverWorkerChannel
+ 		if !ok {
+ 			return
+ 		}
+-		s.handleStream(data.st, data.stream, s.traceInfo(data.st, data.stream))
+-		data.wg.Done()
++		f()
+ 	}
+-	go s.serverWorker(ch)
++	go s.serverWorker()
+ }
+ 
+-// initServerWorkers creates worker goroutines and channels to process incoming
++// initServerWorkers creates worker goroutines and a channel to process incoming
+ // connections to reduce the time spent overall on runtime.morestack.
+ func (s *Server) initServerWorkers() {
+-	s.serverWorkerChannels = make([]chan *serverWorkerData, s.opts.numServerWorkers)
++	s.serverWorkerChannel = make(chan func())
+ 	for i := uint32(0); i < s.opts.numServerWorkers; i++ {
+-		s.serverWorkerChannels[i] = make(chan *serverWorkerData)
+-		go s.serverWorker(s.serverWorkerChannels[i])
++		go s.serverWorker()
+ 	}
+ }
+ 
+ func (s *Server) stopServerWorkers() {
+-	for i := uint32(0); i < s.opts.numServerWorkers; i++ {
+-		close(s.serverWorkerChannels[i])
+-	}
++	close(s.serverWorkerChannel)
+ }
+ 
+ // NewServer creates a gRPC server which has no service registered and has not
+@@ -902,26 +892,26 @@ func (s *Server) serveStreams(st transport.ServerTransport) {
+ 	defer st.Close()
+ 	var wg sync.WaitGroup
+ 
+-	var roundRobinCounter uint32
++	streamQuota := newHandlerQuota(s.opts.maxConcurrentStreams)
+ 	st.HandleStreams(func(stream *transport.Stream) {
+ 		wg.Add(1)
++
++		streamQuota.acquire()
++		f := func() {
++			defer streamQuota.release()
++			defer wg.Done()
++			s.handleStream(st, stream, s.traceInfo(st, stream))
++		}
++
+ 		if s.opts.numServerWorkers > 0 {
+-			data := &serverWorkerData{st: st, wg: &wg, stream: stream}
+ 			select {
+-			case s.serverWorkerChannels[atomic.AddUint32(&roundRobinCounter, 1)%s.opts.numServerWorkers] <- data:
++			case s.serverWorkerChannel <- f:
++				return
+ 			default:
+ 				// If all stream workers are busy, fallback to the default code path.
+-				go func() {
+-					s.handleStream(st, stream, s.traceInfo(st, stream))
+-					wg.Done()
+-				}()
+ 			}
+-		} else {
+-			go func() {
+-				defer wg.Done()
+-				s.handleStream(st, stream, s.traceInfo(st, stream))
+-			}()
+ 		}
++		go f()
+ 	}, func(ctx context.Context, method string) context.Context {
+ 		if !EnableTracing {
+ 			return ctx
+@@ -1885,3 +1875,32 @@ type channelzServer struct {
+ func (c *channelzServer) ChannelzMetric() *channelz.ServerInternalMetric {
+ 	return c.s.channelzMetric()
+ }
++
++// atomicSemaphore implements a blocking, counting semaphore. acquire should be
++// called synchronously; release may be called asynchronously.
++type atomicSemaphore struct {
++	n    int64
++	wait chan struct{}
++}
++
++func (q *atomicSemaphore) acquire() {
++	if atomic.AddInt64(&q.n, -1) < 0 {
++		// We ran out of quota.  Block until a release happens.
++		<-q.wait
++	}
++}
++
++func (q *atomicSemaphore) release() {
++	// N.B. the "<= 0" check below should allow for this to work with multiple
++	// concurrent calls to acquire, but also note that with synchronous calls to
++	// acquire, as our system does, n will never be less than -1.  There are
++	// fairness issues (queuing) to consider if this was to be generalized.
++	if atomic.AddInt64(&q.n, 1) <= 0 {
++		// An acquire was waiting on us.  Unblock it.
++		q.wait <- struct{}{}
++	}
++}
++
++func newHandlerQuota(n uint32) *atomicSemaphore {
++	return &atomicSemaphore{n: int64(n), wait: make(chan struct{}, 1)}
++}
+-- 
+2.39.4
+
@@ -13,7 +13,7 @@
 
 Name:         kata-containers-cc
 Version:      3.2.0.azl2
-Release:      5%{?dist}
+Release:      6%{?dist}
 Summary:      Kata Confidential Containers package developed for Confidential Containers on AKS
 License:      ASL 2.0
 Vendor:       Microsoft Corporation
@@ -24,6 +24,7 @@ Source2:      mariner-coco-build-uvm.sh
 Patch0:       CVE-2023-45288.patch
 Patch1:       CVE-2023-39325.patch
 Patch2:       CVE-2024-24786.patch
+Patch3:       CVE-2023-44487.patch
 
 ExclusiveArch: x86_64
 
@@ -291,6 +292,9 @@ install -D -m 0755 %{_builddir}/%{name}-%{version}/tools/osbuilder/image-builder
 %exclude %{osbuilder}/tools/osbuilder/rootfs-builder/ubuntu
 
 %changelog
+* Mon Mar 10 2025 Manuel Huber <mahuber@microsoft.com> - 3.2.0.azl2-6
+- Add patch for CVE-2023-44487
+
 * Wed Nov 27 2024 Aadhar Agarwal <aadagarwal@microsoft.com> - 3.2.0.azl2-5
 - Add patches for CVE-2023-45288, CVE-2023-39325 and CVE-2024-24786