[AUTO-CHERRYPICK] Fix CVE-2023-44487 in local-path-provisioner - branch 3.0-dev (#12812)

Co-authored-by: corvus-callidus <[email protected]>

Author: CBL-Mariner-Bot

SPECS/local-path-provisioner/CVE-2023-44487.patch

@@ -0,0 +1,77 @@
+From a0fd4b065528566eec54fe207aa5e3131babc378 Mon Sep 17 00:00:00 2001
+From: Monis Khan <[email protected]>
+Date: Sat, 7 Oct 2023 21:50:37 -0400
+Subject: [PATCH] Prevent rapid reset http2 DOS on API server
+
+This change fully addresses CVE-2023-44487 and CVE-2023-39325 for
+the API server when the client is unauthenticated.
+
+The changes to util/runtime are required because otherwise a large
+number of requests can get blocked on the time.Sleep calls.
+
+For unauthenticated clients (either via 401 or the anonymous user),
+we simply no longer allow such clients to hold open http2
+connections.  They can use http2, but with the performance of http1
+(with keep-alive disabled).
+
+Since this change has the potential to cause issues, the
+UnauthenticatedHTTP2DOSMitigation feature gate can be disabled to
+remove this protection (it is enabled by default).  For example,
+when the API server is fronted by an L7 load balancer that is set up
+to mitigate http2 attacks, unauthenticated clients could force
+disable connection reuse between the load balancer and the API
+server (many incoming connections could share the same backend
+connection).  An API server that is on a private network may opt to
+disable this protection to prevent performance regressions for
+unauthenticated clients.
+
+For all other clients, we rely on the golang.org/x/net fix in
+https://github.com/golang/net/commit/b225e7ca6dde1ef5a5ae5ce922861bda011cfabd
+That change is not sufficient to adequately protect against a
+motivated client - future changes to Kube and/or golang.org/x/net
+will be explored to address this gap.
+
+The Kube API server now uses a max stream of 100 instead of 250
+(this matches the Go http2 client default).  This lowers the abuse
+limit from 1000 to 400.
+
+Signed-off-by: Monis Khan <[email protected]>
+
+Modified-by: corvus-callidus <[email protected]>
+- Adjust paths to apply to AzL3 package source
+- Remove runtime_test.go portion of patch since AzL3 package source doesn't
+  contain that file
+
+Kubernetes-commit: 800a8eaba7f25bd223fefe6e7613e39a5d7f1eeb
+---
+ vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go      | 15 +++++++++------
+ 1 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go b/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go
+index d738725ca..3674914f7 100644
+--- a/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go
++++ b/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go
+@@ -126,14 +126,17 @@ type rudimentaryErrorBackoff struct {
+ // OnError will block if it is called more often than the embedded period time.
+ // This will prevent overly tight hot error loops.
+ func (r *rudimentaryErrorBackoff) OnError(error) {
++	now := time.Now() // start the timer before acquiring the lock
+ 	r.lastErrorTimeLock.Lock()
+-	defer r.lastErrorTimeLock.Unlock()
+-	d := time.Since(r.lastErrorTime)
+-	if d < r.minPeriod {
+-		// If the time moves backwards for any reason, do nothing
+-		time.Sleep(r.minPeriod - d)
+-	}
++	d := now.Sub(r.lastErrorTime)
+ 	r.lastErrorTime = time.Now()
++	r.lastErrorTimeLock.Unlock()
++
++	// Do not sleep with the lock held because that causes all callers of HandleError to block.
++	// We only want the current goroutine to block.
++	// A negative or zero duration causes time.Sleep to return immediately.
++	// If the time moves backwards for any reason, do nothing.
++	time.Sleep(r.minPeriod - d)
+ }
+ 
+ // GetCaller returns the caller of the function that calls it.

SPECS/local-path-provisioner/local-path-provisioner.spec

@@ -1,16 +1,17 @@
 Summary:        Provides a way for the Kubernetes users to utilize the local storage in each node
 Name:           local-path-provisioner
 Version:        0.0.24
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        ASL 2.0
 URL:            https://github.com/rancher/local-path-provisioner
 Group:          Applications/Text
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Source0:        https://github.com/rancher/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
-#Note that the source file should be renamed to the format {name}-%{version}.tar.gz
+#Note that the source file should be renamed to the format {name}-%%{version}.tar.gz
 Patch0:         CVE-2023-45288.patch
 Patch1:         CVE-2023-39325.patch
+Patch2:         CVE-2023-44487.patch
 BuildRequires: golang
 
 %description
@@ -31,6 +32,9 @@ install local-path-provisioner %{buildroot}%{_bindir}/local-path-provisioner
 %{_bindir}/local-path-provisioner
 
 %changelog
+* Tue Mar 04 2025 corvus-callidus <[email protected]> - 0.0.24-4
+* Address CVE-2023-44487
+
 * Fri Feb 14 2025 Kanishk Bansal <[email protected]> - 0.0.24-3
 - Address CVE-2023-45288, CVE-2023-39325