!4 fix cve-2020-11100

Merge pull request !4 from cuibb1/master
2020-05-13 13:53:36 +08:00 · 2020-05-13 13:53:36 +08:00 · 4564787683
commit 4564787683
parent 387a68e795 f9317ca885
2 changed files with 60 additions and 1 deletions
--- a/CVE-2020-11100.patch
+++ b/CVE-2020-11100.patch
@ -0,0 +1,52 @@
 From 5dfc5d5cd0d2128d77253ead3acf03a421ab5b88 Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Sun, 29 Mar 2020 08:53:31 +0200
 Subject: [PATCH 1/1] BUG/CRITICAL: hpack: never index a header into the
 headroom after wrapping
 The HPACK header table is implemented as a wrapping list inside a contigous
 area. Headers names and values are stored from right to left while indexes
 are stored from left to right. When there's no more room to store a new one,
 we wrap to the right again, or possibly defragment it if needed. The condition
 do use the right part (called tailroom) or the left part (called headroom)
 depends on the location of the last inserted header. After wrapping happens,
 the code forces to stick to tailroom by pretending there's no more headroom,
 so that the size fit test always fails. The problem is that nothing prevents
 from storing a header with an empty name and empty value, resulting in a
 total size of zero bytes, which satisfies the condition to use the headroom.
 Doing this in a wrapped buffer results in changing the "front" header index
 and causing miscalculations on the available size and the addresses of the
 next headers. This may even allow to overwrite some parts of the index,
 opening the possibility to perform arbitrary writes into a 32-bit relative
 address space.
 This patch fixes the issue by making sure the headroom is considered only
 when the buffer does not wrap, instead of relying on the zero size. This
 must be backported to all versions supporting H2, which is as far as 1.8.
 Many thanks to Felix Wilhelm of Google Project Zero for responsibly
 reporting this problem with a reproducer and a detailed analysis.
 CVE-2020-11100 was assigned to this issue.
 ---
 src/hpack-tbl.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/hpack-tbl.c b/src/hpack-tbl.c
 index 70d7f35..727ff7a 100644
 --- a/src/hpack-tbl.c
 +++ b/src/hpack-tbl.c
@@ -346,9 +346,9 @@ int hpack_dht_insert(struct hpack_dht *dht, struct ist name, struct ist value)
 	 * room left in the tail to suit the protocol, but tests show that in
 	 * practice it almost never happens in other situations so the extra
 	 * test is useless and we simply fill the headroom as long as it's
 -	 * available.
 +	 * available and we don't wrap.
 	 */
 -	if (headroom >= name.len + value.len) {
 +	if (prev == dht->front && headroom >= name.len + value.len) {
 		/* install upfront and update ->front */
 		dht->dte[head].addr = dht->dte[dht->front].addr - (name.len + value.len);
 		dht->front = head;
 -- 
 1.7.10.4
--- a/haproxy.spec
+++ b/haproxy.spec
@ -5,7 +5,7 @@
 Name:             haproxy
 Version:          1.8.14
-Release:          4
+Release:          5
 Summary:          The Reliable, High Performance TCP/HTTP Load Balancer
 License:          GPLv2+
@ -19,6 +19,7 @@ Source4:          %{name}.sysconfig
 Patch6000:	  CVE-2018-20615-BUG-CRITICAL-mux-h2-re-check-the-frame-length-when-P.patch
 Patch6001:	  CVE-2018-20103.patch
 Patch6002:	  CVE-2018-20102.patch
 Patch6003:        CVE-2020-11100.patch
 BuildRequires:    gcc lua-devel pcre-devel zlib-devel openssl-devel systemd-devel systemd-units
 Requires(pre):    shadow-utils
@ -125,5 +126,11 @@ exit 0
 %{_mandir}/man1/*
 %changelog
 * Thu May 7 2020 cuibaobao <cuibaobao1@huawei.com> - 1.8.14-5
 - Type:cves
 - ID: CVE-2020-11100
 - SUG:restart
 - DESC: fix CVE-2020-11100
 * Wed Dec 4 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.14-4
 - Package init