fix CVE-2020-11100

CVE-2020-11100.patch

@@ -0,0 +1,52 @@
+From 5dfc5d5cd0d2128d77253ead3acf03a421ab5b88 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Sun, 29 Mar 2020 08:53:31 +0200
+Subject: [PATCH 1/1] BUG/CRITICAL: hpack: never index a header into the
+ headroom after wrapping
+
+The HPACK header table is implemented as a wrapping list inside a contigous
+area. Headers names and values are stored from right to left while indexes
+are stored from left to right. When there's no more room to store a new one,
+we wrap to the right again, or possibly defragment it if needed. The condition
+do use the right part (called tailroom) or the left part (called headroom)
+depends on the location of the last inserted header. After wrapping happens,
+the code forces to stick to tailroom by pretending there's no more headroom,
+so that the size fit test always fails. The problem is that nothing prevents
+from storing a header with an empty name and empty value, resulting in a
+total size of zero bytes, which satisfies the condition to use the headroom.
+Doing this in a wrapped buffer results in changing the "front" header index
+and causing miscalculations on the available size and the addresses of the
+next headers. This may even allow to overwrite some parts of the index,
+opening the possibility to perform arbitrary writes into a 32-bit relative
+address space.
+
+This patch fixes the issue by making sure the headroom is considered only
+when the buffer does not wrap, instead of relying on the zero size. This
+must be backported to all versions supporting H2, which is as far as 1.8.
+
+Many thanks to Felix Wilhelm of Google Project Zero for responsibly
+reporting this problem with a reproducer and a detailed analysis.
+CVE-2020-11100 was assigned to this issue.
+---
+ src/hpack-tbl.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/hpack-tbl.c b/src/hpack-tbl.c
+index 70d7f35..727ff7a 100644
+--- a/src/hpack-tbl.c
++++ b/src/hpack-tbl.c
+@@ -346,9 +346,9 @@ int hpack_dht_insert(struct hpack_dht *dht, struct ist name, struct ist value)
+ 	 * room left in the tail to suit the protocol, but tests show that in
+ 	 * practice it almost never happens in other situations so the extra
+ 	 * test is useless and we simply fill the headroom as long as it's
+-	 * available.
++	 * available and we don't wrap.
+ 	 */
+-	if (headroom >= name.len + value.len) {
++	if (prev == dht->front && headroom >= name.len + value.len) {
+ 		/* install upfront and update ->front */
+ 		dht->dte[head].addr = dht->dte[dht->front].addr - (name.len + value.len);
+ 		dht->front = head;
+-- 
+1.7.10.4
+

haproxy.spec

@@ -5,7 +5,7 @@
 
 Name:             haproxy
 Version:          1.8.14
-Release:          4
+Release:          5
 Summary:          The Reliable, High Performance TCP/HTTP Load Balancer
 
 License:          GPLv2+
@@ -19,6 +19,7 @@ Source4:          %{name}.sysconfig
 Patch6000:	  CVE-2018-20615-BUG-CRITICAL-mux-h2-re-check-the-frame-length-when-P.patch
 Patch6001:	  CVE-2018-20103.patch
 Patch6002:	  CVE-2018-20102.patch
+Patch6003:        CVE-2020-11100.patch
 
 BuildRequires:    gcc lua-devel pcre-devel zlib-devel openssl-devel systemd-devel systemd-units
 Requires(pre):    shadow-utils
@@ -125,5 +126,11 @@ exit 0
 %{_mandir}/man1/*
 
 %changelog
+* Thu May 7 2020 cuibaobao <cuibaobao1@huawei.com> - 1.8.14-5
+- Type:cves
+- ID: CVE-2020-11100
+- SUG:restart
+- DESC: fix CVE-2020-11100
+
 * Wed Dec 4 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.14-4
 - Package init