CVE-2022-43548

2022-11-09 18:31:33 +08:00 · 2022-11-09 18:31:33 +08:00 · 835d3dd113
commit 835d3dd113
parent 0ca2b75e6e
4 changed files with 402 additions and 1 deletions
--- a/CVE-2022-43548-pre-1.patch
+++ b/CVE-2022-43548-pre-1.patch
@ -0,0 +1,131 @@
+From 1aa5036c31ac2a9b2a2528af454675ad412f1464 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= <tniessen@tnie.de>
+Date: Fri, 27 May 2022 21:18:49 +0000
+Subject: [PATCH] src: fix IPv4 validation in inspector_socket
+
+Co-authored-by: RafaelGSS <rafael.nunu@hotmail.com>
+
+Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
+Reviewed-By: RafaelGSS <rafael.nunu@hotmail.com>
+PR-URL: https://github.com/nodejs-private/node-private/pull/320
+CVE-ID: CVE-2022-32212
+---
+ src/inspector_socket.cc              | 18 +++++--
+ test/cctest/test_inspector_socket.cc | 74 ++++++++++++++++++++++++++++
+ 2 files changed, 87 insertions(+), 5 deletions(-)
+
+diff --git a/src/inspector_socket.cc b/src/inspector_socket.cc
+index 1650c3fe01de..79b50e6a452d 100644
+--- a/src/inspector_socket.cc
+++ b/src/inspector_socket.cc
+@@ -164,14 +164,22 @@ static std::string TrimPort(const std::string& host) {
+ static bool IsIPAddress(const std::string& host) {
+   if (host.length() >= 4 && host.front() == '[' && host.back() == ']')
+     return true;
+-  int quads = 0;
+  uint_fast16_t accum = 0;
+  uint_fast8_t quads = 0;
+  bool empty = true;
+  auto endOctet = [&accum, &quads, &empty](bool final = false) {
+    return !empty && accum <= 0xff && ++quads <= 4 && final == (quads == 4) &&
+           (empty = true) && !(accum = 0);
+  };
+   for (char c : host) {
+-    if (c == '.')
+-      quads++;
+-    else if (!isdigit(c))
+    if (isdigit(c)) {
+      if ((accum = (accum * 10) + (c - '0')) > 0xff) return false;
+      empty = false;
+    } else if (c != '.' || !endOctet()) {
+       return false;
+    }
+   }
+-  return quads == 3;
+  return endOctet(true);
+ }
+ 
+ // Constants for hybi-10 frame format.
+diff --git a/test/cctest/test_inspector_socket.cc b/test/cctest/test_inspector_socket.cc
+index dc8cd962141e..c740d961d9b7 100644
+--- a/test/cctest/test_inspector_socket.cc
+++ b/test/cctest/test_inspector_socket.cc
+@@ -851,4 +851,78 @@ TEST_F(InspectorSocketTest, HostCheckedForUPGRADE) {
+   expect_failure_no_delegate(UPGRADE_REQUEST);
+ }
+ 
+TEST_F(InspectorSocketTest, HostIPChecked) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: 10.0.2.555:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostNegativeIPChecked) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: 10.0.-23.255:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpOctetOutOfIntRangeChecked) {
+  const std::string INVALID_HOST_IP_REQUEST =
+      "GET /json HTTP/1.1\r\n"
+      "Host: 127.0.0.4294967296:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpOctetFarOutOfIntRangeChecked) {
+  const std::string INVALID_HOST_IP_REQUEST =
+      "GET /json HTTP/1.1\r\n"
+      "Host: 127.0.0.18446744073709552000:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpEmptyOctetStartChecked) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: .0.0.1:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpEmptyOctetMidChecked) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: 127..0.1:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpEmptyOctetEndChecked) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: 127.0.0.:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpTooFewOctetsChecked) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: 127.0.1:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpTooManyOctetsChecked) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: 127.0.0.0.1:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+ }  // anonymous namespace
--- a/CVE-2022-43548-pre-2.patch
+++ b/CVE-2022-43548-pre-2.patch
@ -0,0 +1,48 @@
+From b358fb27a4253c6827378a64163448c04301e19c Mon Sep 17 00:00:00 2001
+From: RafaelGSS <rafael.nunu@hotmail.com>
+Date: Wed, 13 Jul 2022 13:20:22 -0300
+Subject: [PATCH] src: fix IPv4 non routable validation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
+Reviewed-By: James M Snell <jasnell@gmail.com>
+Reviewed-By: Tobias Nießen <tniessen@tnie.de>
+Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
+PR-URL: https://github.com/nodejs-private/node-private/pull/337
+CVE-ID: CVE-2022-32212, CVE-2018-7160
+---
+ src/inspector_socket.cc              | 1 +
+ test/cctest/test_inspector_socket.cc | 8 ++++++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/src/inspector_socket.cc b/src/inspector_socket.cc
+index 79b50e6a452d..ab1cdf1fa5bd 100644
+--- a/src/inspector_socket.cc
+++ b/src/inspector_socket.cc
+@@ -164,6 +164,7 @@ static std::string TrimPort(const std::string& host) {
+ static bool IsIPAddress(const std::string& host) {
+   if (host.length() >= 4 && host.front() == '[' && host.back() == ']')
+     return true;
+  if (host.front() == '0') return false;
+   uint_fast16_t accum = 0;
+   uint_fast8_t quads = 0;
+   bool empty = true;
+diff --git a/test/cctest/test_inspector_socket.cc b/test/cctest/test_inspector_socket.cc
+index c740d961d9b7..6ae92c4b27e2 100644
+--- a/test/cctest/test_inspector_socket.cc
+++ b/test/cctest/test_inspector_socket.cc
+@@ -925,4 +925,12 @@ TEST_F(InspectorSocketTest, HostIpTooManyOctetsChecked) {
+   expect_handshake_failure();
+ }
+ 
+TEST_F(InspectorSocketTest, HostIPNonRoutable) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: 0.0.0.0:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+ }  // anonymous namespace
--- a/CVE-2022-43548.patch
+++ b/CVE-2022-43548.patch
@ -0,0 +1,216 @@
+From 2b433af094fb79cf80f086038b7f36342cb6826f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= <tniessen@tnie.de>
+Date: Sun, 25 Sep 2022 12:34:05 +0000
+Subject: [PATCH] inspector: harden IP address validation again
+
+Use inet_pton() to parse IP addresses, which restricts IP addresses
+to a small number of well-defined formats. In particular, octal and
+hexadecimal number formats are not allowed, and neither are leading
+zeros. Also explicitly reject 0.0.0.0/8 and ::/128 as non-routable.
+
+Refs: https://hackerone.com/reports/1710652
+CVE-ID: CVE-2022-43548
+PR-URL: https://github.com/nodejs-private/node-private/pull/354
+Reviewed-by: Michael Dawson <midawson@redhat.com>
+Reviewed-by: Rafael Gonzaga <rafael.nunu@hotmail.com>
+Reviewed-by: Rich Trott <rtrott@gmail.com>
+---
+ src/inspector_socket.cc              | 78 +++++++++++++++++++++------
+ test/cctest/test_inspector_socket.cc | 80 ++++++++++++++++++++++++++++
+ 2 files changed, 142 insertions(+), 16 deletions(-)
+
+diff --git a/src/inspector_socket.cc b/src/inspector_socket.cc
+index 8cabdaec2821..a28bd557c8ab 100644
+--- a/src/inspector_socket.cc
+++ b/src/inspector_socket.cc
+@@ -6,6 +6,7 @@
+ 
+ #include "openssl/sha.h"  // Sha-1 hash
+ 
+#include <algorithm>
+ #include <cstring>
+ #include <map>
+ 
+@@ -162,25 +163,70 @@ static std::string TrimPort(const std::string& host) {
+ }
+ 
+ static bool IsIPAddress(const std::string& host) {
+-  if (host.length() >= 4 && host.front() == '[' && host.back() == ']')
+-    return true;
+-  if (host.front() == '0') return false;
+-  uint_fast16_t accum = 0;
+-  uint_fast8_t quads = 0;
+-  bool empty = true;
+-  auto endOctet = [&accum, &quads, &empty](bool final = false) {
+-    return !empty && accum <= 0xff && ++quads <= 4 && final == (quads == 4) &&
+-           (empty = true) && !(accum = 0);
+-  };
+-  for (char c : host) {
+-    if (isdigit(c)) {
+-      if ((accum = (accum * 10) + (c - '0')) > 0xff) return false;
+-      empty = false;
+-    } else if (c != '.' || !endOctet()) {
+  // TODO(tniessen): add CVEs to the following bullet points
+  // To avoid DNS rebinding attacks, we are aware of the following requirements:
+  // * the host name must be an IP address,
+  // * the IP address must be routable, and
+  // * the IP address must be formatted unambiguously.
+
+  // The logic below assumes that the string is null-terminated, so ensure that
+  // we did not somehow end up with null characters within the string.
+  if (host.find('\0') != std::string::npos) return false;
+
+  // All IPv6 addresses must be enclosed in square brackets, and anything
+  // enclosed in square brackets must be an IPv6 address.
+  if (host.length() >= 4 && host.front() == '[' && host.back() == ']') {
+    // INET6_ADDRSTRLEN is the maximum length of the dual format (including the
+    // terminating null character), which is the longest possible representation
+    // of an IPv6 address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:ddd.ddd.ddd.ddd
+    if (host.length() - 2 >= INET6_ADDRSTRLEN) return false;
+
+    // Annoyingly, libuv's implementation of inet_pton() deviates from other
+    // implementations of the function in that it allows '%' in IPv6 addresses.
+    if (host.find('%') != std::string::npos) return false;
+
+    // Parse the IPv6 address to ensure it is syntactically valid.
+    char ipv6_str[INET6_ADDRSTRLEN];
+    std::copy(host.begin() + 1, host.end() - 1, ipv6_str);
+    ipv6_str[host.length()] = '\0';
+    unsigned char ipv6[sizeof(struct in6_addr)];
+    if (uv_inet_pton(AF_INET6, ipv6_str, ipv6) != 0) return false;
+
+    // The only non-routable IPv6 address is ::/128. It should not be necessary
+    // to explicitly reject it because it will still be enclosed in square
+    // brackets and not even macOS should make DNS requests in that case, but
+    // history has taught us that we cannot be careful enough.
+    // Note that RFC 4291 defines both "IPv4-Compatible IPv6 Addresses" and
+    // "IPv4-Mapped IPv6 Addresses", which means that there are IPv6 addresses
+    // (other than ::/128) that represent non-routable IPv4 addresses. However,
+    // this translation assumes that the host is interpreted as an IPv6 address
+    // in the first place, at which point DNS rebinding should not be an issue.
+    if (std::all_of(ipv6, ipv6 + sizeof(ipv6), [](auto b) { return b == 0; })) {
+       return false;
+     }
+
+    // It is a syntactically valid and routable IPv6 address enclosed in square
+    // brackets. No client should be able to misinterpret this.
+    return true;
+   }
+-  return endOctet(true);
+
+  // Anything not enclosed in square brackets must be an IPv4 address. It is
+  // important here that inet_pton() accepts only the so-called dotted-decimal
+  // notation, which is a strict subset of the so-called numbers-and-dots
+  // notation that is allowed by inet_aton() and inet_addr(). This subset does
+  // not allow hexadecimal or octal number formats.
+  unsigned char ipv4[sizeof(struct in_addr)];
+  if (uv_inet_pton(AF_INET, host.c_str(), ipv4) != 0) return false;
+
+  // The only strictly non-routable IPv4 address is 0.0.0.0, and macOS will make
+  // DNS requests for this IP address, so we need to explicitly reject it. In
+  // fact, we can safely reject all of 0.0.0.0/8 (see Section 3.2 of RFC 791 and
+  // Section 3.2.1.3 of RFC 1122).
+  // Note that inet_pton() stores the IPv4 address in network byte order.
+  if (ipv4[0] == 0) return false;
+
+  // It is a routable IPv4 address in dotted-decimal notation.
+  return true;
+ }
+ 
+ // Constants for hybi-10 frame format.
+diff --git a/test/cctest/test_inspector_socket.cc b/test/cctest/test_inspector_socket.cc
+index 6ae92c4b27e2..b351a23002c9 100644
+--- a/test/cctest/test_inspector_socket.cc
+++ b/test/cctest/test_inspector_socket.cc
+@@ -925,6 +925,54 @@ TEST_F(InspectorSocketTest, HostIpTooManyOctetsChecked) {
+   expect_handshake_failure();
+ }
+ 
+TEST_F(InspectorSocketTest, HostIpInvalidOctalOctetStartChecked) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: 08.1.1.1:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpInvalidOctalOctetMidChecked) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: 1.09.1.1:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpInvalidOctalOctetEndChecked) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: 1.1.1.009:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpLeadingZeroStartChecked) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: 01.1.1.1:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpLeadingZeroMidChecked) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: 1.1.001.1:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpLeadingZeroEndChecked) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: 1.1.1.01:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+ TEST_F(InspectorSocketTest, HostIPNonRoutable) {
+   const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                               "Host: 0.0.0.0:9229\r\n\r\n";
+@@ -933,4 +981,36 @@ TEST_F(InspectorSocketTest, HostIPNonRoutable) {
+   expect_handshake_failure();
+ }
+ 
+TEST_F(InspectorSocketTest, HostIPv6NonRoutable) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: [::]:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIPv6NonRoutableDual) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: [::0.0.0.0]:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIPv4InSquareBrackets) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: [127.0.0.1]:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIPv6InvalidAbbreviation) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: [:::1]:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+ }  // anonymous namespace
--- a/nodejs.spec
+++ b/nodejs.spec
@ -1,5 +1,5 @@
 %bcond_with bootstrap
-%global baserelease 1
+%global baserelease 2
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
 %global nodejs_epoch 1
 %global nodejs_major 12
@ -83,6 +83,9 @@ Patch0001: 0001-Disable-running-gyp-on-shared-deps.patch
 Patch0002: 0002-Install-both-binaries-and-use-libdir.patch
 Patch0003: 0004-Make-AARCH64-compile-on-64KB-physical-pages.patch
 Patch00010: 0005-use-getauxval-in-node_main_cc.patch
+Patch00011: CVE-2022-43548-pre-1.patch
+Patch00012: CVE-2022-43548-pre-2.patch
+Patch00013: CVE-2022-43548.patch

 BuildRequires: python3-devel
 BuildRequires: zlib-devel
@ -485,6 +488,9 @@ end
 %{_pkgdocdir}/npm/docs

 %changelog
+* Wed Nov 16 2022 liyuxiang <liyuxiang@ncti-gba.cn> 1:12.22.11-2
+- fix CVE-2022-43548
+
 * Mon Mar 28 2022 wangkai <wangkai385@huawei.com> 1:12.22.11-1
 - Update to 12.22.11, fix some cves.