diff options
author | Meenali Gupta <meenali.gupta@windriver.com> | 2023-12-21 03:45:50 +0000 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2024-01-07 13:15:11 -0500 |
commit | 8e1f0fa6bfac0e96fedc666fe9066f92c85afb27 (patch) | |
tree | d83eeed37ab8c062c196497de76c373503a0cfe5 | |
parent | b0d67900ae9e8911f734c25c0674fe55df8cd188 (diff) | |
download | meta-openembedded-mickledore.tar.gz |
nginx: fix CVE-2023-44487mickledore-nextmickledore
The HTTP/2 protocol allows a denial of service (server resource consumption)
because request cancellation can reset many streams quickly,
as exploited in the wild in August through October 2023.
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-webserver/recipes-httpd/nginx/files/CVE-2023-44487.patch | 80 | ||||
-rw-r--r-- | meta-webserver/recipes-httpd/nginx/nginx.inc | 1 |
2 files changed, 81 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2023-44487.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2023-44487.patch new file mode 100644 index 000000000..02db1503d --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2023-44487.patch | |||
@@ -0,0 +1,80 @@ | |||
1 | From 95d09cafae12d4b314df32027b97e828ecf798de Mon Sep 17 00:00:00 2001 | ||
2 | From: Maxim Dounin <mdounin@mdounin.ru> | ||
3 | Date: Tue, 10 Oct 2023 15:13:39 +0300 | ||
4 | Subject: [PATCH] nginx: HTTP/2: per-iteration stream handling limit. | ||
5 | |||
6 | To ensure that attempts to flood servers with many streams are detected | ||
7 | early, a limit of no more than 2 * max_concurrent_streams new streams per one | ||
8 | event loop iteration was introduced. This limit is applied even if | ||
9 | max_concurrent_streams is not yet reached - for example, if corresponding | ||
10 | streams are handled synchronously or reset. | ||
11 | |||
12 | Further, refused streams are now limited to maximum of max_concurrent_streams | ||
13 | and 100, similarly to priority_limit initial value, providing some tolerance | ||
14 | to clients trying to open several streams at the connection start, yet | ||
15 | low tolerance to flooding attempts. | ||
16 | |||
17 | Upstream-Status: Backport [https://github.com/nginx/nginx/commit/6ceef192e7af1c507826ac38a2d43f08bf265fb9] | ||
18 | CVE: CVE-2023-44487 | ||
19 | |||
20 | Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> | ||
21 | --- | ||
22 | src/http/v2/ngx_http_v2.c | 15 +++++++++++++++ | ||
23 | src/http/v2/ngx_http_v2.h | 2 ++ | ||
24 | 2 files changed, 17 insertions(+) | ||
25 | |||
26 | diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c | ||
27 | index ea3f27c..1116e56 100644 | ||
28 | --- a/src/http/v2/ngx_http_v2.c | ||
29 | +++ b/src/http/v2/ngx_http_v2.c | ||
30 | @@ -361,6 +361,7 @@ ngx_http_v2_read_handler(ngx_event_t *rev) | ||
31 | ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http2 read handler"); | ||
32 | |||
33 | h2c->blocked = 1; | ||
34 | + h2c->new_streams = 0; | ||
35 | |||
36 | if (c->close) { | ||
37 | c->close = 0; | ||
38 | @@ -1321,6 +1322,14 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos, | ||
39 | goto rst_stream; | ||
40 | } | ||
41 | |||
42 | + if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) { | ||
43 | + ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, | ||
44 | + "client sent too many streams at once"); | ||
45 | + | ||
46 | + status = NGX_HTTP_V2_REFUSED_STREAM; | ||
47 | + goto rst_stream; | ||
48 | + } | ||
49 | + | ||
50 | if (!h2c->settings_ack | ||
51 | && !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG) | ||
52 | && h2scf->preread_size < NGX_HTTP_V2_DEFAULT_WINDOW) | ||
53 | @@ -1386,6 +1395,12 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos, | ||
54 | |||
55 | rst_stream: | ||
56 | |||
57 | + if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) { | ||
58 | + ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, | ||
59 | + "client sent too many refused streams"); | ||
60 | + return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR); | ||
61 | + } | ||
62 | + | ||
63 | if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) { | ||
64 | return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR); | ||
65 | } | ||
66 | diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h | ||
67 | index 4e25293..b9daf92 100644 | ||
68 | --- a/src/http/v2/ngx_http_v2.h | ||
69 | +++ b/src/http/v2/ngx_http_v2.h | ||
70 | @@ -124,6 +124,8 @@ struct ngx_http_v2_connection_s { | ||
71 | ngx_uint_t processing; | ||
72 | ngx_uint_t frames; | ||
73 | ngx_uint_t idle; | ||
74 | + ngx_uint_t new_streams; | ||
75 | + ngx_uint_t refused_streams; | ||
76 | ngx_uint_t priority_limit; | ||
77 | |||
78 | ngx_uint_t pushing; | ||
79 | -- | ||
80 | 2.40.0 | ||
diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc index 8078b7621..72a7bb0c1 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx.inc +++ b/meta-webserver/recipes-httpd/nginx/nginx.inc | |||
@@ -23,6 +23,7 @@ SRC_URI = " \ | |||
23 | file://nginx.service \ | 23 | file://nginx.service \ |
24 | file://nginx-fix-pidfile.patch \ | 24 | file://nginx-fix-pidfile.patch \ |
25 | file://0001-configure-libxslt-conf.patch \ | 25 | file://0001-configure-libxslt-conf.patch \ |
26 | file://CVE-2023-44487.patch \ | ||
26 | " | 27 | " |
27 | 28 | ||
28 | inherit siteinfo update-rc.d useradd systemd | 29 | inherit siteinfo update-rc.d useradd systemd |