From 9c9495b6f9277018e683bbee42ce2f6a0edf248d Mon Sep 17 00:00:00 2001
From: lijunlong
Date: Wed, 1 May 2024 10:11:04 +0800
Subject: [PATCH] bugfix: backport fixes for CVE-2024-24989 and CVE-2024-24990.

---
patches/nginx-CVE-2024-24989.patch | 36 ++++++++++++++++++++++++++++++
patches/nginx-CVE-2024-24990.patch | 27 ++++++++++++++++++++++
util/mirror-tarballs | 12 ++++++++++
util/ver | 2 +-
4 files changed, 76 insertions(+), 1 deletion(-)
create mode 100644 patches/nginx-CVE-2024-24989.patch
create mode 100644 patches/nginx-CVE-2024-24990.patch

diff --git a/patches/nginx-CVE-2024-24989.patch b/patches/nginx-CVE-2024-24989.patch
new file mode 100644
index 0000000..aa2936c
--- /dev/null
+++ b/patches/nginx-CVE-2024-24989.patch
@@ -0,0 +1,36 @@
+commit 5902baf680609f884a1e11ff2b82a0bffb3724cc
+Author: Sergey Kandaurov
+Date: Wed Feb 14 15:55:34 2024 +0400
+
+ QUIC: trial packet decryption in response to invalid key update.
+
+ Inspired by RFC 9001, Section 6.3, trial packet decryption with the current
+ keys is now used to avoid a timing side-channel signal. Further, this fixes
+ segfault while accessing missing next keys (ticket #2585).
+
+diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
+index 88e6954cf..8223626b6 100644
+--- a/src/event/quic/ngx_event_quic_protection.c
++++ b/src/event/quic/ngx_event_quic_protection.c
+@@ -1144,8 +1144,19 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn)
+ key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0;
+
+ if (key_phase != pkt->key_phase) {
+- secret = &pkt->keys->next_key.client;
+- pkt->key_update = 1;
++ if (pkt->keys->next_key.client.ctx != NULL) {
++ secret = &pkt->keys->next_key.client;
++ pkt->key_update = 1;
++
++ } else {
++ /*
++ * RFC 9001, 6.3. Timing of Receive Key Generation.
++ *
++ * Trial decryption to avoid timing side-channel.
++ */
++ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
++ "quic next key missing");
++ }
+ }
+ }
+
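Review bot: In the new `else` branch `secret` is deliberately left at whatever it held before the hunk, which is what makes the "trial decryption" use the current keys instead of the missing next keys; that prior assignment lies outside the hunk's context lines, so `patch`'s context check does not confirm it exists in the 1.25.3 tree this backport targets. Presumably 1.25.3's `ngx_quic_decrypt` initializes `secret` to the current-phase client secret before the key-phase check, as the 1.25.4 code the patch was cut from does, but that is worth confirming once rather than assuming, since a NULL or stale `secret` here would replace the CVE crash with a different one. I would record the dependency in the patch file itself, above the first `diff --git` line where `patch -p1` ignores it: `# Backport of nginx 5902baf (1.25.4): the else branch relies on secret already pointing at the current client secret in ngx_quic_decrypt.` ngx_quic_decrypt starts and ends outside the hunk.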
diff --git a/patches/nginx-CVE-2024-24990.patch b/patches/nginx-CVE-2024-24990.patch
new file mode 100644
index 0000000..4ba4d30
--- /dev/null
+++ b/patches/nginx-CVE-2024-24990.patch
@@ -0,0 +1,27 @@
+commit 5818f8a6693b3c0d95021f2ee58b69dcf848911c
+Author: Roman Arutyunyan
+Date: Wed Feb 14 15:55:37 2024 +0400
+
+ QUIC: fixed stream cleanup (ticket #2586).
+
+ Stream connection cleanup handler ngx_quic_stream_cleanup_handler() calls
+ ngx_quic_shutdown_stream() after which it resets the pointer from quic stream
+ to the connection (sc->connection = NULL). Previously if this call failed,
+ sc->connection retained the old value, while the connection was freed by the
+ application code. This resulted later in a second attempt to close the freed
+ connection, which lead to allocator double free error.
+
+ The fix is to reset the sc->connection pointer in case of error.
+
+diff --git a/src/event/quic/ngx_event_quic_streams.c b/src/event/quic/ngx_event_quic_streams.c
+index df04d0f07..178b805e4 100644
+--- a/src/event/quic/ngx_event_quic_streams.c
++++ b/src/event/quic/ngx_event_quic_streams.c
+@@ -1097,6 +1097,7 @@ ngx_quic_stream_cleanup_handler(void *data)
+ "quic stream id:0x%xL cleanup", qs->id);
+
+ if (ngx_quic_shutdown_stream(c, NGX_RDWR_SHUTDOWN) != NGX_OK) {
++ qs->connection = NULL;
+ goto failed;
+ }
+
diff --git a/util/mirror-tarballs b/util/mirror-tarballs
index f1f8791..5f6d845 100755
--- a/util/mirror-tarballs
+++ b/util/mirror-tarballs
@@ -513,6 +513,18 @@ if [ "$answer" = "Y" ]; then
 fi
 fi
+answer=`$root/util/ver-ge "$main_ver" 1.25.3`
+if [ "$answer" = "Y" ]; then
+ answer=`$root/util/ver-ge "$main_ver" 1.25.4`
+ if [ "$answer" = "N" ]; then
+ echo "$info_txt applying the patch for nginx security advisory (CVE-2024-24989)"
+ patch -p1 < $root/patches/nginx-CVE-2024-24989.patch || exit 1
+ echo "$info_txt applying the patch for nginx security advisory (CVE-2024-24990)"
+ patch -p1 < $root/patches/nginx-CVE-2024-24990.patch || exit 1
+ fi
+fi
+
+
 echo "$info_txt applying the upstream_timeout_fields patch for nginx"
 patch -p1 < $root/patches/nginx-$main_ver-upstream_timeout_fields.patch || exit 1
 echo
diff --git a/util/ver b/util/ver
index 93ea32a..fb86902 100755
--- a/util/ver
+++ b/util/ver
@@ -1,7 +1,7 @@
 #!/bin/bash
 main_ver=1.25.3
-minor_ver=1
+minor_ver=2
 version=$main_ver.$minor_ver
 echo $version
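Review bot: The new gate applies the two CVE patches only when `main_ver` is at least 1.25.3 and below 1.25.4, but nothing in the hunk records why those bounds were chosen, so the next `main_ver` bump can silently drop the patches or try to apply them to a tree that already carries the fix. The upper bound presumably reflects the upstream fixes landing in 1.25.4 (both backported commits are dated February 2024), and the lower bound leaves earlier 1.25.x QUIC releases unpatched, which is only safe because `util/ver` pins `main_ver` to 1.25.3. I would add `# CVE-2024-24989 / CVE-2024-24990 (QUIC): fixed upstream in 1.25.4, so only 1.25.3 needs these two patches` directly above the first `answer=` line. The `|| exit 1` on each `patch` call is the right choice here, since a context mismatch must abort the mirror rather than ship an unpatched tarball. The enclosing script continues outside the hunk.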