haproxy patch for CVE-2018-20102 and CVE-2018-20103

Change-Id: I96754985e0fb47f42dddfb3f1ad398785a0eebc3 Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6810 Tested-by: gerrit-photon <[email protected]> Reviewed-by: Anish Swaminathan <[email protected]> (cherry picked from commit b2a5a5a) Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6869 Tested-by: michellew <[email protected]>
piotrkmx · Mar 15, 2019 · 625d12d · 625d12d
1 parent 38cf758
commit 625d12d
Show file tree

Hide file tree

Showing 3 changed files with 127 additions and 1 deletion.
diff --git a/SPECS/haproxy/haproxy.spec b/SPECS/haproxy/haproxy.spec
@@ -1,14 +1,16 @@
 Summary:        A fast, reliable HA, load balancing, and proxy solution.
 Name:           haproxy
 Version:        1.8.14
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPL
 URL:            http://www.haproxy.org
 Group:          Applications/System
 Vendor:         VMware, Inc.
 Distribution:   Photon
 Source0:        http://www.haproxy.org/download/1.8/src/%{name}-%{version}.tar.gz
 %define sha1 haproxy=589c6f933d73e8d6ba5307c8304cafb80e968481
+Patch0:         haproxy_CVE_2018_20102.patch
+Patch1:         haproxy_CVE_2018_20103.patch
 BuildRequires:  openssl-devel
 BuildRequires:  pcre-devel
 BuildRequires:  lua-devel
@@ -30,6 +32,8 @@ Requires:       %{name} = %{version}-%{release}
 
 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
 
 %build
 make %{?_smp_mflags} TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 \
@@ -58,6 +62,9 @@ install -vDm644 examples/transparent_proxy.cfg  %{buildroot}/%{_sysconfdir}/hapr
 %{_mandir}/*
 
 %changelog
+*   Thu Feb 28 2019 Priyesh Padmavilasom <[email protected]> 1.8.14-2
+-   Patch for CVE_2018_20102
+-   Patch for CVE_2018_20103
 *   Tue Dec 04 2018 Ajay Kaher <[email protected]> 1.8.14-1
 -   Update to version 1.8.14
 *   Thu Oct 25 2018 Srivatsa S. Bhat (VMware) <[email protected]> 1.8.13-2

diff --git a/SPECS/haproxy/haproxy_CVE_2018_20102.patch b/SPECS/haproxy/haproxy_CVE_2018_20102.patch
@@ -0,0 +1,35 @@
+From efbbdf72992cd20458259962346044cafd9331c0 Mon Sep 17 00:00:00 2001
+From: Remi Gacogne <[email protected]>
+Date: Wed, 5 Dec 2018 17:56:29 +0100
+Subject: [PATCH] BUG: dns: Prevent out-of-bounds read in
+ dns_validate_dns_response()
+
+We need to make sure that the record length is not making us read
+past the end of the data we received.
+Before this patch we could for example read the 16 bytes
+corresponding to an AAAA record from the non-initialized part of
+the buffer, possibly accessing anything that was left on the stack,
+or even past the end of the 8193-byte buffer, depending on the
+value of accepted_payload_size.
+
+To be backported to 1.8, probably also 1.7.
+---
+ src/dns.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/dns.c b/src/dns.c
+index fead261..c1396f5 100644
+--- a/src/dns.c
++++ b/src/dns.c
+@@ -810,6 +810,11 @@ static int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend,
+ 		/* Move forward 2 bytes for data len */
+ 		reader += 2;
+
++		if (reader + dns_answer_record->data_len >= bufend) {
++			pool_free(dns_answer_item_pool, dns_answer_record);
++			return DNS_RESP_INVALID;
++		}
++
+ 		/* Analyzing record content */
+ 		switch (dns_answer_record->type) {
+ 			case DNS_RTYPE_A:
diff --git a/SPECS/haproxy/haproxy_CVE_2018_20103.patch b/SPECS/haproxy/haproxy_CVE_2018_20103.patch
@@ -0,0 +1,84 @@
+From 58df5aea0a0c926b2238f65908f5e9f83d1cca25 Mon Sep 17 00:00:00 2001
+From: Remi Gacogne <[email protected]>
+Date: Wed, 5 Dec 2018 17:52:54 +0100
+Subject: [PATCH] BUG: dns: Prevent stack-exhaustion via recursion loop in
+ dns_read_name
+
+When a compressed pointer is encountered, dns_read_name() will call
+itself with the pointed-to offset in the packet.
+With a specially crafted packet, it was possible to trigger an
+infinite-loop recursion by making the pointer points to itself.
+While it would be possible to handle that particular case differently
+by making sure that the target is different from the current offset,
+it would still be possible to craft a packet with a very long chain
+of valid pointers, always pointing backwards. To prevent a stack
+exhaustion in that case, this patch restricts the number of recursive
+calls to 100, which should be more than enough.
+
+To be backported to 1.8, probably also 1.7.
+---
+ src/dns.c |   15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/src/dns.c b/src/dns.c
+index 2a53c03..50fc16e 100644
+--- a/src/dns.c
++++ b/src/dns.c
+@@ -394,7 +394,7 @@ static inline unsigned short dns_response_get_query_id(unsigned char *resp)
+  */
+ int dns_read_name(unsigned char *buffer, unsigned char *bufend,
+ 		  unsigned char *name, char *destination, int dest_len,
+-		  int *offset)
++		  int *offset, unsigned int depth)
+ {
+ 	int nb_bytes = 0, n = 0;
+ 	int label_len;
+@@ -408,8 +408,11 @@ int dns_read_name(unsigned char *buffer, unsigned char *bufend,
+ 			if ((buffer + reader[1]) > reader)
+ 				goto err;
+
++			if (depth++ > 100)
++				goto err;
++
+ 			n = dns_read_name(buffer, bufend, buffer + reader[1],
+-					  dest, dest_len - nb_bytes, offset);
++					  dest, dest_len - nb_bytes, offset, depth);
+ 			if (n == 0)
+ 				goto err;
+
+@@ -695,7 +698,7 @@ static int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend,
+ 		 * one query per response and the first one can't be compressed
+ 		 * (using the 0x0c format) */
+ 		offset = 0;
+-		len = dns_read_name(resp, bufend, reader, dns_query->name, DNS_MAX_NAME_SIZE, &offset);
++		len = dns_read_name(resp, bufend, reader, dns_query->name, DNS_MAX_NAME_SIZE, &offset, 0);
+
+ 		if (len == 0)
+ 			return DNS_RESP_INVALID;
+@@ -732,7 +735,7 @@ static int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend,
+ 			return (DNS_RESP_INVALID);
+
+ 		offset = 0;
+-		len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset);
++		len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset, 0);
+
+ 		if (len == 0) {
+ 			pool_free(dns_answer_item_pool, dns_answer_record);
+@@ -829,7 +832,7 @@ static int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend,
+ 				}
+
+ 				offset = 0;
+-				len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset);
++				len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset, 0);
+ 				if (len == 0) {
+ 					pool_free(dns_answer_item_pool, dns_answer_record);
+ 					return DNS_RESP_INVALID;
+@@ -859,7 +862,7 @@ static int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend,
+ 				dns_answer_record->port = read_n16(reader);
+ 				reader += sizeof(uint16_t);
+ 				offset = 0;
+-				len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset);
++				len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset, 0);
+ 				if (len == 0) {
+ 					pool_free(dns_answer_item_pool, dns_answer_record);
+ 					return DNS_RESP_INVALID;