Skip to content

Commit

Permalink
bugfix: backport fixes for CVE-2024-24989 and CVE-2024-24990.
Browse files Browse the repository at this point in the history
  • Loading branch information
zhuizhuhaomeng committed May 1, 2024
1 parent 7b7fcbe commit 9c9495b
Show file tree
Hide file tree
Showing 4 changed files with 76 additions and 1 deletion.
36 changes: 36 additions & 0 deletions patches/nginx-CVE-2024-24989.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
commit 5902baf680609f884a1e11ff2b82a0bffb3724cc
Author: Sergey Kandaurov <pluknet@nginx.com>
Date: Wed Feb 14 15:55:34 2024 +0400

QUIC: trial packet decryption in response to invalid key update.

Inspired by RFC 9001, Section 6.3, trial packet decryption with the current
keys is now used to avoid a timing side-channel signal. Further, this fixes
segfault while accessing missing next keys (ticket #2585).

diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
index 88e6954cf..8223626b6 100644
--- a/src/event/quic/ngx_event_quic_protection.c
+++ b/src/event/quic/ngx_event_quic_protection.c
@@ -1144,8 +1144,19 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn)
key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0;

if (key_phase != pkt->key_phase) {
- secret = &pkt->keys->next_key.client;
- pkt->key_update = 1;
+ if (pkt->keys->next_key.client.ctx != NULL) {
+ secret = &pkt->keys->next_key.client;
+ pkt->key_update = 1;
+
+ } else {
+ /*
+ * RFC 9001, 6.3. Timing of Receive Key Generation.
+ *
+ * Trial decryption to avoid timing side-channel.
+ */
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
+ "quic next key missing");
+ }
}
}

27 changes: 27 additions & 0 deletions patches/nginx-CVE-2024-24990.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
commit 5818f8a6693b3c0d95021f2ee58b69dcf848911c
Author: Roman Arutyunyan <arut@nginx.com>
Date: Wed Feb 14 15:55:37 2024 +0400

QUIC: fixed stream cleanup (ticket #2586).

Stream connection cleanup handler ngx_quic_stream_cleanup_handler() calls
ngx_quic_shutdown_stream() after which it resets the pointer from quic stream
to the connection (sc->connection = NULL). Previously if this call failed,
sc->connection retained the old value, while the connection was freed by the
application code. This resulted later in a second attempt to close the freed
connection, which lead to allocator double free error.

The fix is to reset the sc->connection pointer in case of error.

diff --git a/src/event/quic/ngx_event_quic_streams.c b/src/event/quic/ngx_event_quic_streams.c
index df04d0f07..178b805e4 100644
--- a/src/event/quic/ngx_event_quic_streams.c
+++ b/src/event/quic/ngx_event_quic_streams.c
@@ -1097,6 +1097,7 @@ ngx_quic_stream_cleanup_handler(void *data)
"quic stream id:0x%xL cleanup", qs->id);

if (ngx_quic_shutdown_stream(c, NGX_RDWR_SHUTDOWN) != NGX_OK) {
+ qs->connection = NULL;
goto failed;
}

12 changes: 12 additions & 0 deletions util/mirror-tarballs
Original file line number Diff line number Diff line change
Expand Up @@ -513,6 +513,18 @@ if [ "$answer" = "Y" ]; then
fi
fi

answer=`$root/util/ver-ge "$main_ver" 1.25.3`
if [ "$answer" = "Y" ]; then
answer=`$root/util/ver-ge "$main_ver" 1.25.4`
if [ "$answer" = "N" ]; then
echo "$info_txt applying the patch for nginx security advisory (CVE-2024-24989)"
patch -p1 < $root/patches/nginx-CVE-2024-24989.patch || exit 1
echo "$info_txt applying the patch for nginx security advisory (CVE-2024-24990)"
patch -p1 < $root/patches/nginx-CVE-2024-24990.patch || exit 1
fi
fi


echo "$info_txt applying the upstream_timeout_fields patch for nginx"
patch -p1 < $root/patches/nginx-$main_ver-upstream_timeout_fields.patch || exit 1
echo
Expand Down
2 changes: 1 addition & 1 deletion util/ver
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
#!/bin/bash

main_ver=1.25.3
minor_ver=1
minor_ver=2
version=$main_ver.$minor_ver
echo $version

0 comments on commit 9c9495b

Please sign in to comment.