!50 backport to fix CVE-2021-34798 CVE-2021-36160 CVE-2021-40438

From: @eaglegai Reviewed-by: @zengwefeng Signed-off-by: @zengwefeng
2021-09-28 09:07:12 +00:00 · 2021-09-28 09:07:12 +00:00 · 779ff240be
commit 779ff240be
parent dbe9174d4f 759d0554eb
5 changed files with 276 additions and 1 deletions
--- a/backport-001-CVE-2021-40438.patch
+++ b/backport-001-CVE-2021-40438.patch
@ -0,0 +1,55 @@
 From 496c863776c68bd08cdbeb7d8fa5935ba63b76c2 Mon Sep 17 00:00:00 2001
 From: Yann Ylavic <ylavic@apache.org>
 Date: Fri, 3 Sep 2021 16:52:38 +0000
 Subject: [PATCH] Merge r1892814, r1892853 from trunk:
 mod_proxy: Faster unix socket path parsing in the "proxy:" URL.
 The actual r->filename format is "[proxy:]unix:path|url" for UDS, no need to
 strstr(,"unix:") since it's at the start of the string.
 mod_proxy: Follow up to r1892814.
 Save some few cycles in ap_proxy_de_socketfy() too.
 Submitted by: ylavic
 Reviewed by: ylavic, covener, rpluem
 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1892874 13f79535-47bb-0310-9956-ffa450edef68
 ---
 modules/proxy/mod_proxy.c            | 2 +-
 modules/proxy/proxy_util.c           | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
 create mode 100644 changes-entries/fix_uds_filename.txt
 diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
 index 60634d344c7..354bb8f660f 100644
 --- a/modules/proxy/mod_proxy.c
 +++ b/modules/proxy/mod_proxy.c
@@ -1975,7 +1975,7 @@ PROXY_DECLARE(const char *) ap_proxy_de_socketfy(apr_pool_t *p, const char *url)
      * the UDS path... ignore it
      */
     if (!ap_cstr_casecmpn(url, "unix:", 5) &&
 -        ((ptr = ap_strchr_c(url, '|')) != NULL)) {
 +        ((ptr = ap_strchr_c(url + 5, '|')) != NULL)) {
         /* move past the 'unix:...|' UDS path info */
         const char *ret, *c;
 diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
 index 3c4ea72aba7..812c32f3584 100644
 --- a/modules/proxy/proxy_util.c
 +++ b/modules/proxy/proxy_util.c
@@ -2281,8 +2281,8 @@ static void fix_uds_filename(request_rec *r, char **url)
     if (!r || !r->filename) return;
     if (!strncmp(r->filename, "proxy:", 6) &&
 -            (ptr2 = ap_strcasestr(r->filename, "unix:")) &&
 -            (ptr = ap_strchr(ptr2, '|'))) {
 +            !ap_cstr_casecmpn(r->filename + 6, "unix:", 5) &&
 +            (ptr2 = r->filename + 6 + 5, ptr = ap_strchr(ptr2, '|'))) {
         apr_uri_t urisock;
         apr_status_t rv;
         *ptr = '\0';
--- a/backport-002-CVE-2021-40438.patch
+++ b/backport-002-CVE-2021-40438.patch
@ -0,0 +1,115 @@
 From d4901cb32133bc0e59ad193a29d1665597080d67 Mon Sep 17 00:00:00 2001
 From: Ruediger Pluem <rpluem@apache.org>
 Date: Wed, 8 Sep 2021 07:00:09 +0000
 Subject: [PATCH] Merge r1892986, r1892987 from trunk:
 mod_proxy: Follow up to r1892814.
 * modules/proxy/proxy_util.c(fix_uds_filename):
  Sanity checks on the configured UDS path, fail with 500 if invalid since
  continuing through proxy processing wouldn't work as expected.
 mod_proxy: Follow up to r1892986: APLOGNO()
 Stefan get out of this body! :)
 Submitted by: ylavic
 Reviewed by: rpluem, ylavic, covener
 Github: closes #265
 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893101 13f79535-47bb-0310-9956-ffa450edef68
 ---
 modules/proxy/proxy_util.c | 55 +++++++++++++++++++++++---------------
 1 files changed, 34 insertions(+), 21 deletions(-)
 --- a/modules/proxy/proxy_util.c
 +++ b/modules/proxy/proxy_util.c
@@ -2088,33 +2088,42 @@ static int ap_proxy_retry_worker(const c
  * were passed a UDS url (eg: from mod_proxy) and adjust uds_path
  * as required.  
  */
 -static void fix_uds_filename(request_rec *r, char **url) 
 +static int fix_uds_filename(request_rec *r, char **url) 
 {
 -    char *ptr, *ptr2;
 -    if (!r || !r->filename) return;
 +    char *uds_url = r->filename + 6, *origin_url;
     if (!strncmp(r->filename, "proxy:", 6) &&
 -            !ap_cstr_casecmpn(r->filename + 6, "unix:", 5) &&
 -            (ptr2 = r->filename + 6 + 5, ptr = ap_strchr(ptr2, '|'))) {
 +            !ap_cstr_casecmpn(uds_url, "unix:", 5) &&
 +            (origin_url = ap_strchr(uds_url + 5, '|'))) {
 +        char *uds_path = NULL;
 +        apr_size_t url_len;
         apr_uri_t urisock;
         apr_status_t rv;
 -        *ptr = '\0';
 -        rv = apr_uri_parse(r->pool, ptr2, &urisock);
 -        if (rv == APR_SUCCESS) {
 -            char *rurl = ptr+1;
 -            char *sockpath = ap_runtime_dir_relative(r->pool, urisock.path);
 -            apr_table_setn(r->notes, "uds_path", sockpath);
 -            *url = apr_pstrdup(r->pool, rurl); /* so we get the scheme for the uds */
 -            /* r->filename starts w/ "proxy:", so add after that */
 -            memmove(r->filename+6, rurl, strlen(rurl)+1);
 -            ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
 -                    "*: rewrite of url due to UDS(%s): %s (%s)",
 -                    sockpath, *url, r->filename);
 +
 +        *origin_url = '\0';
 +        rv = apr_uri_parse(r->pool, uds_url, &urisock);
 +        *origin_url++ = '|';
 +
 +        if (rv == APR_SUCCESS && urisock.path && !urisock.hostname) {
 +            uds_path = ap_runtime_dir_relative(r->pool, urisock.path);
         }
 -        else {
 -            *ptr = '|';
 +        if (!uds_path) {
 +            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10292)
 +                    "Invalid proxy UDS filename (%s)", r->filename);
 +            return 0;
         }
 +        apr_table_setn(r->notes, "uds_path", uds_path);
 +
 +        /* Remove the UDS path from *url and r->filename */
 +        url_len = strlen(origin_url);
 +        *url = apr_pstrmemdup(r->pool, origin_url, url_len);
 +        memcpy(uds_url, *url, url_len + 1);
 +
 +        ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
 +                "*: rewrite of url due to UDS(%s): %s (%s)",
 +                uds_path, *url, r->filename);
     }
 +    return 1;
 }
 PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
@@ -2132,7 +2141,9 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
                           "%s: found worker %s for %s",
                           (*worker)->s->scheme, (*worker)->s->name, *url);
             *balancer = NULL;
 -            fix_uds_filename(r, url);
 +            if (!fix_uds_filename(r, url)) {
 +                return HTTP_INTERNAL_SERVER_ERROR;
 +            }
             access_status = OK;
         }
         else if (r->proxyreq == PROXYREQ_PROXY) {
@@ -2163,7 +2174,9 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
                  * regarding the Connection header in the request.
                  */
                 apr_table_setn(r->subprocess_env, "proxy-nokeepalive", "1");
 -                fix_uds_filename(r, url);
 +                if (!fix_uds_filename(r, url)) {
 +                    return HTTP_INTERNAL_SERVER_ERROR;
 +                }
             }
         }
     }
--- a/backport-CVE-2021-34798.patch
+++ b/backport-CVE-2021-34798.patch
@ -0,0 +1,33 @@
 From fa7b2a5250e54363b3a6c8ac3aaa7de4e8da9b2e Mon Sep 17 00:00:00 2001
 From: Yann Ylavic <ylavic@apache.org>
 Date: Tue, 7 Sep 2021 16:05:31 +0000
 Subject: [PATCH] Merge r1878092 from trunk:
 Fix a NULL pointer dereference
 * server/scoreboard.c (ap_increment_counts): In certain cases like certain
  invalid requests r->method might be NULL here. r->method_number defaults
  to M_GET and hence is M_GET in these cases.
 Submitted by: rpluem
 Reviewed by: covener, ylavic, jfclere
 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893051 13f79535-47bb-0310-9956-ffa450edef68
 ---
 server/scoreboard.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/server/scoreboard.c b/server/scoreboard.c
 index b40b45df590..12dd56abead 100644
 --- a/server/scoreboard.c
 +++ b/server/scoreboard.c
@@ -388,7 +388,7 @@ AP_DECLARE(void) ap_increment_counts(ap_sb_handle_t *sb, request_rec *r)
     if (pfn_ap_logio_get_last_bytes != NULL) {
         bytes = pfn_ap_logio_get_last_bytes(r->connection);
     }
 -    else if (r->method_number == M_GET && r->method[0] == 'H') {
 +    else if (r->method_number == M_GET && r->method && r->method[0] == 'H') {
         bytes = 0;
     }
     else {
--- a/backport-CVE-2021-36160.patch
+++ b/backport-CVE-2021-36160.patch
@ -0,0 +1,62 @@
 From b364cad72b48dd40fbc2850e525b845406520f0b Mon Sep 17 00:00:00 2001
 From: Yann Ylavic <ylavic@apache.org>
 Date: Thu, 2 Sep 2021 09:53:43 +0000
 Subject: [PATCH] mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker.
 When the generic "proxy:reverse" worker is selected for an uwsgi scheme, the
 worker name is irrelevant so uwscgi_handler() should point to the PATH_INFO
 directly from the given URL.
 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892805 13f79535-47bb-0310-9956-ffa450edef68
 ---
 changes-entries/uwsgi_path_info.txt |  1 +
 modules/proxy/mod_proxy_uwsgi.c     | 22 +++++-----------------
 1 files changed, 5 insertions(+), 17 deletions(-)
 create mode 100644 changes-entries/uwsgi_path_info.txt
 diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
 index 7723d7b5c4f..971eaa59dc0 100644
 --- a/modules/proxy/mod_proxy_uwsgi.c
 +++ b/modules/proxy/mod_proxy_uwsgi.c
@@ -456,11 +456,8 @@ static int uwsgi_handler(request_rec *r, proxy_worker * worker,
                          const char *proxyname, apr_port_t proxyport)
 {
     int status;
 -    int delta = 0;
 -    int decode_status;
     proxy_conn_rec *backend = NULL;
     apr_pool_t *p = r->pool;
 -    size_t w_len;
     char server_portstr[32];
     char *u_path_info;
     apr_uri_t *uri;
@@ -472,23 +469,14 @@ static int uwsgi_handler(request_rec *r, proxy_worker * worker,
     uri = apr_palloc(r->pool, sizeof(*uri));
 -    /* ADD PATH_INFO */
 -#if AP_MODULE_MAGIC_AT_LEAST(20111130,0)
 -    w_len = strlen(worker->s->name);
 -#else
 -    w_len = strlen(worker->name);
 -#endif
 -    u_path_info = r->filename + 6 + w_len;
 -    if (u_path_info[0] != '/') {
 -        delta = 1;
 -    }
 -    decode_status = ap_unescape_url(url + w_len - delta);
 -    if (decode_status) {
 +    /* ADD PATH_INFO (unescaped) */
 +    u_path_info = ap_strchr(url + sizeof(UWSGI_SCHEME) + 2, '/');
 +    if (!u_path_info || ap_unescape_url(u_path_info) != OK) {
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10100)
 -                      "unable to decode uri: %s", url + w_len - delta);
 +                      "unable to decode uwsgi uri: %s", url);
         return HTTP_INTERNAL_SERVER_ERROR;
     }
 -    apr_table_add(r->subprocess_env, "PATH_INFO", url + w_len - delta);
 +    apr_table_add(r->subprocess_env, "PATH_INFO", u_path_info);
     /* Create space for state information */
--- a/httpd.spec
+++ b/httpd.spec
@ -8,7 +8,7 @@
 Name:             httpd
 Summary:          Apache HTTP Server
 Version:          2.4.48
-Release:          1
+Release:          2
 License:          ASL 2.0
 URL:              https://httpd.apache.org/
 Source0:          https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@ -69,6 +69,10 @@ Patch16:          httpd-2.4.43-gettid.patch
 Patch17:          httpd-2.4.43-r1861793+.patch
 Patch18:          httpd-2.4.43-r1828172+.patch 
 Patch19:          httpd-2.4.46-htcacheclean-dont-break.patch 
 Patch20:          backport-CVE-2021-34798.patch
 Patch21:          backport-CVE-2021-36160.patch
 Patch22:          backport-001-CVE-2021-40438.patch
 Patch23:          backport-002-CVE-2021-40438.patch
 BuildRequires:    gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
 BuildRequires:    zlib-devel libselinux-devel lua-devel brotli-devel
@ -501,6 +505,12 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
 * Tue Sep 28 2021 gaihuiying <gaihuiying1@huawei.com> - 2.4.48-2
 - Type:cves
 - ID:CVE-2021-34798 CVE-2021-36160 CVE-2021-40438
 - SUG:restart
 - DESC:fix CVE-2021-34798 CVE-2021-36160 CVE-2021-40438
 * Tue Jul 13 2021 gaihuiying<gaihuiying1@huawei.com> - 2.4.48-1
 - Type:requirement
 - ID:NA