Skip to content

Commit

Permalink
Merge branch 'main' into 2.0
Browse files Browse the repository at this point in the history
  • Loading branch information
jslobodzian committed Nov 27, 2024
2 parents ecea7b4 + 381cbeb commit 95e87e1
Show file tree
Hide file tree
Showing 18 changed files with 561 additions and 24 deletions.
5 changes: 4 additions & 1 deletion SPECS-SIGNED/hvloader-signed/hvloader-signed.spec
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
Summary: Signed HvLoader.efi for %{buildarch} systems
Name: hvloader-signed-%{buildarch}
Version: 1.0.1
Release: 5%{?dist}
Release: 6%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
Expand Down Expand Up @@ -69,6 +69,9 @@ popd
/boot/efi/HvLoader.efi

%changelog
* Mon Nov 25 2024 Zhichun Wan <zhichunwan@microsoft.com> - 1.0.1-6
- Update version for consistency with hvloader spec

* Wed Jun 19 2024 Archana Choudhary <archana1@microsoft.com> - 1.0.1-5
- Update version for consistency with hvloader spec

Expand Down
94 changes: 94 additions & 0 deletions SPECS/cmake/CVE-2024-2398.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
From c9adb2114e9d9d4a50ff273234c2a1f8518aafd1 Mon Sep 17 00:00:00 2001
From: Vince Perri <5596945+vinceaperri@users.noreply.github.com>
Date: Wed, 20 Nov 2024 22:38:53 +0000
Subject: [PATCH] http2: push headers better cleanup

Original patch: https://github.com/curl/curl/commit/deca8039991886a559b67bcd6
---
Utilities/cmcurl/lib/http2.c | 34 +++++++++++++++-------------------
1 file changed, 15 insertions(+), 19 deletions(-)

diff --git a/Utilities/cmcurl/lib/http2.c b/Utilities/cmcurl/lib/http2.c
index f194c18b..50b8cd54 100644
--- a/Utilities/cmcurl/lib/http2.c
+++ b/Utilities/cmcurl/lib/http2.c
@@ -116,6 +116,15 @@ static int http2_getsock(struct Curl_easy *data,
return bitmap;
}

+static void free_push_headers(struct HTTP *stream)
+{
+ size_t i;
+ for(i = 0; i<stream->push_headers_used; i++)
+ free(stream->push_headers[i]);
+ Curl_safefree(stream->push_headers);
+ stream->push_headers_used = 0;
+}
+
/*
* http2_stream_free() free HTTP2 stream related data
*/
@@ -123,11 +132,7 @@ static void http2_stream_free(struct HTTP *http)
{
if(http) {
Curl_dyn_free(&http->header_recvbuf);
- for(; http->push_headers_used > 0; --http->push_headers_used) {
- free(http->push_headers[http->push_headers_used - 1]);
- }
- free(http->push_headers);
- http->push_headers = NULL;
+ free_push_headers(http);
}
}

@@ -559,7 +564,6 @@ static int push_promise(struct Curl_easy *data,
struct curl_pushheaders heads;
CURLMcode rc;
struct http_conn *httpc;
- size_t i;
/* clone the parent */
struct Curl_easy *newhandle = duphandle(data);
if(!newhandle) {
@@ -595,11 +599,7 @@ static int push_promise(struct Curl_easy *data,
Curl_set_in_callback(data, false);

/* free the headers again */
- for(i = 0; i<stream->push_headers_used; i++)
- free(stream->push_headers[i]);
- free(stream->push_headers);
- stream->push_headers = NULL;
- stream->push_headers_used = 0;
+ free_push_headers(stream);

if(rv) {
DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
@@ -1033,10 +1033,10 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
stream->push_headers_alloc) {
char **headp;
stream->push_headers_alloc *= 2;
- headp = Curl_saferealloc(stream->push_headers,
- stream->push_headers_alloc * sizeof(char *));
+ headp = realloc(stream->push_headers,
+ stream->push_headers_alloc * sizeof(char *));
if(!headp) {
- stream->push_headers = NULL;
+ free_push_headers(stream);
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
}
stream->push_headers = headp;
@@ -1204,11 +1204,7 @@ void Curl_http2_done(struct Curl_easy *data, bool premature)
Curl_dyn_free(&http->trailer_recvbuf);
if(http->push_headers) {
/* if they weren't used and then freed before */
- for(; http->push_headers_used > 0; --http->push_headers_used) {
- free(http->push_headers[http->push_headers_used - 1]);
- }
- free(http->push_headers);
- http->push_headers = NULL;
+ free_push_headers(http);
}

if(!(data->conn->handler->protocol&PROTO_FAMILY_HTTP) ||
--
2.34.1

108 changes: 108 additions & 0 deletions SPECS/cmake/CVE-2024-28182.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
From 875373fb67097281d4a4ff461e531b9bef947818 Mon Sep 17 00:00:00 2001
From: Vince Perri <5596945+vinceaperri@users.noreply.github.com>
Date: Thu, 21 Nov 2024 14:11:36 +0000
Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame

Original patch: https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0
---
Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h | 7 ++++++-
Utilities/cmnghttp2/lib/nghttp2_helper.c | 2 ++
Utilities/cmnghttp2/lib/nghttp2_session.c | 8 ++++++++
Utilities/cmnghttp2/lib/nghttp2_session.h | 10 ++++++++++
4 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h b/Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h
index e4e1d4fc..a140199a 100644
--- a/Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h
+++ b/Utilities/cmnghttp2/lib/includes/nghttp2/nghttp2.h
@@ -428,7 +428,12 @@ typedef enum {
* exhaustion on server side to send these frames forever and does
* not read network.
*/
- NGHTTP2_ERR_FLOODED = -904
+ NGHTTP2_ERR_FLOODED = -904,
+ /**
+ * When a local endpoint receives too many CONTINUATION frames
+ * following a HEADER frame.
+ */
+ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
} nghttp2_error;

/**
diff --git a/Utilities/cmnghttp2/lib/nghttp2_helper.c b/Utilities/cmnghttp2/lib/nghttp2_helper.c
index 91136a61..f150ab54 100644
--- a/Utilities/cmnghttp2/lib/nghttp2_helper.c
+++ b/Utilities/cmnghttp2/lib/nghttp2_helper.c
@@ -334,6 +334,8 @@ const char *nghttp2_strerror(int error_code) {
case NGHTTP2_ERR_FLOODED:
return "Flooding was detected in this HTTP/2 session, and it must be "
"closed";
+ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
+ return "Too many CONTINUATION frames following a HEADER frame";
default:
return "Unknown error code";
}
diff --git a/Utilities/cmnghttp2/lib/nghttp2_session.c b/Utilities/cmnghttp2/lib/nghttp2_session.c
index a3c0b708..f02e3f95 100644
--- a/Utilities/cmnghttp2/lib/nghttp2_session.c
+++ b/Utilities/cmnghttp2/lib/nghttp2_session.c
@@ -463,6 +463,7 @@ static int session_new(nghttp2_session **session_ptr,

(*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
(*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
+ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;

if (option) {
if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
@@ -6297,6 +6298,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
}
}
session_inbound_frame_reset(session);
+
+ session->num_continuations = 0;
}
break;
}
@@ -6418,6 +6421,11 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
}
#endif /* DEBUGBUILD */

+
+ if (++session->num_continuations > session->max_continuations) {
+ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
+ }
+
readlen = inbound_frame_buf_read(iframe, in, last);
in += readlen;

diff --git a/Utilities/cmnghttp2/lib/nghttp2_session.h b/Utilities/cmnghttp2/lib/nghttp2_session.h
index b75294c3..f53acac7 100644
--- a/Utilities/cmnghttp2/lib/nghttp2_session.h
+++ b/Utilities/cmnghttp2/lib/nghttp2_session.h
@@ -107,6 +107,10 @@ typedef struct {
#define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
#define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33

+/* The default max number of CONTINUATION frames following an incoming
+ HEADER frame. */
+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
+
/* Internal state when receiving incoming frame */
typedef enum {
/* Receiving frame header */
@@ -277,6 +281,12 @@ struct nghttp2_session {
/* The maximum length of header block to send. Calculated by the
same way as nghttp2_hd_deflate_bound() does. */
size_t max_send_header_block_length;
+ /* The maximum number of CONTINUATION frames following an incoming
+ HEADER frame. */
+ size_t max_continuations;
+ /* The number of CONTINUATION frames following an incoming HEADER
+ frame. This variable is reset when END_HEADERS flag is seen. */
+ size_t num_continuations;
/* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
uint32_t next_stream_id;
/* The last stream ID this session initiated. For client session,
--
2.34.1

121 changes: 121 additions & 0 deletions SPECS/cmake/CVE-2024-7264.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,121 @@
From e5daecf74dd60974e7ae91e432032e6cfdaaf15e Mon Sep 17 00:00:00 2001
From: Vince Perri <5596945+vinceaperri@users.noreply.github.com>
Date: Thu, 21 Nov 2024 14:52:49 +0000
Subject: [PATCH 1/2] x509asn1: clean up GTime2str

Original patch: https://github.com/curl/curl/commit/3c914bc680155b321
---
Utilities/cmcurl/lib/x509asn1.c | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/Utilities/cmcurl/lib/x509asn1.c b/Utilities/cmcurl/lib/x509asn1.c
index 281c9724..b1160102 100644
--- a/Utilities/cmcurl/lib/x509asn1.c
+++ b/Utilities/cmcurl/lib/x509asn1.c
@@ -469,7 +469,7 @@ static const char *GTime2str(const char *beg, const char *end)
/* Convert an ASN.1 Generalized time to a printable string.
Return the dynamically allocated string, or NULL if an error occurs. */

- for(fracp = beg; fracp < end && *fracp >= '0' && *fracp <= '9'; fracp++)
+ for(fracp = beg; fracp < end && ISDIGIT(*fracp); fracp++)
;

/* Get seconds digits. */
@@ -488,17 +488,22 @@ static const char *GTime2str(const char *beg, const char *end)
return NULL;
}

- /* Scan for timezone, measure fractional seconds. */
+ /* timezone follows optional fractional seconds. */
tzp = fracp;
- fracl = 0;
+ fracl = 0; /* no fractional seconds detected so far */
if(fracp < end && (*fracp == '.' || *fracp == ',')) {
- fracp++;
- do
+ /* Have fractional seconds, e.g. "[.,]\d+". How many? */
+ tzp = fracp++; /* should be a digit char or BAD ARGUMENT */
+ while(tzp < end && ISDIGIT(*tzp))
tzp++;
- while(tzp < end && *tzp >= '0' && *tzp <= '9');
- /* Strip leading zeroes in fractional seconds. */
- for(fracl = tzp - fracp - 1; fracl && fracp[fracl - 1] == '0'; fracl--)
- ;
+ if(tzp == fracp) /* never looped, no digit after [.,] */
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+ fracl = tzp - fracp - 1; /* number of fractional sec digits */
+ DEBUGASSERT(fracl > 0);
+ /* Strip trailing zeroes in fractional seconds.
+ * May reduce fracl to 0 if only '0's are present. */
+ while(fracl && fracp[fracl - 1] == '0')
+ fracl--;
}

/* Process timezone. */
--
2.34.1

From 13e627cf5b98be84a8cead6e4518932dba7f2cb7 Mon Sep 17 00:00:00 2001
From: Vince Perri <5596945+vinceaperri@users.noreply.github.com>
Date: Thu, 21 Nov 2024 15:02:39 +0000
Subject: [PATCH 2/2] x509asn1: fixes for gtime2str

Original patch: https://github.com/curl/curl/commit/27959ecce75cdb2
---
Utilities/cmcurl/lib/x509asn1.c | 23 +++++++++++++++--------
1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/Utilities/cmcurl/lib/x509asn1.c b/Utilities/cmcurl/lib/x509asn1.c
index b1160102..ceb03e2a 100644
--- a/Utilities/cmcurl/lib/x509asn1.c
+++ b/Utilities/cmcurl/lib/x509asn1.c
@@ -493,12 +493,13 @@ static const char *GTime2str(const char *beg, const char *end)
fracl = 0; /* no fractional seconds detected so far */
if(fracp < end && (*fracp == '.' || *fracp == ',')) {
/* Have fractional seconds, e.g. "[.,]\d+". How many? */
- tzp = fracp++; /* should be a digit char or BAD ARGUMENT */
+ fracp++; /* should be a digit char or BAD ARGUMENT */
+ tzp = fracp;
while(tzp < end && ISDIGIT(*tzp))
tzp++;
if(tzp == fracp) /* never looped, no digit after [.,] */
return CURLE_BAD_FUNCTION_ARGUMENT;
- fracl = tzp - fracp - 1; /* number of fractional sec digits */
+ fracl = tzp - fracp; /* number of fractional sec digits */
DEBUGASSERT(fracl > 0);
/* Strip trailing zeroes in fractional seconds.
* May reduce fracl to 0 if only '0's are present. */
@@ -507,18 +508,24 @@ static const char *GTime2str(const char *beg, const char *end)
}

/* Process timezone. */
- if(tzp >= end)
- ; /* Nothing to do. */
+ if(tzp >= end) {
+ tzp = "";
+ tzl = 0;
+ }
else if(*tzp == 'Z') {
- tzp = " GMT";
- end = tzp + 4;
+ sep = " ";
+ tzp = "GMT";
+ tzl = 3;
+ }
+ else if((*tzp == '+') || (*tzp == '-')) {
+ sep = " UTC";
+ tzl = end - tzp;
}
else {
sep = " ";
- tzp++;
+ tzl = end - tzp;
}

- tzl = end - tzp;
return curl_maprintf("%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s",
beg, beg + 4, beg + 6,
beg + 8, beg + 10, sec1, sec2,
--
2.34.1

9 changes: 8 additions & 1 deletion SPECS/cmake/cmake.spec
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
Summary: Cmake
Name: cmake
Version: 3.21.4
Release: 13%{?dist}
Release: 14%{?dist}
License: BSD AND LGPLv2+
Vendor: Microsoft Corporation
Distribution: Mariner
Expand All @@ -29,6 +29,9 @@ Patch14: CVE-2023-27538.patch
Patch15: CVE-2023-27535.patch
Patch16: CVE-2023-23916.patch
Patch17: CVE-2023-46218.patch
Patch18: CVE-2024-2398.patch
Patch19: CVE-2024-28182.patch
Patch20: CVE-2024-7264.patch
BuildRequires: bzip2
BuildRequires: bzip2-devel
BuildRequires: curl
Expand Down Expand Up @@ -94,6 +97,10 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure
%{_prefix}/doc/%{name}-*/*

%changelog
* Thu Nov 21 2024 Vince Perri <viperri@microsoft.com> - 3.21.4-14
- Patch CVE-2024-2398 and CVE-2024-7264 (bundled curl)
- Patch CVE-2024-28182 (bundled nghttp2)

* Thu Nov 14 2024 Sharath Srikanth Chellappa <sharathsr@microsoft.com> - 3.21.4-13
- Patch CVE-2022-43552, CVE-2023-27536, CVE-2023-27535, CVE-2023-27538, CVE-2023-23916 and CVE-2023-46218.

Expand Down
Loading

0 comments on commit 95e87e1

Please sign in to comment.