rpms/haproxy
6
0
Fork 0
Code Issues Pull Requests Releases Activity

- Fix denial of service vulnerability in mjson library (CVE-2025-11230)

Browse Source 
Resolves: RHEL-126665
This commit is contained in:
Oyvind Albrigtsen 2025-11-06 14:10:02 +01:00
parent 7b357ee235
commit 66b59faded
2 changed files with 93 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
RHEL-126665-CVE-2025-11230-fix-denial-of-service-vulnerability-in-mjson-library.patch Normal file
View File

@ -0,0 +1,86 @@
From: Willy Tarreau <w@1wt.eu>
Date: Mon, 29 Sep 2025 16:34:11 +0000 (+0200)
Subject: BUG/CRITICAL: mjson: fix possible DoS when parsing numbers
X-Git-Tag: v2.4.30~6
X-Git-Url: http://git.haproxy.org/?p=haproxy-2.4.git;a=commitdiff_plain;h=2b278798cbdf4a8596149b5769ca98b325acc535;hp=d258af5a33893e52504431a46b5ab50a807280b5
BUG/CRITICAL: mjson: fix possible DoS when parsing numbers
Mjson comes with its own strtod() implementation for portability
reasons and probably also because many generic strtod() versions as
provided by operating systems do not focus on resource preservation
and may call malloc(), which is not welcome in a parser.
The strtod() implementation used here apparently originally comes from
https://gist.github.com/mattn/1890186 and seems to have purposely
omitted a few parts that were considered as not needed in this context
(e.g. skipping white spaces, or setting errno). But when subject to the
relevant test cases of the designated file above, the current function
provides the same results.
The aforementioned implementation uses pow() to calculate exponents,
but mjson authors visibly preferred not to introduce a libm dependency
and replaced it with an iterative loop in O(exp) time. The problem is
that the exponent is not bounded and that this loop can take a huge
amount of time. There's even an issue already opened on mjson about
this: https://github.com/cesanta/mjson/issues/59. In the case of
haproxy, fortunately, the watchdog will quickly stop a runaway process
but this remains a possible denial of service.
A first approach would consist in reintroducing pow() like in the
original implementation, but if haproxy is built without Lua nor
51Degrees, -lm is not used so this will not work everywhere.
Anyway here we're dealing with integer exponents, so an easy alternate
approach consists in simply using shifts and squares, to compute the
exponent in O(log(exp)) time. Not only it doesn't introduce any new
dependency, but it turns out to be even faster than the generic pow()
(85k req/s per core vs 83.5k on the same machine).
This must be backported as far as 2.4, where mjson was introduced.
Many thanks to Oula Kivalo for reporting this issue.
CVE-2025-11230 was assigned to this issue.
(cherry picked from commit 06675db4bf234ed17e14305f1d59259d2fe78b06)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
---
diff --git a/src/mjson.c b/src/mjson.c
index 73b7a57..2a4106b 100644
--- a/src/mjson.c
+++ b/src/mjson.c
@@ -767,11 +767,13 @@ static double mystrtod(const char *str, char **end) {
/* exponential part */
if ((*p == 'E') || (*p == 'e')) {
+ double exp, f;
int i, e = 0, neg = 0;
p++;
if (*p == '-') p++, neg++;
if (*p == '+') p++;
while (is_digit(*p)) e = e * 10 + *p++ - '0';
+ i = e;
if (neg) e = -e;
#if 0
if (d == 2.2250738585072011 && e == -308) {
@@ -785,8 +787,16 @@ static double mystrtod(const char *str, char **end) {
goto done;
}
#endif
- for (i = 0; i < e; i++) d *= 10;
- for (i = 0; i < -e; i++) d /= 10;
+ /* calculate f = 10^i */
+ exp = 10;
+ f = 1;
+ while (i > 0) {
+ if (i & 1) f *= exp;
+ exp *= exp;
+ i >>= 1;
+ }
+ if (e > 0) d *= f;
+ else if (e < 0) d /= f;
a = p;
} else if (p > str && !is_digit(*(p - 1))) {
a = str;

8
haproxy.spec
View File

@ -8,7 +8,7 @@
Name: haproxy Name: haproxy
Version: 2.8.14 Version: 2.8.14
Release: 2%{?dist} Release: 3%{?dist}
Summary: HAProxy reverse proxy for high availability environments Summary: HAProxy reverse proxy for high availability environments
License: GPLv2+ License: GPLv2+
@ -21,6 +21,7 @@ Source3: %{name}.logrotate
Source4: %{name}.sysconfig Source4: %{name}.sysconfig
Source5: %{name}.sysusers Source5: %{name}.sysusers
Source6: halog.1 Source6: halog.1
Patch0: RHEL-126665-CVE-2025-11230-fix-denial-of-service-vulnerability-in-mjson-library.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: lua-devel BuildRequires: lua-devel
@ -50,6 +51,7 @@ availability environments. Indeed, it can:
%prep %prep
%setup -q %setup -q
%autopatch -p1
%build %build
make %{?_smp_mflags} CPU="generic" TARGET="linux-glibc" USE_OPENSSL=1 USE_PCRE2=1 USE_SLZ=1 USE_LUA=1 USE_CRYPT_H=1 USE_SYSTEMD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_PROMEX=1 ADDINC="%{build_cflags}" ADDLIB="%{build_ldflags}" make %{?_smp_mflags} CPU="generic" TARGET="linux-glibc" USE_OPENSSL=1 USE_PCRE2=1 USE_SLZ=1 USE_LUA=1 USE_CRYPT_H=1 USE_SYSTEMD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_PROMEX=1 ADDINC="%{build_cflags}" ADDLIB="%{build_ldflags}"
@ -131,6 +133,10 @@ echo "d /var/lib/haproxy 0755 root root - -" > %{buildroot}%{_tmpfilesdir}/%{nam
%{_tmpfilesdir}/%{name}.conf %{_tmpfilesdir}/%{name}.conf
%changelog %changelog
* Thu Nov 6 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 2.8.14-3
- Fix denial of service vulnerability in mjson library (CVE-2025-11230)
Resolves: RHEL-126665
* Tue Oct 21 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 2.8.14-2 * Tue Oct 21 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 2.8.14-2
- Add tmpfiles.d file to make systemd-tmpfiles create/set correct - Add tmpfiles.d file to make systemd-tmpfiles create/set correct
ownership/permissions of /var/lib/haproxy ownership/permissions of /var/lib/haproxy