
5 changed files with 543 additions and 13 deletions

.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/pkg-varnish-cache-0ad2f22.tar.gz
SOURCES/varnish-6.0.8.tgz
SOURCES/varnish-6.0.13.tgz


@ -1,2 +1,2 @@
db2cd6c296e7f19d65c09e642b7011338d9d0e04 SOURCES/pkg-varnish-cache-0ad2f22.tar.gz
7c5e50eabcd3c0ddb6c463ba4645678a2f71233a SOURCES/varnish-6.0.8.tgz
614d305e69b01255347f33000f76ed6a4fa3c3f7 SOURCES/varnish-6.0.13.tgz


@ -0,0 +1,326 @@
commit d5cc31b5e6824f8b031c045fab990f31010ee8a1
Author: Tomas Korbar <tkorbar@redhat.com>
Date: Wed Oct 18 17:02:33 2023 +0200
Upstream #3997 PR
Fix CVE-2023-44487
diff --git a/bin/varnishd/VSC_main.vsc b/bin/varnishd/VSC_main.vsc
index f6925f3..b237f86 100644
--- a/bin/varnishd/VSC_main.vsc
+++ b/bin/varnishd/VSC_main.vsc
@@ -586,6 +586,14 @@
Number of session closes with Error VCL_FAILURE (VCL failure)
+.. varnish_vsc:: sc_rapid_reset
+ :level: diag
+ :oneliner: Session Err RAPID_RESET
+
+ Number of times we failed an http/2 session because it hit its
+ configured limits for the number of permitted rapid stream
+ resets.
+
.. varnish_vsc:: client_resp_500
:level: diag
:group: wrk
diff --git a/bin/varnishd/http2/cache_http2.h b/bin/varnishd/http2/cache_http2.h
index 205b96c..36a21bc 100644
--- a/bin/varnishd/http2/cache_http2.h
+++ b/bin/varnishd/http2/cache_http2.h
@@ -184,6 +184,8 @@ struct h2_sess {
h2_error error;
int open_streams;
+ double rst_budget;
+ vtim_real last_rst;
};
#define ASSERT_RXTHR(h2) do {assert(h2->rxthr == pthread_self());} while(0)
diff --git a/bin/varnishd/http2/cache_http2_proto.c b/bin/varnishd/http2/cache_http2_proto.c
index 98f5dc4..270603a 100644
--- a/bin/varnishd/http2/cache_http2_proto.c
+++ b/bin/varnishd/http2/cache_http2_proto.c
@@ -43,6 +43,7 @@
#include "vtcp.h"
#include "vtim.h"
+#define H2_CUSTOM_ERRORS
#define H2EC1(U,v,d) const struct h2_error_s H2CE_##U[1] = {{#U,d,v,0,1}};
#define H2EC2(U,v,d) const struct h2_error_s H2SE_##U[1] = {{#U,d,v,1,0}};
#define H2EC3(U,v,d) H2EC1(U,v,d) H2EC2(U,v,d)
@@ -301,9 +302,46 @@ h2_rx_push_promise(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
/**********************************************************************
*/
+static h2_error
+h2_rapid_reset(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
+{
+ vtim_real now;
+ vtim_dur d;
+
+ CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
+ ASSERT_RXTHR(h2);
+ CHECK_OBJ_NOTNULL(r2, H2_REQ_MAGIC);
+
+ if (cache_param->h2_rapid_reset_limit == 0)
+ return (0);
+
+ now = VTIM_real();
+ CHECK_OBJ_NOTNULL(r2->req, REQ_MAGIC);
+ AN(r2->req->t_first);
+ if (now - r2->req->t_first > cache_param->h2_rapid_reset)
+ return (0);
+
+ d = now - h2->last_rst;
+ h2->rst_budget += cache_param->h2_rapid_reset_limit * d /
+ cache_param->h2_rapid_reset_period;
+ h2->rst_budget = vmin_t(double, h2->rst_budget,
+ cache_param->h2_rapid_reset_limit);
+ h2->last_rst = now;
+
+ if (h2->rst_budget < 1.0) {
+ Lck_Lock(&h2->sess->mtx);
+ VSLb(h2->vsl, SLT_Error, "H2: Hit RST limit. Closing session.");
+ Lck_Unlock(&h2->sess->mtx);
+ return (H2CE_RAPID_RESET);
+ }
+ h2->rst_budget -= 1.0;
+ return (0);
+}
+
static h2_error v_matchproto_(h2_rxframe_f)
h2_rx_rst_stream(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
{
+ h2_error h2e;
CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
ASSERT_RXTHR(h2);
@@ -313,8 +351,9 @@ h2_rx_rst_stream(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
return (H2CE_FRAME_SIZE_ERROR);
if (r2 == NULL)
return (0);
+ h2e = h2_rapid_reset(wrk, h2, r2);
h2_kill_req(wrk, h2, r2, h2_streamerror(vbe32dec(h2->rxf_data)));
- return (0);
+ return (h2e);
}
/**********************************************************************
diff --git a/bin/varnishd/http2/cache_http2_session.c b/bin/varnishd/http2/cache_http2_session.c
index de10835..720b009 100644
--- a/bin/varnishd/http2/cache_http2_session.c
+++ b/bin/varnishd/http2/cache_http2_session.c
@@ -127,6 +127,9 @@ h2_init_sess(const struct worker *wrk, struct sess *sp,
h2_local_settings(&h2->local_settings);
h2->remote_settings = H2_proto_settings;
h2->decode = decode;
+ h2->rst_budget = cache_param->h2_rapid_reset_limit;
+ h2->last_rst = sp->t_open;
+ AZ(isnan(h2->last_rst));
AZ(VHT_Init(h2->dectbl, h2->local_settings.header_table_size));
diff --git a/bin/varnishtest/tests/r03996.vtc b/bin/varnishtest/tests/r03996.vtc
new file mode 100644
index 0000000..3fee370
--- /dev/null
+++ b/bin/varnishtest/tests/r03996.vtc
@@ -0,0 +1,51 @@
+varnishtest "h2 rapid reset"
+
+barrier b1 sock 5
+
+server s1 {
+ rxreq
+ txresp
+} -start
+
+varnish v1 -cliok "param.set feature +http2"
+varnish v1 -cliok "param.set debug +syncvsl"
+varnish v1 -cliok "param.set h2_rapid_reset_limit 3"
+varnish v1 -cliok "param.set h2_rapid_reset 5"
+
+varnish v1 -vcl+backend {
+ import vtc;
+
+ sub vcl_recv {
+ vtc.barrier_sync("${b1_sock}");
+ }
+
+} -start
+
+client c1 {
+ stream 0 {
+ rxgoaway
+ expect goaway.err == ENHANCE_YOUR_CALM
+ } -start
+
+ stream 1 {
+ txreq
+ txrst
+ } -run
+ stream 3 {
+ txreq
+ txrst
+ } -run
+ stream 5 {
+ txreq
+ txrst
+ } -run
+ stream 7 {
+ txreq
+ txrst
+ } -run
+
+ barrier b1 sync
+ stream 0 -wait
+} -run
+
+varnish v1 -expect sc_rapid_reset == 1
diff --git a/include/tbl/h2_error.h b/include/tbl/h2_error.h
index 02044db..0293539 100644
--- a/include/tbl/h2_error.h
+++ b/include/tbl/h2_error.h
@@ -46,6 +46,18 @@ H2_ERROR(CONNECT_ERROR, 10,2, "TCP connection error for CONNECT method")
H2_ERROR(ENHANCE_YOUR_CALM, 11,3, "Processing capacity exceeded")
H2_ERROR(INADEQUATE_SECURITY, 12,1, "Negotiated TLS parameters not acceptable")
H2_ERROR(HTTP_1_1_REQUIRED, 13,1, "Use HTTP/1.1 for the request")
+
+#ifdef H2_CUSTOM_ERRORS
+H2_ERROR(
+ /* name */ RAPID_RESET,
+ /* val */ 11, /* ENHANCE_YOUR_CALM */
+ /* types */ 1,
+ /* descr */ "http/2 rapid reset detected"
+)
+
+# undef H2_CUSTOM_ERRORS
+#endif
+
#undef H2_ERROR
/*lint -restore */
diff --git a/include/tbl/params.h b/include/tbl/params.h
index deecd20..61748e4 100644
--- a/include/tbl/params.h
+++ b/include/tbl/params.h
@@ -1901,6 +1901,53 @@ PARAM(
/* func */ NULL
)
+PARAM(
+ /* name */ h2_rapid_reset,
+ /* typ */ timeout,
+ /* min */ "0.000",
+ /* max */ NULL,
+ /* def */ "1.000",
+ /* units */ "seconds",
+ /* flags */ EXPERIMENTAL,
+ /* s-text */
+ "The upper threshold for how rapid an http/2 RST has to come for "
+ "it to be treated as suspect and subjected to the rate limits "
+ "specified by h2_rapid_reset_limit and h2_rapid_reset_period.",
+ /* l-text */ "",
+ /* func */ NULL
+)
+
+PARAM(
+ /* name */ h2_rapid_reset_limit,
+ /* typ */ uint,
+ /* min */ "0",
+ /* max */ NULL,
+ /* def */ "3600",
+ /* units */ NULL,
+ /* flags */ EXPERIMENTAL,
+ /* s-text */
+ "HTTP2 RST Allowance.\n"
+ "Specifies the maximum number of allowed stream resets issued by\n"
+ "a client over a time period before the connection is closed.\n"
+ "Setting this parameter to 0 disables the limit.",
+ /* l-text */ "",
+ /* func */ NULL
+)
+
+PARAM(
+ /* name */ h2_rapid_reset_period,
+ /* typ */ timeout,
+ /* min */ "1.000",
+ /* max */ NULL,
+ /* def */ "60.000",
+ /* units */ "seconds",
+ /* flags */ EXPERIMENTAL|WIZARD,
+ /* s-text */
+ "HTTP2 sliding window duration for h2_rapid_reset_limit.",
+ /* l-text */ "",
+ /* func */ NULL
+)
+
#undef PARAM
/*lint -restore */
diff --git a/include/tbl/sess_close.h b/include/tbl/sess_close.h
index c20e71c..de130aa 100644
--- a/include/tbl/sess_close.h
+++ b/include/tbl/sess_close.h
@@ -47,6 +47,7 @@ SESS_CLOSE(PIPE_OVERFLOW, pipe_overflow,1, "Session pipe overflow")
SESS_CLOSE(RANGE_SHORT, range_short, 1, "Insufficient data for range")
SESS_CLOSE(REQ_HTTP20, req_http20, 1, "HTTP2 not accepted")
SESS_CLOSE(VCL_FAILURE, vcl_failure, 1, "VCL failure")
+SESS_CLOSE(RAPID_RESET, rapid_reset, 1, "HTTP2 rapid reset")
#undef SESS_CLOSE
/*lint -restore */
diff --git a/include/vdef.h b/include/vdef.h
index 60d833c..327d506 100644
--- a/include/vdef.h
+++ b/include/vdef.h
@@ -93,6 +93,47 @@
# define v_deprecated_
#endif
+/**********************************************************************
+ * Find the minimum or maximum values.
+ * Only evaluate the expression once and perform type checking.
+ */
+
+/* ref: https://stackoverflow.com/a/17624752 */
+
+#define VINDIRECT(a, b, c) a ## b ## c
+#define VCOMBINE(a, b, c) VINDIRECT(a, b, c)
+
+#if defined(__COUNTER__)
+# define VUNIQ_NAME(base) VCOMBINE(base, __LINE__, __COUNTER__)
+#else
+# define VUNIQ_NAME(base) VCOMBINE(base, __LINE__, 0)
+#endif
+
+#ifdef _lint
+#define typeof(x) __typeof__(x)
+#endif
+
+/* ref: https://gcc.gnu.org/onlinedocs/gcc/Typeof.html */
+
+#define _vtake(op, ta, tb, a, b, _va, _vb) \
+ ({ \
+ ta _va = (a); \
+ tb _vb = (b); \
+ (void)(&_va == &_vb); \
+ _va op _vb ? _va : _vb; \
+})
+
+#define opmin <
+#define opmax >
+#define vtake(n, ta, tb, a, b) _vtake(op ## n, ta, tb, a, b, \
+ VUNIQ_NAME(_v ## n ## A), VUNIQ_NAME(_v ## n ## B))
+
+#define vmin(a, b) vtake(min, typeof(a), typeof(b), a, b)
+#define vmax(a, b) vtake(max, typeof(a), typeof(b), a, b)
+
+#define vmin_t(type, a, b) vtake(min, type, type, a, b)
+#define vmax_t(type, a, b) vtake(max, type, type, a, b)
+
/*********************************************************************
* Pointer alignment magic
*/
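Review bot: In h2_rapid_reset (cache_http2_proto.c hunk), `d = now - h2->last_rst` is never clamped, so if VTIM_real() — a wall-clock reading, as its name suggests — steps backwards between two resets, the refill at `h2->rst_budget += ...` becomes a deduction and a well-behaved client can be closed with RAPID_RESET after a clock adjustment; `h2->last_rst` is seeded from `sp->t_open` in h2_init_sess, so the first reset after a backward step is affected the same way. A one-line clamp using the vmax_t helper this same patch adds to vdef.h avoids it: `d = vmax_t(vtim_dur, now - h2->last_rst, 0.);`. The three refill statements also deserve a short comment stating the contract they implement — rst_budget is a bucket refilled at h2_rapid_reset_limit per h2_rapid_reset_period, capped at the limit, with one unit consumed per rapid reset — since that is only implied by the arithmetic. h2_rapid_reset lies entirely within the hunk.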


@ -0,0 +1,206 @@
commit c344e21f23c6605caa257abbf46fd333b7015928
Author: Tomas Korbar <tkorbar@redhat.com>
Date: Wed Oct 18 20:42:21 2023 +0200
vcl_vrt: Skip VCL execution if the client is gone
Upstream PR #4006
diff --git a/bin/varnishd/VSC_main.vsc b/bin/varnishd/VSC_main.vsc
index b237f86..88a659f 100644
--- a/bin/varnishd/VSC_main.vsc
+++ b/bin/varnishd/VSC_main.vsc
@@ -324,6 +324,15 @@
Number of times an HTTP/2 stream was refused because the queue was
too long already. See also parameter thread_queue_limit.
+.. varnish_vsc:: req_reset
+ :group: wrk
+ :oneliner: Requests reset
+
+ Number of times a client left before the VCL processing of its
+ requests completed. For HTTP/2 sessions, either the stream was
+ reset by an RST_STREAM frame from the client, or a stream or
+ connection error occurred.
+
.. varnish_vsc:: n_object
:type: gauge
:group: wrk
diff --git a/bin/varnishd/cache/cache_transport.h b/bin/varnishd/cache/cache_transport.h
index 5da5e35..8546411 100644
--- a/bin/varnishd/cache/cache_transport.h
+++ b/bin/varnishd/cache/cache_transport.h
@@ -42,6 +42,7 @@ typedef void vtr_sess_panic_f (struct vsb *, const struct sess *);
typedef void vtr_req_panic_f (struct vsb *, const struct req *);
typedef void vtr_req_fail_f (struct req *, enum sess_close);
typedef void vtr_reembark_f (struct worker *, struct req *);
+typedef int vtr_poll_f (struct req *);
typedef int vtr_minimal_response_f (struct req *, uint16_t status);
struct transport {
@@ -62,6 +63,7 @@ struct transport {
vtr_sess_panic_f *sess_panic;
vtr_req_panic_f *req_panic;
vtr_reembark_f *reembark;
+ vtr_poll_f *poll;
vtr_minimal_response_f *minimal_response;
VTAILQ_ENTRY(transport) list;
diff --git a/bin/varnishd/cache/cache_vcl_vrt.c b/bin/varnishd/cache/cache_vcl_vrt.c
index 5f3bfee..e35ae59 100644
--- a/bin/varnishd/cache/cache_vcl_vrt.c
+++ b/bin/varnishd/cache/cache_vcl_vrt.c
@@ -37,8 +37,10 @@
#include "cache_varnishd.h"
#include "vcl.h"
+#include "vtim.h"
#include "cache_director.h"
+#include "cache_transport.h"
#include "cache_vcl.h"
/*--------------------------------------------------------------------*/
@@ -338,6 +340,35 @@ VRT_rel_vcl(VRT_CTX, struct vclref **refp)
* The workspace argument is where random VCL stuff gets space from.
*/
+static int
+req_poll(struct worker *wrk, struct req *req)
+{
+
+ CHECK_OBJ_NOTNULL(req->top, REQ_MAGIC);
+ CHECK_OBJ_NOTNULL(req->top->transport, TRANSPORT_MAGIC);
+
+ /* NB: Since a fail transition leads to vcl_synth, the request may be
+ * short-circuited twice.
+ */
+ if (req->req_reset) {
+ wrk->handling = VCL_RET_FAIL;
+ return (-1);
+ }
+
+ if (!FEATURE(FEATURE_VCL_REQ_RESET))
+ return (0);
+ if (req->top->transport->poll == NULL)
+ return (0);
+ if (req->top->transport->poll(req->top) >= 0)
+ return (0);
+
+ VSLb_ts_req(req, "Reset", W_TIM_real(wrk));
+ wrk->stats->req_reset++;
+ wrk->handling = VCL_RET_FAIL;
+ req->req_reset = 1;
+ return (-1);
+}
+
static void
vcl_call_method(struct worker *wrk, struct req *req, struct busyobj *bo,
void *specific, unsigned method, vcl_func_f *func)
@@ -351,6 +382,8 @@ vcl_call_method(struct worker *wrk, struct req *req, struct busyobj *bo,
CHECK_OBJ_NOTNULL(req, REQ_MAGIC);
CHECK_OBJ_NOTNULL(req->sp, SESS_MAGIC);
CHECK_OBJ_NOTNULL(req->vcl, VCL_MAGIC);
+ if (req_poll(wrk, req))
+ return;
VCL_Req2Ctx(&ctx, req);
}
if (bo != NULL) {
diff --git a/bin/varnishd/http2/cache_http2_session.c b/bin/varnishd/http2/cache_http2_session.c
index 720b009..1584740 100644
--- a/bin/varnishd/http2/cache_http2_session.c
+++ b/bin/varnishd/http2/cache_http2_session.c
@@ -440,6 +440,16 @@ h2_new_session(struct worker *wrk, void *arg)
h2_del_sess(wrk, h2, SC_RX_JUNK);
}
+static int v_matchproto_(vtr_poll_f)
+h2_poll(struct req *req)
+{
+ struct h2_req *r2;
+
+ CHECK_OBJ_NOTNULL(req, REQ_MAGIC);
+ CAST_OBJ_NOTNULL(r2, req->transport_priv, H2_REQ_MAGIC);
+ return (r2->error ? -1 : 1);
+}
+
struct transport H2_transport = {
.name = "H2",
.magic = TRANSPORT_MAGIC,
@@ -449,4 +459,5 @@ struct transport H2_transport = {
.req_body = h2_req_body,
.req_fail = h2_req_fail,
.sess_panic = h2_sess_panic,
+ .poll = h2_poll,
};
diff --git a/bin/varnishd/mgt/mgt_param_bits.c b/bin/varnishd/mgt/mgt_param_bits.c
index 263d8a3..788d8f0 100644
--- a/bin/varnishd/mgt/mgt_param_bits.c
+++ b/bin/varnishd/mgt/mgt_param_bits.c
@@ -219,7 +219,12 @@ tweak_feature(struct vsb *vsb, const struct parspec *par, const char *arg)
(void)par;
if (arg != NULL && arg != JSON_FMT) {
- if (!strcmp(arg, "none")) {
+ if (!strcmp(arg, "default")) {
+ AZ(bit_tweak(vsb, mgt_param.feature_bits,
+ FEATURE_Reserved,
+ "+vcl_req_reset",
+ feature_tags, "feature bit", "+"));
+ }else if (!strcmp(arg, "none")) {
memset(mgt_param.feature_bits,
0, sizeof mgt_param.feature_bits);
} else {
@@ -271,6 +276,6 @@ struct parspec VSL_parspec[] = {
#define FEATURE_BIT(U, l, d, ld) "\n\t" #l "\t" d
#include "tbl/feature_bits.h"
#undef FEATURE_BIT
- , 0, "none", "" },
+ , 0, "default", "" },
{ NULL, NULL, NULL }
};
diff --git a/doc/sphinx/reference/vsl.rst b/doc/sphinx/reference/vsl.rst
index 4d01f5b..b529562 100644
--- a/doc/sphinx/reference/vsl.rst
+++ b/doc/sphinx/reference/vsl.rst
@@ -71,6 +71,11 @@ Resp
Restart
Client request is being restarted.
+Reset
+ The client closed its connection, reset its stream or caused
+ a stream error that forced Varnish to reset the stream. Request
+ processing is interrupted and considered failed.
+
Pipe handling timestamps
~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/include/tbl/feature_bits.h b/include/tbl/feature_bits.h
index 23f1b01..844ecfa 100644
--- a/include/tbl/feature_bits.h
+++ b/include/tbl/feature_bits.h
@@ -83,6 +83,12 @@ FEATURE_BIT(HTTP_DATE_POSTEL, http_date_postel,
"like Date:, Last-Modified:, Expires: etc."
)
+FEATURE_BIT(VCL_REQ_RESET, vcl_req_reset,
+ "Stop processing client VCL once the client is gone.",
+ "Stop processing client VCL once the client is gone. "
+ "When this happens MAIN.req_reset is incremented."
+)
+
#undef FEATURE_BIT
/*lint -restore */
diff --git a/include/tbl/req_flags.h b/include/tbl/req_flags.h
index 2c0dbe8..3d3f05f 100644
--- a/include/tbl/req_flags.h
+++ b/include/tbl/req_flags.h
@@ -39,6 +39,7 @@ REQ_FLAG(is_hitpass, 1, 0, "")
REQ_FLAG(waitinglist, 0, 0, "")
REQ_FLAG(want100cont, 0, 0, "")
REQ_FLAG(late100cont, 0, 0, "")
+REQ_FLAG(req_reset, 0, 0, "")
#undef REQ_FLAG
/*lint -restore */
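Review bot: In tweak_feature (mgt_param_bits.c hunk), the new `"default"` branch only adds `+vcl_req_reset` on top of whatever feature bits are already set, whereas the neighbouring `"none"` branch clears the bitmap first; as written, `param.set feature default` appears not to restore the defaults once other bits have been enabled, and the new `"default"` initial value in VSL_parspec only acts as a reset at startup. If a true reset is intended, clear before tweaking: `memset(mgt_param.feature_bits, 0, sizeof mgt_param.feature_bits);` ahead of the bit_tweak call. The `}else if` also wants a space to match the surrounding style. tweak_feature starts and ends outside the hunk.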


@ -18,8 +18,8 @@
Summary: High-performance HTTP accelerator
Name: varnish
Version: 6.0.8
Release: 2%{?dist}.1
Version: 6.0.13
Release: 1%{?dist}.alma.1
License: BSD
Group: System Environment/Daemons
URL: https://www.varnish-cache.org/
@ -32,12 +32,6 @@ Patch9: varnish-5.1.1.fix_python_version.patch
# https://github.com/varnishcache/varnish-cache/commit/5220c394232c25bb7a807a35e7394059ecefa821#diff-2279587378a4426edde05f42e1acca5e
Patch11: varnish-6.0.0.fix_el6_fortify_source.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2045031
Patch100: varnish-6.0.8.CVE-2022-23959.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2141844
Patch101: varnish-6.0.8-CVE-2022-45060.patch
Obsoletes: varnish-libs
%if %{with python3}
@ -146,9 +140,6 @@ sed -i '8 i\RPM_BUILD_ROOT=%{buildroot}' find-provides
%patch11 -p0
%endif
%patch100 -p1
%patch101 -p1
%build
%if 0%{?rhel} == 6
export CFLAGS="%{optflags} -fPIC"
@ -380,6 +371,13 @@ fi
%changelog
* Wed Apr 10 2024 Eduard Abdullin <eabdullin@almalinu.org> - 6.0.13-1.alma.1
- Update to 6.0.13
* Mon Oct 23 2023 Tomas Korbar <tkorbar@redhat.com> - 6.0.8-3.1
- Add parameters h2_rst_allowance and h2_rst_allowance_period to mitigate CVE-2023-44487
- Resolves: RHEL-12814
* Mon Nov 14 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-2.1
- Resolves: #2142092 - CVE-2022-45060 varnish:6/varnish: Request Forgery
Vulnerability
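Review bot: The spec drops Patch100 (CVE-2022-23959) and Patch101 (CVE-2022-45060) and their %patch lines together with the 6.0.8 → 6.0.13 bump, which is sound only because upstream carries those fixes since 6.0.10 and 6.0.11; the 6.0.13-1.alma.1 changelog entry should record that, e.g. `- Drop Patch100/Patch101: CVE-2022-23959 and CVE-2022-45060 are fixed upstream in 6.0.13`. The two patch files added in this compare (the CVE-2023-44487 rapid-reset fix and upstream PR #4006) are not referenced by any Patch: line in the visible hunks, so as far as the diff shows they are not applied; if 6.0.13 already contains them (upstream's 6.0.12 shipped the rapid-reset fix, to my knowledge) the files are dead weight in the repo and could be removed, otherwise a Patch:/%patch pair is missing. The 6.0.8-3.1 changelog entry also names the parameters h2_rst_allowance and h2_rst_allowance_period, while the patch actually adds h2_rapid_reset, h2_rapid_reset_limit and h2_rapid_reset_period.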