-
Notifications
You must be signed in to change notification settings - Fork 546
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
nginx: Address CVE-2024-7347 (#10190)
- Loading branch information
1 parent
966a923
commit 9be1704
Showing
2 changed files
with
83 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| From 7362d01658b61184108c21278443910da68f93b4 Mon Sep 17 00:00:00 2001 | ||
| From: Roman Arutyunyan <[email protected]> | ||
| Date: Mon, 12 Aug 2024 18:20:43 +0400 | ||
| Subject: [PATCH] Mp4: fixed buffer underread while updating stsz atom. | ||
|
|
||
| While cropping an stsc atom in ngx_http_mp4_crop_stsc_data(), a 32-bit integer | ||
| overflow could happen, which could result in incorrect seeking and a very large | ||
| value stored in "samples". This resulted in a large invalid value of | ||
| trak->end_chunk_samples. This value is further used to calculate the value of | ||
| trak->end_chunk_samples_size in ngx_http_mp4_update_stsz_atom(). While doing | ||
| this, a large invalid value of trak->end_chunk_samples could result in reading | ||
| memory before stsz atom start. This could potentially result in a segfault. | ||
| --- | ||
| src/http/modules/ngx_http_mp4_module.c | 7 ++++--- | ||
| 1 file changed, 4 insertions(+), 3 deletions(-) | ||
|
|
||
| diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c | ||
| index 03175dea21..1cd017c274 100644 | ||
| --- a/src/http/modules/ngx_http_mp4_module.c | ||
| +++ b/src/http/modules/ngx_http_mp4_module.c | ||
| @@ -3099,7 +3099,8 @@ static ngx_int_t | ||
| ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, | ||
| ngx_http_mp4_trak_t *trak, ngx_uint_t start) | ||
| { | ||
| - uint32_t start_sample, chunk, samples, id, next_chunk, n, | ||
| + uint64_t n; | ||
| + uint32_t start_sample, chunk, samples, id, next_chunk, | ||
| prev_samples; | ||
| ngx_buf_t *data, *buf; | ||
| ngx_uint_t entries, target_chunk, chunk_samples; | ||
| @@ -3160,7 +3161,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, | ||
| "samples:%uD, id:%uD", | ||
| start_sample, chunk, next_chunk - chunk, samples, id); | ||
|
|
||
| - n = (next_chunk - chunk) * samples; | ||
| + n = (uint64_t) (next_chunk - chunk) * samples; | ||
|
|
||
| if (start_sample < n) { | ||
| goto found; | ||
| @@ -3182,7 +3183,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, | ||
| "sample:%uD, chunk:%uD, chunks:%uD, samples:%uD", | ||
| start_sample, chunk, next_chunk - chunk, samples); | ||
|
|
||
| - n = (next_chunk - chunk) * samples; | ||
| + n = (uint64_t) (next_chunk - chunk) * samples; | ||
|
|
||
| if (start_sample > n) { | ||
| ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, | ||
| From 88955b1044ef38315b77ad1a509d63631a790a0f Mon Sep 17 00:00:00 2001 | ||
| From: Roman Arutyunyan <[email protected]> | ||
| Date: Mon, 12 Aug 2024 18:20:45 +0400 | ||
| Subject: [PATCH] Mp4: rejecting unordered chunks in stsc atom. | ||
|
|
||
| Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk | ||
| in ngx_http_mp4_crop_stsc_data(). Later in ngx_http_mp4_update_stco_atom() | ||
| this caused buffer overread while trying to calculate trak->end_offset. | ||
| --- | ||
| src/http/modules/ngx_http_mp4_module.c | 7 +++++++ | ||
| 1 file changed, 7 insertions(+) | ||
|
|
||
| diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c | ||
| index 1cd017c274..041ad263b5 100644 | ||
| --- a/src/http/modules/ngx_http_mp4_module.c | ||
| +++ b/src/http/modules/ngx_http_mp4_module.c | ||
| @@ -3156,6 +3156,13 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, | ||
|
|
||
| next_chunk = ngx_mp4_get_32value(entry->chunk); | ||
|
|
||
| + if (next_chunk < chunk) { | ||
| + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, | ||
| + "unordered mp4 stsc chunks in \"%s\"", | ||
| + mp4->file.name.data); | ||
| + return NGX_ERROR; | ||
| + } | ||
| + | ||
| ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, | ||
| "sample:%uD, chunk:%uD, chunks:%uD, " | ||
| "samples:%uD, id:%uD", |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -7,7 +7,7 @@ Name: nginx | |
| # Currently on "stable" version of nginx from https://nginx.org/en/download.html. | ||
| # Note: Stable versions are even (1.20), mainline versions are odd (1.21) | ||
| Version: 1.22.1 | ||
| Release: 11%{?dist} | ||
| Release: 12%{?dist} | ||
| License: BSD-2-Clause | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Mariner | ||
|
|
@@ -18,6 +18,7 @@ Source1: nginx.service | |
| Source2: https://github.com/nginx/njs/archive/refs/tags/%{njs_version}.tar.gz#/%{name}-njs-%{njs_version}.tar.gz | ||
| Source3: https://github.com/open-telemetry/opentelemetry-cpp-contrib/archive/%{opentelemetry_cpp_contrib_git_commit}.tar.gz#/opentelemetry-cpp-contrib-%{opentelemetry_cpp_contrib_git_commit}.tar.gz | ||
| Patch0: CVE-2023-44487.patch | ||
| Patch1: CVE-2024-7347.patch | ||
| BuildRequires: libxml2-devel | ||
| BuildRequires: libxslt-devel | ||
| BuildRequires: openssl-devel | ||
|
|
@@ -145,6 +146,9 @@ exit 0 | |
| %{_sysconfdir}/%{name}/modules/otel_ngx_module.so | ||
|
|
||
| %changelog | ||
| * Tue Aug 20 2024 Cameron Baird <[email protected]> - 1.22.1-12 | ||
| - Fix CVE-2024-7347 | ||
|
|
||
| * Thu Oct 05 2023 Dan Streetman <[email protected]> - 1.22.1-11 | ||
| - Fix CVE-2023-44487 | ||
|
|
||
|
|
||