From: William A. Rowe Jr Date: Wed, 16 Jul 2014 20:56:51 +0000 (+0000) Subject: SECURITY: CVE-2014-0231 X-Git-Tag: 2.2.28~43 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fd7e78dc7ab335965eb667e1f8ab0a8ef86f0ba9;p=thirdparty%2Fapache%2Fhttpd.git SECURITY: CVE-2014-0231 mod_cgid: Fix a denial of service against CGI scripts that do not consume stdin that could lead to lingering HTTPD child processes filling up the scoreboard and eventually hanging the server. Submitted by: Rainer Jung, Eric Covener, Yann Ylavic Backports: r1610509, r1535125 Reviewed by: covener, trawick, ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611185 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 252f22ce23b..f860266b0eb 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,15 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.28 + *) SECURITY: CVE-2014-0231 (cve.mitre.org) + mod_cgid: Fix a denial of service against CGI scripts that do + not consume stdin that could lead to lingering HTTPD child processes + filling up the scoreboard and eventually hanging the server. By + default, the client I/O timeout (Timeout directive) now applies to + communication with scripts. The CGIDScriptTimeout directive can be + used to set a different timeout for communication with scripts. + [Rainer Jung, Eric Covener, Yann Ylavic] + *) SECURITY: CVE-2014-0226 (cve.mitre.org) Fix a race condition in scoreboard handling, which could lead to a heap buffer overflow. [Joe Orton, Eric Covener, Jeff Trawick] diff --git a/STATUS b/STATUS index 693e52175a0..9d55a4e706b 100644 --- a/STATUS +++ b/STATUS 
@@ -110,17 +110,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: *) mod_dav: Fix improper encoding in PROPFIND responses. PR 56480. +1: breser, rpluem, ylavic - * SECURITY: CVE-2014-0231 - mod_cgid: Fix a denial of service against CGI scripts that do - not consume stdin that could lead to lingering HTTPD child processes - filling up the scoreboard and eventually hanging the server. - [Rainer Jung, Eric Covener, Yann Ylavic] - - trunk patch: http://svn.apache.org/r1610509 - http://svn.apache.org/r1535125 - 2.2.x patch: http://people.apache.org/~covener/patches/httpd-2.2.x-cgid-script_timeout.diff - +1: covener, trawick, ylavic - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/docs/manual/mod/mod_cgid.xml b/docs/manual/mod/mod_cgid.xml index 01e660dd2ff..303c29dfa03 100644 --- a/docs/manual/mod/mod_cgid.xml +++ b/docs/manual/mod/mod_cgid.xml @@ -96,5 +96,32 @@ the cgi daemon + +CGIDScriptTimeout +The length of time to wait for more output from the +CGI program +CGIDScriptTimeout time[s|ms] +value of Timeout directive when +unset +server config +virtual hostdirectory +.htaccess +CGIDScriptTimeout defaults to zero in releases 2.4 and earlier + + + +

This directive limits the length of time to wait for more output from + the CGI program. If the time is exceeded, the request and CGI are + terminated.

+ + Example + + CGIDScriptTimeout 20 + + + +
+
+ diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c index 6f39ff6640e..f8705e3b3d8 100644 --- a/modules/generators/mod_cgid.c +++ b/modules/generators/mod_cgid.c @@ -93,6 +93,10 @@ static const char *sockname; static pid_t parent_pid; static ap_unix_identity_t empty_ugid = { (uid_t)-1, (gid_t)-1, -1 }; +typedef struct { + apr_interval_time_t timeout; +} cgid_dirconf; + /* The APR other-child API doesn't tell us how the daemon exited * (SIGSEGV vs. exit(1)). The other-child maintenance function * needs to decide whether to restart the daemon after a failure @@ -934,7 +938,14 @@ static void *merge_cgid_config(apr_pool_t *p, void *basev, void *overridesv) return overrides->logname ? overrides : base; } +static void *create_cgid_dirconf(apr_pool_t *p, char *dummy) +{ + cgid_dirconf *c = (cgid_dirconf *) apr_pcalloc(p, sizeof(cgid_dirconf)); + return c; +} + static const char *set_scriptlog(cmd_parms *cmd, void *dummy, const char *arg) + { server_rec *s = cmd->server; cgid_server_conf *conf = ap_get_module_config(s->module_config, @@ -987,7 +998,16 @@ static const char *set_script_socket(cmd_parms *cmd, void *dummy, const char *ar return NULL; } +static const char *set_script_timeout(cmd_parms *cmd, void *dummy, const char *arg) +{ + cgid_dirconf *dc = dummy; + if (ap_timeout_parameter_parse(arg, &dc->timeout, "s") != APR_SUCCESS) { + return "CGIDScriptTimeout has wrong format"; + } + + return NULL; +} static const command_rec cgid_cmds[] = { AP_INIT_TAKE1("ScriptLog", set_scriptlog, NULL, RSRC_CONF, @@ -999,6 +1019,10 @@ static const command_rec cgid_cmds[] = AP_INIT_TAKE1("ScriptSock", set_script_socket, NULL, RSRC_CONF, "the name of the socket to use for communication with " "the cgi daemon."), + AP_INIT_TAKE1("CGIDScriptTimeout", set_script_timeout, NULL, RSRC_CONF | ACCESS_CONF, + "The amount of time to wait between successful reads from " + "the CGI script, in seconds."), + {NULL} }; 
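Review bot: The new `cgid_dirconf` struct says nothing about what a zero `timeout` means, although both places that read it (the `dc->timeout > 0` tests in `cgid_handler` and `include_cmd`) treat zero as "unset, use the server Timeout", and zero is exactly what `create_cgid_dirconf` leaves in it via `apr_pcalloc`. That contract belongs next to the field rather than in two distant call sites: `apr_interval_time_t timeout; /* CGIDScriptTimeout; 0 (the apr_pcalloc default) means unset, r->server->timeout applies */`. A one-line comment above the typedef naming it as the per-directory config of this module would also help, since the module had no per-directory state before this change.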
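Review bot: `create_cgid_dirconf` casts the result of `apr_pcalloc`, which is unnecessary in C and only hides a missing prototype if one ever goes missing; the body can simply be `return apr_pcalloc(p, sizeof(cgid_dirconf));`, with `dummy` documented as the unused directory argument of the hook. The same hunk appears to add a whitespace-only line between `set_scriptlog`'s signature and its opening brace, which is not the brace style used by the neighbouring functions. The page's layout is collapsed, so blank-line counts are inferred, but stray added blank lines also seem to appear after the new `dc =` assignment in the `cgid_handler` hunk at 1335 (two of them) and after the new `ap_log_rerror` call in the hunk at 1487; dropping them keeps the backport diff minimal.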
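Review bot: `set_script_timeout` stores whatever `ap_timeout_parameter_parse` produces, and as far as I know that helper does not reject a negative number, so a directive such as `CGIDScriptTimeout -5` would pass configuration checking and then, because both consumers test `dc->timeout > 0`, silently behave as if the directive were absent. A configuration error is the better outcome, e.g. after the parse: `if (dc->timeout < 0) { return "CGIDScriptTimeout must not be negative"; }`. It is also worth a short comment here that a value of zero is not "no timeout" but "fall back to the Timeout directive", since that is what the handler does with it and it is the opposite of what an operator might expect from `0`.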
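Review bot: The `CGIDScriptTimeout` entry is registered with `RSRC_CONF | ACCESS_CONF` only, which permits the directive in the server, virtual-host and `<Directory>`-style containers but, lacking any `OR_*` override bit, not in `.htaccess`; the manual hunk in this same commit lists `.htaccess` among the directive's contexts, so unless I am misreading the context list one of the two is wrong. If `.htaccess` use is intended the flags need an override bit (for example `RSRC_CONF | ACCESS_CONF | OR_FILEINFO`); otherwise the context list in mod_cgid.xml should drop `.htaccess`, and administrators will not be surprised by a "not allowed here" error. The help string also says "in seconds" although the parser accepts a unit suffix and `"s"` is only the default unit, so `"... from the CGI script, in seconds unless a unit suffix is given."` would be more accurate.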
@@ -1335,11 +1359,15 @@ static int cgid_handler(request_rec *r) apr_file_t *tempsock; struct cleanup_script_info *info; apr_status_t rv; + cgid_dirconf *dc; if (strcmp(r->handler,CGI_MAGIC_TYPE) && strcmp(r->handler,"cgi-script")) return DECLINED; conf = ap_get_module_config(r->server->module_config, &cgid_module); + dc = ap_get_module_config(r->per_dir_config, &cgid_module); + + is_included = !strcmp(r->protocol, "INCLUDED"); if ((argv0 = strrchr(r->filename, '/')) != NULL) @@ -1412,6 +1440,12 @@ static int cgid_handler(request_rec *r) */ apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool); + if (dc->timeout > 0) { + apr_file_pipe_timeout_set(tempsock, dc->timeout); + } + else { + apr_file_pipe_timeout_set(tempsock, r->server->timeout); + } apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket); if ((argv0 = strrchr(r->filename, '/')) != NULL) @@ -1487,6 +1521,10 @@ static int cgid_handler(request_rec *r) if (rv != APR_SUCCESS) { /* silly script stopped reading, soak up remaining message */ child_stopped_reading = 1; + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, + "Error writing request body to script %s", + r->filename); + } } apr_brigade_cleanup(bb); @@ -1577,7 +1615,13 @@ static int cgid_handler(request_rec *r) return HTTP_MOVED_TEMPORARILY; } - ap_pass_brigade(r->output_filters, bb); + rv = ap_pass_brigade(r->output_filters, bb); + if (rv != APR_SUCCESS) { + /* APLOG_ERR because the core output filter message is at error, + * but doesn't know it's passing CGI output + */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, "Failed to flush CGI output to client"); + } } if (nph) { @@ -1707,6 +1751,8 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f, request_rec *r = f->r; cgid_server_conf *conf = ap_get_module_config(r->server->module_config, &cgid_module); + cgid_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgid_module); + struct cleanup_script_info *info; add_ssi_vars(r); 
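Review bot: The return status of `apr_file_pipe_timeout_set` is discarded in both places it is added, here in `cgid_handler` and again in the `include_cmd` hunk at 1736, yet that call is the entire mitigation this commit provides: if it fails (it has to change the descriptor's blocking mode, which can fail), the socket stays blocking and a script that never reads stdin can once more hold the child process indefinitely, with nothing in the error log to explain it. The choice between `dc->timeout` and `r->server->timeout` is also duplicated verbatim between the two functions. A small static helper defined before `cgid_handler` can pick the timeout, apply it, log a failure together with the status, and return that status so each caller can decide whether to abort the request (`cgid_handler` already has an `rv` it can reuse; `include_cmd` would need one). Both `cgid_handler` and `include_cmd` start and end outside this hunk.
```c
/* Apply CGIDScriptTimeout to the script socket, falling back to the server
 * Timeout when the directive is unset (dc->timeout is 0 from apr_pcalloc).
 * This timeout is what bounds a script that never drains stdin, so a failure
 * here must be visible; the status is returned for the caller to act on. */
static apr_status_t cgid_set_script_timeout(apr_file_t *sock,
                                            const cgid_dirconf *dc,
                                            request_rec *r)
{
    apr_interval_time_t t = (dc->timeout > 0) ? dc->timeout
                                              : r->server->timeout;
    apr_status_t rv = apr_file_pipe_timeout_set(sock, t);

    if (rv != APR_SUCCESS) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
                      "Failed to set script timeout for %s", r->filename);
    }
    return rv;
}

/* … in cgid_handler, unchanged: apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool); … */
    rv = cgid_set_script_timeout(tempsock, dc, r);
    /* … unchanged: apr_pool_cleanup_kill() and the rest of the handler … */
```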
@@ -1736,6 +1782,13 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f, * get rid of the cleanup we registered when we created the socket. */ apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool); + if (dc->timeout > 0) { + apr_file_pipe_timeout_set(tempsock, dc->timeout); + } + else { + apr_file_pipe_timeout_set(tempsock, r->server->timeout); + } + apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket); APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_pipe_create(tempsock, @@ -1841,7 +1894,7 @@ static void register_hook(apr_pool_t *p) module AP_MODULE_DECLARE_DATA cgid_module = { STANDARD20_MODULE_STUFF, - NULL, /* dir config creater */ + create_cgid_dirconf, /* dir config creater */ NULL, /* dir merger --- default is to override */ create_cgid_config, /* server config */ merge_cgid_config, /* merge server config */
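Review bot: Registering `create_cgid_dirconf` while leaving the dir merger slot `NULL` means, if I read the core's per-directory merge correctly, that every nested `<Directory>`, `<Location>` or `.htaccess` scope receives a fresh zero-initialised `cgid_dirconf` that overrides its parent rather than inheriting it, so a `CGIDScriptTimeout` set in a parent section silently reverts to the server `Timeout` one level down. Falling back to `Timeout` is the safe direction, but it is surprising for an operator who sets the directive once at the virtual-host or top-level directory and expects it to apply below. Either a merger along the lines of `return over->timeout > 0 ? over : base;` (with the usual `base`/`over` casts) wired into the `/* dir merger */` slot, or a sentence in the manual stating that the directive is not inherited by nested sections, would close the gap. The rest of the module struct continues outside this hunk.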