nginx.git/src/event, branch release-1.27.0 nginx QUIC: ngx_quic_buffer_t use-after-free protection. 2024-05-28T13:19:21+00:00 Roman Arutyunyan arut@nginx.com 2024-05-28T13:19:21+00:00 9ddc6a08f4c83db5acc0a74c223ddf75a44b726d Previously the last chain field of ngx_quic_buffer_t could still reference freed chains and buffers after calling ngx_quic_free_buffer(). While normally an ngx_quic_buffer_t object should not be used after freeing, resetting last_chain field would prevent a potential use-after-free. 
Previously the last chain field of ngx_quic_buffer_t could still reference freed
chains and buffers after calling ngx_quic_free_buffer().  While normally an
ngx_quic_buffer_t object should not be used after freeing, resetting last_chain
field would prevent a potential use-after-free.
QUIC: ignore CRYPTO frames after handshake completion. 2024-05-28T13:19:08+00:00 Roman Arutyunyan arut@nginx.com 2024-05-28T13:19:08+00:00 6f8c520f497edfe26f46ef6da6699174df5b3da4 Sending handshake-level CRYPTO frames after the client's Finished message could lead to memory disclosure and a potential segfault, if those frames are sent in one packet with the Finished frame. 
Sending handshake-level CRYPTO frames after the client's Finished message could
lead to memory disclosure and a potential segfault, if those frames are sent in
one packet with the Finished frame.
QUIC: client transport parameter data length checking. 2024-05-28T13:17:19+00:00 Sergey Kandaurov pluknet@nginx.com 2024-05-28T13:17:19+00:00 683e304e8bfe881ef983a0f9ef5e724eec2bd974 






SSL: fixed possible configuration overwrite loading "engine:" keys.
2024-05-03T16:29:01+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-05-03T16:29:01+00:00

6f7494081ae8a56664afb480eff583d639b60ab4

When loading certificate keys via ENGINE_load_private_key() in runtime,
it was possible to overwrite configuration on ENGINE_by_id() failure.
OpenSSL documention doesn't describe errors in details, the only reason
I found in the comment to example is when the engine is not available.





When loading certificate keys via ENGINE_load_private_key() in runtime,
it was possible to overwrite configuration on ENGINE_by_id() failure.
OpenSSL documention doesn't describe errors in details, the only reason
I found in the comment to example is when the engine is not available.







QUIC: fixed close timer processing with early data.
2024-04-10T06:38:10+00:00

Vladimir Khomutov
vl@wbsrv.ru

2024-04-10T06:38:10+00:00

92f99685717e857de9ffa96993601a90803eb0d8

The ngx_quic_run() function uses qc->close timer to limit the handshake
duration.  Normally it is removed by ngx_quic_do_init_streams() which is
called once when we are done with initial SSL processing.

The problem happens when the client sends early data and streams are
initialized in the ngx_quic_run() -> ngx_quic_handle_datagram() call.
The order of set/remove timer calls is now reversed; the close timer is
set up and the timer fires when assigned, starting the unexpected connection
close process.

The fix is to skip setting the timer if streams were initialized during
handling of the initial datagram.  The idle timer for quic is set anyway,
and stream-related timeouts are managed by application layer.





The ngx_quic_run() function uses qc->close timer to limit the handshake
duration.  Normally it is removed by ngx_quic_do_init_streams() which is
called once when we are done with initial SSL processing.

The problem happens when the client sends early data and streams are
initialized in the ngx_quic_run() -> ngx_quic_handle_datagram() call.
The order of set/remove timer calls is now reversed; the close timer is
set up and the timer fires when assigned, starting the unexpected connection
close process.

The fix is to skip setting the timer if streams were initialized during
handling of the initial datagram.  The idle timer for quic is set anyway,
and stream-related timeouts are managed by application layer.







QUIC: fixed stream cleanup (ticket #2586).
2024-02-14T11:55:37+00:00

Roman Arutyunyan
arut@nginx.com

2024-02-14T11:55:37+00:00

5818f8a6693b3c0d95021f2ee58b69dcf848911c

Stream connection cleanup handler ngx_quic_stream_cleanup_handler() calls
ngx_quic_shutdown_stream() after which it resets the pointer from quic stream
to the connection (sc->connection = NULL).  Previously if this call failed,
sc->connection retained the old value, while the connection was freed by the
application code.  This resulted later in a second attempt to close the freed
connection, which lead to allocator double free error.

The fix is to reset the sc->connection pointer in case of error.





Stream connection cleanup handler ngx_quic_stream_cleanup_handler() calls
ngx_quic_shutdown_stream() after which it resets the pointer from quic stream
to the connection (sc->connection = NULL).  Previously if this call failed,
sc->connection retained the old value, while the connection was freed by the
application code.  This resulted later in a second attempt to close the freed
connection, which lead to allocator double free error.

The fix is to reset the sc->connection pointer in case of error.







QUIC: trial packet decryption in response to invalid key update.
2024-02-14T11:55:34+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-02-14T11:55:34+00:00

5902baf680609f884a1e11ff2b82a0bffb3724cc

Inspired by RFC 9001, Section 6.3, trial packet decryption with the current
keys is now used to avoid a timing side-channel signal.  Further, this fixes
segfault while accessing missing next keys (ticket #2585).





Inspired by RFC 9001, Section 6.3, trial packet decryption with the current
keys is now used to avoid a timing side-channel signal.  Further, this fixes
segfault while accessing missing next keys (ticket #2585).







QUIC: fixed unsent MTU probe acknowledgement.
2024-02-14T12:56:28+00:00

Roman Arutyunyan
arut@nginx.com

2024-02-14T12:56:28+00:00

ed47f72a85fb6279e2ba5d431f64ea4db695cf4e

Previously if an MTU probe send failed early in ngx_quic_frame_sendto()
due to allocation error or congestion control, the application level packet
number was not increased, but was still saved as MTU probe packet number.
Later when a packet with this number was acknowledged, the unsent MTU probe
was acknowledged as well.  This could result in discovering a bigger MTU than
supported by the path, which could lead to EMSGSIZE (Message too long) errors
while sending further packets.

The problem existed since PMTUD was introduced in 58afcd72446f (1.25.2).
Back then only the unlikely memory allocation error could trigger it.  However
in efcdaa66df2e congestion control was added to ngx_quic_frame_sendto() which
can now trigger the issue with a higher probability.





Previously if an MTU probe send failed early in ngx_quic_frame_sendto()
due to allocation error or congestion control, the application level packet
number was not increased, but was still saved as MTU probe packet number.
Later when a packet with this number was acknowledged, the unsent MTU probe
was acknowledged as well.  This could result in discovering a bigger MTU than
supported by the path, which could lead to EMSGSIZE (Message too long) errors
while sending further packets.

The problem existed since PMTUD was introduced in 58afcd72446f (1.25.2).
Back then only the unlikely memory allocation error could trigger it.  However
in efcdaa66df2e congestion control was added to ngx_quic_frame_sendto() which
can now trigger the issue with a higher probability.







SSL: fixed $ssl_curves allocation error handling.
2024-01-30T15:18:31+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-01-30T15:18:31+00:00

2a10e48620d430bc2d44f36249c33fb1813aa507












Upstream: fixed usage of closed sockets with filter finalization.
2024-01-30T00:20:10+00:00

Maxim Dounin
mdounin@mdounin.ru

2024-01-30T00:20:10+00:00

6f2059147f20d1bd2cd6ff01ea71bf31ec9c2845

When filter finalization is triggered when working with an upstream server,
and error_page redirects request processing to some simple handler,
ngx_http_request_finalize() triggers request termination when the response
is sent.  In particular, via the upstream cleanup handler, nginx will close
the upstream connection and the corresponding socket.

Still, this can happen to be with ngx_event_pipe() on stack.  While
the code will set p->downstream_error due to NGX_ERROR returned from the
output filter chain by filter finalization, otherwise the error will be
ignored till control returns to ngx_http_upstream_process_request().
And event pipe might try reading from the (already closed) socket, resulting
in "readv() failed (9: Bad file descriptor) while reading upstream" errors
(or even segfaults with SSL).

Such errors were seen with the following configuration:

    location /t2 {
        proxy_pass http://127.0.0.1:8080/big;

        image_filter_buffer 10m;
        image_filter   resize  150 100;
        error_page     415   = /empty;
    }

    location /empty {
        return 204;
    }

    location /big {
        # big enough static file
    }

Fix is to clear p->upstream in ngx_http_upstream_finalize_request(),
and ensure that p->upstream is checked in ngx_event_pipe_read_upstream()
and when handling events at ngx_event_pipe() exit.





When filter finalization is triggered when working with an upstream server,
and error_page redirects request processing to some simple handler,
ngx_http_request_finalize() triggers request termination when the response
is sent.  In particular, via the upstream cleanup handler, nginx will close
the upstream connection and the corresponding socket.

Still, this can happen to be with ngx_event_pipe() on stack.  While
the code will set p->downstream_error due to NGX_ERROR returned from the
output filter chain by filter finalization, otherwise the error will be
ignored till control returns to ngx_http_upstream_process_request().
And event pipe might try reading from the (already closed) socket, resulting
in "readv() failed (9: Bad file descriptor) while reading upstream" errors
(or even segfaults with SSL).

Such errors were seen with the following configuration:

    location /t2 {
        proxy_pass http://127.0.0.1:8080/big;

        image_filter_buffer 10m;
        image_filter   resize  150 100;
        error_page     415   = /empty;
    }

    location /empty {
        return 204;
    }

    location /big {
        # big enough static file
    }

Fix is to clear p->upstream in ngx_http_upstream_finalize_request(),
and ensure that p->upstream is checked in ngx_event_pipe_read_upstream()
and when handling events at ngx_event_pipe() exit.