From b49ad22e49b2f2bb87b3492ada99f5e805e7a15c Mon Sep 17 00:00:00 2001
From: chengyechun <chengyechun1@huawei.com>
Date: Fri, 3 Nov 2023 10:59:39 +0800
Subject: [PATCH] fix CVE-2023-31122 and CVE-2023-45802

(cherry picked from commit 7b84c96fbdef9cb632d9ff83f601c746d9665fe0)
---
 ...ort-CVE-2023-31122-out-of-bound-Read.patch |  28 ++++
 ...802-improved-early-cleanup-of-stream.patch | 141 ++++++++++++++++++
 httpd.spec                                    |  10 +-
 3 files changed, 178 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2023-31122-out-of-bound-Read.patch
 create mode 100644 backport-CVE-2023-45802-improved-early-cleanup-of-stream.patch

diff --git a/backport-CVE-2023-31122-out-of-bound-Read.patch b/backport-CVE-2023-31122-out-of-bound-Read.patch
new file mode 100644
index 0000000..8e2f1b5
--- /dev/null
+++ b/backport-CVE-2023-31122-out-of-bound-Read.patch
@@ -0,0 +1,28 @@
+From c41eb3b14a3d1eb2e3c42c4728cc52a22748851a Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <icing@apache.org>
+Date: Mon, 16 Oct 2023 06:39:44 +0000
+Subject: [PATCH] mod_macro: out of bounds Read-2
+
+Conflict:NA
+Reference:https://github.com/apache/httpd/commit/c41eb3b14a3d1eb2e3c42c4728cc52a22748851a
+
+---
+ modules/core/mod_macro.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/core/mod_macro.c b/modules/core/mod_macro.c
+index 04af43b..cc42d0b 100644
+--- a/modules/core/mod_macro.c
++++ b/modules/core/mod_macro.c
+@@ -465,7 +465,7 @@ static const char *process_content(apr_pool_t * pool,
+     for (i = 0; i < contents->nelts; i++) {
+         const char *errmsg;
+         /* copy the line and substitute macro parameters */
+-        strncpy(line, ((char **) contents->elts)[i], MAX_STRING_LEN - 1);
++        apr_cpystrn(line, ((char **) contents->elts)[i], MAX_STRING_LEN);
+         errmsg = substitute_macro_args(line, MAX_STRING_LEN,
+                                        macro, replacements, used);
+         if (errmsg) {
+-- 
+2.23.0
+
diff --git a/backport-CVE-2023-45802-improved-early-cleanup-of-stream.patch b/backport-CVE-2023-45802-improved-early-cleanup-of-stream.patch
new file mode 100644
index 0000000..dc4f37b
--- /dev/null
+++ b/backport-CVE-2023-45802-improved-early-cleanup-of-stream.patch
@@ -0,0 +1,141 @@
+From decce82a706abd78dfc32821a03ad93841d7758a Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <icing@apache.org>
+Date: Mon, 16 Oct 2023 09:05:00 +0000
+Subject: [PATCH] mod_http2: improved early cleanup of streams
+
+Conflict:Some features of mod_http2 are added and most code of mod_http2
+is reconstructed in the pre-patch(9767274b884). Therefore, the pre-patch
+is not integrated. As a result, We need context adaptation.
+Reference:https://github.com/apache/httpd/commit/decce82a706abd78dfc32821a03ad93841d7758a
+
+---
+ changes-entries/h2_cleanup.txt |  2 ++
+ modules/http2/h2_mplx.c        | 26 ++++++++++++++++++++++----
+ modules/http2/h2_mplx.h        |  3 ++-
+ modules/http2/h2_session.c     | 18 +++++++++++++++++-
+ modules/http2/h2_stream.c      |  2 +-
+ 5 files changed, 44 insertions(+), 7 deletions(-)
+ create mode 100644 changes-entries/h2_cleanup.txt
+
+diff --git a/changes-entries/h2_cleanup.txt b/changes-entries/h2_cleanup.txt
+new file mode 100644
+index 0000000..b483f6a
+--- /dev/null
++++ b/changes-entries/h2_cleanup.txt
+@@ -0,0 +1,2 @@
++* mod_http2: improved early cleanup of streams
++  [Stefan Eissing]
+diff --git a/modules/http2/h2_mplx.c b/modules/http2/h2_mplx.c
+index 62c381d..dd0f737 100644
+--- a/modules/http2/h2_mplx.c
++++ b/modules/http2/h2_mplx.c
+@@ -1150,14 +1150,32 @@ int h2_mplx_m_awaits_data(h2_mplx *m)
+     return waiting;
+ }
+ 
+-apr_status_t h2_mplx_m_client_rst(h2_mplx *m, int stream_id)
++apr_status_t h2_mplx_m_client_rst(h2_mplx *m, int stream_id, h2_stream *stream)
+ {
+-    h2_stream *stream;
+     apr_status_t status = APR_SUCCESS;
++    int registered;
+     
+     H2_MPLX_ENTER_ALWAYS(m);
+-    stream = h2_ihash_get(m->streams, stream_id);
+-    if (stream && stream->task) {
++    registered = (h2_ihash_get(m->streams, stream_id) != NULL);
++    if (!stream) {
++        /* a RST might arrive so late, we have already forgotten
++         * about it. Seems ok. */
++        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, m->c1,
++                      H2_MPLX_MSG(m, "RST on unknown stream %d"), stream_id);
++        AP_DEBUG_ASSERT(!registered);
++    }
++    else if (!registered) {
++        /* a RST on a stream that mplx has not been told about, but
++         * which the session knows. Very early and annoying. */
++        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, m->c1,
++                      H2_STRM_MSG(stream, "very early RST, drop"));
++        h2_stream_set_monitor(stream, NULL);
++        h2_stream_rst(stream, H2_ERR_STREAM_CLOSED);
++        h2_stream_dispatch(stream, H2_SEV_EOS_SENT);
++        m_stream_cleanup(m, stream);
++        m_be_annoyed(m);
++    }
++    else if (!reset_is_acceptable(stream)) {
+         status = m_be_annoyed(m);
+     }
+     H2_MPLX_LEAVE(m);
+diff --git a/modules/http2/h2_mplx.h b/modules/http2/h2_mplx.h
+index c61629d..edcc1ee 100644
+--- a/modules/http2/h2_mplx.h
++++ b/modules/http2/h2_mplx.h
+@@ -187,7 +187,8 @@ typedef int h2_mplx_stream_cb(struct h2_stream *s, void *ctx);
+ 
+ apr_status_t h2_mplx_m_stream_do(h2_mplx *m, h2_mplx_stream_cb *cb, void *ctx);
+ 
+-apr_status_t h2_mplx_m_client_rst(h2_mplx *m, int stream_id);
++apr_status_t h2_mplx_m_client_rst(h2_mplx *m, int stream_id,
++                                  struct h2_stream *stream);
+ 
+ /**
+  * Master connection has entered idle mode.
+diff --git a/modules/http2/h2_session.c b/modules/http2/h2_session.c
+index d657fce..aa2bf46 100644
+--- a/modules/http2/h2_session.c
++++ b/modules/http2/h2_session.c
+@@ -389,6 +389,10 @@ static int on_frame_recv_cb(nghttp2_session *ng2s,
+                           session->id, (int)frame->hd.stream_id,
+                           (int)frame->rst_stream.error_code);
+             stream = h2_session_stream_get(session, frame->hd.stream_id);
++            if (stream) {
++                rv = h2_stream_recv_frame(stream, NGHTTP2_RST_STREAM, frame->hd.flags,
++                    frame->h2.length + H2_FRAME_HDR_LEN);
++            }
+             if (stream && stream->initiated_on) {
+                 /* A stream reset on a request we sent it. Normal, when the
+                  * client does not want it. */
+@@ -397,7 +401,8 @@ static int on_frame_recv_cb(nghttp2_session *ng2s,
+             else {
+                 /* A stream reset on a request it sent us. Could happen in a browser
+                  * when the user navigates away or cancels loading - maybe. */
+-                h2_mplx_m_client_rst(session->mplx, frame->hd.stream_id);
++                h2_mplx_m_client_rst(session->mplx, frame->hd.stream_id,
++                                     stream);
+                 ++session->streams_reset;
+             }
+             break;
+@@ -778,6 +783,17 @@ static apr_status_t session_cleanup(h2_session *session, const char *trigger)
+                       "goodbye, clients will be confused, should not happen"));
+     }
+ 
++    if (!h2_iq_empty(session->ready_to_process)) {
++        int sid;
++        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
++                      H2_SSSN_LOG(APLOGNO(), session,
++                      "cleanup, resetting %d streams in ready-to-process"),
++                      h2_iq_count(session->ready_to_process));
++        while ((sid = h2_iq_shift(session->ready_to_process)) > 0) {
++            h2_mplx_m_client_rst(session->mplx, sid, get_stream(session, sid));
++        }
++    }
++
+     transit(session, trigger, H2_SESSION_ST_CLEANUP);
+     h2_mplx_m_release_and_join(session->mplx, session->iowait);
+     session->mplx = NULL;
+diff --git a/modules/http2/h2_stream.c b/modules/http2/h2_stream.c
+index eb61add..1482086 100644
+--- a/modules/http2/h2_stream.c
++++ b/modules/http2/h2_stream.c
+@@ -120,7 +120,7 @@ static int trans_on_event[][H2_SS_MAX] = {
+ { S_XXX, S_ERR,  S_ERR,  S_CL_L, S_CLS,  S_XXX,  S_XXX,  S_XXX, },/* EV_CLOSED_L*/
+ { S_ERR, S_ERR,  S_ERR,  S_CL_R, S_ERR,  S_CLS,  S_NOP,  S_NOP, },/* EV_CLOSED_R*/
+ { S_CLS, S_CLS,  S_CLS,  S_CLS,  S_CLS,  S_CLS,  S_NOP,  S_NOP, },/* EV_CANCELLED*/
+-{ S_NOP, S_XXX,  S_XXX,  S_XXX,  S_XXX,  S_CLS,  S_CLN,  S_XXX, },/* EV_EOS_SENT*/
++{ S_NOP, S_XXX,  S_XXX,  S_XXX,  S_XXX,  S_CLS,  S_CLN,  S_NOP, },/* EV_EOS_SENT*/
+ };
+ 
+ static int on_map(h2_stream_state_t state, int map[H2_SS_MAX])
+-- 
+2.23.0
+
diff --git a/httpd.spec b/httpd.spec
index 5d5ad29..1479b95 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@
 Name:             httpd
 Summary:          Apache HTTP Server
 Version:          2.4.43
-Release:          22
+Release:          23
 License:          ASL 2.0
 URL:              https://httpd.apache.org/
 Source0:          https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@@ -107,6 +107,8 @@ Patch53:          backport-CVE-2023-27522.patch
 Patch54:          backport-CVE-2023-25690.patch
 Patch55:          backport-CVE-2019-17567.patch
 Patch56:          backport-Add-readbuffsize-api.patch
+Patch57:          backport-CVE-2023-31122-out-of-bound-Read.patch
+Patch58:          backport-CVE-2023-45802-improved-early-cleanup-of-stream.patch
 
 BuildRequires:    gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
 BuildRequires:    zlib-devel libselinux-devel lua-devel brotli-devel
@@ -543,6 +545,12 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Fri Nov 03 2023 chengyechun <chengyechun1@huawei.com> - 2.4.43-23
+- Type:CVE
+- ID:CVE-2023-31122, CVE-2023-45802
+- SUG:restart
+- DESC:fix CVE-2023-31122 and CVE-2023-45802
+
 * Thu Apr 6 2023 chengyechun <chengyechun1@huawei.com> - 2.4.43-22
 - Type:CVE
 - ID:CVE-2019-17567
-- 
Gitee