File 4451e5b6-CVE-2023-5871.patch of Package libnbd

Overview Repositories Revisions Requests Users Attributes Meta

File 4451e5b6-CVE-2023-5871.patch of Package libnbd

commit 4451e5b61ca07771ceef3e012223779e7a0c7701
Author: Eric Blake <eblake@redhat.com>
Date:   Mon Oct 30 12:50:53 2023 -0500

generator: Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871
    
    Another round of fuzz testing revealed that when a server negotiates
    extended headers and replies with a 64-bit flag value where the client
    used the 32-bit API command, we were correctly flagging the server's
    response as being an EOVERFLOW condition, but then immediately failing
    in an assertion failure instead of reporting it to the application.
    
    The following one-byte change to qemu.git at commit fd9a38fd43 allows
    the creation of an intentionally malicious server:
    
    | diff --git i/nbd/server.c w/nbd/server.c
    | index 859c163d19f..32e1e771a95 100644
    | --- i/nbd/server.c
    | +++ w/nbd/server.c
    | @@ -2178,7 +2178,7 @@ static void nbd_extent_array_convert_to_be(NBDExtentArray *ea)
    |
    |      for (i = 0; i < ea->count; i++) {
    |          ea->extents[i].length = cpu_to_be64(ea->extents[i].length);
    | -        ea->extents[i].flags = cpu_to_be64(ea->extents[i].flags);
    | +        ea->extents[i].flags = ~cpu_to_be64(ea->extents[i].flags);
    |      }
    |  }
    
    and can then be detected with the following command line:
    
    $ nbdsh -c - <<\EOF
    > def f(a,b,c,d):
    >   pass
    >
    > h.connect_systemd_socket_activation(["/path/to/bad/qemu-nbd",
    >   "-r", "-f", "raw", "TODO"])
    > h.block_staus(h.get_size(), 0, f)
    > EOF
    nbdsh: generator/states-reply-chunk.c:626: enter_STATE_REPLY_CHUNK_REPLY_RECV_BS_ENTRIES: Assertion `(len | flags) <= UINT32_MAX' failed.
    Aborted (core dumped)
    
    whereas a fixed libnbd will give:
    
    nbdsh: command line script failed: nbd_block_status: block-status: command failed: Value too large for defined data type
    
    We can either relax the assertion (by changing to 'assert ((len |
    flags) <= UINT32_MAX || cmd->error)'), or intentionally truncate flags
    to make the existing assertion reliable.  This patch goes with the
    latter approach.
    
    Sadly, this crash is possible in all existing 1.18.x stable releases,
    if they were built with assertions enabled (most distros do this by
    default), meaning a malicious server has an easy way to cause a Denial
    of Service attack by triggering the assertion failure in vulnerable
    clients, so we have assigned this CVE-2023-5871.  Mitigating factors:
    the crash only happens for a server that sends a 64-bit status block
    reply (no known production servers do so; qemu 8.2 will be the first
    known server to support extended headers, but it is not yet released);
    and as usual, a client can use TLS to guarantee it is connecting only
    to a known-safe server.  If libnbd is compiled without assertions,
    there is no crash or other mistaken behavior; and when assertions are
    enabled, the attacker cannot accomplish anything more than a denial of
    service.
    
    Reported-by: Richard W.M. Jones <rjones@redhat.com>
    Fixes: 20dadb0e10 ("generator: Prepare for extent64 callback", v1.17.4)
    Signed-off-by: Eric Blake <eblake@redhat.com>
    (cherry picked from commit 177308adb17e81fce7c0f2b2fcf655c5c0b6a4d6)
    Signed-off-by: Eric Blake <eblake@redhat.com>

Index: libnbd-1.18.1/generator/states-reply-chunk.c
===================================================================
--- libnbd-1.18.1.orig/generator/states-reply-chunk.c
+++ libnbd-1.18.1/generator/states-reply-chunk.c
@@ -600,6 +600,7 @@ STATE_MACHINE {
             break; /* Skip this and later extents; we already made progress */
           /* Expose this extent as an error; we made no progress */
           cmd->error = cmd->error ? : EOVERFLOW;
+          flags = (uint32_t)flags;
         }
       }

Places

File 4451e5b6-CVE-2023-5871.patch of Package libnbd

Places