Sync from SUSE:SLFO:Main libnbd revision b51af95e7a5b33021ebf2926287d929a

Adrian Schröter 2024-08-09 18:36:41 +02:00
parent b189bc15ea
commit fb9f82446d
7 changed files with 103 additions and 92 deletions

View File

@ -1,82 +0,0 @@
commit 4451e5b61ca07771ceef3e012223779e7a0c7701
Author: Eric Blake <eblake@redhat.com>
Date: Mon Oct 30 12:50:53 2023 -0500
generator: Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871
Another round of fuzz testing revealed that when a server negotiates
extended headers and replies with a 64-bit flag value where the client
used the 32-bit API command, we were correctly flagging the server's
response as being an EOVERFLOW condition, but then immediately failing
in an assertion failure instead of reporting it to the application.
The following one-byte change to qemu.git at commit fd9a38fd43 allows
the creation of an intentionally malicious server:
| diff --git i/nbd/server.c w/nbd/server.c
| index 859c163d19f..32e1e771a95 100644
| --- i/nbd/server.c
| +++ w/nbd/server.c
| @@ -2178,7 +2178,7 @@ static void nbd_extent_array_convert_to_be(NBDExtentArray *ea)
|
| for (i = 0; i < ea->count; i++) {
| ea->extents[i].length = cpu_to_be64(ea->extents[i].length);
| - ea->extents[i].flags = cpu_to_be64(ea->extents[i].flags);
| + ea->extents[i].flags = ~cpu_to_be64(ea->extents[i].flags);
| }
| }
and can then be detected with the following command line:
$ nbdsh -c - <<\EOF
> def f(a,b,c,d):
> pass
>
> h.connect_systemd_socket_activation(["/path/to/bad/qemu-nbd",
> "-r", "-f", "raw", "TODO"])
> h.block_staus(h.get_size(), 0, f)
> EOF
nbdsh: generator/states-reply-chunk.c:626: enter_STATE_REPLY_CHUNK_REPLY_RECV_BS_ENTRIES: Assertion `(len | flags) <= UINT32_MAX' failed.
Aborted (core dumped)
whereas a fixed libnbd will give:
nbdsh: command line script failed: nbd_block_status: block-status: command failed: Value too large for defined data type
We can either relax the assertion (by changing to 'assert ((len |
flags) <= UINT32_MAX || cmd->error)'), or intentionally truncate flags
to make the existing assertion reliable. This patch goes with the
latter approach.
Sadly, this crash is possible in all existing 1.18.x stable releases,
if they were built with assertions enabled (most distros do this by
default), meaning a malicious server has an easy way to cause a Denial
of Service attack by triggering the assertion failure in vulnerable
clients, so we have assigned this CVE-2023-5871. Mitigating factors:
the crash only happens for a server that sends a 64-bit status block
reply (no known production servers do so; qemu 8.2 will be the first
known server to support extended headers, but it is not yet released);
and as usual, a client can use TLS to guarantee it is connecting only
to a known-safe server. If libnbd is compiled without assertions,
there is no crash or other mistaken behavior; and when assertions are
enabled, the attacker cannot accomplish anything more than a denial of
service.
Reported-by: Richard W.M. Jones <rjones@redhat.com>
Fixes: 20dadb0e10 ("generator: Prepare for extent64 callback", v1.17.4)
Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit 177308adb17e81fce7c0f2b2fcf655c5c0b6a4d6)
Signed-off-by: Eric Blake <eblake@redhat.com>
Index: libnbd-1.18.1/generator/states-reply-chunk.c
===================================================================
--- libnbd-1.18.1.orig/generator/states-reply-chunk.c
+++ libnbd-1.18.1/generator/states-reply-chunk.c
@@ -600,6 +600,7 @@ STATE_MACHINE {
break; /* Skip this and later extents; we already made progress */
/* Expose this extent as an error; we made no progress */
cmd->error = cmd->error ? : EOVERFLOW;
+ flags = (uint32_t)flags;
}
}
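Review bot: the deletion is only safe if the 1.18.5 tarball really carries this fix; the changelog in this same commit says so ('Drop upstream patch 4451e5b6-CVE-2023-5871.patch' and, under 1.18.2, 'generator: Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871'), but since the whole patch is the one-line `flags = (uint32_t)flags;` truncation in generator/states-reply-chunk.c, confirm that line is present in the new source before merging; otherwise the assertion-based denial of service described in the message comes back silently.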

View File

@ -1,7 +1,7 @@
<services> <services>
<service name="tar_scm" mode="disabled"> <service name="tar_scm" mode="manual">
<param name="filename">libnbd</param> <param name="filename">libnbd</param>
<param name="revision">v1.18.1</param> <param name="revision">v1.18.5</param>
<param name="scm">git</param> <param name="scm">git</param>
<param name="submodules">disable</param> <param name="submodules">disable</param>
<param name="url">https://gitlab.com/nbdkit/libnbd.git</param> <param name="url">https://gitlab.com/nbdkit/libnbd.git</param>
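Review bot: the revision is pinned to the tag `v1.18.5` rather than to a commit hash; a tag on gitlab.com is mutable, so the `changesrevision` recorded in `_servicedata` in this same commit is the only immutable identifier of what tar_scm fetched, and is the value to compare against upstream's v1.18.5 tag when auditing the new tarball. Consider noting that hash in the changes entry.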
@ -10,9 +10,9 @@
<param name="versionrewrite-replacement">\1</param> <param name="versionrewrite-replacement">\1</param>
<param name="changesgenerate">enable</param> <param name="changesgenerate">enable</param>
</service> </service>
<service name="recompress" mode="disabled"> <service name="recompress" mode="manual">
<param name="file">*.tar</param> <param name="file">*.tar</param>
<param name="compression">bz2</param> <param name="compression">bz2</param>
</service> </service>
<service name="set_version" mode="disabled"/> <service name="set_version" mode="manual"/>
</services> </services>
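Review bot: the recompress and set_version modes move from `disabled` to `manual` consistently with the tar_scm service above; `manual` is the current name for the same behaviour (the service only runs on an explicit `osc service manualrun`, never at build time), so this is a cosmetic modernisation and does not change what gets built.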

View File

@ -1,4 +1,4 @@
<servicedata> <servicedata>
<service name="tar_scm"> <service name="tar_scm">
<param name="url">https://gitlab.com/nbdkit/libnbd.git</param> <param name="url">https://gitlab.com/nbdkit/libnbd.git</param>
<param name="changesrevision">ebadf0df2122edb99361c66f78ac1f90f1500f96</param></service></servicedata> <param name="changesrevision">dcd1fc77f129cde770b8bf0a18ce23f72ed5c903</param></service></servicedata>

BIN
libnbd-1.18.1.tar.bz2 (Stored with Git LFS)

Binary file not shown.

BIN
libnbd-1.18.5.tar.bz2 (Stored with Git LFS) Normal file

Binary file not shown.

View File

@ -1,3 +1,97 @@
-------------------------------------------------------------------
Mon Aug 05 17:02:18 UTC 2024 - jfehlig@suse.com
- Update to version 1.18.5:
* CVE-2024-7383 (bsc#1228872)
* Drop upstream patch 4451e5b6-CVE-2023-5871.patch
* Version 1.18.5.
* docs: security: Add link to TLS server certificate checking announcement
* lib/uri.c: Allow tls-verify-peer to be overridden in URIs
* interop: Test interop with a bad system CA
* interop: Add -DEXPECT_FAIL=1 where we expect the test to fail
* interop: Pass -DCERTS and -DPSK as strings
* lib/crypto.c: Allow CA verification even if h->hostname is not set
* lib/crypto.c: Check server certificate even when using system CA
* build: Move to minimum gnutls >= 3.5.18
* nbdfuse: Can't use ?tls-certificates or ?tls-psk-file
* ci: Fix MacOS builds
* tests: Fix CI on Fedora 40
* Include <stdint.h> in code which uses standard C int types
* common/include, ublk: Include <inttypes.h> in code which uses PRI* or SCN*
* Include <stdbool.h> in code which uses bool/true/false
* ublk/nbdublk.c: Include <errno.h>
* copy, lib, ublk: Include <assert.h> which was missing in a few places
* tests: Remove extra whitespace
* copy/copy-nbd-to-small-block-error.sh: Use different pidfiles
* copy: Use verbose nbdcopy in test
* copy: Fix "destination size is smaller than source size" error
* ci: refresh with latest 'lcitool manifest'
* ci: import lcitool project package list definitions
* podwrapper: nbd-server(1), nbd-client(8) are not local man pages
* Version 1.18.4.
* tests/connect-uri: Remove -DPIDFILE, generate it implicitly
* rust: Make the struct Cookie internal field fully public
* interop/block-status-64.c: Fix skip path under valgrind
* Revert "valgrind: Add suppression for liblzma bug"
* ocaml: Add ocamlfind -package to ocamldoc invocation
* info/can.c: Assert that 'can' variable is set
* info: Fix error message
* info: Add note that --can/--is/--has are synonyms
* info: Handle failure of call to file
* fuzzing: Add a comment that the libfuzzer test is unmaintained
* Version 1.18.3.
* tests/opt-info.c: Free string returned by nbd_get_export_name
* valgrind: Add suppression for liblzma bug
* info: Try harder to report contents from nbd-server
* copy: Add test for server without meta context support
* api: Fix nbd_can_meta_context for server that lacks meta contexts
* copy, info: Treat can_meta_context failures as unsupported
* configure: Copy bash-completions test from nbdkit
* podwrapper: Ignore check on older versions of Perl
* podwrapper: Allow = (POD directive) followed by bare URL
* podwrapper: Check for bare URLs and suggest replacement with L<> links
* podwrapper: Move long lines and cross-reference checks earlier
* tests: Missed another C test which didn't use NBDKIT
* tests: Use $NBDKIT instead of plain 'nbdkit'
* tests: Use 'source ./function.sh' consistently in this directory
* ocaml/tests: Add replacement for Bytes.set_int64_be
* ocaml/tests: Add explicit dependency on ocaml_test_config.cm{o,x}
* build: Define the minimum required version of OCaml as 4.05
* generator: Remove definition of sort_uniq
* configure: Annotate OCaml tests by version of OCaml
* ci: Skip certain deadlocking nbd-server tests on Alpine 3.19
* docs: Clarify description of block size constraints
* ocaml: tests: Compute srcdir centrally in Ocaml_test_config module
* ocaml: tests: Use @NBDKIT@ instead of hard coding nbdkit
* python: tests: Use $NBDKIT instead of hard coding nbdkit
* python: Various fixes to the Python tests and test wrapper
* tests: Use wait_for_pidfile instead of open-coded loops
* tests: Define NBD_SERVER in config.h and use it for requires tests
* tests: Define QEMU_NBD in config.h and use it for requires tests
* maint: Be more consistent about using ./configure-defined @NBDKIT@
* maint: Be more consistent about using ./configure-defined @QEMU_NBD@
* interop: Prefer exporting QEMU_STORAGE_DAEMON through tests/functions.sh
* interop: Use nbd-server FORCEDTLS mode
* interop: Test write, flush and zero operations
* interop: Add nbd-server flush flag
* interop: Remove -DNEEDS_TMPFILE
* maint: Use @LN_S@ autoconf macro in preference to writing out 'ln -s'
* tests: connect-uri: Choose random port for TCP connections at runtime
* tests: connect-uri: Change how Unix domain sockets are generated
* docs: Fix accidental double line in SECURITY file
* bash: Make nbdfuse and nbdublk installation conditional
* Version 1.18.2.
* ocaml: Nullify custom block before releasing runtime lock
* ocaml: Use Gc.finalize instead of a C finalizer
* ci: Update to latest lcitool
* rust: Avoid compiler warning about unused import
* docs: Mention CVE-2023-5871
* New mailing list archives
* fuzzing: We need to disable Rust bindings when building fuzzer version
* tests: Check behavior of nbd_set_strict_mode(STRICT_AUTO_FLAG)
* docs: Fix incorrect xref in libnbd-release-notes for 1.18
* generator: Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Nov 13 21:15:40 UTC 2023 - James Fehlig <jfehlig@suse.com> Mon Nov 13 21:15:40 UTC 2023 - James Fehlig <jfehlig@suse.com>
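Review bot: the `CVE-2024-7383 (bsc#1228872)` bullet says nothing about what the vulnerability is; the upstream titles listed under it ('lib/crypto.c: Check server certificate even when using system CA', 'lib/crypto.c: Allow CA verification even if h->hostname is not set', 'lib/uri.c: Allow tls-verify-peer to be overridden in URIs') are the relevant fix, and one sentence naming the TLS server certificate check would help anyone triaging this update. 'build: Move to minimum gnutls >= 3.5.18' is also packaging-relevant: the spec hunk in this commit shows no matching gnutls BuildRequires bump, so check that the version constraint is reflected there. Minor: this entry's header uses the bare address `jfehlig@suse.com` while the previous entry uses `James Fehlig <jfehlig@suse.com>`.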

View File

@ -19,13 +19,12 @@
%define sover 0 %define sover 0
Name: libnbd Name: libnbd
Version: 1.18.1 Version: 1.18.5
Release: 0 Release: 0
Summary: NBD client library in userspace Summary: NBD client library in userspace
License: LGPL-2.1-or-later License: LGPL-2.1-or-later
URL: https://gitlab.com/nbdkit/libnbd URL: https://gitlab.com/nbdkit/libnbd
Source0: %{name}-%{version}.tar.bz2 Source0: %{name}-%{version}.tar.bz2
Patch0: 4451e5b6-CVE-2023-5871.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: fdupes BuildRequires: fdupes
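Review bot: only the `Patch0: 4451e5b6-CVE-2023-5871.patch` declaration is removed in this hunk; the %prep section is not shown, so check that no `%patch0` line remains there (an `%autosetup` prep needs nothing, an explicit `%patch0 -p1` would now fail the build). With the patch gone, the CVE-2023-5871 fix is carried by the 1.18.5 source itself, which is consistent with the 'Drop upstream patch' bullet in the changes file.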