Accepting request 1125731 from Virtualization

- Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871 4451e5b6-CVE-2023-5871.patch bsc#1216769 OBS-URL: https://build.opensuse.org/request/show/1125731 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libnbd?expand=0&rev=14
2023-11-14 20:42:25 +00:00 · 2023-11-14 20:42:25 +00:00 · 5fa83b5ca0
commit 5fa83b5ca0
parent db83d7108f 1629758000
3 changed files with 90 additions and 0 deletions
--- a/4451e5b6-CVE-2023-5871.patch
+++ b/4451e5b6-CVE-2023-5871.patch
@ -0,0 +1,82 @@
+commit 4451e5b61ca07771ceef3e012223779e7a0c7701
+Author: Eric Blake <eblake@redhat.com>
+Date:   Mon Oct 30 12:50:53 2023 -0500
+
+    generator: Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871
+    
+    Another round of fuzz testing revealed that when a server negotiates
+    extended headers and replies with a 64-bit flag value where the client
+    used the 32-bit API command, we were correctly flagging the server's
+    response as being an EOVERFLOW condition, but then immediately failing
+    in an assertion failure instead of reporting it to the application.
+    
+    The following one-byte change to qemu.git at commit fd9a38fd43 allows
+    the creation of an intentionally malicious server:
+    
+    | diff --git i/nbd/server.c w/nbd/server.c
+    | index 859c163d19f..32e1e771a95 100644
+    | --- i/nbd/server.c
+    | +++ w/nbd/server.c
+    | @@ -2178,7 +2178,7 @@ static void nbd_extent_array_convert_to_be(NBDExtentArray *ea)
+    |
+    |      for (i = 0; i < ea->count; i++) {
+    |          ea->extents[i].length = cpu_to_be64(ea->extents[i].length);
+    | -        ea->extents[i].flags = cpu_to_be64(ea->extents[i].flags);
+    | +        ea->extents[i].flags = ~cpu_to_be64(ea->extents[i].flags);
+    |      }
+    |  }
+    
+    and can then be detected with the following command line:
+    
+    $ nbdsh -c - <<\EOF
+    > def f(a,b,c,d):
+    >   pass
+    >
+    > h.connect_systemd_socket_activation(["/path/to/bad/qemu-nbd",
+    >   "-r", "-f", "raw", "TODO"])
+    > h.block_staus(h.get_size(), 0, f)
+    > EOF
+    nbdsh: generator/states-reply-chunk.c:626: enter_STATE_REPLY_CHUNK_REPLY_RECV_BS_ENTRIES: Assertion `(len | flags) <= UINT32_MAX' failed.
+    Aborted (core dumped)
+    
+    whereas a fixed libnbd will give:
+    
+    nbdsh: command line script failed: nbd_block_status: block-status: command failed: Value too large for defined data type
+    
+    We can either relax the assertion (by changing to 'assert ((len |
+    flags) <= UINT32_MAX || cmd->error)'), or intentionally truncate flags
+    to make the existing assertion reliable.  This patch goes with the
+    latter approach.
+    
+    Sadly, this crash is possible in all existing 1.18.x stable releases,
+    if they were built with assertions enabled (most distros do this by
+    default), meaning a malicious server has an easy way to cause a Denial
+    of Service attack by triggering the assertion failure in vulnerable
+    clients, so we have assigned this CVE-2023-5871.  Mitigating factors:
+    the crash only happens for a server that sends a 64-bit status block
+    reply (no known production servers do so; qemu 8.2 will be the first
+    known server to support extended headers, but it is not yet released);
+    and as usual, a client can use TLS to guarantee it is connecting only
+    to a known-safe server.  If libnbd is compiled without assertions,
+    there is no crash or other mistaken behavior; and when assertions are
+    enabled, the attacker cannot accomplish anything more than a denial of
+    service.
+    
+    Reported-by: Richard W.M. Jones <rjones@redhat.com>
+    Fixes: 20dadb0e10 ("generator: Prepare for extent64 callback", v1.17.4)
+    Signed-off-by: Eric Blake <eblake@redhat.com>
+    (cherry picked from commit 177308adb17e81fce7c0f2b2fcf655c5c0b6a4d6)
+    Signed-off-by: Eric Blake <eblake@redhat.com>
+
+Index: libnbd-1.18.1/generator/states-reply-chunk.c
+===================================================================
+--- libnbd-1.18.1.orig/generator/states-reply-chunk.c
+++ libnbd-1.18.1/generator/states-reply-chunk.c
+@@ -600,6 +600,7 @@ STATE_MACHINE {
+             break; /* Skip this and later extents; we already made progress */
+           /* Expose this extent as an error; we made no progress */
+           cmd->error = cmd->error ? : EOVERFLOW;
+          flags = (uint32_t)flags;
+         }
+       }
+ 
--- a/libnbd.changes
+++ b/libnbd.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Nov 13 21:15:40 UTC 2023 - James Fehlig <jfehlig@suse.com>
+
+- Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871
+  4451e5b6-CVE-2023-5871.patch
+  bsc#1216769
+
 -------------------------------------------------------------------
 Wed Oct 25 19:29:55 UTC 2023 - jfehlig@suse.com

--- a/libnbd.spec
+++ b/libnbd.spec
@ -25,6 +25,7 @@ Summary:        NBD client library in userspace
 License:        LGPL-2.1-or-later
 URL:            https://gitlab.com/nbdkit/libnbd
 Source0:        %{name}-%{version}.tar.bz2
+Patch0:         4451e5b6-CVE-2023-5871.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  fdupes