Accepting request 1125731 from Virtualization
- Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871 4451e5b6-CVE-2023-5871.patch bsc#1216769 OBS-URL: https://build.opensuse.org/request/show/1125731 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libnbd?expand=0&rev=14
This commit is contained in:
Ana Guerrero
Git OBS Bridge
commit
5fa83b5ca0
82
4451e5b6-CVE-2023-5871.patch
Normal file
82
4451e5b6-CVE-2023-5871.patch
Normal file
@ -0,0 +1,82 @@
|
|||||||
|
commit 4451e5b61ca07771ceef3e012223779e7a0c7701
|
||||||
|
Author: Eric Blake <eblake@redhat.com>
|
||||||
|
Date: Mon Oct 30 12:50:53 2023 -0500
|
||||||
|
|
||||||
|
generator: Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871
|
||||||
|
|
||||||
|
Another round of fuzz testing revealed that when a server negotiates
|
||||||
|
extended headers and replies with a 64-bit flag value where the client
|
||||||
|
used the 32-bit API command, we were correctly flagging the server's
|
||||||
|
response as being an EOVERFLOW condition, but then immediately failing
|
||||||
|
in an assertion failure instead of reporting it to the application.
|
||||||
|
|
||||||
|
The following one-byte change to qemu.git at commit fd9a38fd43 allows
|
||||||
|
the creation of an intentionally malicious server:
|
||||||
|
|
||||||
|
| diff --git i/nbd/server.c w/nbd/server.c
|
||||||
|
| index 859c163d19f..32e1e771a95 100644
|
||||||
|
| --- i/nbd/server.c
|
||||||
|
| +++ w/nbd/server.c
|
||||||
|
| @@ -2178,7 +2178,7 @@ static void nbd_extent_array_convert_to_be(NBDExtentArray *ea)
|
||||||
|
|
|
||||||
|
| for (i = 0; i < ea->count; i++) {
|
||||||
|
| ea->extents[i].length = cpu_to_be64(ea->extents[i].length);
|
||||||
|
| - ea->extents[i].flags = cpu_to_be64(ea->extents[i].flags);
|
||||||
|
| + ea->extents[i].flags = ~cpu_to_be64(ea->extents[i].flags);
|
||||||
|
| }
|
||||||
|
| }
|
||||||
|
|
||||||
|
and can then be detected with the following command line:
|
||||||
|
|
||||||
|
$ nbdsh -c - <<\EOF
|
||||||
|
> def f(a,b,c,d):
|
||||||
|
> pass
|
||||||
|
>
|
||||||
|
> h.connect_systemd_socket_activation(["/path/to/bad/qemu-nbd",
|
||||||
|
> "-r", "-f", "raw", "TODO"])
|
||||||
|
> h.block_staus(h.get_size(), 0, f)
|
||||||
|
> EOF
|
||||||
|
nbdsh: generator/states-reply-chunk.c:626: enter_STATE_REPLY_CHUNK_REPLY_RECV_BS_ENTRIES: Assertion `(len | flags) <= UINT32_MAX' failed.
|
||||||
|
Aborted (core dumped)
|
||||||
|
|
||||||
|
whereas a fixed libnbd will give:
|
||||||
|
|
||||||
|
nbdsh: command line script failed: nbd_block_status: block-status: command failed: Value too large for defined data type
|
||||||
|
|
||||||
|
We can either relax the assertion (by changing to 'assert ((len |
|
||||||
|
flags) <= UINT32_MAX || cmd->error)'), or intentionally truncate flags
|
||||||
|
to make the existing assertion reliable. This patch goes with the
|
||||||
|
latter approach.
|
||||||
|
|
||||||
|
Sadly, this crash is possible in all existing 1.18.x stable releases,
|
||||||
|
if they were built with assertions enabled (most distros do this by
|
||||||
|
default), meaning a malicious server has an easy way to cause a Denial
|
||||||
|
of Service attack by triggering the assertion failure in vulnerable
|
||||||
|
clients, so we have assigned this CVE-2023-5871. Mitigating factors:
|
||||||
|
the crash only happens for a server that sends a 64-bit status block
|
||||||
|
reply (no known production servers do so; qemu 8.2 will be the first
|
||||||
|
known server to support extended headers, but it is not yet released);
|
||||||
|
and as usual, a client can use TLS to guarantee it is connecting only
|
||||||
|
to a known-safe server. If libnbd is compiled without assertions,
|
||||||
|
there is no crash or other mistaken behavior; and when assertions are
|
||||||
|
enabled, the attacker cannot accomplish anything more than a denial of
|
||||||
|
service.
|
||||||
|
|
||||||
|
Reported-by: Richard W.M. Jones <rjones@redhat.com>
|
||||||
|
Fixes: 20dadb0e10 ("generator: Prepare for extent64 callback", v1.17.4)
|
||||||
|
Signed-off-by: Eric Blake <eblake@redhat.com>
|
||||||
|
(cherry picked from commit 177308adb17e81fce7c0f2b2fcf655c5c0b6a4d6)
|
||||||
|
Signed-off-by: Eric Blake <eblake@redhat.com>
|
||||||
|
|
||||||
|
Index: libnbd-1.18.1/generator/states-reply-chunk.c
|
||||||
|
===================================================================
|
||||||
|
--- libnbd-1.18.1.orig/generator/states-reply-chunk.c
|
||||||
|
+++ libnbd-1.18.1/generator/states-reply-chunk.c
|
||||||
|
@@ -600,6 +600,7 @@ STATE_MACHINE {
|
||||||
|
break; /* Skip this and later extents; we already made progress */
|
||||||
|
/* Expose this extent as an error; we made no progress */
|
||||||
|
cmd->error = cmd->error ? : EOVERFLOW;
|
||||||
|
+ flags = (uint32_t)flags;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
@ -1,3 +1,10 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Nov 13 21:15:40 UTC 2023 - James Fehlig <jfehlig@suse.com>
|
||||||
|
|
||||||
|
- Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871
|
||||||
|
4451e5b6-CVE-2023-5871.patch
|
||||||
|
bsc#1216769
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Oct 25 19:29:55 UTC 2023 - jfehlig@suse.com
|
Wed Oct 25 19:29:55 UTC 2023 - jfehlig@suse.com
|
||||||
|
|
||||||
|
|||||||
@ -25,6 +25,7 @@ Summary: NBD client library in userspace
|
|||||||
License: LGPL-2.1-or-later
|
License: LGPL-2.1-or-later
|
||||||
URL: https://gitlab.com/nbdkit/libnbd
|
URL: https://gitlab.com/nbdkit/libnbd
|
||||||
Source0: %{name}-%{version}.tar.bz2
|
Source0: %{name}-%{version}.tar.bz2
|
||||||
|
Patch0: 4451e5b6-CVE-2023-5871.patch
|
||||||
BuildRequires: autoconf
|
BuildRequires: autoconf
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user