- Resolves: RHEL-84612
- totemsrp: Check size of orf_token msg (fixes CVE-2025-30472) Signed-off-by: Jan Friesse <jfriesse@redhat.com>
This commit is contained in:
Jan Friesse
parent
51c1cc57cf
commit
a8682db887
68
RHEL-84612-totemsrp-Check-size-of-orf_token-msg.patch
Normal file
68
RHEL-84612-totemsrp-Check-size-of-orf_token-msg.patch
Normal file
@ -0,0 +1,68 @@
|
||||
From 7839990f9cdf34e55435ed90109e82709032466a Mon Sep 17 00:00:00 2001
|
||||
From: Jan Friesse <jfriesse@redhat.com>
|
||||
Date: Mon, 24 Mar 2025 12:05:08 +0100
|
||||
Subject: [PATCH] totemsrp: Check size of orf_token msg
|
||||
|
||||
orf_token message is stored into preallocated array on endian convert
|
||||
so carefully crafted malicious message can lead to crash of corosync.
|
||||
|
||||
Solution is to check message size beforehand.
|
||||
|
||||
Signed-off-by: Jan Friesse <jfriesse@redhat.com>
|
||||
Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
|
||||
---
|
||||
exec/totemsrp.c | 18 +++++++++++++++++-
|
||||
1 file changed, 17 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/exec/totemsrp.c b/exec/totemsrp.c
|
||||
index 962d0e2a..364528ce 100644
|
||||
--- a/exec/totemsrp.c
|
||||
+++ b/exec/totemsrp.c
|
||||
@@ -3679,12 +3679,20 @@ static int check_orf_token_sanity(
|
||||
const struct totemsrp_instance *instance,
|
||||
const void *msg,
|
||||
size_t msg_len,
|
||||
+ size_t max_msg_len,
|
||||
int endian_conversion_needed)
|
||||
{
|
||||
int rtr_entries;
|
||||
const struct orf_token *token = (const struct orf_token *)msg;
|
||||
size_t required_len;
|
||||
|
||||
+ if (msg_len > max_msg_len) {
|
||||
+ log_printf (instance->totemsrp_log_level_security,
|
||||
+ "Received orf_token message is too long... ignoring.");
|
||||
+
|
||||
+ return (-1);
|
||||
+ }
|
||||
+
|
||||
if (msg_len < sizeof(struct orf_token)) {
|
||||
log_printf (instance->totemsrp_log_level_security,
|
||||
"Received orf_token message is too short... ignoring.");
|
||||
@@ -3698,6 +3706,13 @@ static int check_orf_token_sanity(
|
||||
rtr_entries = token->rtr_list_entries;
|
||||
}
|
||||
|
||||
+ if (rtr_entries > RETRANSMIT_ENTRIES_MAX) {
|
||||
+ log_printf (instance->totemsrp_log_level_security,
|
||||
+ "Received orf_token message rtr_entries is corrupted... ignoring.");
|
||||
+
|
||||
+ return (-1);
|
||||
+ }
|
||||
+
|
||||
required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item);
|
||||
if (msg_len < required_len) {
|
||||
log_printf (instance->totemsrp_log_level_security,
|
||||
@@ -3868,7 +3883,8 @@ static int message_handler_orf_token (
|
||||
"Time since last token %0.4f ms", tv_diff / (float)QB_TIME_NS_IN_MSEC);
|
||||
#endif
|
||||
|
||||
- if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) {
|
||||
+ if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage),
|
||||
+ endian_conversion_needed) == -1) {
|
||||
return (0);
|
||||
}
|
||||
|
||||
--
|
||||
2.47.0
|
||||
|
||||
@ -12,16 +12,15 @@
|
||||
%bcond_without runautogen
|
||||
%bcond_without userflags
|
||||
|
||||
%global gitver %{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}
|
||||
%global gittarver %{?numcomm:.%{numcomm}}%{?alphatag:-%{alphatag}}%{?dirty:-%{dirty}}
|
||||
|
||||
Name: corosync
|
||||
Summary: The Corosync Cluster Engine and Application Programming Interfaces
|
||||
Version: 3.1.9
|
||||
Release: 1%{?gitver}%{?dist}
|
||||
Release: 1%{?dist}.1
|
||||
License: BSD-3-Clause
|
||||
URL: http://corosync.github.io/corosync/
|
||||
Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz
|
||||
Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}.tar.gz
|
||||
|
||||
Patch0: RHEL-84612-totemsrp-Check-size-of-orf_token-msg.patch
|
||||
|
||||
# Runtime bits
|
||||
# The automatic dependency overridden in favor of explicit version lock
|
||||
@ -68,9 +67,10 @@ Requires: libxslt
|
||||
BuildRequires: readline-devel
|
||||
%endif
|
||||
BuildRequires: make
|
||||
BuildRequires: git
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{version}%{?gittarver}
|
||||
%autosetup -S git_am
|
||||
|
||||
%build
|
||||
%if %{with runautogen}
|
||||
@ -116,7 +116,7 @@ BuildRequires: make
|
||||
|
||||
%if %{with dbus}
|
||||
mkdir -p -m 0700 %{buildroot}/%{_sysconfdir}/dbus-1/system.d
|
||||
install -m 644 %{_builddir}/%{name}-%{version}%{?gittarver}/conf/corosync-signals.conf %{buildroot}/%{_datadir}/dbus-1/system.d/corosync-signals.conf
|
||||
install -m 644 %{_builddir}/%{name}-%{version}/conf/corosync-signals.conf %{buildroot}/%{_datadir}/dbus-1/system.d/corosync-signals.conf
|
||||
%endif
|
||||
|
||||
## tree fixup
|
||||
@ -289,6 +289,11 @@ network splits)
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Mar 28 2025 Jan Friesse <jfriesse@redhat.com> - 3.1.9-1.1
|
||||
- Resolves: RHEL-84612
|
||||
|
||||
- totemsrp: Check size of orf_token msg (fixes CVE-2025-30472)
|
||||
|
||||
* Fri Nov 15 2024 Jan Friesse <jfriesse@redhat.com> - 3.1.9-1
|
||||
- Resolves: RHEL-65701
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user