diff --git a/RHEL-84612-totemsrp-Check-size-of-orf_token-msg.patch b/RHEL-84612-totemsrp-Check-size-of-orf_token-msg.patch new file mode 100644 index 0000000..17b4c3e --- /dev/null +++ b/RHEL-84612-totemsrp-Check-size-of-orf_token-msg.patch @@ -0,0 +1,68 @@ +From 7839990f9cdf34e55435ed90109e82709032466a Mon Sep 17 00:00:00 2001 +From: Jan Friesse +Date: Mon, 24 Mar 2025 12:05:08 +0100 +Subject: [PATCH] totemsrp: Check size of orf_token msg + +orf_token message is stored into preallocated array on endian convert +so carefully crafted malicious message can lead to crash of corosync. + +Solution is to check message size beforehand. + +Signed-off-by: Jan Friesse +Reviewed-by: Christine Caulfield +--- + exec/totemsrp.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/exec/totemsrp.c b/exec/totemsrp.c +index 962d0e2a..364528ce 100644 +--- a/exec/totemsrp.c ++++ b/exec/totemsrp.c +@@ -3679,12 +3679,20 @@ static int check_orf_token_sanity( + const struct totemsrp_instance *instance, + const void *msg, + size_t msg_len, ++ size_t max_msg_len, + int endian_conversion_needed) + { + int rtr_entries; + const struct orf_token *token = (const struct orf_token *)msg; + size_t required_len; + ++ if (msg_len > max_msg_len) { ++ log_printf (instance->totemsrp_log_level_security, ++ "Received orf_token message is too long... ignoring."); ++ ++ return (-1); ++ } ++ + if (msg_len < sizeof(struct orf_token)) { + log_printf (instance->totemsrp_log_level_security, + "Received orf_token message is too short... ignoring."); +@@ -3698,6 +3706,13 @@ static int check_orf_token_sanity( + rtr_entries = token->rtr_list_entries; + } + ++ if (rtr_entries > RETRANSMIT_ENTRIES_MAX) { ++ log_printf (instance->totemsrp_log_level_security, ++ "Received orf_token message rtr_entries is corrupted... ignoring."); ++ ++ return (-1); ++ } ++ + required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item); + if (msg_len < required_len) { + log_printf (instance->totemsrp_log_level_security, +@@ -3868,7 +3883,8 @@ static int message_handler_orf_token ( + "Time since last token %0.4f ms", tv_diff / (float)QB_TIME_NS_IN_MSEC); + #endif + +- if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) { ++ if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage), ++ endian_conversion_needed) == -1) { + return (0); + } + +-- +2.47.0 + diff --git a/corosync.spec b/corosync.spec index b2b0ec9..32333ba 100644 --- a/corosync.spec +++ b/corosync.spec @@ -12,16 +12,15 @@ %bcond_without runautogen %bcond_without userflags -%global gitver %{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}} -%global gittarver %{?numcomm:.%{numcomm}}%{?alphatag:-%{alphatag}}%{?dirty:-%{dirty}} - Name: corosync Summary: The Corosync Cluster Engine and Application Programming Interfaces Version: 3.1.9 -Release: 1%{?gitver}%{?dist} +Release: 1%{?dist}.1 License: BSD-3-Clause URL: http://corosync.github.io/corosync/ -Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz +Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}.tar.gz + +Patch0: RHEL-84612-totemsrp-Check-size-of-orf_token-msg.patch # Runtime bits # The automatic dependency overridden in favor of explicit version lock @@ -68,9 +67,10 @@ Requires: libxslt BuildRequires: readline-devel %endif BuildRequires: make +BuildRequires: git %prep -%setup -q -n %{name}-%{version}%{?gittarver} +%autosetup -S git_am %build %if %{with runautogen} @@ -116,7 +116,7 @@ BuildRequires: make %if %{with dbus} mkdir -p -m 0700 %{buildroot}/%{_sysconfdir}/dbus-1/system.d -install -m 644 %{_builddir}/%{name}-%{version}%{?gittarver}/conf/corosync-signals.conf %{buildroot}/%{_datadir}/dbus-1/system.d/corosync-signals.conf +install -m 644 %{_builddir}/%{name}-%{version}/conf/corosync-signals.conf %{buildroot}/%{_datadir}/dbus-1/system.d/corosync-signals.conf %endif ## tree fixup @@ -289,6 +289,11 @@ network splits) %endif %changelog +* Fri Mar 28 2025 Jan Friesse - 3.1.9-1.1 +- Resolves: RHEL-84612 + +- totemsrp: Check size of orf_token msg (fixes CVE-2025-30472) + * Fri Nov 15 2024 Jan Friesse - 3.1.9-1 - Resolves: RHEL-65701