- Resolves: RHEL-163805

- Resolves: RHEL-163826 - totemsrp: Return error if sanity check fails (fixes CVE-2026-35091) - totemsrp: Fix integer overflow in memb_join_sanity (fixes CVE-2026-35092) Signed-off-by: Jan Friesse <jfriesse@redhat.com>
2026-04-10 11:29:53 +02:00 · 2026-04-10 11:29:53 +02:00 · e3ee4f9621
commit e3ee4f9621
parent d3fc4049a2
3 changed files with 116 additions and 1 deletions
--- a/RHEL-163805-totemsrp-Return-error-if-sanity-check-fails.patch
+++ b/RHEL-163805-totemsrp-Return-error-if-sanity-check-fails.patch
@ -0,0 +1,46 @@
+From a16614accfdb3481264d7281843fadf439d9ab1b Mon Sep 17 00:00:00 2001
+From: Jan Friesse <jfriesse@redhat.com>
+Date: Thu, 2 Apr 2026 09:00:39 +0200
+Subject: [PATCH 1/2] totemsrp: Return error if sanity check fails
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Previously, the check_memb_commit_token_sanity function correctly
+checked the minimum message length. However, if the message was too
+short, it incorrectly returned a success code (0) instead of the
+expected failure code (-1).
+
+This commit ensures the appropriate error code is returned when the
+message length sanity check fails.
+
+Fixes: CVE-2026-35091
+
+Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) <sebasjosue84@gmail.com>
+Signed-off-by: Jan Friesse <jfriesse@redhat.com>
+Also-proposed-by: nicholasyang <nicholas.yang@suse.com>
+Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
+---
+ exec/totemsrp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/exec/totemsrp.c b/exec/totemsrp.c
+index a716ae9f..372a96d1 100644
+--- a/exec/totemsrp.c
+++ b/exec/totemsrp.c
+@@ -3811,10 +3811,10 @@ static int check_memb_commit_token_sanity(
+ 		log_printf (instance->totemsrp_log_level_security,
+ 		    "Received memb_commit_token message is too short...  ignoring.");
+ 
+-		return (0);
+		return (-1);
+ 	}
+ 
+-	addr_entries= mct_msg->addr_entries;
+	addr_entries = mct_msg->addr_entries;
+ 	if (endian_conversion_needed) {
+ 		addr_entries = swab32(addr_entries);
+ 	}
+-- 
+2.47.3
+
--- a/RHEL-163826-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch
+++ b/RHEL-163826-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch
@ -0,0 +1,56 @@
+From 4082294f5094a7591e4e00658c5a605f05d644f1 Mon Sep 17 00:00:00 2001
+From: Jan Friesse <jfriesse@redhat.com>
+Date: Thu, 2 Apr 2026 09:44:06 +0200
+Subject: [PATCH 2/2] totemsrp: Fix integer overflow in memb_join_sanity
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This commit addresses an integer overflow (wraparound) vulnerability
+in the check_memb_join_sanity function.
+
+Previously, the 32-bit unsigned network values proc_list_entries and
+failed_list_entries were added together before being promoted to
+size_t. This allowed the addition to wrap around in 32-bit arithmetic
+(e.g., 0x80000000 + 0x80000000 = 0), resulting in a required_len
+calculation that was incorrectly small.
+
+The solution is to cast the list entries to size_t and verify that
+neither exceeds the maximum allowed value before the addition occurs.
+
+Fixes: CVE-2026-35092
+
+Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) <sebasjosue84@gmail.com>
+Signed-off-by: Jan Friesse <jfriesse@redhat.com>
+Also-proposed-by: nicholasyang <nicholas.yang@suse.com>
+Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
+---
+ exec/totemsrp.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/exec/totemsrp.c b/exec/totemsrp.c
+index 372a96d1..67596911 100644
+--- a/exec/totemsrp.c
+++ b/exec/totemsrp.c
+@@ -3786,7 +3786,17 @@ static int check_memb_join_sanity(
+ 		failed_list_entries = swab32(failed_list_entries);
+ 	}
+ 
+-	required_len = sizeof(struct memb_join) + ((proc_list_entries + failed_list_entries) * sizeof(struct srp_addr));
+	if (proc_list_entries > PROCESSOR_COUNT_MAX ||
+	    failed_list_entries > PROCESSOR_COUNT_MAX) {
+		log_printf (instance->totemsrp_log_level_security,
+		    "Received memb_join message list_entries exceeds the maximum "
+		    "allowed value...  ignoring.");
+
+		return (-1);
+	}
+
+	required_len = sizeof(struct memb_join) +
+	  (((size_t)proc_list_entries + (size_t)failed_list_entries) * sizeof(struct srp_addr));
+ 	if (msg_len < required_len) {
+ 		log_printf (instance->totemsrp_log_level_security,
+ 		    "Received memb_join message is too short...  ignoring.");
+-- 
+2.47.3
+
--- a/corosync.spec
+++ b/corosync.spec
@ -23,11 +23,14 @@
 Name: corosync
 Summary: The Corosync Cluster Engine and Application Programming Interfaces
 Version: 3.1.8
-Release: 1%{?gitver}%{?dist}
+Release: 1%{?gitver}%{?dist}.1
 License: BSD
 URL: http://corosync.github.io/corosync/
 Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz

+Patch0: RHEL-163805-totemsrp-Return-error-if-sanity-check-fails.patch
+Patch1: RHEL-163826-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch
+
 %if %{with spausedd}
 Source1: https://github.com/jfriesse/spausedd/releases/download/%{spausedd_version}/spausedd-%{spausedd_version}.tar.gz
 # VMGuestLib exists only for x86_64 architecture
@ -91,6 +94,9 @@ BuildRequires: pkgconfig(vmguestlib)
 %setup -q -n %{name}-%{version}%{?gittarver}
 %endif

+%patch0 -p1 -b .RHEL-163805
+%patch1 -p1 -b .RHEL-163826
+
 %build
 %if %{with runautogen}
 ./autogen.sh
@ -389,6 +395,13 @@ fi
 %endif

 %changelog
+* Fri Apr 10 2026 Jan Friesse <jfriesse@redhat.com> - 3.1.8-1.1
+- Resolves: RHEL-163805
+- Resolves: RHEL-163826
+
+- totemsrp: Return error if sanity check fails (fixes CVE-2026-35091)
+- totemsrp: Fix integer overflow in memb_join_sanity (fixes CVE-2026-35092)
+
 * Wed Nov 15 2023 Jan Friesse <jfriesse@redhat.com> - 3.1.8-1
 - Resolves: RHEL-15263