From e3ee4f962186ff6a3563b5c61de5420dfd7f8c48 Mon Sep 17 00:00:00 2001 From: Jan Friesse Date: Fri, 10 Apr 2026 11:29:53 +0200 Subject: [PATCH] - Resolves: RHEL-163805 - Resolves: RHEL-163826 - totemsrp: Return error if sanity check fails (fixes CVE-2026-35091) - totemsrp: Fix integer overflow in memb_join_sanity (fixes CVE-2026-35092) Signed-off-by: Jan Friesse --- ...p-Return-error-if-sanity-check-fails.patch | 46 +++++++++++++++ ...integer-overflow-in-memb_join_sanity.patch | 56 +++++++++++++++++++ corosync.spec | 15 ++++- 3 files changed, 116 insertions(+), 1 deletion(-) create mode 100644 RHEL-163805-totemsrp-Return-error-if-sanity-check-fails.patch create mode 100644 RHEL-163826-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch diff --git a/RHEL-163805-totemsrp-Return-error-if-sanity-check-fails.patch b/RHEL-163805-totemsrp-Return-error-if-sanity-check-fails.patch new file mode 100644 index 0000000..8fc1d7b --- /dev/null +++ b/RHEL-163805-totemsrp-Return-error-if-sanity-check-fails.patch 
@@ -0,0 +1,46 @@ +From a16614accfdb3481264d7281843fadf439d9ab1b Mon Sep 17 00:00:00 2001 +From: Jan Friesse +Date: Thu, 2 Apr 2026 09:00:39 +0200 +Subject: [PATCH 1/2] totemsrp: Return error if sanity check fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Previously, the check_memb_commit_token_sanity function correctly +checked the minimum message length. However, if the message was too +short, it incorrectly returned a success code (0) instead of the +expected failure code (-1). + +This commit ensures the appropriate error code is returned when the +message length sanity check fails. + +Fixes: CVE-2026-35091 + +Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) +Signed-off-by: Jan Friesse +Also-proposed-by: nicholasyang +Reviewed-by: Christine Caulfield +--- + exec/totemsrp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/exec/totemsrp.c b/exec/totemsrp.c +index a716ae9f..372a96d1 100644 +--- a/exec/totemsrp.c ++++ b/exec/totemsrp.c +@@ -3811,10 +3811,10 @@ static int check_memb_commit_token_sanity( + log_printf (instance->totemsrp_log_level_security, + "Received memb_commit_token message is too short... ignoring."); + +- return (0); ++ return (-1); + } + +- addr_entries= mct_msg->addr_entries; ++ addr_entries = mct_msg->addr_entries; + if (endian_conversion_needed) { + addr_entries = swab32(addr_entries); + } +-- +2.47.3 + diff --git a/RHEL-163826-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch b/RHEL-163826-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch new file mode 100644 index 0000000..0d78101 --- /dev/null +++ b/RHEL-163826-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch 
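Review bot: The value read into addr_entries immediately after the corrected `return (-1)` is still an attacker-controlled 32-bit count with no upper bound visible in this hunk; the sibling patch in this same commit rejects memb_join counts above PROCESSOR_COUNT_MAX before they feed a length calculation, and check_memb_commit_token_sanity would benefit from the same guard, e.g. `if (addr_entries > PROCESSOR_COUNT_MAX) { return (-1); }` preceded by a security-level log_printf mirroring the memb_join one. The remainder of check_memb_commit_token_sanity, including whatever required-length check consumes addr_entries, lies outside the hunk, so whether such a bound already exists further down cannot be confirmed from this diff. Since the original defect was precisely a wrong return code that no caller could notice, the fixed line would read more safely with the convention stated next to it, `/* 0 = token is sane, -1 = caller must drop the message */`. The unrelated whitespace change to the `addr_entries =` line is harmless but is best kept out of a CVE backport so the security-relevant delta stays minimal.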
@@ -0,0 +1,56 @@ +From 4082294f5094a7591e4e00658c5a605f05d644f1 Mon Sep 17 00:00:00 2001 +From: Jan Friesse +Date: Thu, 2 Apr 2026 09:44:06 +0200 +Subject: [PATCH 2/2] totemsrp: Fix integer overflow in memb_join_sanity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This commit addresses an integer overflow (wraparound) vulnerability +in the check_memb_join_sanity function. + +Previously, the 32-bit unsigned network values proc_list_entries and +failed_list_entries were added together before being promoted to +size_t. This allowed the addition to wrap around in 32-bit arithmetic +(e.g., 0x80000000 + 0x80000000 = 0), resulting in a required_len +calculation that was incorrectly small. + +The solution is to cast the list entries to size_t and verify that +neither exceeds the maximum allowed value before the addition occurs. + +Fixes: CVE-2026-35092 + +Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) +Signed-off-by: Jan Friesse +Also-proposed-by: nicholasyang +Reviewed-by: Christine Caulfield +--- + exec/totemsrp.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/exec/totemsrp.c b/exec/totemsrp.c +index 372a96d1..67596911 100644 +--- a/exec/totemsrp.c ++++ b/exec/totemsrp.c +@@ -3786,7 +3786,17 @@ static int check_memb_join_sanity( + failed_list_entries = swab32(failed_list_entries); + } + +- required_len = sizeof(struct memb_join) + ((proc_list_entries + failed_list_entries) * sizeof(struct srp_addr)); ++ if (proc_list_entries > PROCESSOR_COUNT_MAX || ++ failed_list_entries > PROCESSOR_COUNT_MAX) { ++ log_printf (instance->totemsrp_log_level_security, ++ "Received memb_join message list_entries exceeds the maximum " ++ "allowed value... 
ignoring."); ++ ++ return (-1); ++ } ++ ++ required_len = sizeof(struct memb_join) + ++ (((size_t)proc_list_entries + (size_t)failed_list_entries) * sizeof(struct srp_addr)); + if (msg_len < required_len) { + log_printf (instance->totemsrp_log_level_security, + "Received memb_join message is too short... ignoring."); +-- +2.47.3 + diff --git a/corosync.spec b/corosync.spec index 9b7c839..5da9d52 100644 --- a/corosync.spec +++ b/corosync.spec @@ -23,11 +23,14 @@ Name: corosync Summary: The Corosync Cluster Engine and Application Programming Interfaces Version: 3.1.8 -Release: 1%{?gitver}%{?dist} +Release: 1%{?gitver}%{?dist}.1 License: BSD URL: http://corosync.github.io/corosync/ Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz +Patch0: RHEL-163805-totemsrp-Return-error-if-sanity-check-fails.patch +Patch1: RHEL-163826-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch + %if %{with spausedd} Source1: https://github.com/jfriesse/spausedd/releases/download/%{spausedd_version}/spausedd-%{spausedd_version}.tar.gz # VMGuestLib exists only for x86_64 architecture @@ -91,6 +94,9 @@ BuildRequires: pkgconfig(vmguestlib) %setup -q -n %{name}-%{version}%{?gittarver} %endif +%patch0 -p1 -b .RHEL-163805 +%patch1 -p1 -b .RHEL-163826 + %build %if %{with runautogen} ./autogen.sh @@ -389,6 +395,13 @@ fi %endif %changelog +* Fri Apr 10 2026 Jan Friesse - 3.1.8-1.1 +- Resolves: RHEL-163805 +- Resolves: RHEL-163826 + +- totemsrp: Return error if sanity check fails (fixes CVE-2026-35091) +- totemsrp: Fix integer overflow in memb_join_sanity (fixes CVE-2026-35092) + * Wed Nov 15 2023 Jan Friesse - 3.1.8-1 - Resolves: RHEL-15263
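Review bot: The new rejection path logs only that a limit was exceeded, which leaves an operator reconstructing an attack with no record of what actually arrived; at the security log level the offending counts and the limit are exactly what incident response wants, so the message would be more useful as `"Received memb_join message list_entries (%u proc, %u failed) exceeds the maximum allowed value (%u)... ignoring."` with `proc_list_entries, failed_list_entries, (unsigned int) PROCESSOR_COUNT_MAX` as arguments, assuming the two counters are unsigned int as their swab32 handling suggests. The bound check and the `(size_t)` casts on the required_len line overlap in purpose — once both counts are at most PROCESSOR_COUNT_MAX their sum cannot wrap in 32 bits, provided that constant is far below 2^31 — so a comment such as `/* Bound both counts before the sum so it cannot wrap; the casts keep the arithmetic in size_t regardless. */` above the new if would stop a later cleanup from dropping one of the two as redundant. The rest of check_memb_join_sanity, including what is done with the lists after the length test, is outside the hunk.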