From f7b7f4f0c93e444f92c4f8dbd55ba5c00dfd34bc Mon Sep 17 00:00:00 2001
From: Jan Friesse
Date: Thu, 9 Apr 2026 09:54:50 +0200
Subject: [PATCH] - Resolves: RHEL-163817 - Resolves: RHEL-163838 - totemsrp: Return error if sanity check fails (fixes CVE-2026-35091) - totemsrp: Fix integer overflow in memb_join_sanity (fixes CVE-2026-35092)
Signed-off-by: Jan Friesse
---
 ...p-Return-error-if-sanity-check-fails.patch | 46 +++++++++++++++
 ...integer-overflow-in-memb_join_sanity.patch | 56 +++++++++++++++++++
 corosync.spec | 12 +++-
 3 files changed, 113 insertions(+), 1 deletion(-)
 create mode 100644 RHEL-163817-totemsrp-Return-error-if-sanity-check-fails.patch
 create mode 100644 RHEL-163838-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch
diff --git a/RHEL-163817-totemsrp-Return-error-if-sanity-check-fails.patch b/RHEL-163817-totemsrp-Return-error-if-sanity-check-fails.patch
new file mode 100644
index 0000000..8fc1d7b
--- /dev/null
+++ b/RHEL-163817-totemsrp-Return-error-if-sanity-check-fails.patch
@@ -0,0 +1,46 @@
+From a16614accfdb3481264d7281843fadf439d9ab1b Mon Sep 17 00:00:00 2001
+From: Jan Friesse
+Date: Thu, 2 Apr 2026 09:00:39 +0200
+Subject: [PATCH 1/2] totemsrp: Return error if sanity check fails
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Previously, the check_memb_commit_token_sanity function correctly
+checked the minimum message length. However, if the message was too
+short, it incorrectly returned a success code (0) instead of the
+expected failure code (-1).
+
+This commit ensures the appropriate error code is returned when the
+message length sanity check fails.
+
+Fixes: CVE-2026-35091
+
+Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1)
+Signed-off-by: Jan Friesse
+Also-proposed-by: nicholasyang
+Reviewed-by: Christine Caulfield
+---
+ exec/totemsrp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/exec/totemsrp.c b/exec/totemsrp.c
+index a716ae9f..372a96d1 100644
+--- a/exec/totemsrp.c
++++ b/exec/totemsrp.c
+@@ -3811,10 +3811,10 @@ static int check_memb_commit_token_sanity(
+ log_printf (instance->totemsrp_log_level_security,
+ "Received memb_commit_token message is too short... ignoring.");
+
+- return (0);
++ return (-1);
+ }
+
+- addr_entries= mct_msg->addr_entries;
++ addr_entries = mct_msg->addr_entries;
+ if (endian_conversion_needed) {
+ addr_entries = swab32(addr_entries);
+ }
+--
+2.47.3
+
diff --git a/RHEL-163838-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch b/RHEL-163838-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch
new file mode 100644
index 0000000..0d78101
--- /dev/null
+++ b/RHEL-163838-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch
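Review bot: The corrected early return is right, but `addr_entries` is read from the wire two lines later and nothing in the hunk bounds it; check_memb_commit_token_sanity continues past the hunk, so if the remainder derives a required length from `addr_entries * sizeof(...)` the same promotion hazard the companion memb_join fix addresses would apply on builds with a 32-bit size_t. Unless the rest of the function already does so, I would add `if (addr_entries > PROCESSOR_COUNT_MAX) { log_printf (...); return (-1); }` immediately after the swab32 conversion. A one-line comment on the fixed return, `/* -1 = caller must drop this token; 0 here was CVE-2026-35091 */`, would keep the sentinel semantics from regressing again.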
@@ -0,0 +1,56 @@
+From 4082294f5094a7591e4e00658c5a605f05d644f1 Mon Sep 17 00:00:00 2001
+From: Jan Friesse
+Date: Thu, 2 Apr 2026 09:44:06 +0200
+Subject: [PATCH 2/2] totemsrp: Fix integer overflow in memb_join_sanity
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This commit addresses an integer overflow (wraparound) vulnerability
+in the check_memb_join_sanity function.
+
+Previously, the 32-bit unsigned network values proc_list_entries and
+failed_list_entries were added together before being promoted to
+size_t. This allowed the addition to wrap around in 32-bit arithmetic
+(e.g., 0x80000000 + 0x80000000 = 0), resulting in a required_len
+calculation that was incorrectly small.
+
+The solution is to cast the list entries to size_t and verify that
+neither exceeds the maximum allowed value before the addition occurs.
+
+Fixes: CVE-2026-35092
+
+Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1)
+Signed-off-by: Jan Friesse
+Also-proposed-by: nicholasyang
+Reviewed-by: Christine Caulfield
+---
+ exec/totemsrp.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/exec/totemsrp.c b/exec/totemsrp.c
+index 372a96d1..67596911 100644
+--- a/exec/totemsrp.c
++++ b/exec/totemsrp.c
+@@ -3786,7 +3786,17 @@ static int check_memb_join_sanity(
+ failed_list_entries = swab32(failed_list_entries);
+ }
+
+- required_len = sizeof(struct memb_join) + ((proc_list_entries + failed_list_entries) * sizeof(struct srp_addr));
++ if (proc_list_entries > PROCESSOR_COUNT_MAX ||
++ failed_list_entries > PROCESSOR_COUNT_MAX) {
++ log_printf (instance->totemsrp_log_level_security,
++ "Received memb_join message list_entries exceeds the maximum "
++ "allowed value... ignoring.");
++
++ return (-1);
++ }
++
++ required_len = sizeof(struct memb_join) +
++ (((size_t)proc_list_entries + (size_t)failed_list_entries) * sizeof(struct srp_addr));
+ if (msg_len < required_len) {
+ log_printf (instance->totemsrp_log_level_security,
+ "Received memb_join message is too short... ignoring.");
+--
+2.47.3
+
diff --git a/corosync.spec b/corosync.spec
index 01c9683..ecd6e11 100644
--- a/corosync.spec
+++ b/corosync.spec
@@ -15,11 +15,14 @@
 Name: corosync
 Summary: The Corosync Cluster Engine and Application Programming Interfaces
 Version: 3.1.10
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: BSD-3-Clause
 URL: http://corosync.github.io/corosync/
 Source0: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}%{?gittarver}.tar.gz
+Patch0: RHEL-163817-totemsrp-Return-error-if-sanity-check-fails.patch
+Patch1: RHEL-163838-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch
+
 # Runtime bits
 # The automatic dependency overridden in favor of explicit version lock
 Requires: corosynclib%{?_isa} = %{version}-%{release}
@@ -289,6 +292,13 @@ network splits)
 %endif
 %changelog
+* Thu Apr 09 2026 Jan Friesse - 3.1.10-2
+- Resolves: RHEL-163817
+- Resolves: RHEL-163838
+
+- totemsrp: Return error if sanity check fails (fixes CVE-2026-35091)
+- totemsrp: Fix integer overflow in memb_join_sanity (fixes CVE-2026-35092)
+
 * Tue Nov 18 2025 Jan Friesse - 3.1.10-1
 - Resolves: RHEL-122942
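Review bot: The new rejection branch in check_memb_join_sanity logs only a fixed string; for a security-level event driven by attacker-controlled input, the offending counts should be in the line so an operator can distinguish a corrupt peer from a deliberate probe, e.g. `"Received memb_join message list_entries (%u/%u) exceeds the maximum allowed value... ignoring.", proc_list_entries, failed_list_entries`. The per-list bound is sufficient to keep the `(size_t)` sum from wrapping, but it still admits a combined total of 2*PROCESSOR_COUNT_MAX; if code later in the function (outside this hunk) copies both lists into one PROCESSOR_COUNT_MAX-sized array, a check on the sum is needed as well — I cannot confirm that from the hunk. A short comment above the guard, `/* bound each list before the size_t arithmetic so a 32-bit sum cannot wrap (CVE-2026-35092) */`, would preserve the rationale in the source rather than only in the commit message.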
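Review bot: Patch0 and Patch1 are declared here, but the hunk does not include %prep, so nothing visible proves they are applied; if %prep still uses a bare `%setup` (or `%autosetup` without `-p1`), the build succeeds and 3.1.10-2 ships with both CVEs unfixed while the changelog claims otherwise. Please confirm %prep reads `%autosetup -p1` (or add `%patch0 -p1` and `%patch1 -p1`) and verify with `rpmbuild -bp` that both hunks land in exec/totemsrp.c before tagging the build.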