Fix assertion in ext-mode BLOCK_STATUS (CVE-2023-5871)
resolves: RHEL-15143
This commit is contained in:
Richard W.M. Jones
parent
036c9b27d0
commit
8559e9c51d
@ -0,0 +1,88 @@
|
||||
From 4451e5b61ca07771ceef3e012223779e7a0c7701 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Blake <eblake@redhat.com>
|
||||
Date: Mon, 30 Oct 2023 12:50:53 -0500
|
||||
Subject: [PATCH] generator: Fix assertion in ext-mode BLOCK_STATUS,
|
||||
CVE-2023-5871
|
||||
|
||||
Another round of fuzz testing revealed that when a server negotiates
|
||||
extended headers and replies with a 64-bit flag value where the client
|
||||
used the 32-bit API command, we were correctly flagging the server's
|
||||
response as being an EOVERFLOW condition, but then immediately failing
|
||||
in an assertion failure instead of reporting it to the application.
|
||||
|
||||
The following one-byte change to qemu.git at commit fd9a38fd43 allows
|
||||
the creation of an intentionally malicious server:
|
||||
|
||||
| diff --git i/nbd/server.c w/nbd/server.c
|
||||
| index 859c163d19f..32e1e771a95 100644
|
||||
| --- i/nbd/server.c
|
||||
| +++ w/nbd/server.c
|
||||
| @@ -2178,7 +2178,7 @@ static void nbd_extent_array_convert_to_be(NBDExtentArray *ea)
|
||||
|
|
||||
| for (i = 0; i < ea->count; i++) {
|
||||
| ea->extents[i].length = cpu_to_be64(ea->extents[i].length);
|
||||
| - ea->extents[i].flags = cpu_to_be64(ea->extents[i].flags);
|
||||
| + ea->extents[i].flags = ~cpu_to_be64(ea->extents[i].flags);
|
||||
| }
|
||||
| }
|
||||
|
||||
and can then be detected with the following command line:
|
||||
|
||||
$ nbdsh -c - <<\EOF
|
||||
> def f(a,b,c,d):
|
||||
> pass
|
||||
>
|
||||
> h.connect_systemd_socket_activation(["/path/to/bad/qemu-nbd",
|
||||
> "-r", "-f", "raw", "TODO"])
|
||||
> h.block_staus(h.get_size(), 0, f)
|
||||
> EOF
|
||||
nbdsh: generator/states-reply-chunk.c:626: enter_STATE_REPLY_CHUNK_REPLY_RECV_BS_ENTRIES: Assertion `(len | flags) <= UINT32_MAX' failed.
|
||||
Aborted (core dumped)
|
||||
|
||||
whereas a fixed libnbd will give:
|
||||
|
||||
nbdsh: command line script failed: nbd_block_status: block-status: command failed: Value too large for defined data type
|
||||
|
||||
We can either relax the assertion (by changing to 'assert ((len |
|
||||
flags) <= UINT32_MAX || cmd->error)'), or intentionally truncate flags
|
||||
to make the existing assertion reliable. This patch goes with the
|
||||
latter approach.
|
||||
|
||||
Sadly, this crash is possible in all existing 1.18.x stable releases,
|
||||
if they were built with assertions enabled (most distros do this by
|
||||
default), meaning a malicious server has an easy way to cause a Denial
|
||||
of Service attack by triggering the assertion failure in vulnerable
|
||||
clients, so we have assigned this CVE-2023-5871. Mitigating factors:
|
||||
the crash only happens for a server that sends a 64-bit status block
|
||||
reply (no known production servers do so; qemu 8.2 will be the first
|
||||
known server to support extended headers, but it is not yet released);
|
||||
and as usual, a client can use TLS to guarantee it is connecting only
|
||||
to a known-safe server. If libnbd is compiled without assertions,
|
||||
there is no crash or other mistaken behavior; and when assertions are
|
||||
enabled, the attacker cannot accomplish anything more than a denial of
|
||||
service.
|
||||
|
||||
Reported-by: Richard W.M. Jones <rjones@redhat.com>
|
||||
Fixes: 20dadb0e10 ("generator: Prepare for extent64 callback", v1.17.4)
|
||||
Signed-off-by: Eric Blake <eblake@redhat.com>
|
||||
(cherry picked from commit 177308adb17e81fce7c0f2b2fcf655c5c0b6a4d6)
|
||||
Signed-off-by: Eric Blake <eblake@redhat.com>
|
||||
---
|
||||
generator/states-reply-chunk.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/generator/states-reply-chunk.c b/generator/states-reply-chunk.c
|
||||
index 5a31c19..8ab7e8b 100644
|
||||
--- a/generator/states-reply-chunk.c
|
||||
+++ b/generator/states-reply-chunk.c
|
||||
@@ -600,6 +600,7 @@ STATE_MACHINE {
|
||||
break; /* Skip this and later extents; we already made progress */
|
||||
/* Expose this extent as an error; we made no progress */
|
||||
cmd->error = cmd->error ? : EOVERFLOW;
|
||||
+ flags = (uint32_t)flags;
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.39.3
|
||||
|
||||
@ -9,7 +9,7 @@
|
||||
|
||||
Name: libnbd
|
||||
Version: 1.18.1
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: NBD client library in userspace
|
||||
|
||||
License: LGPL-2.0-or-later AND BSD-3-Clause
|
||||
@ -28,7 +28,8 @@ Source3: copy-patches.sh
|
||||
# Patches are stored in the upstream repository:
|
||||
# https://gitlab.com/nbdkit/libnbd/-/commits/rhel-9.4/
|
||||
|
||||
# (no patches)
|
||||
# Patches.
|
||||
Patch0001: 0001-generator-Fix-assertion-in-ext-mode-BLOCK_STATUS-CVE.patch
|
||||
|
||||
%if 0%{patches_touch_autotools}
|
||||
BuildRequires: autoconf, automake, libtool
|
||||
@ -380,6 +381,10 @@ make %{?_smp_mflags} check || {
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Nov 01 2023 Richard W.M. Jones <rjones@redhat.com> - 1.18.1-2
|
||||
- Fix assertion in ext-mode BLOCK_STATUS (CVE-2023-5871)
|
||||
resolves: RHEL-15143
|
||||
|
||||
* Tue Oct 24 2023 Richard W.M. Jones <rjones@redhat.com> - 1.18.1-1
|
||||
- Rebase to 1.18.1
|
||||
resolves: RHEL-14476
|
||||
|
||||
Loading…
Reference in New Issue
Block a user