diff --git a/0001-generator-Fix-assertion-in-ext-mode-BLOCK_STATUS-CVE.patch b/0001-generator-Fix-assertion-in-ext-mode-BLOCK_STATUS-CVE.patch deleted file mode 100644 index e52dcd8..0000000 --- a/0001-generator-Fix-assertion-in-ext-mode-BLOCK_STATUS-CVE.patch +++ /dev/null @@ -1,86 +0,0 @@ -From 177308adb17e81fce7c0f2b2fcf655c5c0b6a4d6 Mon Sep 17 00:00:00 2001 -From: Eric Blake -Date: Mon, 30 Oct 2023 12:50:53 -0500 -Subject: [PATCH] generator: Fix assertion in ext-mode BLOCK_STATUS, - CVE-2023-5871 - -Another round of fuzz testing revealed that when a server negotiates -extended headers and replies with a 64-bit flag value where the client -used the 32-bit API command, we were correctly flagging the server's -response as being an EOVERFLOW condition, but then immediately failing -in an assertion failure instead of reporting it to the application. - -The following one-byte change to qemu.git at commit fd9a38fd43 allows -the creation of an intentionally malicious server: - -| diff --git i/nbd/server.c w/nbd/server.c -| index 859c163d19f..32e1e771a95 100644 -| --- i/nbd/server.c -| +++ w/nbd/server.c -| @@ -2178,7 +2178,7 @@ static void nbd_extent_array_convert_to_be(NBDExtentArray *ea) -| -| for (i = 0; i < ea->count; i++) { -| ea->extents[i].length = cpu_to_be64(ea->extents[i].length); -| - ea->extents[i].flags = cpu_to_be64(ea->extents[i].flags); -| + ea->extents[i].flags = ~cpu_to_be64(ea->extents[i].flags); -| } -| } - -and can then be detected with the following command line: - -$ nbdsh -c - <<\EOF -> def f(a,b,c,d): -> pass -> -> h.connect_systemd_socket_activation(["/path/to/bad/qemu-nbd", -> "-r", "-f", "raw", "TODO"]) -> h.block_staus(h.get_size(), 0, f) -> EOF -nbdsh: generator/states-reply-chunk.c:626: enter_STATE_REPLY_CHUNK_REPLY_RECV_BS_ENTRIES: Assertion `(len | flags) <= UINT32_MAX' failed. -Aborted (core dumped) - -whereas a fixed libnbd will give: - -nbdsh: command line script failed: nbd_block_status: block-status: command failed: Value too large for defined data type - -We can either relax the assertion (by changing to 'assert ((len | -flags) <= UINT32_MAX || cmd->error)'), or intentionally truncate flags -to make the existing assertion reliable. This patch goes with the -latter approach. - -Sadly, this crash is possible in all existing 1.18.x stable releases, -if they were built with assertions enabled (most distros do this by -default), meaning a malicious server has an easy way to cause a Denial -of Service attack by triggering the assertion failure in vulnerable -clients, so we have assigned this CVE-2023-5871. Mitigating factors: -the crash only happens for a server that sends a 64-bit status block -reply (no known production servers do so; qemu 8.2 will be the first -known server to support extended headers, but it is not yet released); -and as usual, a client can use TLS to guarantee it is connecting only -to a known-safe server. If libnbd is compiled without assertions, -there is no crash or other mistaken behavior; and when assertions are -enabled, the attacker cannot accomplish anything more than a denial of -service. - -Reported-by: Richard W.M. Jones -Fixes: 20dadb0e10 ("generator: Prepare for extent64 callback", v1.17.4) -Signed-off-by: Eric Blake ---- - generator/states-reply-chunk.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/generator/states-reply-chunk.c b/generator/states-reply-chunk.c -index 5a31c19..8ab7e8b 100644 ---- a/generator/states-reply-chunk.c -+++ b/generator/states-reply-chunk.c -@@ -600,6 +600,7 @@ STATE_MACHINE { - break; /* Skip this and later extents; we already made progress */ - /* Expose this extent as an error; we made no progress */ - cmd->error = cmd->error ? : EOVERFLOW; -+ flags = (uint32_t)flags; - } - } - --- -2.41.0 - diff --git a/libnbd.spec b/libnbd.spec index 84cc0a1..57428cc 100644 --- a/libnbd.spec +++ b/libnbd.spec @@ -25,9 +25,6 @@ Source2: libguestfs.keyring # Maintainer script which helps with handling patches. Source3: copy-patches.sh -# CVE-2023-5871 -Patch: 0001-generator-Fix-assertion-in-ext-mode-BLOCK_STATUS-CVE.patch - %if 0%{patches_touch_autotools} BuildRequires: autoconf, automake, libtool %endif