Remove patch upstream
This commit is contained in:
parent
d6a8129e57
commit
cacc31d129
@ -1,86 +0,0 @@
|
|||||||
From 177308adb17e81fce7c0f2b2fcf655c5c0b6a4d6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Eric Blake <eblake@redhat.com>
|
|
||||||
Date: Mon, 30 Oct 2023 12:50:53 -0500
|
|
||||||
Subject: [PATCH] generator: Fix assertion in ext-mode BLOCK_STATUS,
|
|
||||||
CVE-2023-5871
|
|
||||||
|
|
||||||
Another round of fuzz testing revealed that when a server negotiates
|
|
||||||
extended headers and replies with a 64-bit flag value where the client
|
|
||||||
used the 32-bit API command, we were correctly flagging the server's
|
|
||||||
response as being an EOVERFLOW condition, but then immediately failing
|
|
||||||
in an assertion failure instead of reporting it to the application.
|
|
||||||
|
|
||||||
The following one-byte change to qemu.git at commit fd9a38fd43 allows
|
|
||||||
the creation of an intentionally malicious server:
|
|
||||||
|
|
||||||
| diff --git i/nbd/server.c w/nbd/server.c
|
|
||||||
| index 859c163d19f..32e1e771a95 100644
|
|
||||||
| --- i/nbd/server.c
|
|
||||||
| +++ w/nbd/server.c
|
|
||||||
| @@ -2178,7 +2178,7 @@ static void nbd_extent_array_convert_to_be(NBDExtentArray *ea)
|
|
||||||
|
|
|
||||||
| for (i = 0; i < ea->count; i++) {
|
|
||||||
| ea->extents[i].length = cpu_to_be64(ea->extents[i].length);
|
|
||||||
| - ea->extents[i].flags = cpu_to_be64(ea->extents[i].flags);
|
|
||||||
| + ea->extents[i].flags = ~cpu_to_be64(ea->extents[i].flags);
|
|
||||||
| }
|
|
||||||
| }
|
|
||||||
|
|
||||||
and can then be detected with the following command line:
|
|
||||||
|
|
||||||
$ nbdsh -c - <<\EOF
|
|
||||||
> def f(a,b,c,d):
|
|
||||||
> pass
|
|
||||||
>
|
|
||||||
> h.connect_systemd_socket_activation(["/path/to/bad/qemu-nbd",
|
|
||||||
> "-r", "-f", "raw", "TODO"])
|
|
||||||
> h.block_staus(h.get_size(), 0, f)
|
|
||||||
> EOF
|
|
||||||
nbdsh: generator/states-reply-chunk.c:626: enter_STATE_REPLY_CHUNK_REPLY_RECV_BS_ENTRIES: Assertion `(len | flags) <= UINT32_MAX' failed.
|
|
||||||
Aborted (core dumped)
|
|
||||||
|
|
||||||
whereas a fixed libnbd will give:
|
|
||||||
|
|
||||||
nbdsh: command line script failed: nbd_block_status: block-status: command failed: Value too large for defined data type
|
|
||||||
|
|
||||||
We can either relax the assertion (by changing to 'assert ((len |
|
|
||||||
flags) <= UINT32_MAX || cmd->error)'), or intentionally truncate flags
|
|
||||||
to make the existing assertion reliable. This patch goes with the
|
|
||||||
latter approach.
|
|
||||||
|
|
||||||
Sadly, this crash is possible in all existing 1.18.x stable releases,
|
|
||||||
if they were built with assertions enabled (most distros do this by
|
|
||||||
default), meaning a malicious server has an easy way to cause a Denial
|
|
||||||
of Service attack by triggering the assertion failure in vulnerable
|
|
||||||
clients, so we have assigned this CVE-2023-5871. Mitigating factors:
|
|
||||||
the crash only happens for a server that sends a 64-bit status block
|
|
||||||
reply (no known production servers do so; qemu 8.2 will be the first
|
|
||||||
known server to support extended headers, but it is not yet released);
|
|
||||||
and as usual, a client can use TLS to guarantee it is connecting only
|
|
||||||
to a known-safe server. If libnbd is compiled without assertions,
|
|
||||||
there is no crash or other mistaken behavior; and when assertions are
|
|
||||||
enabled, the attacker cannot accomplish anything more than a denial of
|
|
||||||
service.
|
|
||||||
|
|
||||||
Reported-by: Richard W.M. Jones <rjones@redhat.com>
|
|
||||||
Fixes: 20dadb0e10 ("generator: Prepare for extent64 callback", v1.17.4)
|
|
||||||
Signed-off-by: Eric Blake <eblake@redhat.com>
|
|
||||||
---
|
|
||||||
generator/states-reply-chunk.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/generator/states-reply-chunk.c b/generator/states-reply-chunk.c
|
|
||||||
index 5a31c19..8ab7e8b 100644
|
|
||||||
--- a/generator/states-reply-chunk.c
|
|
||||||
+++ b/generator/states-reply-chunk.c
|
|
||||||
@@ -600,6 +600,7 @@ STATE_MACHINE {
|
|
||||||
break; /* Skip this and later extents; we already made progress */
|
|
||||||
/* Expose this extent as an error; we made no progress */
|
|
||||||
cmd->error = cmd->error ? : EOVERFLOW;
|
|
||||||
+ flags = (uint32_t)flags;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -25,9 +25,6 @@ Source2: libguestfs.keyring
|
|||||||
# Maintainer script which helps with handling patches.
|
# Maintainer script which helps with handling patches.
|
||||||
Source3: copy-patches.sh
|
Source3: copy-patches.sh
|
||||||
|
|
||||||
# CVE-2023-5871
|
|
||||||
Patch: 0001-generator-Fix-assertion-in-ext-mode-BLOCK_STATUS-CVE.patch
|
|
||||||
|
|
||||||
%if 0%{patches_touch_autotools}
|
%if 0%{patches_touch_autotools}
|
||||||
BuildRequires: autoconf, automake, libtool
|
BuildRequires: autoconf, automake, libtool
|
||||||
%endif
|
%endif
|
||||||
|
Loading…
Reference in New Issue
Block a user