Fix assertion in ext-mode BLOCK_STATUS (CVE-2023-5871) resolves: RHEL-15143

resolves: RHEL-14476

.libnbd.metadata

@@ -0,0 +1,2 @@
+4f99e6f21edffe62b394aa9c7fb68149e6d4d5e4 libnbd-1.18.1.tar.gz
+f9a431cb1f235dabb4482f961da8d19a9e3719c8 libnbd-1.18.1.tar.gz.sig

0001-generator-Fix-assertion-in-ext-mode-BLOCK_STATUS-CVE.patch

@@ -0,0 +1,88 @@
+From 4451e5b61ca07771ceef3e012223779e7a0c7701 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Mon, 30 Oct 2023 12:50:53 -0500
+Subject: [PATCH] generator: Fix assertion in ext-mode BLOCK_STATUS,
+ CVE-2023-5871
+
+Another round of fuzz testing revealed that when a server negotiates
+extended headers and replies with a 64-bit flag value where the client
+used the 32-bit API command, we were correctly flagging the server's
+response as being an EOVERFLOW condition, but then immediately failing
+in an assertion failure instead of reporting it to the application.
+
+The following one-byte change to qemu.git at commit fd9a38fd43 allows
+the creation of an intentionally malicious server:
+
+| diff --git i/nbd/server.c w/nbd/server.c
+| index 859c163d19f..32e1e771a95 100644
+| --- i/nbd/server.c
+| +++ w/nbd/server.c
+| @@ -2178,7 +2178,7 @@ static void nbd_extent_array_convert_to_be(NBDExtentArray *ea)
+|
+|      for (i = 0; i < ea->count; i++) {
+|          ea->extents[i].length = cpu_to_be64(ea->extents[i].length);
+| -        ea->extents[i].flags = cpu_to_be64(ea->extents[i].flags);
+| +        ea->extents[i].flags = ~cpu_to_be64(ea->extents[i].flags);
+|      }
+|  }
+
+and can then be detected with the following command line:
+
+$ nbdsh -c - <<\EOF
+> def f(a,b,c,d):
+>   pass
+>
+> h.connect_systemd_socket_activation(["/path/to/bad/qemu-nbd",
+>   "-r", "-f", "raw", "TODO"])
+> h.block_staus(h.get_size(), 0, f)
+> EOF
+nbdsh: generator/states-reply-chunk.c:626: enter_STATE_REPLY_CHUNK_REPLY_RECV_BS_ENTRIES: Assertion `(len | flags) <= UINT32_MAX' failed.
+Aborted (core dumped)
+
+whereas a fixed libnbd will give:
+
+nbdsh: command line script failed: nbd_block_status: block-status: command failed: Value too large for defined data type
+
+We can either relax the assertion (by changing to 'assert ((len |
+flags) <= UINT32_MAX || cmd->error)'), or intentionally truncate flags
+to make the existing assertion reliable.  This patch goes with the
+latter approach.
+
+Sadly, this crash is possible in all existing 1.18.x stable releases,
+if they were built with assertions enabled (most distros do this by
+default), meaning a malicious server has an easy way to cause a Denial
+of Service attack by triggering the assertion failure in vulnerable
+clients, so we have assigned this CVE-2023-5871.  Mitigating factors:
+the crash only happens for a server that sends a 64-bit status block
+reply (no known production servers do so; qemu 8.2 will be the first
+known server to support extended headers, but it is not yet released);
+and as usual, a client can use TLS to guarantee it is connecting only
+to a known-safe server.  If libnbd is compiled without assertions,
+there is no crash or other mistaken behavior; and when assertions are
+enabled, the attacker cannot accomplish anything more than a denial of
+service.
+
+Reported-by: Richard W.M. Jones <rjones@redhat.com>
+Fixes: 20dadb0e10 ("generator: Prepare for extent64 callback", v1.17.4)
+Signed-off-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit 177308adb17e81fce7c0f2b2fcf655c5c0b6a4d6)
+Signed-off-by: Eric Blake <eblake@redhat.com>
+---
+ generator/states-reply-chunk.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/generator/states-reply-chunk.c b/generator/states-reply-chunk.c
+index 5a31c19..8ab7e8b 100644
+--- a/generator/states-reply-chunk.c
++++ b/generator/states-reply-chunk.c
+@@ -600,6 +600,7 @@ STATE_MACHINE {
+             break; /* Skip this and later extents; we already made progress */
+           /* Expose this extent as an error; we made no progress */
+           cmd->error = cmd->error ? : EOVERFLOW;
++          flags = (uint32_t)flags;
+         }
+       }
+ 
+-- 
+2.39.3
+

copy-patches.sh

@@ -6,7 +6,7 @@ set -e
 # directory.  Use it like this:
 #   ./copy-patches.sh
 
-rhel_version=9.3
+rhel_version=9.4
 
 # Check we're in the right directory.
 if [ ! -f libnbd.spec ]; then

libnbd.spec

@@ -1,6 +1,3 @@
-# Do this until the feature is fixed in Fedora.
-%undefine _package_note_flags
-
 # If we should verify tarball signature with GPGv2.
 %global verify_tarball_signature 1
 
@@ -8,14 +5,14 @@
 %global patches_touch_autotools %{nil}
 
 # The source directory.
-%global source_directory 1.16-stable
+%global source_directory 1.18-stable
 
 Name:           libnbd
-Version:        1.16.0
-Release:        1%{?dist}
+Version:        1.18.1
+Release:        2%{?dist}
 Summary:        NBD client library in userspace
 
-License:        LGPLv2+
+License:        LGPL-2.0-or-later AND BSD-3-Clause
 URL:            https://gitlab.com/nbdkit/libnbd
 
 Source0:        http://libguestfs.org/download/libnbd/%{source_directory}/%{name}-%{version}.tar.gz
@@ -29,9 +26,10 @@ Source2:       libguestfs.keyring
 Source3:        copy-patches.sh
 
 # Patches are stored in the upstream repository:
-# https://gitlab.com/nbdkit/libnbd/-/commits/rhel-9.3/
+# https://gitlab.com/nbdkit/libnbd/-/commits/rhel-9.4/
 
-# (no patches)
+# Patches.
+Patch0001:     0001-generator-Fix-assertion-in-ext-mode-BLOCK_STATUS-CVE.patch
 
 %if 0%{patches_touch_autotools}
 BuildRequires: autoconf, automake, libtool
@@ -60,10 +58,12 @@ BuildRequires:  ubdsrv-devel >= 1.0-3.rc6
 # For the Python 3 bindings.
 BuildRequires:  python3-devel
 
+%ifnarch %{ix86}
 # For the OCaml bindings.
 BuildRequires:  ocaml
 BuildRequires:  ocaml-findlib-devel
 BuildRequires:  ocaml-ocamldoc
+%endif
 
 # Only for building the examples.
 BuildRequires:  glib2-devel
@@ -98,6 +98,11 @@ BuildRequires:  nbdkit-sh-plugin
 BuildRequires:  nbdkit-sparse-random-plugin
 %endif
 
+%ifnarch %{ix86}
+# The OCaml runtime system does not provide this symbol
+%global __ocaml_requires_opts -x Stdlib__Callback
+%endif
+
 
 %description
 NBD — Network Block Device — is a protocol for accessing Block Devices
@@ -122,7 +127,6 @@ The key features are:
 
 %package devel
 Summary:        Development headers for %{name}
-License:        LGPLv2+ and BSD
 Requires:       %{name}%{?_isa} = %{version}-%{release}
 
 
@@ -130,6 +134,7 @@ Requires:       %{name}%{?_isa} = %{version}-%{release}
 This package contains development headers for %{name}.
 
 
+%ifnarch %{ix86}
 %package -n ocaml-%{name}
 Summary:        OCaml language bindings for %{name}
 Requires:       %{name}%{?_isa} = %{version}-%{release}
@@ -148,6 +153,7 @@ Requires:       ocaml-%{name}%{?_isa} = %{version}-%{release}
 This package contains OCaml language development package for
 %{name}.  Install this if you want to compile OCaml software which
 uses %{name}.
+%endif
 
 
 %package -n python3-%{name}
@@ -166,7 +172,6 @@ python3-%{name} contains Python 3 bindings for %{name}.
 
 %package -n nbdfuse
 Summary:        FUSE support for %{name}
-License:        LGPLv2+ and BSD
 Requires:       %{name}%{?_isa} = %{version}-%{release}
 Recommends:     fuse3
 
@@ -178,7 +183,6 @@ This package contains FUSE support for %{name}.
 %if !0%{?rhel}
 %package -n nbdublk
 Summary:        Userspace NBD block device
-License:        LGPLv2+
 Requires:       %{name}%{?_isa} = %{version}-%{release}
 Recommends:     kernel >= 6.0.0
 Recommends:     %{_sbindir}/ublk
@@ -220,9 +224,14 @@ autoreconf -i
     --with-tls-priority=@LIBNBD,SYSTEM \
     PYTHON=%{__python3} \
     --enable-python \
+%ifnarch %{ix86}
     --enable-ocaml \
+%else
+    --disable-ocaml \
+%endif
     --enable-fuse \
-    --disable-golang
+    --disable-golang \
+    --disable-rust
 
 make %{?_smp_mflags}
 
@@ -236,6 +245,11 @@ find $RPM_BUILD_ROOT -name '*.la' -delete
 # Delete the golang man page since we're not distributing the bindings.
 rm $RPM_BUILD_ROOT%{_mandir}/man3/libnbd-golang.3*
 
+%ifarch %{ix86}
+# Delete the OCaml man page on i686.
+rm $RPM_BUILD_ROOT%{_mandir}/man3/libnbd-ocaml.3*
+%endif
+
 %if 0%{?rhel}
 # Delete nbdublk on RHEL.
 rm $RPM_BUILD_ROOT%{_datadir}/bash-completion/completions/nbdublk
@@ -308,12 +322,12 @@ make %{?_smp_mflags} check || {
 %{_mandir}/man3/nbd_*.3*
 
 
+%ifnarch %{ix86}
 %files -n ocaml-%{name}
-%{_libdir}/ocaml/nbd
-%exclude %{_libdir}/ocaml/nbd/*.a
-%exclude %{_libdir}/ocaml/nbd/*.cmxa
-%exclude %{_libdir}/ocaml/nbd/*.cmx
-%exclude %{_libdir}/ocaml/nbd/*.mli
+%dir %{_libdir}/ocaml/nbd
+%{_libdir}/ocaml/nbd/META
+%{_libdir}/ocaml/nbd/*.cma
+%{_libdir}/ocaml/nbd/*.cmi
 %{_libdir}/ocaml/stublibs/dllmlnbd.so
 %{_libdir}/ocaml/stublibs/dllmlnbd.so.owner
 
@@ -321,13 +335,16 @@ make %{?_smp_mflags} check || {
 %files -n ocaml-%{name}-devel
 %doc ocaml/examples/*.ml
 %license ocaml/examples/LICENSE-FOR-EXAMPLES
-%{_libdir}/ocaml/nbd/*.a
+%ifarch %{ocaml_native_compiler}
 %{_libdir}/ocaml/nbd/*.cmxa
 %{_libdir}/ocaml/nbd/*.cmx
+%endif
+%{_libdir}/ocaml/nbd/*.a
 %{_libdir}/ocaml/nbd/*.mli
 %{_mandir}/man3/libnbd-ocaml.3*
 %{_mandir}/man3/NBD.3*
 %{_mandir}/man3/NBD.*.3*
+%endif
 
 
 %files -n python3-%{name}
@@ -364,6 +381,14 @@ make %{?_smp_mflags} check || {
 
 
 %changelog
+* Wed Nov 01 2023 Richard W.M. Jones <rjones@redhat.com> - 1.18.1-2
+- Fix assertion in ext-mode BLOCK_STATUS (CVE-2023-5871)
+  resolves: RHEL-15143
+
+* Tue Oct 24 2023 Richard W.M. Jones <rjones@redhat.com> - 1.18.1-1
+- Rebase to 1.18.1
+  resolves: RHEL-14476
+
 * Tue Apr 18 2023 Richard W.M. Jones <rjones@redhat.com> - 1.16.0-1
 - Rebase to 1.16.0
   resolves: rhbz#2168628

sources

@@ -1,2 +1,2 @@
-SHA512 (libnbd-1.16.0.tar.gz) = 4ca366c819adf1f775412dd53d9b76859e6ca49a479f0b3e8f5fddfc54f27bfa43f4eed3edc2d367f6a646cfd87824323a6aafb5c3627e18b97ed44efc417150
-SHA512 (libnbd-1.16.0.tar.gz.sig) = fe5c0a6568130fd1cd5bb9481638767476858623cda86f905bb70608a4da38aab3ac2cb6243358df228dccd56abfedb68d2101885d3b140d97fc03ee702b03b2
+SHA512 (libnbd-1.18.1.tar.gz) = f4262666be55d580550e053355f14f80d352bf869ae7241e9fa032a9b5cd9e027eb89a536871c1206422413fc7ed745da7d612b3e1413f76ec17168705fbf12c
+SHA512 (libnbd-1.18.1.tar.gz.sig) = 57798aa8b8c0973c0e13f431a6735e13a5aa546190e5de9cb43f78d54c5438df70bdf6e875282a3c4221c222a1517c64bb311e769f7c1a3e61d5b1a4e7f75e2d