qemu-kvm/kvm-nbd-server-CVE-2024-7409-Drop-non-negotiating-client.patch

From faac5261d5a9af155950c4e7779c5a4721562824 Mon Sep 17 00:00:00 2001
From: Eric Blake <eblake@redhat.com>
Date: Thu, 8 Aug 2024 16:05:08 -0500
Subject: [PATCH 3/5] nbd/server: CVE-2024-7409: Drop non-negotiating clients
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RH-Author: Eric Blake <eblake@redhat.com>
RH-MergeRequest: 388: nbd/server: fix CVE-2024-7409 (qemu crash on nbd-server-stop) [rhel-8.10.z]
RH-Jira: RHEL-52611
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Richard W.M. Jones <rjones@redhat.com>
RH-Commit: [3/4] 8c39829f8efbded9af018a4b915af266a55a793a (ebblake/qemu-kvm)

A client that opens a socket but does not negotiate is merely hogging
qemu's resources (an open fd and a small amount of memory); and a
malicious client that can access the port where NBD is listening can
attempt a denial of service attack by intentionally opening and
abandoning lots of unfinished connections.  The previous patch put a
default bound on the number of such ongoing connections, but once that
limit is hit, no more clients can connect (including legitimate ones).
The solution is to insist that clients complete handshake within a
reasonable time limit, defaulting to 10 seconds.  A client that has
not successfully completed NBD_OPT_GO by then (including the case of
where the client didn't know TLS credentials to even reach the point
of NBD_OPT_GO) is wasting our time and does not deserve to stay
connected.  Later patches will allow fine-tuning the limit away from
the default value (including disabling it for doing integration
testing of the handshake process itself).

Note that this patch in isolation actually makes it more likely to see
qemu SEGV after nbd-server-stop, as any client socket still connected
when the server shuts down will now be closed after 10 seconds rather
than at the client's whims.  That will be addressed in the next patch.

For a demo of this patch in action:
$ qemu-nbd -f raw -r -t -e 10 file &
$ nbdsh --opt-mode -c '
H = list()
for i in range(20):
  print(i)
  H.insert(i, nbd.NBD())
  H[i].set_opt_mode(True)
  H[i].connect_uri("nbd://localhost")
'
$ kill $!

where later connections get to start progressing once earlier ones are
forcefully dropped for taking too long, rather than hanging.

Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-ID: <20240807174943.771624-13-eblake@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
[eblake: rebase to changes earlier in series, reduce scope of timer]
Signed-off-by: Eric Blake <eblake@redhat.com>

(cherry picked from commit b9b72cb3ce15b693148bd09cef7e50110566d8a0)
Conflicts:
	nbd/server.c - context with different aiocontext locking
        nbd/trace-events - context with no client-connection.c
Jira: https://issues.redhat.com/browse/RHEL-52611
Signed-off-by: Eric Blake <eblake@redhat.com>
---
 nbd/server.c     | 28 +++++++++++++++++++++++++++-
 nbd/trace-events |  1 +
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/nbd/server.c b/nbd/server.c
index cc1b6838bf..1265068f70 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -2701,22 +2701,48 @@ static void nbd_client_receive_next_request(NBDClient *client)
     }
 }
 
+static void nbd_handshake_timer_cb(void *opaque)
+{
+    QIOChannel *ioc = opaque;
+
+    trace_nbd_handshake_timer_cb();
+    qio_channel_shutdown(ioc, QIO_CHANNEL_SHUTDOWN_BOTH, NULL);
+}
+
 static coroutine_fn void nbd_co_client_start(void *opaque)
 {
     NBDClient *client = opaque;
     Error *local_err = NULL;
+    QEMUTimer *handshake_timer = NULL;
 
     qemu_co_mutex_init(&client->send_lock);
 
-    /* TODO - utilize client->handshake_max_secs */
+    /*
+     * Create a timer to bound the time spent in negotiation. If the
+     * timer expires, it is likely nbd_negotiate will fail because the
+     * socket was shutdown.
+     */
+    if (client->handshake_max_secs > 0) {
+        handshake_timer = aio_timer_new(qemu_get_aio_context(),
+                                        QEMU_CLOCK_REALTIME,
+                                        SCALE_NS,
+                                        nbd_handshake_timer_cb,
+                                        client->sioc);
+        timer_mod(handshake_timer,
+                  qemu_clock_get_ns(QEMU_CLOCK_REALTIME) +
+                  client->handshake_max_secs * NANOSECONDS_PER_SECOND);
+    }
+
     if (nbd_negotiate(client, &local_err)) {
         if (local_err) {
             error_report_err(local_err);
         }
+        timer_free(handshake_timer);
         client_close(client, false);
         return;
     }
 
+    timer_free(handshake_timer);
     nbd_client_receive_next_request(client);
 }
 
diff --git a/nbd/trace-events b/nbd/trace-events
index c4919a2dd5..553546f1f2 100644
--- a/nbd/trace-events
+++ b/nbd/trace-events
@@ -73,3 +73,4 @@ nbd_co_receive_request_decode_type(uint64_t handle, uint16_t type, const char *n
 nbd_co_receive_request_payload_received(uint64_t handle, uint32_t len) "Payload received: handle = %" PRIu64 ", len = %" PRIu32
 nbd_co_receive_align_compliance(const char *op, uint64_t from, uint32_t len, uint32_t align) "client sent non-compliant unaligned %s request: from=0x%" PRIx64 ", len=0x%" PRIx32 ", align=0x%" PRIx32
 nbd_trip(void) "Reading request"
+nbd_handshake_timer_cb(void) "client took too long to negotiate"
-- 
2.39.3
* Wed Aug 21 2024 Miroslav Rezanina <mrezanin@redhat.com> - 6.2.0-52.el8 - kvm-nbd-server-Plumb-in-new-args-to-nbd_client_add.patch [RHEL-52611] - kvm-nbd-server-CVE-2024-7409-Cap-default-max-connections.patch [RHEL-52611] - kvm-nbd-server-CVE-2024-7409-Drop-non-negotiating-client.patch [RHEL-52611] - kvm-nbd-server-CVE-2024-7409-Close-stray-clients-at-serv.patch [RHEL-52611] - kvm-vnc-increase-max-display-size.patch [RHEL-50854] - Resolves: RHEL-52611 (CVE-2024-7409 virt:rhel/qemu-kvm: Denial of Service via Improper Synchronization in QEMU NBD Server During Socket Closure [rhel-8.10.z]) - Resolves: RHEL-50854 (vnc: increase max display size to 4K) 2024-08-21 06:35:14 +00:00			`From faac5261d5a9af155950c4e7779c5a4721562824 Mon Sep 17 00:00:00 2001`
			`From: Eric Blake <eblake@redhat.com>`
			`Date: Thu, 8 Aug 2024 16:05:08 -0500`
			`Subject: [PATCH 3/5] nbd/server: CVE-2024-7409: Drop non-negotiating clients`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`RH-Author: Eric Blake <eblake@redhat.com>`
			`RH-MergeRequest: 388: nbd/server: fix CVE-2024-7409 (qemu crash on nbd-server-stop) [rhel-8.10.z]`
			`RH-Jira: RHEL-52611`
			`RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>`
			`RH-Acked-by: Richard W.M. Jones <rjones@redhat.com>`
			`RH-Commit: [3/4] 8c39829f8efbded9af018a4b915af266a55a793a (ebblake/qemu-kvm)`

			`A client that opens a socket but does not negotiate is merely hogging`
			`qemu's resources (an open fd and a small amount of memory); and a`
			`malicious client that can access the port where NBD is listening can`
			`attempt a denial of service attack by intentionally opening and`
			`abandoning lots of unfinished connections. The previous patch put a`
			`default bound on the number of such ongoing connections, but once that`
			`limit is hit, no more clients can connect (including legitimate ones).`
			`The solution is to insist that clients complete handshake within a`
			`reasonable time limit, defaulting to 10 seconds. A client that has`
			`not successfully completed NBD_OPT_GO by then (including the case of`
			`where the client didn't know TLS credentials to even reach the point`
			`of NBD_OPT_GO) is wasting our time and does not deserve to stay`
			`connected. Later patches will allow fine-tuning the limit away from`
			`the default value (including disabling it for doing integration`
			`testing of the handshake process itself).`

			`Note that this patch in isolation actually makes it more likely to see`
			`qemu SEGV after nbd-server-stop, as any client socket still connected`
			`when the server shuts down will now be closed after 10 seconds rather`
			`than at the client's whims. That will be addressed in the next patch.`

			`For a demo of this patch in action:`
			`$ qemu-nbd -f raw -r -t -e 10 file &`
			`$ nbdsh --opt-mode -c '`
			`H = list()`
			`for i in range(20):`
			`print(i)`
			`H.insert(i, nbd.NBD())`
			`H[i].set_opt_mode(True)`
			`H[i].connect_uri("nbd://localhost")`
			`'`
			`$ kill $!`

			`where later connections get to start progressing once earlier ones are`
			`forcefully dropped for taking too long, rather than hanging.`

			`Suggested-by: Daniel P. Berrangé <berrange@redhat.com>`
			`Signed-off-by: Eric Blake <eblake@redhat.com>`
			`Message-ID: <20240807174943.771624-13-eblake@redhat.com>`
			`Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>`
			`[eblake: rebase to changes earlier in series, reduce scope of timer]`
			`Signed-off-by: Eric Blake <eblake@redhat.com>`

			`(cherry picked from commit b9b72cb3ce15b693148bd09cef7e50110566d8a0)`
			`Conflicts:`
			`nbd/server.c - context with different aiocontext locking`
			`nbd/trace-events - context with no client-connection.c`
			`Jira: https://issues.redhat.com/browse/RHEL-52611`
			`Signed-off-by: Eric Blake <eblake@redhat.com>`
			`---`
			`nbd/server.c \| 28 +++++++++++++++++++++++++++-`
			`nbd/trace-events \| 1 +`
			`2 files changed, 28 insertions(+), 1 deletion(-)`

			`diff --git a/nbd/server.c b/nbd/server.c`
			`index cc1b6838bf..1265068f70 100644`
			`--- a/nbd/server.c`
			`+++ b/nbd/server.c`
			`@@ -2701,22 +2701,48 @@ static void nbd_client_receive_next_request(NBDClient *client)`
			`}`
			`}`

			`+static void nbd_handshake_timer_cb(void *opaque)`
			`+{`
			`+ QIOChannel *ioc = opaque;`
			`+`
			`+ trace_nbd_handshake_timer_cb();`
			`+ qio_channel_shutdown(ioc, QIO_CHANNEL_SHUTDOWN_BOTH, NULL);`
			`+}`
			`+`
			`static coroutine_fn void nbd_co_client_start(void *opaque)`
			`{`
			`NBDClient *client = opaque;`
			`Error *local_err = NULL;`
			`+ QEMUTimer *handshake_timer = NULL;`

			`qemu_co_mutex_init(&client->send_lock);`

			`- /* TODO - utilize client->handshake_max_secs */`
			`+ /*`
			`+ * Create a timer to bound the time spent in negotiation. If the`
			`+ * timer expires, it is likely nbd_negotiate will fail because the`
			`+ * socket was shutdown.`
			`+ */`
			`+ if (client->handshake_max_secs > 0) {`
			`+ handshake_timer = aio_timer_new(qemu_get_aio_context(),`
			`+ QEMU_CLOCK_REALTIME,`
			`+ SCALE_NS,`
			`+ nbd_handshake_timer_cb,`
			`+ client->sioc);`
			`+ timer_mod(handshake_timer,`
			`+ qemu_clock_get_ns(QEMU_CLOCK_REALTIME) +`
			`+ client->handshake_max_secs * NANOSECONDS_PER_SECOND);`
			`+ }`
			`+`
			`if (nbd_negotiate(client, &local_err)) {`
			`if (local_err) {`
			`error_report_err(local_err);`
			`}`
			`+ timer_free(handshake_timer);`
			`client_close(client, false);`
			`return;`
			`}`

			`+ timer_free(handshake_timer);`
			`nbd_client_receive_next_request(client);`
			`}`

			`diff --git a/nbd/trace-events b/nbd/trace-events`
			`index c4919a2dd5..553546f1f2 100644`
			`--- a/nbd/trace-events`
			`+++ b/nbd/trace-events`
			`@@ -73,3 +73,4 @@ nbd_co_receive_request_decode_type(uint64_t handle, uint16_t type, const char *n`
			`nbd_co_receive_request_payload_received(uint64_t handle, uint32_t len) "Payload received: handle = %" PRIu64 ", len = %" PRIu32`
			`nbd_co_receive_align_compliance(const char *op, uint64_t from, uint32_t len, uint32_t align) "client sent non-compliant unaligned %s request: from=0x%" PRIx64 ", len=0x%" PRIx32 ", align=0x%" PRIx32`
			`nbd_trip(void) "Reading request"`
			`+nbd_handshake_timer_cb(void) "client took too long to negotiate"`
			`--`
			`2.39.3`