* Mon Sep 02 2024 Miroslav Rezanina <mrezanin@redhat.com> - 9.0.0-10

- kvm-nbd-server-CVE-2024-7409-Avoid-use-after-free-when-c.patch [RHEL-52617] - Resolves: RHEL-52617 (CVE-2024-7409 qemu-kvm: Denial of Service via Improper Synchronization in QEMU NBD Server During Socket Closure [rhel-9.5])
2024-09-02 09:12:27 -04:00 · 2024-09-02 09:12:27 -04:00 · 72caf15fff
commit 72caf15fff
parent 3599dddc66
2 changed files with 109 additions and 1 deletions
--- a/kvm-nbd-server-CVE-2024-7409-Avoid-use-after-free-when-c.patch
+++ b/kvm-nbd-server-CVE-2024-7409-Avoid-use-after-free-when-c.patch
@ -0,0 +1,101 @@
+From 6f60c86c5dd747ba68cb4a11084e7b021769e70b Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Thu, 22 Aug 2024 09:35:29 -0500
+Subject: [PATCH] nbd/server: CVE-2024-7409: Avoid use-after-free when closing
+ server
+
+RH-Author: Eric Blake <eblake@redhat.com>
+RH-MergeRequest: 266: nbd/server: CVE-2024-7409: Avoid use-after-free when closing server
+RH-Jira: RHEL-52617
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Hanna Czenczek <hreitz@redhat.com>
+RH-Commit: [1/1] e6e12c985cd13dd14336d98ab0719c789b5e914d (ebblake/centos-qemu-kvm)
+
+Commit 3e7ef738 plugged the use-after-free of the global nbd_server
+object, but overlooked a use-after-free of nbd_server->listener.
+Although this race is harder to hit, notice that our shutdown path
+first drops the reference count of nbd_server->listener, then triggers
+actions that can result in a pending client reaching the
+nbd_blockdev_client_closed() callback, which in turn calls
+qio_net_listener_set_client_func on a potentially stale object.
+
+If we know we don't want any more clients to connect, and have already
+told the listener socket to shut down, then we should not be trying to
+update the listener socket's associated function.
+
+Reproducer:
+
+> #!/usr/bin/python3
+>
+> import os
+> from threading import Thread
+>
+> def start_stop():
+>     while 1:
+>         os.system('virsh qemu-monitor-command VM \'{"execute": "nbd-server-start",
+"arguments":{"addr":{"type":"unix","data":{"path":"/tmp/nbd-sock"}}}}\'')
+>         os.system('virsh qemu-monitor-command VM \'{"execute": "nbd-server-stop"}\'')
+>
+> def nbd_list():
+>     while 1:
+>         os.system('/path/to/build/qemu-nbd -L -k /tmp/nbd-sock')
+>
+> def test():
+>     sst = Thread(target=start_stop)
+>     sst.start()
+>     nlt = Thread(target=nbd_list)
+>     nlt.start()
+>
+>     sst.join()
+>     nlt.join()
+>
+> test()
+
+Fixes: CVE-2024-7409
+Fixes: 3e7ef738c8 ("nbd/server: CVE-2024-7409: Close stray clients at server-stop")
+CC: qemu-stable@nongnu.org
+Reported-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-ID: <20240822143617.800419-2-eblake@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+(cherry picked from commit 3874f5f73c441c52f1c699c848d463b0eda01e4c)
+Jira: https://issues.redhat.com/browse/RHEL-52617
+Signed-off-by: Eric Blake <eblake@redhat.com>
+---
+ blockdev-nbd.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/blockdev-nbd.c b/blockdev-nbd.c
+index f73409ae49..b36f41b7c5 100644
+--- a/blockdev-nbd.c
+++ b/blockdev-nbd.c
+@@ -92,10 +92,13 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,
+ 
+ static void nbd_update_server_watch(NBDServerData *s)
+ {
+-    if (!s->max_connections || s->connections < s->max_connections) {
+-        qio_net_listener_set_client_func(s->listener, nbd_accept, NULL, NULL);
+-    } else {
+-        qio_net_listener_set_client_func(s->listener, NULL, NULL, NULL);
+    if (s->listener) {
+        if (!s->max_connections || s->connections < s->max_connections) {
+            qio_net_listener_set_client_func(s->listener, nbd_accept, NULL,
+                                             NULL);
+        } else {
+            qio_net_listener_set_client_func(s->listener, NULL, NULL, NULL);
+        }
+     }
+ }
+ 
+@@ -113,6 +116,7 @@ static void nbd_server_free(NBDServerData *server)
+      */
+     qio_net_listener_disconnect(server->listener);
+     object_unref(OBJECT(server->listener));
+    server->listener = NULL;
+     QLIST_FOREACH_SAFE(conn, &server->conns, next, tmp) {
+         qio_channel_shutdown(QIO_CHANNEL(conn->cioc), QIO_CHANNEL_SHUTDOWN_BOTH,
+                              NULL);
+-- 
+2.39.3
+
--- a/qemu-kvm.spec
+++ b/qemu-kvm.spec
@ -149,7 +149,7 @@ Obsoletes: %{name}-block-ssh <= %{epoch}:%{version}                    \
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 9.0.0
-Release: 9%{?rcrel}%{?dist}%{?cc_suffix}
+Release: 10%{?rcrel}%{?dist}%{?cc_suffix}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 # Epoch 15 used for RHEL 8
 # Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5)
@ -430,6 +430,8 @@ Patch135: kvm-nbd-server-CVE-2024-7409-Drop-non-negotiating-client.patch
 Patch136: kvm-nbd-server-CVE-2024-7409-Close-stray-clients-at-serv.patch
 # For RHEL-52250 - fsfreeze hooks break on the systems first restorecon
 Patch137: kvm-qemu-guest-agent-Update-the-logfile-path-of-qga-fsfr.patch
+# For RHEL-52617 - CVE-2024-7409 qemu-kvm: Denial of Service via Improper Synchronization in QEMU NBD Server During Socket Closure [rhel-9.5]
+Patch138: kvm-nbd-server-CVE-2024-7409-Avoid-use-after-free-when-c.patch

 %if %{have_clang}
 BuildRequires: clang
@ -1496,6 +1498,11 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %endif

 %changelog
+* Mon Sep 02 2024 Miroslav Rezanina <mrezanin@redhat.com> - 9.0.0-10
+- kvm-nbd-server-CVE-2024-7409-Avoid-use-after-free-when-c.patch [RHEL-52617]
+- Resolves: RHEL-52617
+  (CVE-2024-7409 qemu-kvm: Denial of Service via Improper Synchronization in QEMU NBD Server During Socket Closure [rhel-9.5])
+
 * Mon Aug 26 2024 Miroslav Rezanina <mrezanin@redhat.com> - 9.0.0-9
 - kvm-qemu-guest-agent-Update-the-logfile-path-of-qga-fsfr.patch [RHEL-52250]
 - Resolves: RHEL-52250