188 lines
8.3 KiB
Diff
188 lines
8.3 KiB
Diff
From adfddc25c82576458442f61efb913e44d83bcbd0 Mon Sep 17 00:00:00 2001
|
|
From: Eric Blake <eblake@redhat.com>
|
|
Date: Tue, 6 Aug 2024 13:53:00 -0500
|
|
Subject: [PATCH 2/5] nbd/server: CVE-2024-7409: Cap default max-connections to
|
|
100
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
RH-Author: Eric Blake <eblake@redhat.com>
|
|
RH-MergeRequest: 388: nbd/server: fix CVE-2024-7409 (qemu crash on nbd-server-stop) [rhel-8.10.z]
|
|
RH-Jira: RHEL-52611
|
|
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
RH-Acked-by: Richard W.M. Jones <rjones@redhat.com>
|
|
RH-Commit: [2/4] 1f5d88d5644c46cbb957778254a993930b9d86dc (ebblake/qemu-kvm)
|
|
|
|
Allowing an unlimited number of clients to any web service is a recipe
|
|
for a rudimentary denial of service attack: the client merely needs to
|
|
open lots of sockets without closing them, until qemu no longer has
|
|
any more fds available to allocate.
|
|
|
|
For qemu-nbd, we default to allowing only 1 connection unless more are
|
|
explicitly asked for (-e or --shared); this was historically picked as
|
|
a nice default (without an explicit -t, a non-persistent qemu-nbd goes
|
|
away after a client disconnects, without needing any additional
|
|
follow-up commands), and we are not going to change that interface now
|
|
(besides, someday we want to point people towards qemu-storage-daemon
|
|
instead of qemu-nbd).
|
|
|
|
But for qemu proper, and the newer qemu-storage-daemon, the QMP
|
|
nbd-server-start command has historically had a default of unlimited
|
|
number of connections, in part because unlike qemu-nbd it is
|
|
inherently persistent until nbd-server-stop. Allowing multiple client
|
|
sockets is particularly useful for clients that can take advantage of
|
|
MULTI_CONN (creating parallel sockets to increase throughput),
|
|
although known clients that do so (such as libnbd's nbdcopy) typically
|
|
use only 8 or 16 connections (the benefits of scaling diminish once
|
|
more sockets are competing for kernel attention). Picking a number
|
|
large enough for typical use cases, but not unlimited, makes it
|
|
slightly harder for a malicious client to perform a denial of service
|
|
merely by opening lots of connections withot progressing through the
|
|
handshake.
|
|
|
|
This change does not eliminate CVE-2024-7409 on its own, but reduces
|
|
the chance for fd exhaustion or unlimited memory usage as an attack
|
|
surface. On the other hand, by itself, it makes it more obvious that
|
|
with a finite limit, we have the problem of an unauthenticated client
|
|
holding 100 fds opened as a way to block out a legitimate client from
|
|
being able to connect; thus, later patches will further add timeouts
|
|
to reject clients that are not making progress.
|
|
|
|
This is an INTENTIONAL change in behavior, and will break any client
|
|
of nbd-server-start that was not passing an explicit max-connections
|
|
parameter, yet expects more than 100 simultaneous connections. We are
|
|
not aware of any such client (as stated above, most clients aware of
|
|
MULTI_CONN get by just fine on 8 or 16 connections, and probably cope
|
|
with later connections failing by relying on the earlier connections;
|
|
libvirt has not yet been passing max-connections, but generally
|
|
creates NBD servers with the intent for a single client for the sake
|
|
of live storage migration; meanwhile, the KubeSAN project anticipates
|
|
a large cluster sharing multiple clients [up to 8 per node, and up to
|
|
100 nodes in a cluster], but it currently uses qemu-nbd with an
|
|
explicit --shared=0 rather than qemu-storage-daemon with
|
|
nbd-server-start).
|
|
|
|
We considered using a deprecation period (declare that omitting
|
|
max-parameters is deprecated, and make it mandatory in 3 releases -
|
|
then we don't need to pick an arbitrary default); that has zero risk
|
|
of breaking any apps that accidentally depended on more than 100
|
|
connections, and where such breakage might not be noticed under unit
|
|
testing but only under the larger loads of production usage. But it
|
|
does not close the denial-of-service hole until far into the future,
|
|
and requires all apps to change to add the parameter even if 100 was
|
|
good enough. It also has a drawback that any app (like libvirt) that
|
|
is accidentally relying on an unlimited default should seriously
|
|
consider their own CVE now, at which point they are going to change to
|
|
pass explicit max-connections sooner than waiting for 3 qemu releases.
|
|
Finally, if our changed default breaks an app, that app can always
|
|
pass in an explicit max-parameters with a larger value.
|
|
|
|
It is also intentional that the HMP interface to nbd-server-start is
|
|
not changed to expose max-connections (any client needing to fine-tune
|
|
things should be using QMP).
|
|
|
|
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
Signed-off-by: Eric Blake <eblake@redhat.com>
|
|
Message-ID: <20240807174943.771624-12-eblake@redhat.com>
|
|
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
[ericb: Expand commit message to summarize Dan's argument for why we
|
|
break corner-case back-compat behavior without a deprecation period]
|
|
Signed-off-by: Eric Blake <eblake@redhat.com>
|
|
|
|
(cherry picked from commit c8a76dbd90c2f48df89b75bef74917f90a59b623)
|
|
Conflicts:
|
|
qapi/block-export.json - context (no multi-conn, older format)
|
|
Jira: https://issues.redhat.com/browse/RHEL-52611
|
|
Signed-off-by: Eric Blake <eblake@redhat.com>
|
|
---
|
|
block/monitor/block-hmp-cmds.c | 3 ++-
|
|
blockdev-nbd.c | 8 ++++++++
|
|
include/block/nbd.h | 7 +++++++
|
|
qapi/block-export.json | 4 ++--
|
|
4 files changed, 19 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c
|
|
index 2ac4aedfff..32a666b5dc 100644
|
|
--- a/block/monitor/block-hmp-cmds.c
|
|
+++ b/block/monitor/block-hmp-cmds.c
|
|
@@ -411,7 +411,8 @@ void hmp_nbd_server_start(Monitor *mon, const QDict *qdict)
|
|
goto exit;
|
|
}
|
|
|
|
- nbd_server_start(addr, NULL, NULL, 0, &local_err);
|
|
+ nbd_server_start(addr, NULL, NULL, NBD_DEFAULT_MAX_CONNECTIONS,
|
|
+ &local_err);
|
|
qapi_free_SocketAddress(addr);
|
|
if (local_err != NULL) {
|
|
goto exit;
|
|
diff --git a/blockdev-nbd.c b/blockdev-nbd.c
|
|
index b9e8dc78f3..4bd90bac16 100644
|
|
--- a/blockdev-nbd.c
|
|
+++ b/blockdev-nbd.c
|
|
@@ -171,6 +171,10 @@ void nbd_server_start(SocketAddress *addr, const char *tls_creds,
|
|
|
|
void nbd_server_start_options(NbdServerOptions *arg, Error **errp)
|
|
{
|
|
+ if (!arg->has_max_connections) {
|
|
+ arg->max_connections = NBD_DEFAULT_MAX_CONNECTIONS;
|
|
+ }
|
|
+
|
|
nbd_server_start(arg->addr, arg->tls_creds, arg->tls_authz,
|
|
arg->max_connections, errp);
|
|
}
|
|
@@ -183,6 +187,10 @@ void qmp_nbd_server_start(SocketAddressLegacy *addr,
|
|
{
|
|
SocketAddress *addr_flat = socket_address_flatten(addr);
|
|
|
|
+ if (!has_max_connections) {
|
|
+ max_connections = NBD_DEFAULT_MAX_CONNECTIONS;
|
|
+ }
|
|
+
|
|
nbd_server_start(addr_flat, tls_creds, tls_authz, max_connections, errp);
|
|
qapi_free_SocketAddress(addr_flat);
|
|
}
|
|
diff --git a/include/block/nbd.h b/include/block/nbd.h
|
|
index b71a297249..a31c34a8a6 100644
|
|
--- a/include/block/nbd.h
|
|
+++ b/include/block/nbd.h
|
|
@@ -33,6 +33,13 @@ extern const BlockExportDriver blk_exp_nbd;
|
|
*/
|
|
#define NBD_DEFAULT_HANDSHAKE_MAX_SECS 10
|
|
|
|
+/*
|
|
+ * NBD_DEFAULT_MAX_CONNECTIONS: Number of client sockets to allow at
|
|
+ * once; must be large enough to allow a MULTI_CONN-aware client like
|
|
+ * nbdcopy to create its typical number of 8-16 sockets.
|
|
+ */
|
|
+#define NBD_DEFAULT_MAX_CONNECTIONS 100
|
|
+
|
|
/* Handshake phase structs - this struct is passed on the wire */
|
|
|
|
struct NBDOption {
|
|
diff --git a/qapi/block-export.json b/qapi/block-export.json
|
|
index c1b92ce1c1..181d7238fe 100644
|
|
--- a/qapi/block-export.json
|
|
+++ b/qapi/block-export.json
|
|
@@ -21,7 +21,7 @@
|
|
# recreated on the fly while the NBD server is active.
|
|
# If missing, it will default to denying access (since 4.0).
|
|
# @max-connections: The maximum number of connections to allow at the same
|
|
-# time, 0 for unlimited. (since 5.2; default: 0)
|
|
+# time, 0 for unlimited. (since 5.2; default: 100)
|
|
#
|
|
# Since: 4.2
|
|
##
|
|
@@ -50,7 +50,7 @@
|
|
# recreated on the fly while the NBD server is active.
|
|
# If missing, it will default to denying access (since 4.0).
|
|
# @max-connections: The maximum number of connections to allow at the same
|
|
-# time, 0 for unlimited. (since 5.2; default: 0)
|
|
+# time, 0 for unlimited. (since 5.2; default: 100)
|
|
#
|
|
# Returns: error if the server is already running.
|
|
#
|
|
--
|
|
2.39.3
|
|
|