You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
89 lines
3.6 KiB
89 lines
3.6 KiB
8 months ago
|
From 4451e5b61ca07771ceef3e012223779e7a0c7701 Mon Sep 17 00:00:00 2001
|
||
|
From: Eric Blake <eblake@redhat.com>
|
||
|
Date: Mon, 30 Oct 2023 12:50:53 -0500
|
||
|
Subject: [PATCH] generator: Fix assertion in ext-mode BLOCK_STATUS,
|
||
|
CVE-2023-5871
|
||
|
|
||
|
Another round of fuzz testing revealed that when a server negotiates
|
||
|
extended headers and replies with a 64-bit flag value where the client
|
||
|
used the 32-bit API command, we were correctly flagging the server's
|
||
|
response as being an EOVERFLOW condition, but then immediately failing
|
||
|
in an assertion failure instead of reporting it to the application.
|
||
|
|
||
|
The following one-byte change to qemu.git at commit fd9a38fd43 allows
|
||
|
the creation of an intentionally malicious server:
|
||
|
|
||
|
| diff --git i/nbd/server.c w/nbd/server.c
|
||
|
| index 859c163d19f..32e1e771a95 100644
|
||
|
| --- i/nbd/server.c
|
||
|
| +++ w/nbd/server.c
|
||
|
| @@ -2178,7 +2178,7 @@ static void nbd_extent_array_convert_to_be(NBDExtentArray *ea)
|
||
|
|
|
||
|
| for (i = 0; i < ea->count; i++) {
|
||
|
| ea->extents[i].length = cpu_to_be64(ea->extents[i].length);
|
||
|
| - ea->extents[i].flags = cpu_to_be64(ea->extents[i].flags);
|
||
|
| + ea->extents[i].flags = ~cpu_to_be64(ea->extents[i].flags);
|
||
|
| }
|
||
|
| }
|
||
|
|
||
|
and can then be detected with the following command line:
|
||
|
|
||
|
$ nbdsh -c - <<\EOF
|
||
|
> def f(a,b,c,d):
|
||
|
> pass
|
||
|
>
|
||
|
> h.connect_systemd_socket_activation(["/path/to/bad/qemu-nbd",
|
||
|
> "-r", "-f", "raw", "TODO"])
|
||
|
> h.block_staus(h.get_size(), 0, f)
|
||
|
> EOF
|
||
|
nbdsh: generator/states-reply-chunk.c:626: enter_STATE_REPLY_CHUNK_REPLY_RECV_BS_ENTRIES: Assertion `(len | flags) <= UINT32_MAX' failed.
|
||
|
Aborted (core dumped)
|
||
|
|
||
|
whereas a fixed libnbd will give:
|
||
|
|
||
|
nbdsh: command line script failed: nbd_block_status: block-status: command failed: Value too large for defined data type
|
||
|
|
||
|
We can either relax the assertion (by changing to 'assert ((len |
|
||
|
flags) <= UINT32_MAX || cmd->error)'), or intentionally truncate flags
|
||
|
to make the existing assertion reliable. This patch goes with the
|
||
|
latter approach.
|
||
|
|
||
|
Sadly, this crash is possible in all existing 1.18.x stable releases,
|
||
|
if they were built with assertions enabled (most distros do this by
|
||
|
default), meaning a malicious server has an easy way to cause a Denial
|
||
|
of Service attack by triggering the assertion failure in vulnerable
|
||
|
clients, so we have assigned this CVE-2023-5871. Mitigating factors:
|
||
|
the crash only happens for a server that sends a 64-bit status block
|
||
|
reply (no known production servers do so; qemu 8.2 will be the first
|
||
|
known server to support extended headers, but it is not yet released);
|
||
|
and as usual, a client can use TLS to guarantee it is connecting only
|
||
|
to a known-safe server. If libnbd is compiled without assertions,
|
||
|
there is no crash or other mistaken behavior; and when assertions are
|
||
|
enabled, the attacker cannot accomplish anything more than a denial of
|
||
|
service.
|
||
|
|
||
|
Reported-by: Richard W.M. Jones <rjones@redhat.com>
|
||
|
Fixes: 20dadb0e10 ("generator: Prepare for extent64 callback", v1.17.4)
|
||
|
Signed-off-by: Eric Blake <eblake@redhat.com>
|
||
|
(cherry picked from commit 177308adb17e81fce7c0f2b2fcf655c5c0b6a4d6)
|
||
|
Signed-off-by: Eric Blake <eblake@redhat.com>
|
||
|
---
|
||
|
generator/states-reply-chunk.c | 1 +
|
||
|
1 file changed, 1 insertion(+)
|
||
|
|
||
|
diff --git a/generator/states-reply-chunk.c b/generator/states-reply-chunk.c
|
||
|
index 5a31c19..8ab7e8b 100644
|
||
|
--- a/generator/states-reply-chunk.c
|
||
|
+++ b/generator/states-reply-chunk.c
|
||
|
@@ -600,6 +600,7 @@ STATE_MACHINE {
|
||
|
break; /* Skip this and later extents; we already made progress */
|
||
|
/* Expose this extent as an error; we made no progress */
|
||
|
cmd->error = cmd->error ? : EOVERFLOW;
|
||
|
+ flags = (uint32_t)flags;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
--
|
||
|
2.39.3
|
||
|
|