Compare commits
No commits in common. 'c8-beta-stream-rhel' and 'c9' have entirely different histories.
c8-beta-st
...
c9
@ -1,2 +1,2 @@
|
||||
SOURCES/libguestfs.keyring
|
||||
SOURCES/libnbd-1.6.0.tar.gz
|
||||
SOURCES/libnbd-1.18.1.tar.gz
|
||||
|
@ -1,2 +1,2 @@
|
||||
1bbc40f501a7fef9eef2a39b701a71aee2fea7c4 SOURCES/libguestfs.keyring
|
||||
b14ac9349d324df71d26cf3de9fb606c56f18cb0 SOURCES/libnbd-1.6.0.tar.gz
|
||||
cc1b37b9cfafa515aab3eefd345ecc59aac2ce7b SOURCES/libguestfs.keyring
|
||||
4f99e6f21edffe62b394aa9c7fb68149e6d4d5e4 SOURCES/libnbd-1.18.1.tar.gz
|
||||
|
@ -1,30 +0,0 @@
|
||||
From 486799e853aa9df034366303230a1785087a507a Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Fri, 8 Jan 2021 12:14:18 +0000
|
||||
Subject: [PATCH] copy/copy-nbd-to-sparse-file.sh: Skip test unless nbdkit
|
||||
available.
|
||||
|
||||
This test used nbdkit without checking it is available, which broke
|
||||
the test on RHEL 8 i686.
|
||||
|
||||
Fixes: commit 28fe8d9d8d1ecb491070d20f22e2f34bb147f19f
|
||||
(cherry picked from commit 781cb44b63a87f2d5f40590ab8c446ad2e7b6702)
|
||||
---
|
||||
copy/copy-nbd-to-sparse-file.sh | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/copy/copy-nbd-to-sparse-file.sh b/copy/copy-nbd-to-sparse-file.sh
|
||||
index aa2cb1b..47ff09a 100755
|
||||
--- a/copy/copy-nbd-to-sparse-file.sh
|
||||
+++ b/copy/copy-nbd-to-sparse-file.sh
|
||||
@@ -24,6 +24,7 @@ set -x
|
||||
requires cmp --version
|
||||
requires dd --version
|
||||
requires dd oflag=seek_bytes </dev/null
|
||||
+requires nbdkit --version
|
||||
requires test -r /dev/urandom
|
||||
requires test -r /dev/zero
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,88 @@
|
||||
From 4451e5b61ca07771ceef3e012223779e7a0c7701 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Blake <eblake@redhat.com>
|
||||
Date: Mon, 30 Oct 2023 12:50:53 -0500
|
||||
Subject: [PATCH] generator: Fix assertion in ext-mode BLOCK_STATUS,
|
||||
CVE-2023-5871
|
||||
|
||||
Another round of fuzz testing revealed that when a server negotiates
|
||||
extended headers and replies with a 64-bit flag value where the client
|
||||
used the 32-bit API command, we were correctly flagging the server's
|
||||
response as being an EOVERFLOW condition, but then immediately failing
|
||||
in an assertion failure instead of reporting it to the application.
|
||||
|
||||
The following one-byte change to qemu.git at commit fd9a38fd43 allows
|
||||
the creation of an intentionally malicious server:
|
||||
|
||||
| diff --git i/nbd/server.c w/nbd/server.c
|
||||
| index 859c163d19f..32e1e771a95 100644
|
||||
| --- i/nbd/server.c
|
||||
| +++ w/nbd/server.c
|
||||
| @@ -2178,7 +2178,7 @@ static void nbd_extent_array_convert_to_be(NBDExtentArray *ea)
|
||||
|
|
||||
| for (i = 0; i < ea->count; i++) {
|
||||
| ea->extents[i].length = cpu_to_be64(ea->extents[i].length);
|
||||
| - ea->extents[i].flags = cpu_to_be64(ea->extents[i].flags);
|
||||
| + ea->extents[i].flags = ~cpu_to_be64(ea->extents[i].flags);
|
||||
| }
|
||||
| }
|
||||
|
||||
and can then be detected with the following command line:
|
||||
|
||||
$ nbdsh -c - <<\EOF
|
||||
> def f(a,b,c,d):
|
||||
> pass
|
||||
>
|
||||
> h.connect_systemd_socket_activation(["/path/to/bad/qemu-nbd",
|
||||
> "-r", "-f", "raw", "TODO"])
|
||||
> h.block_staus(h.get_size(), 0, f)
|
||||
> EOF
|
||||
nbdsh: generator/states-reply-chunk.c:626: enter_STATE_REPLY_CHUNK_REPLY_RECV_BS_ENTRIES: Assertion `(len | flags) <= UINT32_MAX' failed.
|
||||
Aborted (core dumped)
|
||||
|
||||
whereas a fixed libnbd will give:
|
||||
|
||||
nbdsh: command line script failed: nbd_block_status: block-status: command failed: Value too large for defined data type
|
||||
|
||||
We can either relax the assertion (by changing to 'assert ((len |
|
||||
flags) <= UINT32_MAX || cmd->error)'), or intentionally truncate flags
|
||||
to make the existing assertion reliable. This patch goes with the
|
||||
latter approach.
|
||||
|
||||
Sadly, this crash is possible in all existing 1.18.x stable releases,
|
||||
if they were built with assertions enabled (most distros do this by
|
||||
default), meaning a malicious server has an easy way to cause a Denial
|
||||
of Service attack by triggering the assertion failure in vulnerable
|
||||
clients, so we have assigned this CVE-2023-5871. Mitigating factors:
|
||||
the crash only happens for a server that sends a 64-bit status block
|
||||
reply (no known production servers do so; qemu 8.2 will be the first
|
||||
known server to support extended headers, but it is not yet released);
|
||||
and as usual, a client can use TLS to guarantee it is connecting only
|
||||
to a known-safe server. If libnbd is compiled without assertions,
|
||||
there is no crash or other mistaken behavior; and when assertions are
|
||||
enabled, the attacker cannot accomplish anything more than a denial of
|
||||
service.
|
||||
|
||||
Reported-by: Richard W.M. Jones <rjones@redhat.com>
|
||||
Fixes: 20dadb0e10 ("generator: Prepare for extent64 callback", v1.17.4)
|
||||
Signed-off-by: Eric Blake <eblake@redhat.com>
|
||||
(cherry picked from commit 177308adb17e81fce7c0f2b2fcf655c5c0b6a4d6)
|
||||
Signed-off-by: Eric Blake <eblake@redhat.com>
|
||||
---
|
||||
generator/states-reply-chunk.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/generator/states-reply-chunk.c b/generator/states-reply-chunk.c
|
||||
index 5a31c192..8ab7e8ba 100644
|
||||
--- a/generator/states-reply-chunk.c
|
||||
+++ b/generator/states-reply-chunk.c
|
||||
@@ -600,6 +600,7 @@ STATE_MACHINE {
|
||||
break; /* Skip this and later extents; we already made progress */
|
||||
/* Expose this extent as an error; we made no progress */
|
||||
cmd->error = cmd->error ? : EOVERFLOW;
|
||||
+ flags = (uint32_t)flags;
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,32 @@
|
||||
From c39e31b7a20c7dc8aa12c5fa3f1742824e1e0c76 Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Thu, 9 Nov 2023 09:40:30 +0000
|
||||
Subject: [PATCH] docs: Fix incorrect xref in libnbd-release-notes for 1.18
|
||||
|
||||
LIBNBD_STRICT_AUTO_FLAG was added to nbd_set_strict_mode(3).
|
||||
|
||||
Reported-by: Vera Wu
|
||||
(cherry picked from commit 4fef3dbc07e631fce58487d25d991e83bbb424b1)
|
||||
Signed-off-by: Eric Blake <eblake@redhat.com>
|
||||
---
|
||||
docs/libnbd-release-notes-1.18.pod | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/docs/libnbd-release-notes-1.18.pod b/docs/libnbd-release-notes-1.18.pod
|
||||
index 935fab11..836ebe19 100644
|
||||
--- a/docs/libnbd-release-notes-1.18.pod
|
||||
+++ b/docs/libnbd-release-notes-1.18.pod
|
||||
@@ -84,8 +84,8 @@ Golang, OCaml and Python language bindings (Eric Blake).
|
||||
|
||||
L<nbd_shutdown(3)> now works correctly when in opt mode (Eric Blake).
|
||||
|
||||
-L<nbd_set_string(3)> adds C<LIBNBD_STRICT_AUTO_FLAG> which allows the
|
||||
-client to test how servers behave when the payload length flag is
|
||||
+L<nbd_set_strict_mode(3)> adds C<LIBNBD_STRICT_AUTO_FLAG> which allows
|
||||
+the client to test how servers behave when the payload length flag is
|
||||
adjusted (Eric Blake).
|
||||
|
||||
=head2 Protocol
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,57 +0,0 @@
|
||||
From 5dc2d2261224c9533d2b5ec4df6ed822de4cfc3b Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Thu, 4 Feb 2021 17:57:06 +0000
|
||||
Subject: [PATCH] generator: Refactor CONNECT.START state.
|
||||
|
||||
Small, neutral refactoring to the CONNECT.START to make the subsequent
|
||||
commit easier.
|
||||
|
||||
(cherry picked from commit cd231fd94bbfaacdd9b89e7d355ba2bbc83c2aeb)
|
||||
---
|
||||
generator/states-connect.c | 21 ++++++++++-----------
|
||||
1 file changed, 10 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/generator/states-connect.c b/generator/states-connect.c
|
||||
index 392879d..03b34c7 100644
|
||||
--- a/generator/states-connect.c
|
||||
+++ b/generator/states-connect.c
|
||||
@@ -47,11 +47,12 @@ disable_nagle (int sock)
|
||||
|
||||
STATE_MACHINE {
|
||||
CONNECT.START:
|
||||
- int fd;
|
||||
+ sa_family_t family;
|
||||
+ int fd, r;
|
||||
|
||||
assert (!h->sock);
|
||||
- fd = socket (h->connaddr.ss_family,
|
||||
- SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0);
|
||||
+ family = h->connaddr.ss_family;
|
||||
+ fd = socket (family, SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0);
|
||||
if (fd == -1) {
|
||||
SET_NEXT_STATE (%.DEAD);
|
||||
set_error (errno, "socket");
|
||||
@@ -65,14 +66,12 @@ STATE_MACHINE {
|
||||
|
||||
disable_nagle (fd);
|
||||
|
||||
- if (connect (fd, (struct sockaddr *) &h->connaddr,
|
||||
- h->connaddrlen) == -1) {
|
||||
- if (errno != EINPROGRESS) {
|
||||
- SET_NEXT_STATE (%.DEAD);
|
||||
- set_error (errno, "connect");
|
||||
- return 0;
|
||||
- }
|
||||
- }
|
||||
+ r = connect (fd, (struct sockaddr *) &h->connaddr, h->connaddrlen);
|
||||
+ if (r == 0 || (r == -1 && errno == EINPROGRESS))
|
||||
+ return 0;
|
||||
+ assert (r == -1);
|
||||
+ SET_NEXT_STATE (%.DEAD);
|
||||
+ set_error (errno, "connect");
|
||||
return 0;
|
||||
|
||||
CONNECT.CONNECTING:
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,48 +0,0 @@
|
||||
From f094472efcf34cea8bf1f02a1c5c9442ffc4ca53 Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Thu, 4 Feb 2021 18:02:46 +0000
|
||||
Subject: [PATCH] generator: Print a better error message if connect(2) returns
|
||||
EAGAIN.
|
||||
|
||||
The new error message is:
|
||||
|
||||
nbd_connect_unix: connect: server backlog overflowed, see https://bugzilla.redhat.com/1925045: Resource temporarily unavailable
|
||||
|
||||
Fixes: https://bugzilla.redhat.com/1925045
|
||||
Thanks: Xin Long, Lukas Doktor, Eric Blake
|
||||
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
|
||||
(cherry picked from commit 85ed74960a658a82d7b61b0be07f43d1b2dcede9)
|
||||
---
|
||||
generator/states-connect.c | 16 ++++++++++++++++
|
||||
1 file changed, 16 insertions(+)
|
||||
|
||||
diff --git a/generator/states-connect.c b/generator/states-connect.c
|
||||
index 03b34c7..98c26e5 100644
|
||||
--- a/generator/states-connect.c
|
||||
+++ b/generator/states-connect.c
|
||||
@@ -70,6 +70,22 @@ STATE_MACHINE {
|
||||
if (r == 0 || (r == -1 && errno == EINPROGRESS))
|
||||
return 0;
|
||||
assert (r == -1);
|
||||
+#ifdef __linux__
|
||||
+ if (errno == EAGAIN && family == AF_UNIX) {
|
||||
+ /* This can happen on Linux when connecting to a Unix domain
|
||||
+ * socket, if the server's backlog is full. Unfortunately there
|
||||
+ * is nothing good we can do on the client side when this happens
|
||||
+ * since any solution would involve sleeping or busy-waiting. The
|
||||
+ * only solution is on the server side, increasing the backlog.
|
||||
+ * But at least improve the error message.
|
||||
+ * https://bugzilla.redhat.com/1925045
|
||||
+ */
|
||||
+ SET_NEXT_STATE (%.DEAD);
|
||||
+ set_error (errno, "connect: server backlog overflowed, "
|
||||
+ "see https://bugzilla.redhat.com/1925045");
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
SET_NEXT_STATE (%.DEAD);
|
||||
set_error (errno, "connect");
|
||||
return 0;
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,205 @@
|
||||
From 32cb9ab9f1701b1a1a826b48f2083cb75adf1e87 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Blake <eblake@redhat.com>
|
||||
Date: Thu, 9 Nov 2023 20:11:08 -0600
|
||||
Subject: [PATCH] tests: Check behavior of
|
||||
nbd_set_strict_mode(STRICT_AUTO_FLAG)
|
||||
|
||||
While developing extended header support for qemu 8.2, I needed a way
|
||||
to make libnbd quickly behave as a non-compliant client to test corner
|
||||
cases in qemu's server code; so I wrote commit 5c1dae9236 ("api: Add
|
||||
LIBNBD_STRICT_AUTO_FLAG to nbd_set_strict", v1.18.0) to meet my needs.
|
||||
However, I failed to codify my manual tests of that bit into a unit
|
||||
test for libnbd, until now. Most sane clients will never call
|
||||
nbd_set_strict_mode() in the first place (after all, it is explicitly
|
||||
documented as an integration tool, which is how I used it with my qemu
|
||||
code development), but it never hurts to make sure we don't break it
|
||||
even for the relatively small set of users that would ever use it.
|
||||
|
||||
The test added here runs in two parts; if you get a SKIP despite
|
||||
having qemu-nbd, then the first part ran successfully before the
|
||||
second half gave up due to lack of extended headers in qemu
|
||||
(presumably qemu 8.1 or older); if you get a PASS, then both parts
|
||||
were run. However, both parts are inherently fragile, depending on
|
||||
behavior known to be in qemu 8.2 - while it is unlikely to change in
|
||||
future qemu releases (at least as long as I continue to maintain NBD
|
||||
code there), the fact that we are intentionally violating the NBD
|
||||
protocol means a different server is within its rights to behave
|
||||
differently than qemu 8.2 did. Hence this test lives in interop/
|
||||
rather than tests/ because of its strong ties to a particular qemu.
|
||||
|
||||
Signed-off-by: Eric Blake <eblake@redhat.com>
|
||||
(cherry picked from commit 54d4426394c372413f55f648d4ad1d21b3395e07)
|
||||
Signed-off-by: Eric Blake <eblake@redhat.com>
|
||||
---
|
||||
interop/Makefile.am | 2 +
|
||||
interop/strict-mode-auto-flag.sh | 138 +++++++++++++++++++++++++++++++
|
||||
2 files changed, 140 insertions(+)
|
||||
create mode 100755 interop/strict-mode-auto-flag.sh
|
||||
|
||||
diff --git a/interop/Makefile.am b/interop/Makefile.am
|
||||
index d6485adf..ac12d84a 100644
|
||||
--- a/interop/Makefile.am
|
||||
+++ b/interop/Makefile.am
|
||||
@@ -28,6 +28,7 @@ EXTRA_DIST = \
|
||||
structured-read.sh \
|
||||
opt-extended-headers.sh \
|
||||
block-status-payload.sh \
|
||||
+ strict-mode-auto-flag.sh \
|
||||
$(NULL)
|
||||
|
||||
TESTS_ENVIRONMENT = \
|
||||
@@ -153,6 +154,7 @@ TESTS += \
|
||||
interop-qemu-block-size.sh \
|
||||
opt-extended-headers.sh \
|
||||
block-status-payload.sh \
|
||||
+ strict-mode-auto-flag.sh \
|
||||
$(NULL)
|
||||
|
||||
interop_qemu_nbd_SOURCES = \
|
||||
diff --git a/interop/strict-mode-auto-flag.sh b/interop/strict-mode-auto-flag.sh
|
||||
new file mode 100755
|
||||
index 00000000..8f73ea73
|
||||
--- /dev/null
|
||||
+++ b/interop/strict-mode-auto-flag.sh
|
||||
@@ -0,0 +1,138 @@
|
||||
+#!/usr/bin/env bash
|
||||
+# nbd client library in userspace
|
||||
+# Copyright Red Hat
|
||||
+#
|
||||
+# This library is free software; you can redistribute it and/or
|
||||
+# modify it under the terms of the GNU Lesser General Public
|
||||
+# License as published by the Free Software Foundation; either
|
||||
+# version 2 of the License, or (at your option) any later version.
|
||||
+#
|
||||
+# This library is distributed in the hope that it will be useful,
|
||||
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+# Lesser General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU Lesser General Public
|
||||
+# License along with this library; if not, write to the Free Software
|
||||
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
+
|
||||
+# Test effect of AUTO_FLAG bit in set_strict_mode()
|
||||
+
|
||||
+source ../tests/functions.sh
|
||||
+set -e
|
||||
+set -x
|
||||
+
|
||||
+requires truncate --version
|
||||
+requires qemu-nbd --version
|
||||
+requires nbdsh --version
|
||||
+
|
||||
+file="strict-mode-auto-flag.file"
|
||||
+rm -f $file
|
||||
+cleanup_fn rm -f $file
|
||||
+
|
||||
+truncate -s 1M $file
|
||||
+
|
||||
+# Unconditional part of test: behavior when extended headers are not in use
|
||||
+$VG nbdsh -c '
|
||||
+import errno
|
||||
+
|
||||
+h.set_request_extended_headers(False)
|
||||
+args = ["qemu-nbd", "-f", "raw", "'"$file"'"]
|
||||
+h.connect_systemd_socket_activation(args)
|
||||
+assert h.get_extended_headers_negotiated() is False
|
||||
+
|
||||
+# STRICT_AUTO_FLAG and STRICT_COMMANDS are on by default
|
||||
+flags = h.get_strict_mode()
|
||||
+assert flags & nbd.STRICT_AUTO_FLAG
|
||||
+assert flags & nbd.STRICT_COMMANDS
|
||||
+
|
||||
+# Under STRICT_AUTO_FLAG, using or omitting flag does not matter; client
|
||||
+# side auto-corrects the flag before passing to server
|
||||
+h.pwrite(b"1"*512, 0, 0)
|
||||
+h.pwrite(b"2"*512, 0, nbd.CMD_FLAG_PAYLOAD_LEN)
|
||||
+
|
||||
+# Without STRICT_AUTO_FLAG but still STRICT_COMMANDS, client side now sees
|
||||
+# attempts to use the flag as invalid
|
||||
+flags = flags & ~nbd.STRICT_AUTO_FLAG
|
||||
+h.set_strict_mode(flags)
|
||||
+h.pwrite(b"3"*512, 0, 0)
|
||||
+stats = h.stats_bytes_sent()
|
||||
+try:
|
||||
+ h.pwrite(b"4"*512, 0, nbd.CMD_FLAG_PAYLOAD_LEN)
|
||||
+ assert False
|
||||
+except nbd.Error as e:
|
||||
+ assert e.errnum == errno.EINVAL
|
||||
+assert stats == h.stats_bytes_sent()
|
||||
+
|
||||
+# Warning: fragile test ahead. Without STRICT_COMMANDS, we send unexpected
|
||||
+# flag to qemu, and expect failure. For qemu <= 8.1, this is safe (those
|
||||
+# versions did not know the flag, and correctly reject unknown flags with
|
||||
+# NBD_EINVAL). For qemu 8.2, this also works (qemu knows the flag, but warns
|
||||
+# that we were not supposed to send it without extended headers). But if
|
||||
+# future qemu versions change to start silently ignoring the flag (after all,
|
||||
+# a write command obviously has a payload even without extended headers, so
|
||||
+# the flag is redundant for NBD_CMD_WRITE), then we may need to tweak this.
|
||||
+flags = flags & ~nbd.STRICT_COMMANDS
|
||||
+h.set_strict_mode(flags)
|
||||
+h.pwrite(b"5"*512, 0, 0)
|
||||
+stats = h.stats_bytes_sent()
|
||||
+try:
|
||||
+ h.pwrite(b"6"*512, 0, nbd.CMD_FLAG_PAYLOAD_LEN)
|
||||
+ print("Did newer qemu change behavior?")
|
||||
+ assert False
|
||||
+except nbd.Error as e:
|
||||
+ assert e.errnum == errno.EINVAL
|
||||
+assert stats < h.stats_bytes_sent()
|
||||
+
|
||||
+h.shutdown()
|
||||
+'
|
||||
+
|
||||
+# Conditional part of test: only run if qemu supports extended headers
|
||||
+requires nbdinfo --has extended-headers -- [ qemu-nbd -r -f raw "$file" ]
|
||||
+$VG nbdsh -c '
|
||||
+import errno
|
||||
+
|
||||
+args = ["qemu-nbd", "-f", "raw", "'"$file"'"]
|
||||
+h.connect_systemd_socket_activation(args)
|
||||
+assert h.get_extended_headers_negotiated() is True
|
||||
+
|
||||
+# STRICT_AUTO_FLAG and STRICT_COMMANDS are on by default
|
||||
+flags = h.get_strict_mode()
|
||||
+assert flags & nbd.STRICT_AUTO_FLAG
|
||||
+assert flags & nbd.STRICT_COMMANDS
|
||||
+
|
||||
+# Under STRICT_AUTO_FLAG, using or omitting flag does not matter; client
|
||||
+# side auto-corrects the flag before passing to server
|
||||
+h.pwrite(b"1"*512, 0, 0)
|
||||
+h.pwrite(b"2"*512, 0, nbd.CMD_FLAG_PAYLOAD_LEN)
|
||||
+
|
||||
+# Without STRICT_AUTO_FLAG but still STRICT_COMMANDS, client side now sees
|
||||
+# attempts to omit the flag as invalid
|
||||
+flags = flags & ~nbd.STRICT_AUTO_FLAG
|
||||
+h.set_strict_mode(flags)
|
||||
+h.pwrite(b"3"*512, 0, nbd.CMD_FLAG_PAYLOAD_LEN)
|
||||
+stats = h.stats_bytes_sent()
|
||||
+try:
|
||||
+ h.pwrite(b"4"*512, 0, 0)
|
||||
+ assert False
|
||||
+except nbd.Error as e:
|
||||
+ assert e.errnum == errno.EINVAL
|
||||
+assert stats == h.stats_bytes_sent()
|
||||
+
|
||||
+# Warning: fragile test ahead. Without STRICT_COMMANDS, omitting the flag
|
||||
+# is a protocol violation. qemu 8.2 silently ignores the violation; but a
|
||||
+# future qemu might start failing the command, at which point we would need
|
||||
+# to tweak this part of the test.
|
||||
+flags = flags & ~nbd.STRICT_COMMANDS
|
||||
+h.set_strict_mode(flags)
|
||||
+h.pwrite(b"5"*512, 0, nbd.CMD_FLAG_PAYLOAD_LEN)
|
||||
+stats = h.stats_bytes_sent()
|
||||
+try:
|
||||
+ h.pwrite(b"6"*512, 0, 0)
|
||||
+except nbd.Error:
|
||||
+ print("Did newer qemu change behavior?")
|
||||
+ assert False
|
||||
+assert stats < h.stats_bytes_sent()
|
||||
+
|
||||
+h.shutdown()
|
||||
+'
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,91 @@
|
||||
From 596626369b90016f6852610c217da22668158521 Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Tue, 25 Jun 2024 10:55:54 +0100
|
||||
Subject: [PATCH] build: Move to minimum gnutls >= 3.5.18
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This version matches current qemu.
|
||||
|
||||
RHEL 7 gnutls is too old (lacks gnutls_session_set_verify_cert), which
|
||||
means TLS will be disabled on this platform. RHEL 8 has gnutls 3.6.14.
|
||||
|
||||
I also unconditionally enabled the gnutls/socket.h header. This
|
||||
header was added in 2016 (gnutls 3.5.3), so it's not present in RHEL 7.
|
||||
|
||||
On RHEL 7 the configure-time test now prints:
|
||||
|
||||
checking for GNUTLS... no
|
||||
configure: WARNING: gnutls not found or < 3.5.18, TLS support will be disabled.
|
||||
...
|
||||
Optional library features:
|
||||
TLS support ............................ no
|
||||
|
||||
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
(cherry picked from commit 5ff09cdbbd19226dd2d5015d76134f88dee9321e)
|
||||
(cherry picked from commit 177fd0847723640829eff8d1ab102f8d28a7328e)
|
||||
---
|
||||
configure.ac | 5 ++---
|
||||
lib/crypto.c | 6 ------
|
||||
2 files changed, 2 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 91fe004b..c0d6a472 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -178,13 +178,13 @@ AC_ARG_WITH([gnutls],
|
||||
[],
|
||||
[with_gnutls=check])
|
||||
AS_IF([test "$with_gnutls" != "no"],[
|
||||
- PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.3.0], [
|
||||
+ PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.5.18], [
|
||||
printf "gnutls version is "; $PKG_CONFIG --modversion gnutls
|
||||
AC_SUBST([GNUTLS_CFLAGS])
|
||||
AC_SUBST([GNUTLS_LIBS])
|
||||
AC_DEFINE([HAVE_GNUTLS],[1],[gnutls found at compile time.])
|
||||
], [
|
||||
- AC_MSG_WARN([gnutls not found or < 3.3.0, TLS support will be disabled.])
|
||||
+ AC_MSG_WARN([gnutls not found or < 3.5.18, TLS support will be disabled.])
|
||||
])
|
||||
])
|
||||
AM_CONDITIONAL([HAVE_GNUTLS], [test "x$GNUTLS_LIBS" != "x"])
|
||||
@@ -210,7 +210,6 @@ AS_IF([test "$GNUTLS_LIBS" != ""],[
|
||||
old_LIBS="$LIBS"
|
||||
LIBS="$GNUTLS_LIBS $LIBS"
|
||||
AC_CHECK_FUNCS([\
|
||||
- gnutls_session_set_verify_cert \
|
||||
gnutls_transport_is_ktls_enabled \
|
||||
])
|
||||
LIBS="$old_LIBS"
|
||||
diff --git a/lib/crypto.c b/lib/crypto.c
|
||||
index 22a1cfa5..d131f1d0 100644
|
||||
--- a/lib/crypto.c
|
||||
+++ b/lib/crypto.c
|
||||
@@ -28,10 +28,8 @@
|
||||
|
||||
#ifdef HAVE_GNUTLS
|
||||
#include <gnutls/gnutls.h>
|
||||
-#ifdef HAVE_GNUTLS_SOCKET_H
|
||||
#include <gnutls/socket.h>
|
||||
#endif
|
||||
-#endif
|
||||
|
||||
#include "internal.h"
|
||||
#include "nbdkit-string.h"
|
||||
@@ -532,12 +530,8 @@ set_up_certificate_credentials (struct nbd_handle *h,
|
||||
return NULL;
|
||||
|
||||
found_certificates:
|
||||
-#ifdef HAVE_GNUTLS_SESSION_SET_VERIFY_CERT
|
||||
if (h->hostname && h->tls_verify_peer)
|
||||
gnutls_session_set_verify_cert (session, h->hostname, 0);
|
||||
-#else
|
||||
- debug (h, "ignoring nbd_set_tls_verify_peer, this requires GnuTLS >= 3.4.6");
|
||||
-#endif
|
||||
|
||||
err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret);
|
||||
if (err < 0) {
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,59 +0,0 @@
|
||||
From ffe8f0a994c1f2656aa011353b386663d32db69e Mon Sep 17 00:00:00 2001
|
||||
From: Eric Blake <eblake@redhat.com>
|
||||
Date: Mon, 1 Mar 2021 15:25:31 -0600
|
||||
Subject: [PATCH] opt_go: Tolerate unplanned server death
|
||||
|
||||
While debugging some experimental nbdkit code that was triggering an
|
||||
assertion failure in nbdkit, I noticed a secondary failure of nbdsh
|
||||
also dying from an assertion:
|
||||
|
||||
libnbd: debug: nbdsh: nbd_opt_go: transition: NEWSTYLE.OPT_GO.SEND -> DEAD
|
||||
libnbd: debug: nbdsh: nbd_opt_go: option queued, ignoring state machine failure
|
||||
nbdsh: opt.c:86: nbd_unlocked_opt_go: Assertion `nbd_internal_is_state_negotiating (get_next_state (h))' failed.
|
||||
|
||||
Although my trigger was from non-production nbdkit code, libnbd should
|
||||
never die from an assertion failure merely because a server
|
||||
disappeared at the wrong moment during an incomplete reply to
|
||||
NBD_OPT_GO or NBD_OPT_INFO. If this is assigned a CVE, a followup
|
||||
patch will add mention of it in docs/libnbd-security.pod.
|
||||
|
||||
Fixes: bbf1c51392 (api: Give aio_opt_go a completion callback)
|
||||
(cherry picked from commit fb4440de9cc76e9c14bd3ddf3333e78621f40ad0)
|
||||
---
|
||||
lib/opt.c | 8 +++++---
|
||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/lib/opt.c b/lib/opt.c
|
||||
index 2317b72..e5802f4 100644
|
||||
--- a/lib/opt.c
|
||||
+++ b/lib/opt.c
|
||||
@@ -1,5 +1,5 @@
|
||||
/* NBD client library in userspace
|
||||
- * Copyright (C) 2020 Red Hat Inc.
|
||||
+ * Copyright (C) 2020-2021 Red Hat Inc.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
@@ -83,7 +83,8 @@ nbd_unlocked_opt_go (struct nbd_handle *h)
|
||||
|
||||
r = wait_for_option (h);
|
||||
if (r == 0 && err) {
|
||||
- assert (nbd_internal_is_state_negotiating (get_next_state (h)));
|
||||
+ assert (nbd_internal_is_state_negotiating (get_next_state (h)) ||
|
||||
+ nbd_internal_is_state_dead (get_next_state (h)));
|
||||
set_error (err, "server replied with error to opt_go request");
|
||||
return -1;
|
||||
}
|
||||
@@ -105,7 +106,8 @@ nbd_unlocked_opt_info (struct nbd_handle *h)
|
||||
|
||||
r = wait_for_option (h);
|
||||
if (r == 0 && err) {
|
||||
- assert (nbd_internal_is_state_negotiating (get_next_state (h)));
|
||||
+ assert (nbd_internal_is_state_negotiating (get_next_state (h)) ||
|
||||
+ nbd_internal_is_state_dead (get_next_state (h)));
|
||||
set_error (err, "server replied with error to opt_info request");
|
||||
return -1;
|
||||
}
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,57 @@
|
||||
From d8ec4c8ecc5244ed192f58bc3a976c4b2f9cc6d7 Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Mon, 24 Jun 2024 10:48:12 +0100
|
||||
Subject: [PATCH] lib/crypto.c: Check server certificate even when using system
|
||||
CA
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The previous code checked the server certificate only when a custom
|
||||
certificate directory was set (ie. nbd_set_tls_certificates /
|
||||
?tls-certificates=DIR). In the fallback case where we use the system
|
||||
CA, we never called gnutls_session_set_verify_cert and so the server
|
||||
certificate was never checked.
|
||||
|
||||
Move the call to gnutls_session_set_verify_cert later so it is called
|
||||
on both paths.
|
||||
|
||||
If the server certificate does not match the hostname you will see:
|
||||
|
||||
nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1)
|
||||
|
||||
Reported-by: Jon Szymaniak <jon.szymaniak@gmail.com>
|
||||
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
(cherry picked from commit 87ef41b69929d5d293390ec36b1c10aba2c9a57a)
|
||||
(cherry picked from commit 7a6739aeca8250515a449bacd23d09bf40587dec)
|
||||
---
|
||||
lib/crypto.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/lib/crypto.c b/lib/crypto.c
|
||||
index d131f1d0..c542ce6b 100644
|
||||
--- a/lib/crypto.c
|
||||
+++ b/lib/crypto.c
|
||||
@@ -530,9 +530,6 @@ set_up_certificate_credentials (struct nbd_handle *h,
|
||||
return NULL;
|
||||
|
||||
found_certificates:
|
||||
- if (h->hostname && h->tls_verify_peer)
|
||||
- gnutls_session_set_verify_cert (session, h->hostname, 0);
|
||||
-
|
||||
err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret);
|
||||
if (err < 0) {
|
||||
set_error (0, "gnutls_credentials_set: %s", gnutls_strerror (err));
|
||||
@@ -647,6 +644,9 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
|
||||
gnutls_deinit (session);
|
||||
return NULL;
|
||||
}
|
||||
+
|
||||
+ if (h->hostname && h->tls_verify_peer)
|
||||
+ gnutls_session_set_verify_cert (session, h->hostname, 0);
|
||||
}
|
||||
|
||||
/* Wrap the underlying socket with GnuTLS. */
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,40 +0,0 @@
|
||||
From 171ffdde8be590f784086a021a7e6f36c4ecdb4b Mon Sep 17 00:00:00 2001
|
||||
From: Eric Blake <eblake@redhat.com>
|
||||
Date: Fri, 12 Mar 2021 17:00:58 -0600
|
||||
Subject: [PATCH] security: Document assignment of CVE-2021-20286
|
||||
|
||||
Now that we finally have a CVE number, it's time to document
|
||||
the problem (it's low severity, but still a denial of service).
|
||||
|
||||
Fixes: fb4440de9cc7 (opt_go: Tolerate unplanned server death)
|
||||
(cherry picked from commit 40308a005eaa6b2e8f98da8952d0c0cacc51efde)
|
||||
---
|
||||
docs/libnbd-security.pod | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/docs/libnbd-security.pod b/docs/libnbd-security.pod
|
||||
index d8ead87..0cae846 100644
|
||||
--- a/docs/libnbd-security.pod
|
||||
+++ b/docs/libnbd-security.pod
|
||||
@@ -22,6 +22,12 @@ L<https://www.redhat.com/archives/libguestfs/2019-September/msg00128.html>
|
||||
See the full announcement here:
|
||||
L<https://www.redhat.com/archives/libguestfs/2019-October/msg00060.html>
|
||||
|
||||
+=head2 CVE-2021-20286
|
||||
+denial of service when using L<nbd_set_opt_mode(3)>
|
||||
+
|
||||
+See the full announcement here:
|
||||
+L<https://listman.redhat.com/archives/libguestfs/2021-March/msg00092.html>
|
||||
+
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<libnbd(3)>.
|
||||
@@ -34,4 +40,4 @@ Richard W.M. Jones
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
-Copyright (C) 2019 Red Hat Inc.
|
||||
+Copyright (C) 2019-2021 Red Hat Inc.
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,163 +0,0 @@
|
||||
From 22572f8ac13e2e8daf91d227eac2f384303fb5b4 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Blake <eblake@redhat.com>
|
||||
Date: Thu, 3 Feb 2022 14:25:57 -0600
|
||||
Subject: [PATCH] copy: Pass in dummy variable rather than &errno to callback
|
||||
|
||||
In several places where asynch handlers manually call the provided
|
||||
nbd_completion_callback, the value of errno is indeterminate (for
|
||||
example, in file-ops.c:file_asynch_read(), the previous call to
|
||||
file_synch_read() already triggered exit() on error, but does not
|
||||
guarantee what is left in errno on success). As the callback should
|
||||
be paying attention to the value of *error (to be fixed in the next
|
||||
patch), we are better off ensuring that we pass in a pointer to a
|
||||
known-zero value. Besides, passing in &errno carries a risk that if
|
||||
the callback uses any other library function that alters errno prior
|
||||
to dereferncing *error, it will no longer see the value we passed in.
|
||||
Thus, it is easier to use a dummy variable on the stack than to mess
|
||||
around with errno and it's magic macro expansion into a thread-local
|
||||
storage location.
|
||||
|
||||
Note that several callsites then check if the callback returned -1,
|
||||
and if so assume that the callback has caused errno to now have a sane
|
||||
value to pass on to perror. In theory, the fact that we are no longer
|
||||
passing in &errno means that if the callback assigns into *error but
|
||||
did not otherwise affect errno (a tenuous assumption, given our
|
||||
argument above that we could not even guarantee that the callback does
|
||||
not accidentally alter errno prior to reading *error), our perror call
|
||||
would no longer reflect the intended error value from the callback.
|
||||
But in practice, since the callback never actually returned -1, nor
|
||||
even assigned into *error, the call to perror is dead code; although I
|
||||
have chosen to defer that additional cleanup to the next patch.
|
||||
|
||||
Message-Id: <20220203202558.203013-5-eblake@redhat.com>
|
||||
Acked-by: Richard W.M. Jones <rjones@redhat.com>
|
||||
Acked-by: Nir Soffer <nsoffer@redhat.com>
|
||||
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit 794c8ce06e995ebd282e8f2b9465a06140572112)
|
||||
Conflicts:
|
||||
copy/file-ops.c - no backport of d5f65e56 ("copy: Do not use trim
|
||||
for zeroing"), so asynch_trim needed same treatment
|
||||
copy/multi-thread-copying.c - context due to missing refactoring
|
||||
copy/null-ops.c - no backport of 0b16205e "copy: Implement "null:"
|
||||
destination."
|
||||
(cherry picked from commit 26e3dcf80815fe2db320d3046aabc2580c2f7a0d)
|
||||
---
|
||||
copy/file-ops.c | 22 +++++++++++++---------
|
||||
copy/multi-thread-copying.c | 8 +++++---
|
||||
2 files changed, 18 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/copy/file-ops.c b/copy/file-ops.c
|
||||
index 086348a..cc312b4 100644
|
||||
--- a/copy/file-ops.c
|
||||
+++ b/copy/file-ops.c
|
||||
@@ -1,5 +1,5 @@
|
||||
/* NBD client library in userspace.
|
||||
- * Copyright (C) 2020 Red Hat Inc.
|
||||
+ * Copyright (C) 2020-2022 Red Hat Inc.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
@@ -158,10 +158,11 @@ file_asynch_read (struct rw *rw,
|
||||
struct command *command,
|
||||
nbd_completion_callback cb)
|
||||
{
|
||||
+ int dummy = 0;
|
||||
+
|
||||
file_synch_read (rw, slice_ptr (command->slice),
|
||||
command->slice.len, command->offset);
|
||||
- errno = 0;
|
||||
- if (cb.callback (cb.user_data, &errno) == -1) {
|
||||
+ if (cb.callback (cb.user_data, &dummy) == -1) {
|
||||
perror (rw->name);
|
||||
exit (EXIT_FAILURE);
|
||||
}
|
||||
@@ -172,10 +173,11 @@ file_asynch_write (struct rw *rw,
|
||||
struct command *command,
|
||||
nbd_completion_callback cb)
|
||||
{
|
||||
+ int dummy = 0;
|
||||
+
|
||||
file_synch_write (rw, slice_ptr (command->slice),
|
||||
command->slice.len, command->offset);
|
||||
- errno = 0;
|
||||
- if (cb.callback (cb.user_data, &errno) == -1) {
|
||||
+ if (cb.callback (cb.user_data, &dummy) == -1) {
|
||||
perror (rw->name);
|
||||
exit (EXIT_FAILURE);
|
||||
}
|
||||
@@ -185,10 +187,11 @@ static bool
|
||||
file_asynch_trim (struct rw *rw, struct command *command,
|
||||
nbd_completion_callback cb)
|
||||
{
|
||||
+ int dummy = 0;
|
||||
+
|
||||
if (!file_synch_trim (rw, command->offset, command->slice.len))
|
||||
return false;
|
||||
- errno = 0;
|
||||
- if (cb.callback (cb.user_data, &errno) == -1) {
|
||||
+ if (cb.callback (cb.user_data, &dummy) == -1) {
|
||||
perror (rw->name);
|
||||
exit (EXIT_FAILURE);
|
||||
}
|
||||
@@ -199,10 +202,11 @@ static bool
|
||||
file_asynch_zero (struct rw *rw, struct command *command,
|
||||
nbd_completion_callback cb)
|
||||
{
|
||||
+ int dummy = 0;
|
||||
+
|
||||
if (!file_synch_zero (rw, command->offset, command->slice.len))
|
||||
return false;
|
||||
- errno = 0;
|
||||
- if (cb.callback (cb.user_data, &errno) == -1) {
|
||||
+ if (cb.callback (cb.user_data, &dummy) == -1) {
|
||||
perror (rw->name);
|
||||
exit (EXIT_FAILURE);
|
||||
}
|
||||
diff --git a/copy/multi-thread-copying.c b/copy/multi-thread-copying.c
|
||||
index a7aaa7d..2593ff7 100644
|
||||
--- a/copy/multi-thread-copying.c
|
||||
+++ b/copy/multi-thread-copying.c
|
||||
@@ -1,5 +1,5 @@
|
||||
/* NBD client library in userspace.
|
||||
- * Copyright (C) 2020 Red Hat Inc.
|
||||
+ * Copyright (C) 2020-2022 Red Hat Inc.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
@@ -391,6 +391,7 @@ finished_read (void *vp, int *error)
|
||||
bool last_is_hole = false;
|
||||
uint64_t i;
|
||||
struct command *newcommand;
|
||||
+ int dummy = 0;
|
||||
|
||||
/* Iterate over whole blocks in the command, starting on a block
|
||||
* boundary.
|
||||
@@ -473,7 +474,7 @@ finished_read (void *vp, int *error)
|
||||
/* Free the original command since it has been split into
|
||||
* subcommands and the original is no longer needed.
|
||||
*/
|
||||
- free_command (command, &errno);
|
||||
+ free_command (command, &dummy);
|
||||
}
|
||||
|
||||
return 1; /* auto-retires the command */
|
||||
@@ -498,6 +499,7 @@ static void
|
||||
fill_dst_range_with_zeroes (struct command *command)
|
||||
{
|
||||
char *data;
|
||||
+ int dummy = 0;
|
||||
|
||||
if (destination_is_zero)
|
||||
goto free_and_return;
|
||||
@@ -541,7 +543,7 @@ fill_dst_range_with_zeroes (struct command *command)
|
||||
free (data);
|
||||
|
||||
free_and_return:
|
||||
- free_command (command, &errno);
|
||||
+ free_command (command, &dummy);
|
||||
}
|
||||
|
||||
static int
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,76 @@
|
||||
From af09b72a486fd870ab72170a0cba4b1d6d37894f Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Mon, 24 Jun 2024 10:31:10 +0100
|
||||
Subject: [PATCH] lib/crypto.c: Allow CA verification even if h->hostname is
|
||||
not set
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Calling gnutls_session_set_verify_cert with the hostname parameter set
|
||||
to NULL is permitted:
|
||||
https://www.gnutls.org/manual/html_node/Core-TLS-API.html#gnutls_005fsession_005fset_005fverify_005fcert
|
||||
|
||||
It means that the server's hostname in the certificate will not be
|
||||
verified but we can at least check that the certificate was signed by
|
||||
the CA. This allows the CA to be checked even for connections over
|
||||
Unix domain sockets.
|
||||
|
||||
Example:
|
||||
|
||||
$ rm -f /tmp/sock
|
||||
$ nbdkit -U /tmp/sock -f --tls=require --tls-certificates=$HOME/d/nbdkit/tests/pki memory 1G &
|
||||
|
||||
Before this change:
|
||||
|
||||
$ nbdinfo 'nbds+unix://?socket=/tmp/sock'
|
||||
protocol: newstyle-fixed with TLS, using structured packets
|
||||
export="":
|
||||
export-size: 1073741824 (1G)
|
||||
content: data
|
||||
uri: nbds+unix:///?socket=/tmp/sock
|
||||
[etc]
|
||||
|
||||
(works because it never called gnutls_session_set_verify_cert).
|
||||
|
||||
After this change:
|
||||
|
||||
$ nbdinfo 'nbds+unix://?socket=/tmp/sock'
|
||||
nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1)
|
||||
|
||||
(fails because system CA does not know about nbdkit's certificate
|
||||
which is signed by the CA from the nbdkit/tests/pki directory)
|
||||
|
||||
$ nbdinfo 'nbds+unix://?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki'
|
||||
protocol: newstyle-fixed with TLS, using structured packets
|
||||
export="":
|
||||
export-size: 1073741824 (1G)
|
||||
content: data
|
||||
uri: nbds+unix:///?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki
|
||||
[etc]
|
||||
|
||||
(works because we supplied the correct CA)
|
||||
|
||||
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
(cherry picked from commit 6ed47a27d14f6f11946bb096d94e5bf21d97083d)
|
||||
(cherry picked from commit 3a427e6d7a83f89299ab6fdaeeffbd9074610ecc)
|
||||
---
|
||||
lib/crypto.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/crypto.c b/lib/crypto.c
|
||||
index c542ce6b..437e24ec 100644
|
||||
--- a/lib/crypto.c
|
||||
+++ b/lib/crypto.c
|
||||
@@ -645,7 +645,7 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- if (h->hostname && h->tls_verify_peer)
|
||||
+ if (h->tls_verify_peer)
|
||||
gnutls_session_set_verify_cert (session, h->hostname, 0);
|
||||
}
|
||||
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,318 +0,0 @@
|
||||
From 1b0b732e6a9b4979fccf6a09eb6704264edf675d Mon Sep 17 00:00:00 2001
|
||||
From: Eric Blake <eblake@redhat.com>
|
||||
Date: Thu, 3 Feb 2022 14:25:58 -0600
|
||||
Subject: [PATCH] copy: CVE-2022-0485: Fail nbdcopy if NBD read or write fails
|
||||
|
||||
nbdcopy has a nasty bug when performing multi-threaded copies using
|
||||
asynchronous nbd calls - it was blindly treating the completion of an
|
||||
asynchronous command as successful, rather than checking the *error
|
||||
parameter. This can result in the silent creation of a corrupted
|
||||
image in two different ways: when a read fails, we blindly wrote
|
||||
garbage to the destination; when a write fails, we did not flag that
|
||||
the destination was not written.
|
||||
|
||||
Since nbdcopy already calls exit() on a synchronous read or write
|
||||
failure to a file, doing the same for an asynchronous op to an NBD
|
||||
server is the simplest solution. A nicer solution, but more invasive
|
||||
to code and thus not done here, might be to allow up to N retries of
|
||||
the transaction (in case the read or write failure was transient), or
|
||||
even having a mode where as much data is copied as possible (portions
|
||||
of the copy that failed would be logged on stderr, and nbdcopy would
|
||||
still fail with a non-zero exit status, but this would copy more than
|
||||
just stopping at the first error, as can be done with rsync or
|
||||
ddrescue).
|
||||
|
||||
Note that since we rely on auto-retiring and do NOT call
|
||||
nbd_aio_command_completed, our completion callbacks must always return
|
||||
1 (if they do not exit() first), even when acting on *error, so as not
|
||||
leave the command allocated until nbd_close. As such, there is no
|
||||
sane way to return an error to a manual caller of the callback, and
|
||||
therefore we can drop dead code that calls perror() and exit() if the
|
||||
callback "failed". It is also worth documenting the contract on when
|
||||
we must manually call the callback during the asynch_zero callback, so
|
||||
that we do not leak or double-free the command; thankfully, all the
|
||||
existing code paths were correct.
|
||||
|
||||
The added testsuite script demonstrates several scenarios, some of
|
||||
which fail without the rest of this patch in place, and others which
|
||||
showcase ways in which sparse images can bypass errors.
|
||||
|
||||
Once backports are complete, a followup patch on the main branch will
|
||||
edit docs/libnbd-security.pod with the mailing list announcement of
|
||||
the stable branch commit ids and release versions that incorporate
|
||||
this fix.
|
||||
|
||||
Reported-by: Nir Soffer <nsoffer@redhat.com>
|
||||
Fixes: bc896eec4d ("copy: Implement multi-conn, multiple threads, multiple requests in flight.", v1.5.6)
|
||||
Fixes: https://bugzilla.redhat.com/2046194
|
||||
Message-Id: <20220203202558.203013-6-eblake@redhat.com>
|
||||
Acked-by: Richard W.M. Jones <rjones@redhat.com>
|
||||
Acked-by: Nir Soffer <nsoffer@redhat.com>
|
||||
[eblake: fix error message per Nir, tweak requires lines in unit test per Rich]
|
||||
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||
|
||||
(cherry picked from commit 8d444b41d09a700c7ee6f9182a649f3f2d325abb)
|
||||
Conflicts:
|
||||
copy/nbdcopy.h - copyright context
|
||||
copy/null-ops.c - no backport of 0b16205e "copy: Implement "null:"
|
||||
destination."
|
||||
copy/copy-nbd-error.sh - no backport of d5f65e56 ("copy: Do not use
|
||||
trim for zeroing"), so one test needed an additional error-trim-rate;
|
||||
no backport of 4ff9e62d (copy: Add --request-size option") and friends, so
|
||||
this version uses larger transactions, so change error rate of 0.5 to 1;
|
||||
no backport of 0b16205e "copy: Implement "null:" destination.", so use
|
||||
nbdkit null instead
|
||||
Note that while the use of NBD_CMD_TRIM can create data corruption, it is
|
||||
not as severe as what this patch fixes, since trim corruption will only
|
||||
expose what had previously been on the disk, compared to this patch fixing
|
||||
a potential leak of nbdcopy heap contents into the destination.
|
||||
(cherry picked from commit 6c8f2f859926b82094fb5e85c446ea099700fa10)
|
||||
---
|
||||
TODO | 1 +
|
||||
copy/Makefile.am | 4 +-
|
||||
copy/copy-nbd-error.sh | 81 +++++++++++++++++++++++++++++++++++++
|
||||
copy/file-ops.c | 17 +++-----
|
||||
copy/multi-thread-copying.c | 13 ++++++
|
||||
copy/nbdcopy.h | 7 ++--
|
||||
6 files changed, 107 insertions(+), 16 deletions(-)
|
||||
create mode 100755 copy/copy-nbd-error.sh
|
||||
|
||||
diff --git a/TODO b/TODO
|
||||
index 510c219..19c21d4 100644
|
||||
--- a/TODO
|
||||
+++ b/TODO
|
||||
@@ -35,6 +35,7 @@ nbdcopy:
|
||||
- Better page cache usage, see nbdkit-file-plugin options
|
||||
fadvise=sequential cache=none.
|
||||
- Consider io_uring if there are performance bottlenecks.
|
||||
+ - Configurable retries in response to read or write failures.
|
||||
|
||||
nbdfuse:
|
||||
- If you write beyond the end of the virtual file, it returns EIO.
|
||||
diff --git a/copy/Makefile.am b/copy/Makefile.am
|
||||
index d318388..3406cd8 100644
|
||||
--- a/copy/Makefile.am
|
||||
+++ b/copy/Makefile.am
|
||||
@@ -1,5 +1,5 @@
|
||||
# nbd client library in userspace
|
||||
-# Copyright (C) 2020 Red Hat Inc.
|
||||
+# Copyright (C) 2020-2022 Red Hat Inc.
|
||||
#
|
||||
# This library is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU Lesser General Public
|
||||
@@ -30,6 +30,7 @@ EXTRA_DIST = \
|
||||
copy-nbd-to-small-nbd-error.sh \
|
||||
copy-nbd-to-sparse-file.sh \
|
||||
copy-nbd-to-stdout.sh \
|
||||
+ copy-nbd-error.sh \
|
||||
copy-progress-bar.sh \
|
||||
copy-sparse.sh \
|
||||
copy-sparse-allocated.sh \
|
||||
@@ -105,6 +106,7 @@ TESTS += \
|
||||
copy-nbd-to-sparse-file.sh \
|
||||
copy-stdin-to-nbd.sh \
|
||||
copy-nbd-to-stdout.sh \
|
||||
+ copy-nbd-error.sh \
|
||||
copy-progress-bar.sh \
|
||||
copy-sparse.sh \
|
||||
copy-sparse-allocated.sh \
|
||||
diff --git a/copy/copy-nbd-error.sh b/copy/copy-nbd-error.sh
|
||||
new file mode 100755
|
||||
index 0000000..bba71db
|
||||
--- /dev/null
|
||||
+++ b/copy/copy-nbd-error.sh
|
||||
@@ -0,0 +1,81 @@
|
||||
+#!/usr/bin/env bash
|
||||
+# nbd client library in userspace
|
||||
+# Copyright (C) 2022 Red Hat Inc.
|
||||
+#
|
||||
+# This library is free software; you can redistribute it and/or
|
||||
+# modify it under the terms of the GNU Lesser General Public
|
||||
+# License as published by the Free Software Foundation; either
|
||||
+# version 2 of the License, or (at your option) any later version.
|
||||
+#
|
||||
+# This library is distributed in the hope that it will be useful,
|
||||
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+# Lesser General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU Lesser General Public
|
||||
+# License along with this library; if not, write to the Free Software
|
||||
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
+
|
||||
+# Tests several scenarios of handling NBD server errors
|
||||
+# Serves as a regression test for the CVE-2022-0485 fix.
|
||||
+
|
||||
+. ../tests/functions.sh
|
||||
+
|
||||
+set -e
|
||||
+set -x
|
||||
+
|
||||
+requires nbdkit --exit-with-parent --version
|
||||
+requires nbdkit --filter=noextents null --version
|
||||
+requires nbdkit --filter=error pattern --version
|
||||
+requires nbdkit --filter=nozero memory --version
|
||||
+
|
||||
+fail=0
|
||||
+
|
||||
+# Failure to get block status should not be fatal, but merely downgrade to
|
||||
+# reading the entire image as if data
|
||||
+echo "Testing extents failures on source"
|
||||
+$VG nbdcopy -- [ nbdkit --exit-with-parent -v --filter=error pattern 5M \
|
||||
+ error-extents-rate=1 ] [ nbdkit --exit-with-parent -v null 5M ] || fail=1
|
||||
+
|
||||
+# Failure to read should be fatal
|
||||
+echo "Testing read failures on non-sparse source"
|
||||
+$VG nbdcopy -- [ nbdkit --exit-with-parent -v --filter=error pattern 5M \
|
||||
+ error-pread-rate=1 ] [ nbdkit --exit-with-parent -v null 5M ] && fail=1
|
||||
+
|
||||
+# However, reliable block status on a sparse image can avoid the need to read
|
||||
+echo "Testing read failures on sparse source"
|
||||
+$VG nbdcopy -- [ nbdkit --exit-with-parent -v --filter=error null 5M \
|
||||
+ error-pread-rate=1 ] [ nbdkit --exit-with-parent -v null 5M ] || fail=1
|
||||
+
|
||||
+# Failure to write data should be fatal
|
||||
+echo "Testing write data failures on arbitrary destination"
|
||||
+$VG nbdcopy -- [ nbdkit --exit-with-parent -v pattern 5M ] \
|
||||
+ [ nbdkit --exit-with-parent -v --filter=error --filter=noextents \
|
||||
+ memory 5M error-pwrite-rate=1 ] && fail=1
|
||||
+
|
||||
+# However, writing zeroes can bypass the need for normal writes
|
||||
+echo "Testing write data failures from sparse source"
|
||||
+$VG nbdcopy -- [ nbdkit --exit-with-parent -v null 5M ] \
|
||||
+ [ nbdkit --exit-with-parent -v --filter=error --filter=noextents \
|
||||
+ memory 5M error-pwrite-rate=1 ] || fail=1
|
||||
+
|
||||
+# Failure to write zeroes should be fatal
|
||||
+echo "Testing write zero failures on arbitrary destination"
|
||||
+$VG nbdcopy -- [ nbdkit --exit-with-parent -v null 5M ] \
|
||||
+ [ nbdkit --exit-with-parent -v --filter=error memory 5M \
|
||||
+ error-trim-rate=1 error-zero-rate=1 ] && fail=1
|
||||
+
|
||||
+# However, assuming/learning destination is zero can skip need to write
|
||||
+echo "Testing write failures on pre-zeroed destination"
|
||||
+$VG nbdcopy --destination-is-zero -- \
|
||||
+ [ nbdkit --exit-with-parent -v null 5M ] \
|
||||
+ [ nbdkit --exit-with-parent -v --filter=error memory 5M \
|
||||
+ error-pwrite-rate=1 error-zero-rate=1 ] || fail=1
|
||||
+
|
||||
+# Likewise, when write zero is not advertised, fallback to normal write works
|
||||
+echo "Testing write zeroes to destination without zero support"
|
||||
+$VG nbdcopy -- [ nbdkit --exit-with-parent -v null 5M ] \
|
||||
+ [ nbdkit --exit-with-parent -v --filter=nozero --filter=error memory 5M \
|
||||
+ error-zero-rate=1 ] || fail=1
|
||||
+
|
||||
+exit $fail
|
||||
diff --git a/copy/file-ops.c b/copy/file-ops.c
|
||||
index cc312b4..b19af04 100644
|
||||
--- a/copy/file-ops.c
|
||||
+++ b/copy/file-ops.c
|
||||
@@ -162,10 +162,8 @@ file_asynch_read (struct rw *rw,
|
||||
|
||||
file_synch_read (rw, slice_ptr (command->slice),
|
||||
command->slice.len, command->offset);
|
||||
- if (cb.callback (cb.user_data, &dummy) == -1) {
|
||||
- perror (rw->name);
|
||||
- exit (EXIT_FAILURE);
|
||||
- }
|
||||
+ /* file_synch_read called exit() on error */
|
||||
+ cb.callback (cb.user_data, &dummy);
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -177,10 +175,8 @@ file_asynch_write (struct rw *rw,
|
||||
|
||||
file_synch_write (rw, slice_ptr (command->slice),
|
||||
command->slice.len, command->offset);
|
||||
- if (cb.callback (cb.user_data, &dummy) == -1) {
|
||||
- perror (rw->name);
|
||||
- exit (EXIT_FAILURE);
|
||||
- }
|
||||
+ /* file_synch_write called exit() on error */
|
||||
+ cb.callback (cb.user_data, &dummy);
|
||||
}
|
||||
|
||||
static bool
|
||||
@@ -206,10 +202,7 @@ file_asynch_zero (struct rw *rw, struct command *command,
|
||||
|
||||
if (!file_synch_zero (rw, command->offset, command->slice.len))
|
||||
return false;
|
||||
- if (cb.callback (cb.user_data, &dummy) == -1) {
|
||||
- perror (rw->name);
|
||||
- exit (EXIT_FAILURE);
|
||||
- }
|
||||
+ cb.callback (cb.user_data, &dummy);
|
||||
return true;
|
||||
}
|
||||
|
||||
diff --git a/copy/multi-thread-copying.c b/copy/multi-thread-copying.c
|
||||
index 2593ff7..28749ae 100644
|
||||
--- a/copy/multi-thread-copying.c
|
||||
+++ b/copy/multi-thread-copying.c
|
||||
@@ -28,6 +28,7 @@
|
||||
#include <errno.h>
|
||||
#include <assert.h>
|
||||
#include <sys/stat.h>
|
||||
+#include <inttypes.h>
|
||||
|
||||
#include <pthread.h>
|
||||
|
||||
@@ -374,6 +375,12 @@ finished_read (void *vp, int *error)
|
||||
{
|
||||
struct command *command = vp;
|
||||
|
||||
+ if (*error) {
|
||||
+ fprintf (stderr, "read at offset %" PRId64 " failed: %s\n",
|
||||
+ command->offset, strerror (*error));
|
||||
+ exit (EXIT_FAILURE);
|
||||
+ }
|
||||
+
|
||||
if (allocated || sparse_size == 0) {
|
||||
/* If sparseness detection (see below) is turned off then we write
|
||||
* the whole command.
|
||||
@@ -552,6 +559,12 @@ free_command (void *vp, int *error)
|
||||
struct command *command = vp;
|
||||
struct buffer *buffer = command->slice.buffer;
|
||||
|
||||
+ if (*error) {
|
||||
+ fprintf (stderr, "write at offset %" PRId64 " failed: %s\n",
|
||||
+ command->offset, strerror (*error));
|
||||
+ exit (EXIT_FAILURE);
|
||||
+ }
|
||||
+
|
||||
if (buffer != NULL) {
|
||||
if (--buffer->refs == 0) {
|
||||
free (buffer->data);
|
||||
diff --git a/copy/nbdcopy.h b/copy/nbdcopy.h
|
||||
index 3dcc6df..9626a52 100644
|
||||
--- a/copy/nbdcopy.h
|
||||
+++ b/copy/nbdcopy.h
|
||||
@@ -1,5 +1,5 @@
|
||||
/* NBD client library in userspace.
|
||||
- * Copyright (C) 2020 Red Hat Inc.
|
||||
+ * Copyright (C) 2020-2022 Red Hat Inc.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
@@ -134,7 +134,8 @@ struct rw_ops {
|
||||
bool (*synch_zero) (struct rw *rw, uint64_t offset, uint64_t count);
|
||||
|
||||
/* Asynchronous I/O operations. These start the operation and call
|
||||
- * 'cb' on completion.
|
||||
+ * 'cb' on completion. 'cb' will return 1, for auto-retiring with
|
||||
+ * asynchronous libnbd calls.
|
||||
*
|
||||
* The file_ops versions are actually implemented synchronously, but
|
||||
* still call 'cb'.
|
||||
@@ -156,7 +157,7 @@ struct rw_ops {
|
||||
nbd_completion_callback cb);
|
||||
|
||||
/* Asynchronously zero. command->slice.buffer is not used. If not possible,
|
||||
- * returns false.
|
||||
+ * returns false. 'cb' must be called only if returning true.
|
||||
*/
|
||||
bool (*asynch_zero) (struct rw *rw, struct command *command,
|
||||
nbd_completion_callback cb);
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,145 @@
|
||||
From 764fc45a258c08177d01b6b6b6a0e431ee29089a Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Mon, 24 Jun 2024 11:49:07 +0100
|
||||
Subject: [PATCH] interop: Pass -DCERTS and -DPSK as strings
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Rather than implicitly defining the certificates dir or PSK file in
|
||||
interop.c, pass the actual paths from the Makefile.
|
||||
|
||||
This also allows -DCERTS=NULL which is interpreted as not calling
|
||||
nbd_set_tls_certificates at all. This makes the test added in a
|
||||
subsequent commit possible.
|
||||
|
||||
No real change here, just refactoring the tests.
|
||||
|
||||
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
(cherry picked from commit 69ab18442994c68f749e2b84b91d41031ebbb088)
|
||||
(cherry picked from commit 33d7f3aa8e3cf8c826a534107529e1d409c0c004)
|
||||
---
|
||||
interop/Makefile.am | 18 +++++++++---------
|
||||
interop/interop.c | 11 ++++++-----
|
||||
2 files changed, 15 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/interop/Makefile.am b/interop/Makefile.am
|
||||
index ac12d84a..4cdc55e9 100644
|
||||
--- a/interop/Makefile.am
|
||||
+++ b/interop/Makefile.am
|
||||
@@ -100,7 +100,7 @@ interop_nbd_server_tls_CPPFLAGS = \
|
||||
-DSERVER=\"$(NBD_SERVER)\" \
|
||||
-DSERVER_PARAMS='"-d", "-C", "nbd-server-tls.conf", "0", TMPFILE' \
|
||||
-DEXPORT_NAME='""' \
|
||||
- -DCERTS=1 \
|
||||
+ -DCERTS='"../tests/pki"' \
|
||||
-DTLS_MODE=LIBNBD_TLS_REQUIRE \
|
||||
$(NULL)
|
||||
interop_nbd_server_tls_LDADD = \
|
||||
@@ -186,7 +186,7 @@ interop_qemu_nbd_tls_certs_CPPFLAGS = \
|
||||
-DSERVER=\"$(QEMU_NBD)\" \
|
||||
-DSERVER_PARAMS='"--object", "tls-creds-x509,id=tls0,endpoint=server,dir=$(abs_top_builddir)/tests/pki", "--tls-creds", "tls0", "-f", "raw", "-x", "/", TMPFILE' \
|
||||
-DEXPORT_NAME='"/"' \
|
||||
- -DCERTS=1 \
|
||||
+ -DCERTS='"../tests/pki"' \
|
||||
-DTLS_MODE=LIBNBD_TLS_REQUIRE \
|
||||
$(NULL)
|
||||
interop_qemu_nbd_tls_certs_LDADD = \
|
||||
@@ -208,7 +208,7 @@ interop_qemu_nbd_tls_psk_CPPFLAGS = \
|
||||
-DSERVER=\"$(QEMU_NBD)\" \
|
||||
-DSERVER_PARAMS='"--object", "tls-creds-psk,id=tls0,endpoint=server,dir=$(abs_top_builddir)/tests", "--tls-creds", "tls0", "-f", "raw", "-x", "/", TMPFILE' \
|
||||
-DEXPORT_NAME='"/"' \
|
||||
- -DPSK=1 \
|
||||
+ -DPSK='"../tests/keys.psk"' \
|
||||
-DTLS_MODE=LIBNBD_TLS_REQUIRE \
|
||||
$(NULL)
|
||||
interop_qemu_nbd_tls_psk_LDADD = \
|
||||
@@ -323,7 +323,7 @@ interop_nbdkit_tls_certs_CPPFLAGS = \
|
||||
-DNEEDS_TMPFILE=1 \
|
||||
-DSERVER=\"$(NBDKIT)\" \
|
||||
-DSERVER_PARAMS='"--tls=require", "--tls-certificates=../tests/pki", "-s", "--exit-with-parent", "file", TMPFILE' \
|
||||
- -DCERTS=1 \
|
||||
+ -DCERTS='"../tests/pki"' \
|
||||
-DTLS_MODE=LIBNBD_TLS_REQUIRE \
|
||||
$(NULL)
|
||||
interop_nbdkit_tls_certs_LDADD = \
|
||||
@@ -342,7 +342,7 @@ interop_nbdkit_tls_certs_allow_enabled_CPPFLAGS = \
|
||||
-DNEEDS_TMPFILE=1 \
|
||||
-DSERVER=\"$(NBDKIT)\" \
|
||||
-DSERVER_PARAMS='"--tls=require", "--tls-certificates=../tests/pki", "-s", "--exit-with-parent", "file", TMPFILE' \
|
||||
- -DCERTS=1 \
|
||||
+ -DCERTS='"../tests/pki"' \
|
||||
-DTLS_MODE=LIBNBD_TLS_ALLOW \
|
||||
$(NULL)
|
||||
interop_nbdkit_tls_certs_allow_enabled_LDADD = \
|
||||
@@ -361,7 +361,7 @@ interop_nbdkit_tls_certs_allow_fallback_CPPFLAGS = \
|
||||
-DNEEDS_TMPFILE=1 \
|
||||
-DSERVER=\"$(NBDKIT)\" \
|
||||
-DSERVER_PARAMS='"--tls=off", "-s", "--exit-with-parent", "file", TMPFILE' \
|
||||
- -DCERTS=1 \
|
||||
+ -DCERTS='"../tests/pki"' \
|
||||
-DTLS_MODE=LIBNBD_TLS_ALLOW \
|
||||
-DTLS_FALLBACK=1 \
|
||||
$(NULL)
|
||||
@@ -381,7 +381,7 @@ interop_nbdkit_tls_psk_CPPFLAGS = \
|
||||
-DNEEDS_TMPFILE=1 \
|
||||
-DSERVER=\"$(NBDKIT)\" \
|
||||
-DSERVER_PARAMS='"--tls=require", "--tls-psk=../tests/keys.psk", "-s", "--exit-with-parent", "file", TMPFILE' \
|
||||
- -DPSK=1 \
|
||||
+ -DPSK='"../tests/keys.psk"' \
|
||||
-DTLS_MODE=LIBNBD_TLS_REQUIRE \
|
||||
$(NULL)
|
||||
interop_nbdkit_tls_psk_LDADD = \
|
||||
@@ -400,7 +400,7 @@ interop_nbdkit_tls_psk_allow_enabled_CPPFLAGS = \
|
||||
-DNEEDS_TMPFILE=1 \
|
||||
-DSERVER=\"$(NBDKIT)\" \
|
||||
-DSERVER_PARAMS='"--tls=require", "--tls-psk=../tests/keys.psk", "-s", "--exit-with-parent", "file", TMPFILE' \
|
||||
- -DPSK=1 \
|
||||
+ -DPSK='"../tests/keys.psk"' \
|
||||
-DTLS_MODE=LIBNBD_TLS_ALLOW \
|
||||
$(NULL)
|
||||
interop_nbdkit_tls_psk_allow_enabled_LDADD = \
|
||||
@@ -419,7 +419,7 @@ interop_nbdkit_tls_psk_allow_fallback_CPPFLAGS = \
|
||||
-DNEEDS_TMPFILE=1 \
|
||||
-DSERVER=\"$(NBDKIT)\" \
|
||||
-DSERVER_PARAMS='"--tls=off", "-s", "--exit-with-parent", "file", TMPFILE' \
|
||||
- -DPSK=1 \
|
||||
+ -DPSK='"../tests/keys.psk"' \
|
||||
-DTLS_MODE=LIBNBD_TLS_ALLOW \
|
||||
-DTLS_FALLBACK=1 \
|
||||
$(NULL)
|
||||
diff --git a/interop/interop.c b/interop/interop.c
|
||||
index 20e101d4..d4d6671e 100644
|
||||
--- a/interop/interop.c
|
||||
+++ b/interop/interop.c
|
||||
@@ -41,7 +41,7 @@
|
||||
|
||||
#define SIZE (1024*1024)
|
||||
|
||||
-#if CERTS || PSK
|
||||
+#if defined(CERTS) || defined(PSK)
|
||||
#define TLS 1
|
||||
#ifndef TLS_MODE
|
||||
#error "TLS_MODE must be defined when using CERTS || PSK"
|
||||
@@ -149,13 +149,14 @@ main (int argc, char *argv[])
|
||||
}
|
||||
#endif
|
||||
|
||||
-#if CERTS
|
||||
- if (nbd_set_tls_certificates (nbd, "../tests/pki") == -1) {
|
||||
+#if defined(CERTS)
|
||||
+ const char *certs = CERTS;
|
||||
+ if (certs && nbd_set_tls_certificates (nbd, certs) == -1) {
|
||||
fprintf (stderr, "%s\n", nbd_get_error ());
|
||||
exit (EXIT_FAILURE);
|
||||
}
|
||||
-#elif PSK
|
||||
- if (nbd_set_tls_psk_file (nbd, "../tests/keys.psk") == -1) {
|
||||
+#elif defined(PSK)
|
||||
+ if (nbd_set_tls_psk_file (nbd, PSK) == -1) {
|
||||
fprintf (stderr, "%s\n", nbd_get_error ());
|
||||
exit (EXIT_FAILURE);
|
||||
}
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,53 @@
|
||||
From fcb7d28e4dd2ab438c6070e7e5b1aae54cc75f28 Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Mon, 24 Jun 2024 13:54:48 +0100
|
||||
Subject: [PATCH] interop: Add -DEXPECT_FAIL=1 where we expect the test to fail
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
(cherry picked from commit c7a8df4f78f2c1901f5c532f262dadd6cce84750)
|
||||
(cherry picked from commit 175ee89f4a64c52cdb1412a2a72fc8c52fecaf93)
|
||||
---
|
||||
interop/interop.c | 14 +++++++++++++-
|
||||
1 file changed, 13 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/interop/interop.c b/interop/interop.c
|
||||
index d4d6671e..469327ee 100644
|
||||
--- a/interop/interop.c
|
||||
+++ b/interop/interop.c
|
||||
@@ -78,6 +78,7 @@ main (int argc, char *argv[])
|
||||
int64_t actual_size;
|
||||
char buf[512];
|
||||
size_t i;
|
||||
+ int r;
|
||||
|
||||
/* Check requirements or skip the test. */
|
||||
#ifdef REQUIRES
|
||||
@@ -174,10 +175,21 @@ main (int argc, char *argv[])
|
||||
#else
|
||||
#define NBD_CONNECT nbd_connect_command
|
||||
#endif
|
||||
- if (NBD_CONNECT (nbd, args) == -1) {
|
||||
+ r = NBD_CONNECT (nbd, args);
|
||||
+#if EXPECT_FAIL
|
||||
+ if (r != -1) {
|
||||
+ fprintf (stderr, "%s: expected connection to fail but it did not\n",
|
||||
+ argv[0]);
|
||||
+ exit (EXIT_FAILURE);
|
||||
+ }
|
||||
+ exit (EXIT_SUCCESS);
|
||||
+ /*NOTREACHED*/
|
||||
+#else
|
||||
+ if (r == -1) {
|
||||
fprintf (stderr, "%s\n", nbd_get_error ());
|
||||
exit (EXIT_FAILURE);
|
||||
}
|
||||
+#endif
|
||||
|
||||
#if TLS
|
||||
if (TLS_MODE == LIBNBD_TLS_REQUIRE) {
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,84 @@
|
||||
From c20ac23a9a3673cca863974ec53f9129392fd447 Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Mon, 24 Jun 2024 11:39:01 +0100
|
||||
Subject: [PATCH] interop: Test interop with a bad system CA
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This is expected to fail now.
|
||||
|
||||
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
(cherry picked from commit 1c7db8f3337632f0395dac9b13cf03b100cf1a4a)
|
||||
(cherry picked from commit cb3519eeefa788b8fef466bf9394eefa9d6a6c18)
|
||||
---
|
||||
.gitignore | 1 +
|
||||
interop/Makefile.am | 26 ++++++++++++++++++++++++++
|
||||
2 files changed, 27 insertions(+)
|
||||
|
||||
diff --git a/.gitignore b/.gitignore
|
||||
index 0b1cf764..597043e1 100644
|
||||
--- a/.gitignore
|
||||
+++ b/.gitignore
|
||||
@@ -113,6 +113,7 @@ Makefile.in
|
||||
/interop/interop-nbdkit-tls-certs
|
||||
/interop/interop-nbdkit-tls-certs-allow-enabled
|
||||
/interop/interop-nbdkit-tls-certs-allow-fallback
|
||||
+/interop/interop-nbdkit-tls-certs-bad-CA
|
||||
/interop/interop-nbdkit-tls-psk
|
||||
/interop/interop-nbdkit-tls-psk-allow-enabled
|
||||
/interop/interop-nbdkit-tls-psk-allow-fallback
|
||||
diff --git a/interop/Makefile.am b/interop/Makefile.am
|
||||
index 4cdc55e9..bc974b99 100644
|
||||
--- a/interop/Makefile.am
|
||||
+++ b/interop/Makefile.am
|
||||
@@ -281,6 +281,7 @@ check_PROGRAMS += \
|
||||
interop-nbdkit-tls-certs \
|
||||
interop-nbdkit-tls-certs-allow-enabled \
|
||||
interop-nbdkit-tls-certs-allow-fallback \
|
||||
+ interop-nbdkit-tls-certs-bad-CA \
|
||||
interop-nbdkit-tls-psk \
|
||||
interop-nbdkit-tls-psk-allow-enabled \
|
||||
interop-nbdkit-tls-psk-allow-fallback \
|
||||
@@ -292,6 +293,7 @@ TESTS += \
|
||||
interop-nbdkit-tls-certs \
|
||||
interop-nbdkit-tls-certs-allow-enabled \
|
||||
interop-nbdkit-tls-certs-allow-fallback \
|
||||
+ interop-nbdkit-tls-certs-bad-CA \
|
||||
interop-nbdkit-tls-psk \
|
||||
interop-nbdkit-tls-psk-allow-enabled \
|
||||
interop-nbdkit-tls-psk-allow-fallback \
|
||||
@@ -370,6 +372,30 @@ interop_nbdkit_tls_certs_allow_fallback_LDADD = \
|
||||
$(GNUTLS_LIBS) \
|
||||
$(NULL)
|
||||
|
||||
+# In this test, nbdkit offers a server certificate signed by our CA in
|
||||
+# the tests/pki directory, but we deliberately tell libnbd to test
|
||||
+# against the system CA (-DCERTS=NULL). This is expected to fail the
|
||||
+# connection with the error:
|
||||
+# libnbd: debug: nbd1: nbd_connect_command: handle dead: nbd_connect_command: gnutls_handshake: Error in the certificate verification. (15/1)
|
||||
+interop_nbdkit_tls_certs_bad_CA_SOURCES = \
|
||||
+ interop.c \
|
||||
+ requires.c \
|
||||
+ ../tests/requires.h \
|
||||
+ $(NULL)
|
||||
+interop_nbdkit_tls_certs_bad_CA_CPPFLAGS = \
|
||||
+ $(AM_CPPFLAGS) \
|
||||
+ -DREQUIRES=' requires ("test -d ../tests/pki"); ' \
|
||||
+ -DSERVER=\"$(NBDKIT)\" \
|
||||
+ -DSERVER_PARAMS='"--tls=require", "--tls-certificates=../tests/pki", "-s", "--exit-with-parent", "null"' \
|
||||
+ -DCERTS=NULL \
|
||||
+ -DTLS_MODE=LIBNBD_TLS_REQUIRE \
|
||||
+ -DEXPECT_FAIL=1 \
|
||||
+ $(NULL)
|
||||
+interop_nbdkit_tls_certs_bad_CA_LDADD = \
|
||||
+ $(top_builddir)/lib/libnbd.la \
|
||||
+ $(GNUTLS_LIBS) \
|
||||
+ $(NULL)
|
||||
+
|
||||
interop_nbdkit_tls_psk_SOURCES = \
|
||||
interop.c \
|
||||
requires.c \
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,89 @@
|
||||
From a2541de206b3560fdfadf5dfada2cac1b69c09a1 Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Tue, 25 Jun 2024 11:12:56 +0100
|
||||
Subject: [PATCH] lib/uri.c: Allow tls-verify-peer to be overridden in URIs
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Older versions of libnbd didn't always check the server certificate.
|
||||
Since some clients might be depending on this, allow
|
||||
?tls-verify-peer=false in URIs to skip this check.
|
||||
|
||||
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
(cherry picked from commit 75641c6b30155abce272f60cf3518a65654aa401)
|
||||
(cherry picked from commit b12466821fc534fb68d5b8e695832ee03496e0af)
|
||||
---
|
||||
generator/API.ml | 5 +++++
|
||||
lib/uri.c | 32 ++++++++++++++++++++++++++++++++
|
||||
2 files changed, 37 insertions(+)
|
||||
|
||||
diff --git a/generator/API.ml b/generator/API.ml
|
||||
index c4547615..f2752f25 100644
|
||||
--- a/generator/API.ml
|
||||
+++ b/generator/API.ml
|
||||
@@ -1994,6 +1994,11 @@ Note this is not allowed by default - see next section.
|
||||
Set the PSK file. See L<nbd_set_tls_psk_file(3)>. Note
|
||||
this is not allowed by default - see next section.
|
||||
|
||||
+=item B<tls-verify-peer=false>
|
||||
+
|
||||
+Do not verify the server certificate. See L<nbd_set_tls_verify_peer(3)>.
|
||||
+The default is C<true>.
|
||||
+
|
||||
=back
|
||||
|
||||
=head2 Disable URI features
|
||||
diff --git a/lib/uri.c b/lib/uri.c
|
||||
index 0c8e87cf..969e88be 100644
|
||||
--- a/lib/uri.c
|
||||
+++ b/lib/uri.c
|
||||
@@ -150,6 +150,31 @@ parse_uri_queries (const char *query_raw, uri_query_list *list)
|
||||
return -1;
|
||||
}
|
||||
|
||||
+/* Similar to nbdkit_parse_bool */
|
||||
+int
|
||||
+parse_bool (const char *param, const char *value)
|
||||
+{
|
||||
+ if (!strcmp (value, "1") ||
|
||||
+ !strcasecmp (value, "true") ||
|
||||
+ !strcasecmp (value, "t") ||
|
||||
+ !strcasecmp (value, "yes") ||
|
||||
+ !strcasecmp (value, "y") ||
|
||||
+ !strcasecmp (value, "on"))
|
||||
+ return 1;
|
||||
+
|
||||
+ if (!strcmp (value, "0") ||
|
||||
+ !strcasecmp (value, "false") ||
|
||||
+ !strcasecmp (value, "f") ||
|
||||
+ !strcasecmp (value, "no") ||
|
||||
+ !strcasecmp (value, "n") ||
|
||||
+ !strcasecmp (value, "off"))
|
||||
+ return 0;
|
||||
+
|
||||
+ set_error (EINVAL, "could not parse %s parameter, expecting %s=true|false",
|
||||
+ param, param);
|
||||
+ return -1;
|
||||
+}
|
||||
+
|
||||
int
|
||||
nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri)
|
||||
{
|
||||
@@ -298,6 +323,13 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri)
|
||||
if (nbd_unlocked_set_tls_psk_file (h, queries.ptr[i].value) == -1)
|
||||
goto cleanup;
|
||||
}
|
||||
+ else if (strcasecmp (queries.ptr[i].name, "tls-verify-peer") == 0) {
|
||||
+ int v = parse_bool ("tls-verify-peer", queries.ptr[i].value);
|
||||
+ if (v == -1)
|
||||
+ goto cleanup;
|
||||
+ if (nbd_unlocked_set_tls_verify_peer (h, v) == -1)
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
}
|
||||
|
||||
/* Username. */
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,31 @@
|
||||
From dfa2a23c7638e325694101fe81b5330ceede68f9 Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Tue, 25 Jun 2024 17:53:47 +0100
|
||||
Subject: [PATCH] docs: security: Add link to TLS server certificate checking
|
||||
announcement
|
||||
|
||||
(cherry picked from commit 9c723aa660c6ee7d224afbfc16eb7450d21fb9cf)
|
||||
(cherry picked from commit 820f45a58fda50dc7d5e126c55403e33824cffe4)
|
||||
---
|
||||
docs/libnbd-security.pod | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/docs/libnbd-security.pod b/docs/libnbd-security.pod
|
||||
index 216efa43..c9960d8c 100644
|
||||
--- a/docs/libnbd-security.pod
|
||||
+++ b/docs/libnbd-security.pod
|
||||
@@ -45,6 +45,11 @@ negative size result from nbd_get_size(3)
|
||||
See the full announcement here:
|
||||
L<https://listman.redhat.com/archives/libguestfs/2023-September/032711.html>
|
||||
|
||||
+=head2 multiple flaws in TLS server certificate checking
|
||||
+
|
||||
+See the full announcement here:
|
||||
+L<https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/LHR3BW6RJ7K4BJBQIYV3GTZLSY27VZO2/>
|
||||
+
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<libnbd(3)>.
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,32 @@
|
||||
From 8334404ee0883dcfa90697b6fdae541ed4751b79 Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Thu, 1 Aug 2024 15:17:29 +0100
|
||||
Subject: [PATCH] docs/libnbd-security.pod: Assign CVE-2024-7383
|
||||
|
||||
CVE-2024-7383 was assigned to the (already published & fixed) flaws
|
||||
found in libnbd certificate checking.
|
||||
|
||||
Reported-by: Jon Szymaniak
|
||||
Thanks: Mauro Matteo Cascella
|
||||
(cherry picked from commit 81a22ac6697ccdeb13509aba3072609251d1378b)
|
||||
---
|
||||
docs/libnbd-security.pod | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/docs/libnbd-security.pod b/docs/libnbd-security.pod
|
||||
index c9960d8c..ece0cf5a 100644
|
||||
--- a/docs/libnbd-security.pod
|
||||
+++ b/docs/libnbd-security.pod
|
||||
@@ -45,7 +45,8 @@ negative size result from nbd_get_size(3)
|
||||
See the full announcement here:
|
||||
L<https://listman.redhat.com/archives/libguestfs/2023-September/032711.html>
|
||||
|
||||
-=head2 multiple flaws in TLS server certificate checking
|
||||
+=head2 CVE-2024-7383
|
||||
+multiple flaws in TLS server certificate checking
|
||||
|
||||
See the full announcement here:
|
||||
L<https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/LHR3BW6RJ7K4BJBQIYV3GTZLSY27VZO2/>
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,17 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAmU2izoRHHJpY2hAYW5u
|
||||
ZXhpYS5vcmcACgkQkXOPc+G3aKA+txAAkLeWdvH2ryibEyqMeyejvh9vMgQO5I46
|
||||
LaygI8jDi+XG+rGy7imiwIxxWvyCZI3y2U5MFudLZoFi+gCyVAC+LeBxjF41NBGz
|
||||
fbgwFaQHrCbxyLlsj9OcR6M0+EPU8NXXPPGgXZNcnf7tHNZkTO0OGS9chml0wXHA
|
||||
Zx9WheHl6wbLTVIAtLWOJqzRQj80RlcPC+De1wZL+WFMPMkfF8L8K5FRNsfeTIXn
|
||||
l31d1R0g5QOMTTqBiKE2iopPmVmA5uC/adWCuqF3mzzjzCkHp+Ux/Ys99tkCETrU
|
||||
jUuHgJ+1pYjn4Lmt/HUwXQZD3L+RkNAWWQziY/3ejK31tGxZqR/XTwq5RPrc6Qs1
|
||||
/zuoWvSWJZZo9yvX1Iq2RQAaZF5724V/svm+HgaCakaK8EJEj6sntM0OhAl2pRC4
|
||||
G45Kb2o7k016WgL8plNOlrbHNxaruBcPrkFYDMoyy3KLnWaw3OYMARTD5w/Pd4dC
|
||||
CJa3tIXIKedhXw9xDtEWfxiKIHfO+LBHBMjpW9KzP/oxE2akmcJZJT+JNpsrpdzV
|
||||
O6mbVDPedWd5LQQ1bNmwzxkCsMEC9HFhVbCaTuYuSXe/By04Norns4xyEJyDXlG/
|
||||
QqFgEUS8R+V9xwYHoAPg5RUmycXubSmm64iTAQNqc46QsxeP0Va7gpbrPLe5qVk/
|
||||
irUsxdBhGIM=
|
||||
=pgmp
|
||||
-----END PGP SIGNATURE-----
|
@ -1,17 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAl/3RFQRHHJpY2hAYW5u
|
||||
ZXhpYS5vcmcACgkQkXOPc+G3aKD9aw/+Pfg3owjJmhTcCyFvuH2lgiiBb+qL2An+
|
||||
hsoax6dM5JxzV6x1Ikgn3C8z2+dLRMowo2FrRgpzTwfaS+ngLDipSC04hKl9MhFN
|
||||
7OPLCm+L7wcP7KUk4cC0qTSHpHkApo2SP3/bD7vVBYZMYSjgUVFcRoqZlRl3N9RF
|
||||
7XNsxA2YG9bV4Ln3KbB+k2uxIKNUZIVjmEpretVbb+NTKW9C23ZHicSHYB+Eok1M
|
||||
iTN6j66rYFn0Xb+L2v7jty19tSdYOMbkdSn0KpniURAWevjjVWGqcojMqW4YuAZ5
|
||||
h2MpRfyKFyusbsbtX5bjICTu6+AgFFUALKH7ReDs1RY1cEph9XdBLVulXTggxY05
|
||||
E3I1Nns1YmjRlV6ky2Abl2e+Doc44mycINRlwL2q8+Q3TqlVVPFXoVTWxIJ6/Uae
|
||||
tqnEwWIa2wGv3KU1KLNbWTn1z6I8NM/Nj+7pMKDNnxJzFmHEjL94tmG+iNmHsF34
|
||||
vWBZ1q7h9EezxHLOPFYDjlpS+IxeuXakbpuTX2jXvi3zSAbr5WmRR1uO8dAiwu9b
|
||||
RwOHRmVQOFLAAICYTZDmxl42DpWs5Z2aP7eRwpe8/MOSRiAVepjhUD/bsdaFwmBR
|
||||
8Z7CGNzyTtt+sy5l7cPBYZ+4RdxWgFEBceBbHs06zdlD/Pui288UQVB/0e9AXYOc
|
||||
wluyWT1v7sA=
|
||||
=BaN1
|
||||
-----END PGP SIGNATURE-----
|
Loading…
Reference in new issue