corosync: fix CVE-2025-30472

Corosync through 3.1.9, if encryption is disabled or the attacker knows the encryption key, has a stack-based buffer overflow in orf_token_endian_convert in exec/totemsrp.c via a large UDP packet. References: https://nvd.nist.gov/vuln/detail/CVE-2025-30472 Upstream patches: https://github.com/corosync/corosync/commit/7839990f9cdf34e55435ed90109e82709032466a Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
author: Jiaying Song <jiaying.song.cn@windriver.com> 2025-04-14 13:07:00 +0800
committer: Armin Kuster <akuster808@gmail.com> 2025-04-20 13:42:58 -0400
commit: 709ab51234c8cc230dc4b53b76d87c08583a808c (patch)
tree: 16cd686e3ac43b3cbeaae6a134e716dad421734f
parent: f8dddbfcbfe502cb71375a7a907e61a92e8d4474 (diff)
download: meta-openembedded-709ab51234c8cc230dc4b53b76d87c08583a808c.tar.gz
2 files changed, 75 insertions, 0 deletions
diff --git a/meta-networking/recipes-extended/corosync/corosync/0001-totemsrp-Check-size-of-orf_token-msg.patch b/meta-networking/recipes-extended/corosync/corosync/0001-totemsrp-Check-size-of-orf_token-msg.patch
new file mode 100644
index 0000000000..fa446624fd
--- /dev/null
+++ b/meta-networking/recipes-extended/corosync/corosync/0001-totemsrp-Check-size-of-orf_token-msg.patch
@@ -0,0 +1,74 @@
+From 8a9e16384720f1837f4676baf62807a441c1e7f1 Mon Sep 17 00:00:00 2001
+From: Jan Friesse <jfriesse@redhat.com>
+Date: Mon, 24 Mar 2025 12:05:08 +0100
+Subject: [PATCH] totemsrp: Check size of orf_token msg
+orf_token message is stored into preallocated array on endian convert
+so carefully crafted malicious message can lead to crash of corosync.
+Solution is to check message size beforehand.
+Upstream-Status: Backport
+[https://github.com/corosync/corosync/commit/7839990f9cdf34e55435ed90109e82709032466a]
+CVE: CVE-2025-30472
+Signed-off-by: Jan Friesse <jfriesse@redhat.com>
+Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ exec/totemsrp.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+diff --git a/exec/totemsrp.c b/exec/totemsrp.c
+index d8e960a..1e417e5 100644
+--- a/exec/totemsrp.c
+++ b/exec/totemsrp.c
+@@ -3637,12 +3637,20 @@ static int check_orf_token_sanity(
+        const struct totemsrp_instance *instance,
+        const void *msg,
+        size_t msg_len,
+       size_t max_msg_len,
+        int endian_conversion_needed)
+ {
+        int rtr_entries;
+        const struct orf_token *token = (const struct orf_token *)msg;
+        size_t required_len;
+ 
+       if (msg_len > max_msg_len) {
+               log_printf (instance->totemsrp_log_level_security,
+                   "Received orf_token message is too long...  ignoring.");
+
+               return (-1);
+       }
+
+        if (msg_len < sizeof(struct orf_token)) {
+                log_printf (instance->totemsrp_log_level_security,
+                    "Received orf_token message is too short...  ignoring.");
+@@ -3656,6 +3664,13 @@ static int check_orf_token_sanity(
+                rtr_entries = token->rtr_list_entries;
+        }
+ 
+       if (rtr_entries > RETRANSMIT_ENTRIES_MAX) {
+               log_printf (instance->totemsrp_log_level_security,
+                   "Received orf_token message rtr_entries is corrupted...  ignoring.");
+
+               return (-1);
+       }
+
+        required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item);
+        if (msg_len < required_len) {
+                log_printf (instance->totemsrp_log_level_security,
+@@ -3824,7 +3839,8 @@ static int message_handler_orf_token (
+        "Time since last token %0.4f ms", ((float)tv_diff) / 1000000.0);
+ #endif
+ 
+-       if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) {
+       if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage),
+           endian_conversion_needed) == -1) {
+                return (0);
+        }
+ 
+-- 
+2.34.1
diff --git a/meta-networking/recipes-extended/corosync/corosync_3.0.3.bb b/meta-networking/recipes-extended/corosync/corosync_3.0.3.bb
index ec2a785277..7c5e23ca2f 100644
--- a/meta-networking/recipes-extended/corosync/corosync_3.0.3.bb
+++ b/meta-networking/recipes-extended/corosync/corosync_3.0.3.bb
@@ -9,6 +9,7 @@ inherit autotools pkgconfig systemd
 SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.gz \
           file://corosync.conf \
+           file://0001-totemsrp-Check-size-of-orf_token-msg.patch \
          "
 SRC_URI[sha256sum] = "20eb903eb984f6a728282c199825e442e8bba869acefd22390076ef3a33a4ded"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+\.(?!99)\d+(\.\d+)+)"
author	Jiaying Song <jiaying.song.cn@windriver.com>	2025-04-14 13:07:00 +0800
committer	Armin Kuster <akuster808@gmail.com>	2025-04-20 13:42:58 -0400
commit	709ab51234c8cc230dc4b53b76d87c08583a808c (patch)
tree	16cd686e3ac43b3cbeaae6a134e716dad421734f
parent	f8dddbfcbfe502cb71375a7a907e61a92e8d4474 (diff)
download	meta-openembedded-709ab51234c8cc230dc4b53b76d87c08583a808c.tar.gz

diff --git a/meta-networking/recipes-extended/corosync/corosync/0001-totemsrp-Check-size-of-orf_token-msg.patch b/meta-networking/recipes-extended/corosync/corosync/0001-totemsrp-Check-size-of-orf_token-msg.patch new file mode 100644 index 0000000000..fa446624fd --- /dev/null +++ b/meta-networking/recipes-extended/corosync/corosync/0001-totemsrp-Check-size-of-orf_token-msg.patch
@@ -0,0 +1,74 @@
		1	From 8a9e16384720f1837f4676baf62807a441c1e7f1 Mon Sep 17 00:00:00 2001
		2	From: Jan Friesse <jfriesse@redhat.com>
		3	Date: Mon, 24 Mar 2025 12:05:08 +0100
		4	Subject: [PATCH] totemsrp: Check size of orf_token msg
		5
		6	orf_token message is stored into preallocated array on endian convert
		7	so carefully crafted malicious message can lead to crash of corosync.
		8
		9	Solution is to check message size beforehand.
		10
		11	Upstream-Status: Backport
		12	[https://github.com/corosync/corosync/commit/7839990f9cdf34e55435ed90109e82709032466a]
		13
		14	CVE: CVE-2025-30472
		15
		16	Signed-off-by: Jan Friesse <jfriesse@redhat.com>
		17	Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
		18	Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
		19	---
		20	exec/totemsrp.c \| 18 +++++++++++++++++-
		21	1 file changed, 17 insertions(+), 1 deletion(-)
		22
		23	diff --git a/exec/totemsrp.c b/exec/totemsrp.c
		24	index d8e960a..1e417e5 100644
		25	--- a/exec/totemsrp.c
		26	+++ b/exec/totemsrp.c
		27	@@ -3637,12 +3637,20 @@ static int check_orf_token_sanity(
		28	const struct totemsrp_instance *instance,
		29	const void *msg,
		30	size_t msg_len,
		31	+ size_t max_msg_len,
		32	int endian_conversion_needed)
		33	{
		34	int rtr_entries;
		35	const struct orf_token token = (const struct orf_token )msg;
		36	size_t required_len;
		37
		38	+ if (msg_len > max_msg_len) {
		39	+ log_printf (instance->totemsrp_log_level_security,
		40	+ "Received orf_token message is too long... ignoring.");
		41	+
		42	+ return (-1);
		43	+ }
		44	+
		45	if (msg_len < sizeof(struct orf_token)) {
		46	log_printf (instance->totemsrp_log_level_security,
		47	"Received orf_token message is too short... ignoring.");
		48	@@ -3656,6 +3664,13 @@ static int check_orf_token_sanity(
		49	rtr_entries = token->rtr_list_entries;
		50	}
		51
		52	+ if (rtr_entries > RETRANSMIT_ENTRIES_MAX) {
		53	+ log_printf (instance->totemsrp_log_level_security,
		54	+ "Received orf_token message rtr_entries is corrupted... ignoring.");
		55	+
		56	+ return (-1);
		57	+ }
		58	+
		59	required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item);
		60	if (msg_len < required_len) {
		61	log_printf (instance->totemsrp_log_level_security,
		62	@@ -3824,7 +3839,8 @@ static int message_handler_orf_token (
		63	"Time since last token %0.4f ms", ((float)tv_diff) / 1000000.0);
		64	#endif
		65
		66	- if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) {
		67	+ if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage),
		68	+ endian_conversion_needed) == -1) {
		69	return (0);
		70	}
		71
		72	--
		73	2.34.1
		74


diff --git a/meta-networking/recipes-extended/corosync/corosync_3.0.3.bb b/meta-networking/recipes-extended/corosync/corosync_3.0.3.bb index ec2a785277..7c5e23ca2f 100644 --- a/meta-networking/recipes-extended/corosync/corosync_3.0.3.bb +++ b/meta-networking/recipes-extended/corosync/corosync_3.0.3.bb
@@ -9,6 +9,7 @@ inherit autotools pkgconfig systemd
9		9
10	SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.gz \	10	SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.gz \
11	file://corosync.conf \	11	file://corosync.conf \
		12	file://0001-totemsrp-Check-size-of-orf_token-msg.patch \
12	"	13	"
13	SRC_URI[sha256sum] = "20eb903eb984f6a728282c199825e442e8bba869acefd22390076ef3a33a4ded"	14	SRC_URI[sha256sum] = "20eb903eb984f6a728282c199825e442e8bba869acefd22390076ef3a33a4ded"
14	UPSTREAM_CHECK_REGEX = "(?P<pver>\d+\.(?!99)\d+(\.\d+)+)"	15	UPSTREAM_CHECK_REGEX = "(?P<pver>\d+\.(?!99)\d+(\.\d+)+)"