nbdkit: patch CVE-2025-47712

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-47712 Pick the patch from the project's repository which explicitly mentions this vulnerability ID. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2025-12-28 14:39:28 +0100
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2026-01-08 22:03:02 +0100
commit: 2ab2b6060992367a4a2b603a6068078f9d32e443 (patch)
tree: 53dcc9f58c6b598d21da71e37c775c00afa9965d /meta-networking
parent: 4a97186719ef0367b5841d7b92e4672b83d91db8 (diff)
download: meta-openembedded-2ab2b6060992367a4a2b603a6068078f9d32e443.tar.gz
2 files changed, 163 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47712.patch b/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47712.patch
new file mode 100644
index 0000000000..84b0ad89f2
--- /dev/null
+++ b/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47712.patch
@@ -0,0 +1,162 @@
+From 4290f04d6fd9321fffcf09c0507a4f394e19f087 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Tue, 22 Apr 2025 19:53:39 -0500
+Subject: [PATCH] blocksize: Fix 32-bit overflow in .extents [CVE-2025-47712]
+If the original request is larger than 2**32 - minblock, then we were
+calling nbdkit_extents_aligned() with a count that rounded up then
+overflowed to 0 instead of the intended 4G because of overflowing a
+32-bit type, which in turn causes an assertion failure:
+nbdkit: ../../server/backend.c:814: backend_extents: Assertion `backend_valid_range (c, offset, count)' failed.
+The fix is to force the rounding to be in a 64-bit type from the
+get-go.
+The ability for a well-behaved client to cause the server to die from
+an assertion failure can be used as a denial of service attack against
+other clients.  Mitigations: if you requrire the use of TLS, then you
+can ensure that you only have trusted clients that won't trigger a
+block status call that large.  Also, the problem only occurs when
+using the blocksize filter, although setting the filter's maxlen
+parameter to a smaller value than its default of 2**32-1 does not
+help.
+Fixes: 2680be00 ('blocksize: Fix .extents when plugin changes type within minblock', v1.21.16)
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-ID: <20250423210917.1784789-3-eblake@redhat.com>
+Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
+CVE: CVE-2025-47712
+Upstream-Status: Backport [https://gitlab.com/nbdkit/nbdkit/-/commit/a486f88d1eea653ea88b0bf8804c4825dab25ec7]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ filters/blocksize/blocksize.c            |  5 +-
+ tests/Makefile.am                        |  2 +
+ tests/test-blocksize-extents-overflow.sh | 83 ++++++++++++++++++++++++
+ 3 files changed, 88 insertions(+), 2 deletions(-)
+ create mode 100755 tests/test-blocksize-extents-overflow.sh
+diff --git a/filters/blocksize/blocksize.c b/filters/blocksize/blocksize.c
+index 03da4971..b06f78b3 100644
+--- a/filters/blocksize/blocksize.c
+++ b/filters/blocksize/blocksize.c
+@@ -474,8 +474,9 @@ blocksize_extents (nbdkit_next *next,
+     return -1;
+   }
+ 
+-  if (nbdkit_extents_aligned (next, MIN (ROUND_UP (count, h->minblock),
+-                                         h->maxlen),
+  if (nbdkit_extents_aligned (next,
+                              MIN (ROUND_UP ((uint64_t) count, h->minblock),
+                                   h->maxlen),
+                               ROUND_DOWN (offset, h->minblock), flags,
+                               h->minblock, extents2, err) == -1)
+     return -1;
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 8ddf73d1..a38a37bc 100644
+--- a/tests/Makefile.am
+++ b/tests/Makefile.am
+@@ -1415,11 +1415,13 @@ test_layers_filter3_la_LIBADD = $(IMPORT_LIBRARY_ON_WINDOWS)
+ TESTS += \
+        test-blocksize.sh \
+        test-blocksize-extents.sh \
+       test-blocksize-extents-overflow.sh \
+        test-blocksize-default.sh \
+        $(NULL)
+ EXTRA_DIST += \
+        test-blocksize.sh \
+        test-blocksize-extents.sh \
+       test-blocksize-extents-overflow.sh \
+        test-blocksize-default.sh \
+        $(NULL)
+ 
+diff --git a/tests/test-blocksize-extents-overflow.sh b/tests/test-blocksize-extents-overflow.sh
+new file mode 100755
+index 00000000..844c3999
+--- /dev/null
+++ b/tests/test-blocksize-extents-overflow.sh
+@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+# nbdkit
+# Copyright Red Hat
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# * Neither the name of Red Hat nor the names of its contributors may be
+# used to endorse or promote products derived from this software without
+# specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
+# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+# Demonstrate a fix for a bug where blocksize overflowed 32 bits
+
+source ./functions.sh
+set -e
+set -x
+
+requires_run
+requires_plugin eval
+requires_nbdsh_uri
+requires nbdsh --base-allocation --version
+
+# Script a sparse server that requires 512-byte aligned requests.
+exts='
+if test $(( ($3|$4) & 511 )) != 0; then
+  echo "EINVAL request unaligned" 2>&1
+  exit 1
+fi
+echo 0 5G 0
+'
+
+# We also need an nbdsh script to parse all extents, coalescing adjacent
+# types for simplicity.
+# FIXME: Once nbdkit plugin version 3 allows 64-bit block extents, run
+# this test twice, once for each bit size (32-bit needs 2 extents, 64-bit
+# will get the same result with only 1 extent).
+export script='
+size = h.get_size()
+offs = 0
+entries = []
+def f(metacontext, offset, e, err):
+    global entries
+    global offs
+    assert offs == offset
+    for length, flags in zip(*[iter(e)] * 2):
+        if entries and flags == entries[-1][1]:
+            entries[-1] = (entries[-1][0] + length, flags)
+        else:
+            entries.append((length, flags))
+        offs = offs + length
+
+# Test a loop over the entire device
+while offs < size:
+    len = min(size - offs, 2**32-1)
+    h.block_status(len, offs, f)
+assert entries == [(5 * 2**30, 0)]
+'
+
+# Now run everything
+nbdkit --filter=blocksize eval minblock=512 \
+       get_size='echo 5G' pread='exit 1' extents="$exts" \
+       --run 'nbdsh --base-allocation -u "$uri" -c "$script"'
diff --git a/meta-networking/recipes-support/nbdkit/nbdkit_1.30.2.bb b/meta-networking/recipes-support/nbdkit/nbdkit_1.30.2.bb
index d5b51f0e8d..7996c43752 100644
--- a/meta-networking/recipes-support/nbdkit/nbdkit_1.30.2.bb
+++ b/meta-networking/recipes-support/nbdkit/nbdkit_1.30.2.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=f9dcc2d8acdde215fa4bd6ac12bb14f0"
 SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \
           file://CVE-2025-47711.patch \
+           file://CVE-2025-47712.patch \
           "
 SRCREV = "b59380e061fdf0f114c13c226ea2a508f2c067d0"
author	Gyorgy Sarvari <skandigraun@gmail.com>	2025-12-28 14:39:28 +0100
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2026-01-08 22:03:02 +0100
commit	2ab2b6060992367a4a2b603a6068078f9d32e443 (patch)
tree	53dcc9f58c6b598d21da71e37c775c00afa9965d /meta-networking
parent	4a97186719ef0367b5841d7b92e4672b83d91db8 (diff)
download	meta-openembedded-2ab2b6060992367a4a2b603a6068078f9d32e443.tar.gz

diff --git a/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47712.patch b/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47712.patch new file mode 100644 index 0000000000..84b0ad89f2 --- /dev/null +++ b/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47712.patch
@@ -0,0 +1,162 @@
		1	From 4290f04d6fd9321fffcf09c0507a4f394e19f087 Mon Sep 17 00:00:00 2001
		2	From: Eric Blake <eblake@redhat.com>
		3	Date: Tue, 22 Apr 2025 19:53:39 -0500
		4	Subject: [PATCH] blocksize: Fix 32-bit overflow in .extents [CVE-2025-47712]
		5
		6	If the original request is larger than 2**32 - minblock, then we were
		7	calling nbdkit_extents_aligned() with a count that rounded up then
		8	overflowed to 0 instead of the intended 4G because of overflowing a
		9	32-bit type, which in turn causes an assertion failure:
		10
		11	nbdkit: ../../server/backend.c:814: backend_extents: Assertion `backend_valid_range (c, offset, count)' failed.
		12
		13	The fix is to force the rounding to be in a 64-bit type from the
		14	get-go.
		15
		16	The ability for a well-behaved client to cause the server to die from
		17	an assertion failure can be used as a denial of service attack against
		18	other clients. Mitigations: if you requrire the use of TLS, then you
		19	can ensure that you only have trusted clients that won't trigger a
		20	block status call that large. Also, the problem only occurs when
		21	using the blocksize filter, although setting the filter's maxlen
		22	parameter to a smaller value than its default of 2**32-1 does not
		23	help.
		24
		25	Fixes: 2680be00 ('blocksize: Fix .extents when plugin changes type within minblock', v1.21.16)
		26	Signed-off-by: Eric Blake <eblake@redhat.com>
		27	Message-ID: <20250423210917.1784789-3-eblake@redhat.com>
		28	Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
		29
		30	CVE: CVE-2025-47712
		31	Upstream-Status: Backport [https://gitlab.com/nbdkit/nbdkit/-/commit/a486f88d1eea653ea88b0bf8804c4825dab25ec7]
		32	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		33	---
		34	filters/blocksize/blocksize.c \| 5 +-
		35	tests/Makefile.am \| 2 +
		36	tests/test-blocksize-extents-overflow.sh \| 83 ++++++++++++++++++++++++
		37	3 files changed, 88 insertions(+), 2 deletions(-)
		38	create mode 100755 tests/test-blocksize-extents-overflow.sh
		39
		40	diff --git a/filters/blocksize/blocksize.c b/filters/blocksize/blocksize.c
		41	index 03da4971..b06f78b3 100644
		42	--- a/filters/blocksize/blocksize.c
		43	+++ b/filters/blocksize/blocksize.c
		44	@@ -474,8 +474,9 @@ blocksize_extents (nbdkit_next *next,
		45	return -1;
		46	}
		47
		48	- if (nbdkit_extents_aligned (next, MIN (ROUND_UP (count, h->minblock),
		49	- h->maxlen),
		50	+ if (nbdkit_extents_aligned (next,
		51	+ MIN (ROUND_UP ((uint64_t) count, h->minblock),
		52	+ h->maxlen),
		53	ROUND_DOWN (offset, h->minblock), flags,
		54	h->minblock, extents2, err) == -1)
		55	return -1;
		56	diff --git a/tests/Makefile.am b/tests/Makefile.am
		57	index 8ddf73d1..a38a37bc 100644
		58	--- a/tests/Makefile.am
		59	+++ b/tests/Makefile.am
		60	@@ -1415,11 +1415,13 @@ test_layers_filter3_la_LIBADD = $(IMPORT_LIBRARY_ON_WINDOWS)
		61	TESTS += \
		62	test-blocksize.sh \
		63	test-blocksize-extents.sh \
		64	+ test-blocksize-extents-overflow.sh \
		65	test-blocksize-default.sh \
		66	$(NULL)
		67	EXTRA_DIST += \
		68	test-blocksize.sh \
		69	test-blocksize-extents.sh \
		70	+ test-blocksize-extents-overflow.sh \
		71	test-blocksize-default.sh \
		72	$(NULL)
		73
		74	diff --git a/tests/test-blocksize-extents-overflow.sh b/tests/test-blocksize-extents-overflow.sh
		75	new file mode 100755
		76	index 00000000..844c3999
		77	--- /dev/null
		78	+++ b/tests/test-blocksize-extents-overflow.sh
		79	@@ -0,0 +1,83 @@
		80	+#!/usr/bin/env bash
		81	+# nbdkit
		82	+# Copyright Red Hat
		83	+#
		84	+# Redistribution and use in source and binary forms, with or without
		85	+# modification, are permitted provided that the following conditions are
		86	+# met:
		87	+#
		88	+# * Redistributions of source code must retain the above copyright
		89	+# notice, this list of conditions and the following disclaimer.
		90	+#
		91	+# * Redistributions in binary form must reproduce the above copyright
		92	+# notice, this list of conditions and the following disclaimer in the
		93	+# documentation and/or other materials provided with the distribution.
		94	+#
		95	+# * Neither the name of Red Hat nor the names of its contributors may be
		96	+# used to endorse or promote products derived from this software without
		97	+# specific prior written permission.
		98	+#
		99	+# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND
		100	+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
		101	+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
		102	+# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
		103	+# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
		104	+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
		105	+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
		106	+# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
		107	+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
		108	+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
		109	+# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
		110	+# SUCH DAMAGE.
		111	+
		112	+# Demonstrate a fix for a bug where blocksize overflowed 32 bits
		113	+
		114	+source ./functions.sh
		115	+set -e
		116	+set -x
		117	+
		118	+requires_run
		119	+requires_plugin eval
		120	+requires_nbdsh_uri
		121	+requires nbdsh --base-allocation --version
		122	+
		123	+# Script a sparse server that requires 512-byte aligned requests.
		124	+exts='
		125	+if test $(( ($3\|$4) & 511 )) != 0; then
		126	+ echo "EINVAL request unaligned" 2>&1
		127	+ exit 1
		128	+fi
		129	+echo 0 5G 0
		130	+'
		131	+
		132	+# We also need an nbdsh script to parse all extents, coalescing adjacent
		133	+# types for simplicity.
		134	+# FIXME: Once nbdkit plugin version 3 allows 64-bit block extents, run
		135	+# this test twice, once for each bit size (32-bit needs 2 extents, 64-bit
		136	+# will get the same result with only 1 extent).
		137	+export script='
		138	+size = h.get_size()
		139	+offs = 0
		140	+entries = []
		141	+def f(metacontext, offset, e, err):
		142	+ global entries
		143	+ global offs
		144	+ assert offs == offset
		145	+ for length, flags in zip([iter(e)] 2):
		146	+ if entries and flags == entries[-1][1]:
		147	+ entries[-1] = (entries[-1][0] + length, flags)
		148	+ else:
		149	+ entries.append((length, flags))
		150	+ offs = offs + length
		151	+
		152	+# Test a loop over the entire device
		153	+while offs < size:
		154	+ len = min(size - offs, 2**32-1)
		155	+ h.block_status(len, offs, f)
		156	+assert entries == [(5 * 2**30, 0)]
		157	+'
		158	+
		159	+# Now run everything
		160	+nbdkit --filter=blocksize eval minblock=512 \
		161	+ get_size='echo 5G' pread='exit 1' extents="$exts" \
		162	+ --run 'nbdsh --base-allocation -u "$uri" -c "$script"'


diff --git a/meta-networking/recipes-support/nbdkit/nbdkit_1.30.2.bb b/meta-networking/recipes-support/nbdkit/nbdkit_1.30.2.bb index d5b51f0e8d..7996c43752 100644 --- a/meta-networking/recipes-support/nbdkit/nbdkit_1.30.2.bb +++ b/meta-networking/recipes-support/nbdkit/nbdkit_1.30.2.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=f9dcc2d8acdde215fa4bd6ac12bb14f0"
11		11
12	SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \	12	SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \
13	file://CVE-2025-47711.patch \	13	file://CVE-2025-47711.patch \
		14	file://CVE-2025-47712.patch \
14	"	15	"
15		16
16	SRCREV = "b59380e061fdf0f114c13c226ea2a508f2c067d0"	17	SRCREV = "b59380e061fdf0f114c13c226ea2a508f2c067d0"