diff options
| author | Gyorgy Sarvari <skandigraun@gmail.com> | 2025-11-30 21:35:10 +0100 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2025-12-03 10:31:34 +0530 |
| commit | ffb8d52faee0b4dd28d8f02f8a52e864d2a43561 (patch) | |
| tree | a30bb6afbfa7f61dc3ce5c00d3be3d38807979c3 /meta-networking | |
| parent | 8f602e1cfada7bce18d01c2422bed871102e5af6 (diff) | |
| download | meta-openembedded-ffb8d52faee0b4dd28d8f02f8a52e864d2a43561.tar.gz | |
nbdkit: patch CVE-2025-47711
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-47711
Pick the patch from the repository which explicitly mentions
this CVE ID.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-networking')
| -rw-r--r-- | meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47711.patch | 172 | ||||
| -rw-r--r-- | meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb | 3 |
2 files changed, 174 insertions, 1 deletions
diff --git a/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47711.patch b/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47711.patch new file mode 100644 index 0000000000..a5eb519738 --- /dev/null +++ b/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47711.patch | |||
| @@ -0,0 +1,172 @@ | |||
| 1 | From 8b41004f101505fd13e0491c88570a00820ccdc2 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 3 | Date: Tue, 22 Apr 2025 17:01:12 -0500 | ||
| 4 | Subject: [PATCH 1/2] server: Fix off-by-one for maximum block_status length | ||
| 5 | [CVE-2025-47711] | ||
| 6 | |||
| 7 | From: Eric Blake <eblake@redhat.com> | ||
| 8 | |||
| 9 | There has been an off-by-one bug in the code for .extents since the | ||
| 10 | introduction of that callback. Remember, internally the code allows | ||
| 11 | plugins to report on extents with 64-bit lengths, but the protocol | ||
| 12 | only supports 32-bit block status calls (nbdkit will need to create | ||
| 13 | plugin version 3 before it can support NBD's newer 64-bit block | ||
| 14 | status). As such, the server loop intentionally truncates a plugin's | ||
| 15 | large extent to 2**32-1 bytes. But in the process of checking whether | ||
| 16 | the loop should exit early, or if any additional extents should be | ||
| 17 | reported to the client, the server used 'pos > offset+count' instead | ||
| 18 | of >=, which is one byte too far. If the client has requested exactly | ||
| 19 | 2**32-1 bytes, and the plugin's first extent has that same length, the | ||
| 20 | code erroneously proceeds on to the plugin's second extent. Worse, if | ||
| 21 | the plugin's first extent has 2**32 bytes or more, it was truncated to | ||
| 22 | 2**31-1 bytes, but not completely handled, and the failure to exit the | ||
| 23 | loop early means that the server then fails the assertion: | ||
| 24 | |||
| 25 | nbdkit: ../../server/protocol.c:505: extents_to_block_descriptors: | ||
| 26 | Assertion `e.length <= length' failed. | ||
| 27 | |||
| 28 | The single-byte fix addresses both symptoms, while the added test | ||
| 29 | demonstrates both when run on older nbdkit (the protocol violation | ||
| 30 | when the plugin returns 2**32-1 bytes in the first extent, and the | ||
| 31 | assertion failure when the plugin returns 2**32 or more bytes in the | ||
| 32 | first extent). | ||
| 33 | |||
| 34 | The problem can only be triggered by a client request for 2**32-1 | ||
| 35 | bytes; anything smaller is immune. The problem also does not occur | ||
| 36 | for plugins that do not return extents information beyond the client's | ||
| 37 | request, or if the first extent is smaller than the client's request. | ||
| 38 | |||
| 39 | The ability to cause the server to die from an assertion failure can | ||
| 40 | be used as a denial of service attack against other clients. | ||
| 41 | Mitigations: if you require the use of TLS, then you can ensure that | ||
| 42 | you only have trusted clients that won't trigger a block status call | ||
| 43 | of length 2**32-1 bytes. Also, you can use "--filter=blocksize-policy | ||
| 44 | blocksize-minimum=512" to reject block status attempts from clients | ||
| 45 | that are not sector-aligned. | ||
| 46 | |||
| 47 | Fixes: 26455d45 ('server: protocol: Implement Block Status "base:allocation".', v1.11.10) | ||
| 48 | Reported-by: Nikolay Ivanets <stenavin@gmail.com> | ||
| 49 | Signed-off-by: Eric Blake <eblake@redhat.com> | ||
| 50 | Message-ID: <20250423211953.GR1450@redhat.com> | ||
| 51 | Reviewed-by: Richard W.M. Jones <rjones@redhat.com> | ||
| 52 | |||
| 53 | CVE: CVE-2025-47711 | ||
| 54 | Upstream-Status: Backport [https://gitlab.com/nbdkit/nbdkit/-/commit/e6f96bd1b77c0cc927ce6aeff650b52238304f39] | ||
| 55 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 56 | --- | ||
| 57 | server/protocol.c | 2 +- | ||
| 58 | tests/Makefile.am | 2 ++ | ||
| 59 | tests/test-eval-extents.sh | 71 ++++++++++++++++++++++++++++++++++++++ | ||
| 60 | 3 files changed, 74 insertions(+), 1 deletion(-) | ||
| 61 | create mode 100755 tests/test-eval-extents.sh | ||
| 62 | |||
| 63 | diff --git a/server/protocol.c b/server/protocol.c | ||
| 64 | index d9a5e282..c32fec82 100644 | ||
| 65 | --- a/server/protocol.c | ||
| 66 | +++ b/server/protocol.c | ||
| 67 | @@ -493,7 +493,7 @@ extents_to_block_descriptors (struct nbdkit_extents *extents, | ||
| 68 | (*nr_blocks)++; | ||
| 69 | |||
| 70 | pos += length; | ||
| 71 | - if (pos > offset + count) /* this must be the last block */ | ||
| 72 | + if (pos >= offset + count) /* this must be the last block */ | ||
| 73 | break; | ||
| 74 | |||
| 75 | /* If we reach here then we must have consumed this whole | ||
| 76 | diff --git a/tests/Makefile.am b/tests/Makefile.am | ||
| 77 | index 9b846d24..36ac1e16 100644 | ||
| 78 | --- a/tests/Makefile.am | ||
| 79 | +++ b/tests/Makefile.am | ||
| 80 | @@ -781,6 +781,7 @@ TESTS += \ | ||
| 81 | test-eval.sh \ | ||
| 82 | test-eval-file.sh \ | ||
| 83 | test-eval-exports.sh \ | ||
| 84 | + test-eval-extents.sh \ | ||
| 85 | test-eval-cache.sh \ | ||
| 86 | test-eval-dump-plugin.sh \ | ||
| 87 | test-eval-disconnect.sh \ | ||
| 88 | @@ -789,6 +790,7 @@ EXTRA_DIST += \ | ||
| 89 | test-eval.sh \ | ||
| 90 | test-eval-file.sh \ | ||
| 91 | test-eval-exports.sh \ | ||
| 92 | + test-eval-extents.sh \ | ||
| 93 | test-eval-cache.sh \ | ||
| 94 | test-eval-dump-plugin.sh \ | ||
| 95 | test-eval-disconnect.sh \ | ||
| 96 | diff --git a/tests/test-eval-extents.sh b/tests/test-eval-extents.sh | ||
| 97 | new file mode 100755 | ||
| 98 | index 00000000..92b503e6 | ||
| 99 | --- /dev/null | ||
| 100 | +++ b/tests/test-eval-extents.sh | ||
| 101 | @@ -0,0 +1,71 @@ | ||
| 102 | +#!/usr/bin/env bash | ||
| 103 | +# nbdkit | ||
| 104 | +# Copyright Red Hat | ||
| 105 | +# | ||
| 106 | +# Redistribution and use in source and binary forms, with or without | ||
| 107 | +# modification, are permitted provided that the following conditions are | ||
| 108 | +# met: | ||
| 109 | +# | ||
| 110 | +# * Redistributions of source code must retain the above copyright | ||
| 111 | +# notice, this list of conditions and the following disclaimer. | ||
| 112 | +# | ||
| 113 | +# * Redistributions in binary form must reproduce the above copyright | ||
| 114 | +# notice, this list of conditions and the following disclaimer in the | ||
| 115 | +# documentation and/or other materials provided with the distribution. | ||
| 116 | +# | ||
| 117 | +# * Neither the name of Red Hat nor the names of its contributors may be | ||
| 118 | +# used to endorse or promote products derived from this software without | ||
| 119 | +# specific prior written permission. | ||
| 120 | +# | ||
| 121 | +# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND | ||
| 122 | +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, | ||
| 123 | +# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A | ||
| 124 | +# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR | ||
| 125 | +# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | ||
| 126 | +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT | ||
| 127 | +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF | ||
| 128 | +# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND | ||
| 129 | +# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | ||
| 130 | +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT | ||
| 131 | +# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||
| 132 | +# SUCH DAMAGE. | ||
| 133 | + | ||
| 134 | +source ./functions.sh | ||
| 135 | +set -e | ||
| 136 | +set -x | ||
| 137 | + | ||
| 138 | +requires_run | ||
| 139 | +requires_plugin eval | ||
| 140 | +requires_nbdsh_uri | ||
| 141 | +requires nbdsh --base-allocation --version | ||
| 142 | + | ||
| 143 | +files="eval-extents.out" | ||
| 144 | +rm -f $files | ||
| 145 | +cleanup_fn rm -f $files | ||
| 146 | + | ||
| 147 | +# Trigger an off-by-one bug introduced in v1.11.10 and fixed in v1.43.7 | ||
| 148 | +export script=' | ||
| 149 | +def f(context, offset, extents, status): | ||
| 150 | + print(extents) | ||
| 151 | + | ||
| 152 | +# First, probe where the server should return 2 extents. | ||
| 153 | +h.block_status(2**32-1, 2, f) | ||
| 154 | + | ||
| 155 | +# Next, probe where the server has exactly 2**32-1 bytes in its first extent. | ||
| 156 | +h.block_status(2**32-1, 1, f) | ||
| 157 | + | ||
| 158 | +# Now, probe where the first extent has to be truncated. | ||
| 159 | +h.block_status(2**32-1, 0, f) | ||
| 160 | +' | ||
| 161 | +nbdkit eval \ | ||
| 162 | + get_size='echo 5G' \ | ||
| 163 | + pread='dd if=/dev/zero count=$3 iflag=count_bytes' \ | ||
| 164 | + extents='echo 0 4G 1; echo 4G 1G 2' \ | ||
| 165 | + --run 'nbdsh --base-allocation --uri "$uri" -c "$script"' \ | ||
| 166 | + > eval-extents.out | ||
| 167 | +cat eval-extents.out | ||
| 168 | +diff -u - eval-extents.out <<EOF | ||
| 169 | +[4294967294, 1, 1073741824, 2] | ||
| 170 | +[4294967295, 1] | ||
| 171 | +[4294967295, 1] | ||
| 172 | +EOF | ||
diff --git a/meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb b/meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb index cdf2677f13..0c83991b4d 100644 --- a/meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb +++ b/meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb | |||
| @@ -10,7 +10,8 @@ LICENSE = "BSD-3-Clause" | |||
| 10 | LIC_FILES_CHKSUM = "file://LICENSE;md5=26250adec854bc317493f6fb98efe049" | 10 | LIC_FILES_CHKSUM = "file://LICENSE;md5=26250adec854bc317493f6fb98efe049" |
| 11 | 11 | ||
| 12 | SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \ | 12 | SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \ |
| 13 | file://0001-plugins-Avoid-absolute-buildpaths-in-binaries.patch" | 13 | file://0001-plugins-Avoid-absolute-buildpaths-in-binaries.patch \ |
| 14 | file://CVE-2025-47711.patch" | ||
| 14 | SRCREV = "6c02c6a469d62a047f230b0ccf03f72328312d2b" | 15 | SRCREV = "6c02c6a469d62a047f230b0ccf03f72328312d2b" |
| 15 | 16 | ||
| 16 | S = "${WORKDIR}/git" | 17 | S = "${WORKDIR}/git" |
