summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47712.patch166
-rw-r--r--meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb3
2 files changed, 168 insertions, 1 deletions
diff --git a/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47712.patch b/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47712.patch
new file mode 100644
index 0000000000..0bd34f0995
--- /dev/null
+++ b/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47712.patch
@@ -0,0 +1,166 @@
1From fcc4b6e49c9e90b83de5619bba5c828b0e0dea45 Mon Sep 17 00:00:00 2001
2From: Gyorgy Sarvari <skandigraun@gmail.com>
3Date: Tue, 22 Apr 2025 19:53:39 -0500
4Subject: [PATCH 2/2] blocksize: Fix 32-bit overflow in .extents
5 [CVE-2025-47712]
6
7From: Eric Blake <eblake@redhat.com>
8
9If the original request is larger than 2**32 - minblock, then we were
10calling nbdkit_extents_aligned() with a count that rounded up then
11overflowed to 0 instead of the intended 4G because of overflowing a
1232-bit type, which in turn causes an assertion failure:
13
14nbdkit: ../../server/backend.c:814: backend_extents: Assertion `backend_valid_range (c, offset, count)' failed.
15
16The fix is to force the rounding to be in a 64-bit type from the
17get-go.
18
19The ability for a well-behaved client to cause the server to die from
20an assertion failure can be used as a denial of service attack against
21other clients. Mitigations: if you requrire the use of TLS, then you
22can ensure that you only have trusted clients that won't trigger a
23block status call that large. Also, the problem only occurs when
24using the blocksize filter, although setting the filter's maxlen
25parameter to a smaller value than its default of 2**32-1 does not
26help.
27
28Fixes: 2680be00 ('blocksize: Fix .extents when plugin changes type within minblock', v1.21.16)
29Signed-off-by: Eric Blake <eblake@redhat.com>
30Message-ID: <20250423210917.1784789-3-eblake@redhat.com>
31Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
32
33CVE: CVE-2025-47712
34Upstream-Status: Backport [https://gitlab.com/nbdkit/nbdkit/-/commit/a486f88d1eea653ea88b0bf8804c4825dab25ec7]
35Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
36---
37 filters/blocksize/blocksize.c | 5 +-
38 tests/Makefile.am | 2 +
39 tests/test-blocksize-extents-overflow.sh | 83 ++++++++++++++++++++++++
40 3 files changed, 88 insertions(+), 2 deletions(-)
41 create mode 100755 tests/test-blocksize-extents-overflow.sh
42
43diff --git a/filters/blocksize/blocksize.c b/filters/blocksize/blocksize.c
44index 09195cea..e5c8b744 100644
45--- a/filters/blocksize/blocksize.c
46+++ b/filters/blocksize/blocksize.c
47@@ -482,8 +482,9 @@ blocksize_extents (nbdkit_next *next,
48 return -1;
49 }
50
51- if (nbdkit_extents_aligned (next, MIN (ROUND_UP (count, h->minblock),
52- h->maxlen),
53+ if (nbdkit_extents_aligned (next,
54+ MIN (ROUND_UP ((uint64_t) count, h->minblock),
55+ h->maxlen),
56 ROUND_DOWN (offset, h->minblock), flags,
57 h->minblock, extents2, err) == -1)
58 return -1;
59diff --git a/tests/Makefile.am b/tests/Makefile.am
60index 36ac1e16..a6fb1993 100644
61--- a/tests/Makefile.am
62+++ b/tests/Makefile.am
63@@ -1473,12 +1473,14 @@ test_layers_filter3_la_LIBADD = $(IMPORT_LIBRARY_ON_WINDOWS)
64 TESTS += \
65 test-blocksize.sh \
66 test-blocksize-extents.sh \
67+ test-blocksize-extents-overflow.sh \
68 test-blocksize-default.sh \
69 test-blocksize-sharding.sh \
70 $(NULL)
71 EXTRA_DIST += \
72 test-blocksize.sh \
73 test-blocksize-extents.sh \
74+ test-blocksize-extents-overflow.sh \
75 test-blocksize-default.sh \
76 test-blocksize-sharding.sh \
77 $(NULL)
78diff --git a/tests/test-blocksize-extents-overflow.sh b/tests/test-blocksize-extents-overflow.sh
79new file mode 100755
80index 00000000..844c3999
81--- /dev/null
82+++ b/tests/test-blocksize-extents-overflow.sh
83@@ -0,0 +1,83 @@
84+#!/usr/bin/env bash
85+# nbdkit
86+# Copyright Red Hat
87+#
88+# Redistribution and use in source and binary forms, with or without
89+# modification, are permitted provided that the following conditions are
90+# met:
91+#
92+# * Redistributions of source code must retain the above copyright
93+# notice, this list of conditions and the following disclaimer.
94+#
95+# * Redistributions in binary form must reproduce the above copyright
96+# notice, this list of conditions and the following disclaimer in the
97+# documentation and/or other materials provided with the distribution.
98+#
99+# * Neither the name of Red Hat nor the names of its contributors may be
100+# used to endorse or promote products derived from this software without
101+# specific prior written permission.
102+#
103+# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND
104+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
105+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
106+# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
107+# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
108+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
109+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
110+# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
111+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
112+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
113+# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
114+# SUCH DAMAGE.
115+
116+# Demonstrate a fix for a bug where blocksize overflowed 32 bits
117+
118+source ./functions.sh
119+set -e
120+set -x
121+
122+requires_run
123+requires_plugin eval
124+requires_nbdsh_uri
125+requires nbdsh --base-allocation --version
126+
127+# Script a sparse server that requires 512-byte aligned requests.
128+exts='
129+if test $(( ($3|$4) & 511 )) != 0; then
130+ echo "EINVAL request unaligned" 2>&1
131+ exit 1
132+fi
133+echo 0 5G 0
134+'
135+
136+# We also need an nbdsh script to parse all extents, coalescing adjacent
137+# types for simplicity.
138+# FIXME: Once nbdkit plugin version 3 allows 64-bit block extents, run
139+# this test twice, once for each bit size (32-bit needs 2 extents, 64-bit
140+# will get the same result with only 1 extent).
141+export script='
142+size = h.get_size()
143+offs = 0
144+entries = []
145+def f(metacontext, offset, e, err):
146+ global entries
147+ global offs
148+ assert offs == offset
149+ for length, flags in zip(*[iter(e)] * 2):
150+ if entries and flags == entries[-1][1]:
151+ entries[-1] = (entries[-1][0] + length, flags)
152+ else:
153+ entries.append((length, flags))
154+ offs = offs + length
155+
156+# Test a loop over the entire device
157+while offs < size:
158+ len = min(size - offs, 2**32-1)
159+ h.block_status(len, offs, f)
160+assert entries == [(5 * 2**30, 0)]
161+'
162+
163+# Now run everything
164+nbdkit --filter=blocksize eval minblock=512 \
165+ get_size='echo 5G' pread='exit 1' extents="$exts" \
166+ --run 'nbdsh --base-allocation -u "$uri" -c "$script"'
diff --git a/meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb b/meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb
index 0c83991b4d..dd1e52214b 100644
--- a/meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb
+++ b/meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb
@@ -11,7 +11,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=26250adec854bc317493f6fb98efe049"
11 11
12SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \ 12SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \
13 file://0001-plugins-Avoid-absolute-buildpaths-in-binaries.patch \ 13 file://0001-plugins-Avoid-absolute-buildpaths-in-binaries.patch \
14 file://CVE-2025-47711.patch" 14 file://CVE-2025-47711.patch \
15 file://CVE-2025-47712.patch"
15SRCREV = "6c02c6a469d62a047f230b0ccf03f72328312d2b" 16SRCREV = "6c02c6a469d62a047f230b0ccf03f72328312d2b"
16 17
17S = "${WORKDIR}/git" 18S = "${WORKDIR}/git"