diff options
| -rw-r--r-- | meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47712.patch | 166 | ||||
| -rw-r--r-- | meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb | 3 |
2 files changed, 168 insertions, 1 deletions
diff --git a/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47712.patch b/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47712.patch new file mode 100644 index 0000000000..0bd34f0995 --- /dev/null +++ b/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47712.patch | |||
| @@ -0,0 +1,166 @@ | |||
| 1 | From fcc4b6e49c9e90b83de5619bba5c828b0e0dea45 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 3 | Date: Tue, 22 Apr 2025 19:53:39 -0500 | ||
| 4 | Subject: [PATCH 2/2] blocksize: Fix 32-bit overflow in .extents | ||
| 5 | [CVE-2025-47712] | ||
| 6 | |||
| 7 | From: Eric Blake <eblake@redhat.com> | ||
| 8 | |||
| 9 | If the original request is larger than 2**32 - minblock, then we were | ||
| 10 | calling nbdkit_extents_aligned() with a count that rounded up then | ||
| 11 | overflowed to 0 instead of the intended 4G because of overflowing a | ||
| 12 | 32-bit type, which in turn causes an assertion failure: | ||
| 13 | |||
| 14 | nbdkit: ../../server/backend.c:814: backend_extents: Assertion `backend_valid_range (c, offset, count)' failed. | ||
| 15 | |||
| 16 | The fix is to force the rounding to be in a 64-bit type from the | ||
| 17 | get-go. | ||
| 18 | |||
| 19 | The ability for a well-behaved client to cause the server to die from | ||
| 20 | an assertion failure can be used as a denial of service attack against | ||
| 21 | other clients. Mitigations: if you requrire the use of TLS, then you | ||
| 22 | can ensure that you only have trusted clients that won't trigger a | ||
| 23 | block status call that large. Also, the problem only occurs when | ||
| 24 | using the blocksize filter, although setting the filter's maxlen | ||
| 25 | parameter to a smaller value than its default of 2**32-1 does not | ||
| 26 | help. | ||
| 27 | |||
| 28 | Fixes: 2680be00 ('blocksize: Fix .extents when plugin changes type within minblock', v1.21.16) | ||
| 29 | Signed-off-by: Eric Blake <eblake@redhat.com> | ||
| 30 | Message-ID: <20250423210917.1784789-3-eblake@redhat.com> | ||
| 31 | Reviewed-by: Richard W.M. Jones <rjones@redhat.com> | ||
| 32 | |||
| 33 | CVE: CVE-2025-47712 | ||
| 34 | Upstream-Status: Backport [https://gitlab.com/nbdkit/nbdkit/-/commit/a486f88d1eea653ea88b0bf8804c4825dab25ec7] | ||
| 35 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 36 | --- | ||
| 37 | filters/blocksize/blocksize.c | 5 +- | ||
| 38 | tests/Makefile.am | 2 + | ||
| 39 | tests/test-blocksize-extents-overflow.sh | 83 ++++++++++++++++++++++++ | ||
| 40 | 3 files changed, 88 insertions(+), 2 deletions(-) | ||
| 41 | create mode 100755 tests/test-blocksize-extents-overflow.sh | ||
| 42 | |||
| 43 | diff --git a/filters/blocksize/blocksize.c b/filters/blocksize/blocksize.c | ||
| 44 | index 09195cea..e5c8b744 100644 | ||
| 45 | --- a/filters/blocksize/blocksize.c | ||
| 46 | +++ b/filters/blocksize/blocksize.c | ||
| 47 | @@ -482,8 +482,9 @@ blocksize_extents (nbdkit_next *next, | ||
| 48 | return -1; | ||
| 49 | } | ||
| 50 | |||
| 51 | - if (nbdkit_extents_aligned (next, MIN (ROUND_UP (count, h->minblock), | ||
| 52 | - h->maxlen), | ||
| 53 | + if (nbdkit_extents_aligned (next, | ||
| 54 | + MIN (ROUND_UP ((uint64_t) count, h->minblock), | ||
| 55 | + h->maxlen), | ||
| 56 | ROUND_DOWN (offset, h->minblock), flags, | ||
| 57 | h->minblock, extents2, err) == -1) | ||
| 58 | return -1; | ||
| 59 | diff --git a/tests/Makefile.am b/tests/Makefile.am | ||
| 60 | index 36ac1e16..a6fb1993 100644 | ||
| 61 | --- a/tests/Makefile.am | ||
| 62 | +++ b/tests/Makefile.am | ||
| 63 | @@ -1473,12 +1473,14 @@ test_layers_filter3_la_LIBADD = $(IMPORT_LIBRARY_ON_WINDOWS) | ||
| 64 | TESTS += \ | ||
| 65 | test-blocksize.sh \ | ||
| 66 | test-blocksize-extents.sh \ | ||
| 67 | + test-blocksize-extents-overflow.sh \ | ||
| 68 | test-blocksize-default.sh \ | ||
| 69 | test-blocksize-sharding.sh \ | ||
| 70 | $(NULL) | ||
| 71 | EXTRA_DIST += \ | ||
| 72 | test-blocksize.sh \ | ||
| 73 | test-blocksize-extents.sh \ | ||
| 74 | + test-blocksize-extents-overflow.sh \ | ||
| 75 | test-blocksize-default.sh \ | ||
| 76 | test-blocksize-sharding.sh \ | ||
| 77 | $(NULL) | ||
| 78 | diff --git a/tests/test-blocksize-extents-overflow.sh b/tests/test-blocksize-extents-overflow.sh | ||
| 79 | new file mode 100755 | ||
| 80 | index 00000000..844c3999 | ||
| 81 | --- /dev/null | ||
| 82 | +++ b/tests/test-blocksize-extents-overflow.sh | ||
| 83 | @@ -0,0 +1,83 @@ | ||
| 84 | +#!/usr/bin/env bash | ||
| 85 | +# nbdkit | ||
| 86 | +# Copyright Red Hat | ||
| 87 | +# | ||
| 88 | +# Redistribution and use in source and binary forms, with or without | ||
| 89 | +# modification, are permitted provided that the following conditions are | ||
| 90 | +# met: | ||
| 91 | +# | ||
| 92 | +# * Redistributions of source code must retain the above copyright | ||
| 93 | +# notice, this list of conditions and the following disclaimer. | ||
| 94 | +# | ||
| 95 | +# * Redistributions in binary form must reproduce the above copyright | ||
| 96 | +# notice, this list of conditions and the following disclaimer in the | ||
| 97 | +# documentation and/or other materials provided with the distribution. | ||
| 98 | +# | ||
| 99 | +# * Neither the name of Red Hat nor the names of its contributors may be | ||
| 100 | +# used to endorse or promote products derived from this software without | ||
| 101 | +# specific prior written permission. | ||
| 102 | +# | ||
| 103 | +# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND | ||
| 104 | +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, | ||
| 105 | +# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A | ||
| 106 | +# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR | ||
| 107 | +# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | ||
| 108 | +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT | ||
| 109 | +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF | ||
| 110 | +# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND | ||
| 111 | +# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | ||
| 112 | +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT | ||
| 113 | +# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||
| 114 | +# SUCH DAMAGE. | ||
| 115 | + | ||
| 116 | +# Demonstrate a fix for a bug where blocksize overflowed 32 bits | ||
| 117 | + | ||
| 118 | +source ./functions.sh | ||
| 119 | +set -e | ||
| 120 | +set -x | ||
| 121 | + | ||
| 122 | +requires_run | ||
| 123 | +requires_plugin eval | ||
| 124 | +requires_nbdsh_uri | ||
| 125 | +requires nbdsh --base-allocation --version | ||
| 126 | + | ||
| 127 | +# Script a sparse server that requires 512-byte aligned requests. | ||
| 128 | +exts=' | ||
| 129 | +if test $(( ($3|$4) & 511 )) != 0; then | ||
| 130 | + echo "EINVAL request unaligned" 2>&1 | ||
| 131 | + exit 1 | ||
| 132 | +fi | ||
| 133 | +echo 0 5G 0 | ||
| 134 | +' | ||
| 135 | + | ||
| 136 | +# We also need an nbdsh script to parse all extents, coalescing adjacent | ||
| 137 | +# types for simplicity. | ||
| 138 | +# FIXME: Once nbdkit plugin version 3 allows 64-bit block extents, run | ||
| 139 | +# this test twice, once for each bit size (32-bit needs 2 extents, 64-bit | ||
| 140 | +# will get the same result with only 1 extent). | ||
| 141 | +export script=' | ||
| 142 | +size = h.get_size() | ||
| 143 | +offs = 0 | ||
| 144 | +entries = [] | ||
| 145 | +def f(metacontext, offset, e, err): | ||
| 146 | + global entries | ||
| 147 | + global offs | ||
| 148 | + assert offs == offset | ||
| 149 | + for length, flags in zip(*[iter(e)] * 2): | ||
| 150 | + if entries and flags == entries[-1][1]: | ||
| 151 | + entries[-1] = (entries[-1][0] + length, flags) | ||
| 152 | + else: | ||
| 153 | + entries.append((length, flags)) | ||
| 154 | + offs = offs + length | ||
| 155 | + | ||
| 156 | +# Test a loop over the entire device | ||
| 157 | +while offs < size: | ||
| 158 | + len = min(size - offs, 2**32-1) | ||
| 159 | + h.block_status(len, offs, f) | ||
| 160 | +assert entries == [(5 * 2**30, 0)] | ||
| 161 | +' | ||
| 162 | + | ||
| 163 | +# Now run everything | ||
| 164 | +nbdkit --filter=blocksize eval minblock=512 \ | ||
| 165 | + get_size='echo 5G' pread='exit 1' extents="$exts" \ | ||
| 166 | + --run 'nbdsh --base-allocation -u "$uri" -c "$script"' | ||
diff --git a/meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb b/meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb index 0c83991b4d..dd1e52214b 100644 --- a/meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb +++ b/meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb | |||
| @@ -11,7 +11,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=26250adec854bc317493f6fb98efe049" | |||
| 11 | 11 | ||
| 12 | SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \ | 12 | SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \ |
| 13 | file://0001-plugins-Avoid-absolute-buildpaths-in-binaries.patch \ | 13 | file://0001-plugins-Avoid-absolute-buildpaths-in-binaries.patch \ |
| 14 | file://CVE-2025-47711.patch" | 14 | file://CVE-2025-47711.patch \ |
| 15 | file://CVE-2025-47712.patch" | ||
| 15 | SRCREV = "6c02c6a469d62a047f230b0ccf03f72328312d2b" | 16 | SRCREV = "6c02c6a469d62a047f230b0ccf03f72328312d2b" |
| 16 | 17 | ||
| 17 | S = "${WORKDIR}/git" | 18 | S = "${WORKDIR}/git" |
