summaryrefslogtreecommitdiffstats
path: root/meta-networking
diff options
context:
space:
mode:
Diffstat (limited to 'meta-networking')
-rw-r--r--meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47711.patch172
-rw-r--r--meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb3
2 files changed, 174 insertions, 1 deletions
diff --git a/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47711.patch b/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47711.patch
new file mode 100644
index 0000000000..a5eb519738
--- /dev/null
+++ b/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47711.patch
@@ -0,0 +1,172 @@
1From 8b41004f101505fd13e0491c88570a00820ccdc2 Mon Sep 17 00:00:00 2001
2From: Gyorgy Sarvari <skandigraun@gmail.com>
3Date: Tue, 22 Apr 2025 17:01:12 -0500
4Subject: [PATCH 1/2] server: Fix off-by-one for maximum block_status length
5 [CVE-2025-47711]
6
7From: Eric Blake <eblake@redhat.com>
8
9There has been an off-by-one bug in the code for .extents since the
10introduction of that callback. Remember, internally the code allows
11plugins to report on extents with 64-bit lengths, but the protocol
12only supports 32-bit block status calls (nbdkit will need to create
13plugin version 3 before it can support NBD's newer 64-bit block
14status). As such, the server loop intentionally truncates a plugin's
15large extent to 2**32-1 bytes. But in the process of checking whether
16the loop should exit early, or if any additional extents should be
17reported to the client, the server used 'pos > offset+count' instead
18of >=, which is one byte too far. If the client has requested exactly
192**32-1 bytes, and the plugin's first extent has that same length, the
20code erroneously proceeds on to the plugin's second extent. Worse, if
21the plugin's first extent has 2**32 bytes or more, it was truncated to
222**31-1 bytes, but not completely handled, and the failure to exit the
23loop early means that the server then fails the assertion:
24
25nbdkit: ../../server/protocol.c:505: extents_to_block_descriptors:
26Assertion `e.length <= length' failed.
27
28The single-byte fix addresses both symptoms, while the added test
29demonstrates both when run on older nbdkit (the protocol violation
30when the plugin returns 2**32-1 bytes in the first extent, and the
31assertion failure when the plugin returns 2**32 or more bytes in the
32first extent).
33
34The problem can only be triggered by a client request for 2**32-1
35bytes; anything smaller is immune. The problem also does not occur
36for plugins that do not return extents information beyond the client's
37request, or if the first extent is smaller than the client's request.
38
39The ability to cause the server to die from an assertion failure can
40be used as a denial of service attack against other clients.
41Mitigations: if you require the use of TLS, then you can ensure that
42you only have trusted clients that won't trigger a block status call
43of length 2**32-1 bytes. Also, you can use "--filter=blocksize-policy
44blocksize-minimum=512" to reject block status attempts from clients
45that are not sector-aligned.
46
47Fixes: 26455d45 ('server: protocol: Implement Block Status "base:allocation".', v1.11.10)
48Reported-by: Nikolay Ivanets <stenavin@gmail.com>
49Signed-off-by: Eric Blake <eblake@redhat.com>
50Message-ID: <20250423211953.GR1450@redhat.com>
51Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
52
53CVE: CVE-2025-47711
54Upstream-Status: Backport [https://gitlab.com/nbdkit/nbdkit/-/commit/e6f96bd1b77c0cc927ce6aeff650b52238304f39]
55Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
56---
57 server/protocol.c | 2 +-
58 tests/Makefile.am | 2 ++
59 tests/test-eval-extents.sh | 71 ++++++++++++++++++++++++++++++++++++++
60 3 files changed, 74 insertions(+), 1 deletion(-)
61 create mode 100755 tests/test-eval-extents.sh
62
63diff --git a/server/protocol.c b/server/protocol.c
64index d9a5e282..c32fec82 100644
65--- a/server/protocol.c
66+++ b/server/protocol.c
67@@ -493,7 +493,7 @@ extents_to_block_descriptors (struct nbdkit_extents *extents,
68 (*nr_blocks)++;
69
70 pos += length;
71- if (pos > offset + count) /* this must be the last block */
72+ if (pos >= offset + count) /* this must be the last block */
73 break;
74
75 /* If we reach here then we must have consumed this whole
76diff --git a/tests/Makefile.am b/tests/Makefile.am
77index 9b846d24..36ac1e16 100644
78--- a/tests/Makefile.am
79+++ b/tests/Makefile.am
80@@ -781,6 +781,7 @@ TESTS += \
81 test-eval.sh \
82 test-eval-file.sh \
83 test-eval-exports.sh \
84+ test-eval-extents.sh \
85 test-eval-cache.sh \
86 test-eval-dump-plugin.sh \
87 test-eval-disconnect.sh \
88@@ -789,6 +790,7 @@ EXTRA_DIST += \
89 test-eval.sh \
90 test-eval-file.sh \
91 test-eval-exports.sh \
92+ test-eval-extents.sh \
93 test-eval-cache.sh \
94 test-eval-dump-plugin.sh \
95 test-eval-disconnect.sh \
96diff --git a/tests/test-eval-extents.sh b/tests/test-eval-extents.sh
97new file mode 100755
98index 00000000..92b503e6
99--- /dev/null
100+++ b/tests/test-eval-extents.sh
101@@ -0,0 +1,71 @@
102+#!/usr/bin/env bash
103+# nbdkit
104+# Copyright Red Hat
105+#
106+# Redistribution and use in source and binary forms, with or without
107+# modification, are permitted provided that the following conditions are
108+# met:
109+#
110+# * Redistributions of source code must retain the above copyright
111+# notice, this list of conditions and the following disclaimer.
112+#
113+# * Redistributions in binary form must reproduce the above copyright
114+# notice, this list of conditions and the following disclaimer in the
115+# documentation and/or other materials provided with the distribution.
116+#
117+# * Neither the name of Red Hat nor the names of its contributors may be
118+# used to endorse or promote products derived from this software without
119+# specific prior written permission.
120+#
121+# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND
122+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
123+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
124+# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
125+# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
126+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
127+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
128+# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
129+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
130+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
131+# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
132+# SUCH DAMAGE.
133+
134+source ./functions.sh
135+set -e
136+set -x
137+
138+requires_run
139+requires_plugin eval
140+requires_nbdsh_uri
141+requires nbdsh --base-allocation --version
142+
143+files="eval-extents.out"
144+rm -f $files
145+cleanup_fn rm -f $files
146+
147+# Trigger an off-by-one bug introduced in v1.11.10 and fixed in v1.43.7
148+export script='
149+def f(context, offset, extents, status):
150+ print(extents)
151+
152+# First, probe where the server should return 2 extents.
153+h.block_status(2**32-1, 2, f)
154+
155+# Next, probe where the server has exactly 2**32-1 bytes in its first extent.
156+h.block_status(2**32-1, 1, f)
157+
158+# Now, probe where the first extent has to be truncated.
159+h.block_status(2**32-1, 0, f)
160+'
161+nbdkit eval \
162+ get_size='echo 5G' \
163+ pread='dd if=/dev/zero count=$3 iflag=count_bytes' \
164+ extents='echo 0 4G 1; echo 4G 1G 2' \
165+ --run 'nbdsh --base-allocation --uri "$uri" -c "$script"' \
166+ > eval-extents.out
167+cat eval-extents.out
168+diff -u - eval-extents.out <<EOF
169+[4294967294, 1, 1073741824, 2]
170+[4294967295, 1]
171+[4294967295, 1]
172+EOF
diff --git a/meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb b/meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb
index cdf2677f13..0c83991b4d 100644
--- a/meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb
+++ b/meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb
@@ -10,7 +10,8 @@ LICENSE = "BSD-3-Clause"
10LIC_FILES_CHKSUM = "file://LICENSE;md5=26250adec854bc317493f6fb98efe049" 10LIC_FILES_CHKSUM = "file://LICENSE;md5=26250adec854bc317493f6fb98efe049"
11 11
12SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \ 12SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \
13 file://0001-plugins-Avoid-absolute-buildpaths-in-binaries.patch" 13 file://0001-plugins-Avoid-absolute-buildpaths-in-binaries.patch \
14 file://CVE-2025-47711.patch"
14SRCREV = "6c02c6a469d62a047f230b0ccf03f72328312d2b" 15SRCREV = "6c02c6a469d62a047f230b0ccf03f72328312d2b"
15 16
16S = "${WORKDIR}/git" 17S = "${WORKDIR}/git"