mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-15 16:07:26 +00:00
nbdkit: patch CVE-2025-47712
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-47712 Pick the patch from the project's repository which explicitly mentions this vulnerability ID. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
@@ -0,0 +1,162 @@
|
|||||||
|
From 4290f04d6fd9321fffcf09c0507a4f394e19f087 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Eric Blake <eblake@redhat.com>
|
||||||
|
Date: Tue, 22 Apr 2025 19:53:39 -0500
|
||||||
|
Subject: [PATCH] blocksize: Fix 32-bit overflow in .extents [CVE-2025-47712]
|
||||||
|
|
||||||
|
If the original request is larger than 2**32 - minblock, then we were
|
||||||
|
calling nbdkit_extents_aligned() with a count that rounded up then
|
||||||
|
overflowed to 0 instead of the intended 4G because of overflowing a
|
||||||
|
32-bit type, which in turn causes an assertion failure:
|
||||||
|
|
||||||
|
nbdkit: ../../server/backend.c:814: backend_extents: Assertion `backend_valid_range (c, offset, count)' failed.
|
||||||
|
|
||||||
|
The fix is to force the rounding to be in a 64-bit type from the
|
||||||
|
get-go.
|
||||||
|
|
||||||
|
The ability for a well-behaved client to cause the server to die from
|
||||||
|
an assertion failure can be used as a denial of service attack against
|
||||||
|
other clients. Mitigations: if you requrire the use of TLS, then you
|
||||||
|
can ensure that you only have trusted clients that won't trigger a
|
||||||
|
block status call that large. Also, the problem only occurs when
|
||||||
|
using the blocksize filter, although setting the filter's maxlen
|
||||||
|
parameter to a smaller value than its default of 2**32-1 does not
|
||||||
|
help.
|
||||||
|
|
||||||
|
Fixes: 2680be00 ('blocksize: Fix .extents when plugin changes type within minblock', v1.21.16)
|
||||||
|
Signed-off-by: Eric Blake <eblake@redhat.com>
|
||||||
|
Message-ID: <20250423210917.1784789-3-eblake@redhat.com>
|
||||||
|
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
|
||||||
|
|
||||||
|
CVE: CVE-2025-47712
|
||||||
|
Upstream-Status: Backport [https://gitlab.com/nbdkit/nbdkit/-/commit/a486f88d1eea653ea88b0bf8804c4825dab25ec7]
|
||||||
|
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
|
||||||
|
---
|
||||||
|
filters/blocksize/blocksize.c | 5 +-
|
||||||
|
tests/Makefile.am | 2 +
|
||||||
|
tests/test-blocksize-extents-overflow.sh | 83 ++++++++++++++++++++++++
|
||||||
|
3 files changed, 88 insertions(+), 2 deletions(-)
|
||||||
|
create mode 100755 tests/test-blocksize-extents-overflow.sh
|
||||||
|
|
||||||
|
diff --git a/filters/blocksize/blocksize.c b/filters/blocksize/blocksize.c
|
||||||
|
index 03da4971..b06f78b3 100644
|
||||||
|
--- a/filters/blocksize/blocksize.c
|
||||||
|
+++ b/filters/blocksize/blocksize.c
|
||||||
|
@@ -474,8 +474,9 @@ blocksize_extents (nbdkit_next *next,
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (nbdkit_extents_aligned (next, MIN (ROUND_UP (count, h->minblock),
|
||||||
|
- h->maxlen),
|
||||||
|
+ if (nbdkit_extents_aligned (next,
|
||||||
|
+ MIN (ROUND_UP ((uint64_t) count, h->minblock),
|
||||||
|
+ h->maxlen),
|
||||||
|
ROUND_DOWN (offset, h->minblock), flags,
|
||||||
|
h->minblock, extents2, err) == -1)
|
||||||
|
return -1;
|
||||||
|
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
||||||
|
index 8ddf73d1..a38a37bc 100644
|
||||||
|
--- a/tests/Makefile.am
|
||||||
|
+++ b/tests/Makefile.am
|
||||||
|
@@ -1415,11 +1415,13 @@ test_layers_filter3_la_LIBADD = $(IMPORT_LIBRARY_ON_WINDOWS)
|
||||||
|
TESTS += \
|
||||||
|
test-blocksize.sh \
|
||||||
|
test-blocksize-extents.sh \
|
||||||
|
+ test-blocksize-extents-overflow.sh \
|
||||||
|
test-blocksize-default.sh \
|
||||||
|
$(NULL)
|
||||||
|
EXTRA_DIST += \
|
||||||
|
test-blocksize.sh \
|
||||||
|
test-blocksize-extents.sh \
|
||||||
|
+ test-blocksize-extents-overflow.sh \
|
||||||
|
test-blocksize-default.sh \
|
||||||
|
$(NULL)
|
||||||
|
|
||||||
|
diff --git a/tests/test-blocksize-extents-overflow.sh b/tests/test-blocksize-extents-overflow.sh
|
||||||
|
new file mode 100755
|
||||||
|
index 00000000..844c3999
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/test-blocksize-extents-overflow.sh
|
||||||
|
@@ -0,0 +1,83 @@
|
||||||
|
+#!/usr/bin/env bash
|
||||||
|
+# nbdkit
|
||||||
|
+# Copyright Red Hat
|
||||||
|
+#
|
||||||
|
+# Redistribution and use in source and binary forms, with or without
|
||||||
|
+# modification, are permitted provided that the following conditions are
|
||||||
|
+# met:
|
||||||
|
+#
|
||||||
|
+# * Redistributions of source code must retain the above copyright
|
||||||
|
+# notice, this list of conditions and the following disclaimer.
|
||||||
|
+#
|
||||||
|
+# * Redistributions in binary form must reproduce the above copyright
|
||||||
|
+# notice, this list of conditions and the following disclaimer in the
|
||||||
|
+# documentation and/or other materials provided with the distribution.
|
||||||
|
+#
|
||||||
|
+# * Neither the name of Red Hat nor the names of its contributors may be
|
||||||
|
+# used to endorse or promote products derived from this software without
|
||||||
|
+# specific prior written permission.
|
||||||
|
+#
|
||||||
|
+# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND
|
||||||
|
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
|
||||||
|
+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
||||||
|
+# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
|
||||||
|
+# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||||
|
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||||
|
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
|
||||||
|
+# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
||||||
|
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
||||||
|
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
|
||||||
|
+# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||||
|
+# SUCH DAMAGE.
|
||||||
|
+
|
||||||
|
+# Demonstrate a fix for a bug where blocksize overflowed 32 bits
|
||||||
|
+
|
||||||
|
+source ./functions.sh
|
||||||
|
+set -e
|
||||||
|
+set -x
|
||||||
|
+
|
||||||
|
+requires_run
|
||||||
|
+requires_plugin eval
|
||||||
|
+requires_nbdsh_uri
|
||||||
|
+requires nbdsh --base-allocation --version
|
||||||
|
+
|
||||||
|
+# Script a sparse server that requires 512-byte aligned requests.
|
||||||
|
+exts='
|
||||||
|
+if test $(( ($3|$4) & 511 )) != 0; then
|
||||||
|
+ echo "EINVAL request unaligned" 2>&1
|
||||||
|
+ exit 1
|
||||||
|
+fi
|
||||||
|
+echo 0 5G 0
|
||||||
|
+'
|
||||||
|
+
|
||||||
|
+# We also need an nbdsh script to parse all extents, coalescing adjacent
|
||||||
|
+# types for simplicity.
|
||||||
|
+# FIXME: Once nbdkit plugin version 3 allows 64-bit block extents, run
|
||||||
|
+# this test twice, once for each bit size (32-bit needs 2 extents, 64-bit
|
||||||
|
+# will get the same result with only 1 extent).
|
||||||
|
+export script='
|
||||||
|
+size = h.get_size()
|
||||||
|
+offs = 0
|
||||||
|
+entries = []
|
||||||
|
+def f(metacontext, offset, e, err):
|
||||||
|
+ global entries
|
||||||
|
+ global offs
|
||||||
|
+ assert offs == offset
|
||||||
|
+ for length, flags in zip(*[iter(e)] * 2):
|
||||||
|
+ if entries and flags == entries[-1][1]:
|
||||||
|
+ entries[-1] = (entries[-1][0] + length, flags)
|
||||||
|
+ else:
|
||||||
|
+ entries.append((length, flags))
|
||||||
|
+ offs = offs + length
|
||||||
|
+
|
||||||
|
+# Test a loop over the entire device
|
||||||
|
+while offs < size:
|
||||||
|
+ len = min(size - offs, 2**32-1)
|
||||||
|
+ h.block_status(len, offs, f)
|
||||||
|
+assert entries == [(5 * 2**30, 0)]
|
||||||
|
+'
|
||||||
|
+
|
||||||
|
+# Now run everything
|
||||||
|
+nbdkit --filter=blocksize eval minblock=512 \
|
||||||
|
+ get_size='echo 5G' pread='exit 1' extents="$exts" \
|
||||||
|
+ --run 'nbdsh --base-allocation -u "$uri" -c "$script"'
|
||||||
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=f9dcc2d8acdde215fa4bd6ac12bb14f0"
|
|||||||
|
|
||||||
SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \
|
SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \
|
||||||
file://CVE-2025-47711.patch \
|
file://CVE-2025-47711.patch \
|
||||||
|
file://CVE-2025-47712.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRCREV = "b59380e061fdf0f114c13c226ea2a508f2c067d0"
|
SRCREV = "b59380e061fdf0f114c13c226ea2a508f2c067d0"
|
||||||
|
|||||||
Reference in New Issue
Block a user