nbdkit: patch CVE-2025-47711

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-47711 Pick the patch from the repository which explicitly mentions this CVE ID. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-14 05:49:57 +00:00 · 2025-11-30 21:35:10 +01:00
parent 8f602e1cfa
commit ffb8d52fae
2 changed files with 174 additions and 1 deletions
@@ -0,0 +1,172 @@
 From 8b41004f101505fd13e0491c88570a00820ccdc2 Mon Sep 17 00:00:00 2001
 From: Gyorgy Sarvari <skandigraun@gmail.com>
 Date: Tue, 22 Apr 2025 17:01:12 -0500
 Subject: [PATCH 1/2] server: Fix off-by-one for maximum block_status length
 [CVE-2025-47711]
 From: Eric Blake <eblake@redhat.com>
 There has been an off-by-one bug in the code for .extents since the
 introduction of that callback.  Remember, internally the code allows
 plugins to report on extents with 64-bit lengths, but the protocol
 only supports 32-bit block status calls (nbdkit will need to create
 plugin version 3 before it can support NBD's newer 64-bit block
 status).  As such, the server loop intentionally truncates a plugin's
 large extent to 2**32-1 bytes.  But in the process of checking whether
 the loop should exit early, or if any additional extents should be
 reported to the client, the server used 'pos > offset+count' instead
 of >=, which is one byte too far.  If the client has requested exactly
 2**32-1 bytes, and the plugin's first extent has that same length, the
 code erroneously proceeds on to the plugin's second extent.  Worse, if
 the plugin's first extent has 2**32 bytes or more, it was truncated to
 2**31-1 bytes, but not completely handled, and the failure to exit the
 loop early means that the server then fails the assertion:
 nbdkit: ../../server/protocol.c:505: extents_to_block_descriptors:
 Assertion `e.length <= length' failed.
 The single-byte fix addresses both symptoms, while the added test
 demonstrates both when run on older nbdkit (the protocol violation
 when the plugin returns 2**32-1 bytes in the first extent, and the
 assertion failure when the plugin returns 2**32 or more bytes in the
 first extent).
 The problem can only be triggered by a client request for 2**32-1
 bytes; anything smaller is immune.  The problem also does not occur
 for plugins that do not return extents information beyond the client's
 request, or if the first extent is smaller than the client's request.
 The ability to cause the server to die from an assertion failure can
 be used as a denial of service attack against other clients.
 Mitigations: if you require the use of TLS, then you can ensure that
 you only have trusted clients that won't trigger a block status call
 of length 2**32-1 bytes.  Also, you can use "--filter=blocksize-policy
 blocksize-minimum=512" to reject block status attempts from clients
 that are not sector-aligned.
 Fixes: 26455d45 ('server: protocol: Implement Block Status "base:allocation".', v1.11.10)
 Reported-by: Nikolay Ivanets <stenavin@gmail.com>
 Signed-off-by: Eric Blake <eblake@redhat.com>
 Message-ID: <20250423211953.GR1450@redhat.com>
 Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
 CVE: CVE-2025-47711
 Upstream-Status: Backport [https://gitlab.com/nbdkit/nbdkit/-/commit/e6f96bd1b77c0cc927ce6aeff650b52238304f39]
 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
 ---
 server/protocol.c          |  2 +-
 tests/Makefile.am          |  2 ++
 tests/test-eval-extents.sh | 71 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100755 tests/test-eval-extents.sh
 diff --git a/server/protocol.c b/server/protocol.c
 index d9a5e282..c32fec82 100644
 --- a/server/protocol.c
 +++ b/server/protocol.c
@@ -493,7 +493,7 @@ extents_to_block_descriptors (struct nbdkit_extents *extents,
       (*nr_blocks)++;
       pos += length;
 -      if (pos > offset + count) /* this must be the last block */
 +      if (pos >= offset + count) /* this must be the last block */
         break;
       /* If we reach here then we must have consumed this whole
 diff --git a/tests/Makefile.am b/tests/Makefile.am
 index 9b846d24..36ac1e16 100644
 --- a/tests/Makefile.am
 +++ b/tests/Makefile.am
@@ -781,6 +781,7 @@ TESTS += \
 	test-eval.sh \
 	test-eval-file.sh \
 	test-eval-exports.sh \
 +	test-eval-extents.sh \
 	test-eval-cache.sh \
 	test-eval-dump-plugin.sh \
 	test-eval-disconnect.sh \
@@ -789,6 +790,7 @@ EXTRA_DIST += \
 	test-eval.sh \
 	test-eval-file.sh \
 	test-eval-exports.sh \
 +	test-eval-extents.sh \
 	test-eval-cache.sh \
 	test-eval-dump-plugin.sh \
 	test-eval-disconnect.sh \
 diff --git a/tests/test-eval-extents.sh b/tests/test-eval-extents.sh
 new file mode 100755
 index 00000000..92b503e6
 --- /dev/null
 +++ b/tests/test-eval-extents.sh
@@ -0,0 +1,71 @@
 +#!/usr/bin/env bash
 +# nbdkit
 +# Copyright Red Hat
 +#
 +# Redistribution and use in source and binary forms, with or without
 +# modification, are permitted provided that the following conditions are
 +# met:
 +#
 +# * Redistributions of source code must retain the above copyright
 +# notice, this list of conditions and the following disclaimer.
 +#
 +# * Redistributions in binary form must reproduce the above copyright
 +# notice, this list of conditions and the following disclaimer in the
 +# documentation and/or other materials provided with the distribution.
 +#
 +# * Neither the name of Red Hat nor the names of its contributors may be
 +# used to endorse or promote products derived from this software without
 +# specific prior written permission.
 +#
 +# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND
 +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 +# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
 +# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
 +# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
 +# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 +# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
 +# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 +# SUCH DAMAGE.
 +
 +source ./functions.sh
 +set -e
 +set -x
 +
 +requires_run
 +requires_plugin eval
 +requires_nbdsh_uri
 +requires nbdsh --base-allocation --version
 +
 +files="eval-extents.out"
 +rm -f $files
 +cleanup_fn rm -f $files
 +
 +# Trigger an off-by-one bug introduced in v1.11.10 and fixed in v1.43.7
 +export script='
 +def f(context, offset, extents, status):
 +  print(extents)
 +
 +# First, probe where the server should return 2 extents.
 +h.block_status(2**32-1, 2, f)
 +
 +# Next, probe where the server has exactly 2**32-1 bytes in its first extent.
 +h.block_status(2**32-1, 1, f)
 +
 +# Now, probe where the first extent has to be truncated.
 +h.block_status(2**32-1, 0, f)
 +'
 +nbdkit eval \
 +       get_size='echo 5G' \
 +       pread='dd if=/dev/zero count=$3 iflag=count_bytes' \
 +       extents='echo 0 4G 1; echo 4G 1G 2' \
 +       --run 'nbdsh --base-allocation --uri "$uri" -c "$script"' \
 +       > eval-extents.out
 +cat eval-extents.out
 +diff -u - eval-extents.out <<EOF
 +[4294967294, 1, 1073741824, 2]
 +[4294967295, 1]
 +[4294967295, 1]
 +EOF
@@ -10,7 +10,8 @@ LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=26250adec854bc317493f6fb98efe049"
 SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \
-           file://0001-plugins-Avoid-absolute-buildpaths-in-binaries.patch"
+           file://0001-plugins-Avoid-absolute-buildpaths-in-binaries.patch \
           file://CVE-2025-47711.patch"
 SRCREV = "6c02c6a469d62a047f230b0ccf03f72328312d2b"
 S = "${WORKDIR}/git"