From 177308adb17e81fce7c0f2b2fcf655c5c0b6a4d6 Mon Sep 17 00:00:00 2001 From: Eric Blake Date: Mon, 30 Oct 2023 12:50:53 -0500 Subject: [PATCH] generator: Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871 Another round of fuzz testing revealed that when a server negotiates extended headers and replies with a 64-bit flag value where the client used the 32-bit API command, we were correctly flagging the server's response as being an EOVERFLOW condition, but then immediately failing in an assertion failure instead of reporting it to the application. The following one-byte change to qemu.git at commit fd9a38fd43 allows the creation of an intentionally malicious server: | diff --git i/nbd/server.c w/nbd/server.c | index 859c163d19f..32e1e771a95 100644 | --- i/nbd/server.c | +++ w/nbd/server.c | @@ -2178,7 +2178,7 @@ static void nbd_extent_array_convert_to_be(NBDExtentArray *ea) | | for (i = 0; i < ea->count; i++) { | ea->extents[i].length = cpu_to_be64(ea->extents[i].length); | - ea->extents[i].flags = cpu_to_be64(ea->extents[i].flags); | + ea->extents[i].flags = ~cpu_to_be64(ea->extents[i].flags); | } | } and can then be detected with the following command line: $ nbdsh -c - <<\EOF > def f(a,b,c,d): > pass > > h.connect_systemd_socket_activation(["/path/to/bad/qemu-nbd", > "-r", "-f", "raw", "TODO"]) > h.block_staus(h.get_size(), 0, f) > EOF nbdsh: generator/states-reply-chunk.c:626: enter_STATE_REPLY_CHUNK_REPLY_RECV_BS_ENTRIES: Assertion `(len | flags) <= UINT32_MAX' failed. Aborted (core dumped) whereas a fixed libnbd will give: nbdsh: command line script failed: nbd_block_status: block-status: command failed: Value too large for defined data type We can either relax the assertion (by changing to 'assert ((len | flags) <= UINT32_MAX || cmd->error)'), or intentionally truncate flags to make the existing assertion reliable. This patch goes with the latter approach. Sadly, this crash is possible in all existing 1.18.x stable releases, if they were built with assertions enabled (most distros do this by default), meaning a malicious server has an easy way to cause a Denial of Service attack by triggering the assertion failure in vulnerable clients, so we have assigned this CVE-2023-5871. Mitigating factors: the crash only happens for a server that sends a 64-bit status block reply (no known production servers do so; qemu 8.2 will be the first known server to support extended headers, but it is not yet released); and as usual, a client can use TLS to guarantee it is connecting only to a known-safe server. If libnbd is compiled without assertions, there is no crash or other mistaken behavior; and when assertions are enabled, the attacker cannot accomplish anything more than a denial of service. Reported-by: Richard W.M. Jones Fixes: 20dadb0e10 ("generator: Prepare for extent64 callback", v1.17.4) Signed-off-by: Eric Blake --- generator/states-reply-chunk.c | 1 + 1 file changed, 1 insertion(+) diff --git a/generator/states-reply-chunk.c b/generator/states-reply-chunk.c index 5a31c19..8ab7e8b 100644 --- a/generator/states-reply-chunk.c +++ b/generator/states-reply-chunk.c @@ -600,6 +600,7 @@ STATE_MACHINE { break; /* Skip this and later extents; we already made progress */ /* Expose this extent as an error; we made no progress */ cmd->error = cmd->error ? : EOVERFLOW; + flags = (uint32_t)flags; } } -- 2.41.0