[nbdkit PATCH v2 0/2] Fix two assertion failures on large block size
by Eric Blake
Still waiting on Red Hat's security team to decide if these get CVE
designations, but at this point, we consider the impact to be low
enough severity (easy to avoid if your server rejects malicious
clients by the use of TLS) and related enough that there is no longer
any need to embargo the second one.
I'll wait a bit longer to apply, to provide time to update the subject
lines according to whether we get CVEs assigned.
Eric Blake (2):
server: Fix off-by-one for maximum block_status length [CVE-XXX]
blocksize: Fix 32-bit overflow in .extents [CVE-XXXX]
tests/Makefile.am | 4 ++
server/protocol.c | 2 +-
filters/blocksize/blocksize.c | 5 +-
tests/test-blocksize-extents-overflow.sh | 83 ++++++++++++++++++++++++
tests/test-eval-extents.sh | 71 ++++++++++++++++++++
5 files changed, 162 insertions(+), 3 deletions(-)
create mode 100755 tests/test-blocksize-extents-overflow.sh
create mode 100755 tests/test-eval-extents.sh
--
2.49.0
8 hours, 26 minutes
[PATCH] curl: add proxy-cafile and proxy-capath
by Adi Aloni
curl exposes the --proxy-cafile and --proxy-capath options via libcurl
CURLOPT_PROXY_CAINFO and CURLOPT_PROXY_CAPATH respectively.
This patch adds the matching proxy-cainfo and proxy-capath options to
the nbdkit curl plugin.
Signed-off-by: Adi Aloni <aaloni(a)redhat.com>
---
plugins/curl/config.c | 14 ++++++++++++++
plugins/curl/nbdkit-curl-plugin.pod | 4 ++++
tests/test-curl-options.sh | 2 ++
3 files changed, 20 insertions(+)
diff --git a/plugins/curl/config.c b/plugins/curl/config.c
index 3e98178a..e951078b 100644
--- a/plugins/curl/config.c
+++ b/plugins/curl/config.c
@@ -73,6 +73,8 @@ static const char *protocols = NULL;
static const char *proxy = NULL;
static char *proxy_password = NULL;
static const char *proxy_user = NULL;
+static const char *proxy_cainfo = NULL;
+static const char *proxy_capath = NULL;
static struct curl_slist *resolves = NULL;
static bool sslverify = true;
static const char *ssl_cipher_list = NULL;
@@ -369,6 +371,12 @@ curl_config (const char *key, const char *value)
else if (strcmp (key, "proxy-user") == 0)
proxy_user = value;
+ else if (strcmp (key, "proxy-cainfo") == 0)
+ proxy_cainfo = value;
+
+ else if (strcmp (key, "proxy-capath") == 0)
+ proxy_capath = value;
+
else if (strcmp (key, "resolve") == 0) {
resolves = curl_slist_append (headers, value);
if (resolves == NULL) {
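Review bot: proxy-cainfo and proxy-capath are file-system paths, but both new branches store value unchanged, so a relative path is resolved against whatever the working directory is when the handle is later allocated. Consider converting with nbdkit_absolute_path() at config time (freeing the result on unload), or document that the paths must be absolute. Separately, the subject line says proxy-cafile while the key added here is proxy-cainfo; make the two agree.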
@@ -536,6 +544,8 @@ const char *curl_config_help =
"proxy=<PROXY> Set proxy URL.\n"
"proxy-password=<PASSWORD> The proxy password.\n"
"proxy-user=<USER> The proxy user.\n"
+ "proxy-cainfo=<CAINFO> Path to Proxy Certificate Authority file.\n"
+ "proxy-capath=<CAPATH> Path to directory with Proxy CA certificates.\n"
"resolve=<HOST>:<PORT>:<ADDR> Custom host to IP address resolution.\n"
"sslverify=false Do not verify SSL certificate of remote host.\n"
"ssl-cipher-list=C1:C2:.. Specify TLS/SSL cipher suites to be used.\n"
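Review bot: the two added help strings capitalize "Proxy" mid-sentence ("Path to Proxy Certificate Authority file."), unlike the neighbouring "The proxy password." and "The proxy user."; lower-case it so the help output stays consistent.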
@@ -661,6 +671,10 @@ allocate_handle (void)
curl_easy_setopt (ch->c, CURLOPT_PROXYPASSWORD, proxy_password);
if (proxy_user)
curl_easy_setopt (ch->c, CURLOPT_PROXYUSERNAME, proxy_user);
+ if (proxy_cainfo)
+ curl_easy_setopt (ch->c, CURLOPT_PROXY_CAINFO, proxy_cainfo);
+ if (proxy_capath)
+ curl_easy_setopt (ch->c, CURLOPT_PROXY_CAPATH, proxy_capath);
if (!sslverify) {
curl_easy_setopt (ch->c, CURLOPT_SSL_VERIFYPEER, 0L);
curl_easy_setopt (ch->c, CURLOPT_SSL_VERIFYHOST, 0L);
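Review bot: the sslverify=false branch directly below the new calls clears only CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST, so nothing in this hunk tells a user how the new proxy CA settings interact with sslverify; state in the man page whether sslverify=false is meant to affect verification of the proxy's certificate. Also, CURLOPT_PROXY_CAINFO and CURLOPT_PROXY_CAPATH were added in libcurl 7.52.0, so if older libcurl is still supported these two calls need a version guard.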
diff --git a/plugins/curl/nbdkit-curl-plugin.pod b/plugins/curl/nbdkit-curl-plugin.pod
index 96940152..56990385 100644
--- a/plugins/curl/nbdkit-curl-plugin.pod
+++ b/plugins/curl/nbdkit-curl-plugin.pod
@@ -288,6 +288,10 @@ Set the proxy. See L<CURLOPT_PROXY(3)>.
=item B<proxy-user=>USERNAME
+=item B<proxy-cainfo=>FILENAME
+
+=item B<proxy-capath=>PATH
+
(nbdkit E<ge> 1.12)
Set the proxy username and password.
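Review bot: the two new =item lines are inserted between "=item B<proxy-user=>USERNAME" and its body, so proxy-cainfo and proxy-capath end up sharing the "(nbdkit E<ge> 1.12)" marker and the description "Set the proxy username and password." Give them their own entry, with the nbdkit version that introduces them and a description that refers to L<CURLOPT_PROXY_CAINFO(3)> and L<CURLOPT_PROXY_CAPATH(3)>.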
diff --git a/tests/test-curl-options.sh b/tests/test-curl-options.sh
index 3264bc3c..c70acb34 100755
--- a/tests/test-curl-options.sh
+++ b/tests/test-curl-options.sh
@@ -87,6 +87,8 @@ for opt in \
protocols=file,http,https \
proxy-password=secret \
proxy-user=eve \
+ proxy-cainfo=/dev/null \
+ proxy-capath=/dev/null \
resolve=example.com:443:127.0.0.1 \
sslverify=false \
ssl-version=default \
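Review bot: proxy-capath=/dev/null passes a character device where the help text added by this patch asks for a directory, so the new entries only show that the keys are accepted by the option parser. If that is the intent of this loop, fine, but a value that is at least the right kind of path (a directory for proxy-capath) would make the test less surprising to read.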
--
2.49.0
9 hours, 17 minutes
[nbdkit PATCH] server: Fix off-by-one for maximum block_status length [CVE-XXX]
by Eric Blake
Latent since the introduction of the .extents callback. The loop
intentionally truncates to 2**32-1 bytes, but the condition to end the
loop early used > while the assertion after the loop used <=, meaning
that the assertion can fire for any plugin that returns an extent of
2**32 or larger.
Fixes: 26455d45 ('server: protocol: Implement Block Status "base:allocation".', v1.11.10)
Reported-by: Nikolay Ivanets <stenavin(a)gmail.com>
Signed-off-by: Eric Blake <eblake(a)redhat.com>
---
We still need to sort out if this gets a CVE number; either way, the
commit title needs an update, and if it does get a CVE we need to also
post a security alert message to the list.
tests/Makefile.am | 2 ++
server/protocol.c | 2 +-
tests/test-eval-extents.sh | 60 ++++++++++++++++++++++++++++++++++++++
3 files changed, 63 insertions(+), 1 deletion(-)
create mode 100755 tests/test-eval-extents.sh
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 13c0457c..ffe42c78 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -881,6 +881,7 @@ TESTS += \
test-eval.sh \
test-eval-file.sh \
test-eval-exports.sh \
+ test-eval-extents.sh \
test-eval-cache.sh \
test-eval-dump-plugin.sh \
test-eval-disconnect.sh \
@@ -889,6 +890,7 @@ EXTRA_DIST += \
test-eval.sh \
test-eval-file.sh \
test-eval-exports.sh \
+ test-eval-extents.sh \
test-eval-cache.sh \
test-eval-dump-plugin.sh \
test-eval-disconnect.sh \
diff --git a/server/protocol.c b/server/protocol.c
index d428bfc8..b4b1c162 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -499,7 +499,7 @@ extents_to_block_descriptors (struct nbdkit_extents *extents,
(*nr_blocks)++;
pos += length;
- if (pos > offset + count) /* this must be the last block */
+ if (pos >= offset + count) /* this must be the last block */
break;
/* If we reach here then we must have consumed this whole
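Review bot: the comment on the changed line still reads only "this must be the last block", which does not tell a later reader why equality has to leave the loop as well. Extend it to say that pos == offset + count means the request is fully covered even when the extent was truncated, which is the case the assertion described in the commit message cannot tolerate.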
diff --git a/tests/test-eval-extents.sh b/tests/test-eval-extents.sh
new file mode 100755
index 00000000..08c8d670
--- /dev/null
+++ b/tests/test-eval-extents.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+# nbdkit
+# Copyright Red Hat
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# * Neither the name of Red Hat nor the names of its contributors may be
+# used to endorse or promote products derived from this software without
+# specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
+# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+source ./functions.sh
+set -e
+set -x
+
+requires_run
+requires_plugin eval
+requires_nbdsh_uri
+requires nbdsh --base-allocation
+
+files="eval-extents.out"
+rm -f $files
+cleanup_fn rm -f $files
+
+# Trigger an off-by-one bug introduced in v1.11.10 and fixed in v1.43.6
+export script='
+def f(context, offset, extents, status):
+ print(extents)
+
+h.block_status(2**32-1, 0, f)
+'
+nbdkit eval \
+ get_size='echo 5G' \
+ pread='dd if=/dev/zero count=$3 iflag=count_bytes' \
+ extents='echo 0 5G 0' \
+ --run 'nbdsh --base-allocation --uri "$uri" -c "$script"' \
+ > eval-extents.out
+cat eval-extents.out
+grep -E '\[4294967295, 0]' eval-extents.out
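Review bot: the test drives a single case, a 5G extent queried with count 2**32-1 at offset 0, while the commit message says the assertion can fire for any extent of 2**32 or larger. Add a second run with an extent of exactly 4G, and one with a non-zero offset, so the boundary itself is pinned down. The comment also hard-codes "fixed in v1.43.6"; check that against the release the fix actually lands in before pushing.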
--
2.49.0
1 day, 7 hours
nbdkit crashes on attempt to retrieve extent with len of 2^32-1
by Nikolay Ivanets
nbdkit crashes when the client is trying to get extents with len=2^32-1.
Here is client code (nbdsh):
h.add_meta_context("base:allocation")
h.connect_uri("nbd://localhost:10809/disk0-flat.vmdk")
def f(metacontext, offset, e, status):
    print(e)
h.block_status(2**32-2, 0, f)
[4294967295, 0] <--- OK
h.block_status(2**32-1, 0, f) <-- FAIL
Traceback (most recent call last):
File "<console>", line 1, in <module>
File "/usr/lib64/python3.12/site-packages/nbd.py", line 2775, in
block_status
return libnbdmod.block_status(self._o, count, offset, extent, flags)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nbd.Error: nbd_block_status: block-status: command failed: Transport
endpoint is not connected (ENOTCONN)
Server prints:
nbdkit: file.8: debug: file: extents count=4294967295 offset=0 req_one=0
nbdkit: ../../server/protocol.c:505: extents_to_block_descriptors:
Assertion `e.length <= length' failed.
Aborted (core dumped)
Why is 2^32-2 the max len, and why does nbdkit crash with 2**32-1? It seems like a
badly behaved client can crash the server. Or did I miss something?
--
Mykola Ivanets
2 days, 1 hour
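A small C model of the loop-exit condition that the report above and the protocol.c fix concern, added here as an illustration and not taken from nbdkit. The struct, the function name and the clamp to UINT32_MAX are assumptions, the last based on the commit message's statement that the loop truncates to 2**32-1 bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for one plugin extent (not nbdkit's own struct). */
struct extent { uint64_t offset, length; };

/* Model of the descriptor loop.  Returns false where the server's
 * assertion `e.length <= length' would fire, true otherwise.
 * inclusive=false models the old `>' test, true the patched `>='.
 * Assumes ext[0].offset == offset.  *first_len receives the first
 * descriptor's length.
 */
bool
model_block_status (const struct extent *ext, size_t n, uint64_t offset,
                    uint32_t count, bool inclusive, uint32_t *first_len)
{
  uint64_t pos = offset;

  for (size_t i = 0; i < n; i++) {
    /* Assumption: a descriptor length is clamped to 2**32-1 bytes. */
    uint32_t length = ext[i].length > UINT32_MAX
      ? UINT32_MAX : (uint32_t) ext[i].length;
    if (i == 0)
      *first_len = length;
    pos += length;
    if (inclusive ? pos >= offset + count : pos > offset + count)
      break;                    /* this must be the last block */
    if (ext[i].length > length) /* extent was truncated but loop goes on */
      return false;
  }
  return true;
}

int
main (void)
{
  const struct extent e = { 0, 5ULL << 30 };  /* constructed: one 5G extent */
  const uint32_t counts[] = { UINT32_MAX - 1, UINT32_MAX };
  uint32_t len;

  for (int i = 0; i < 2; i++)
    for (int fixed = 0; fixed <= 1; fixed++) {
      bool ok = model_block_status (&e, 1, 0, counts[i], fixed, &len);
      printf ("count=%u %s: %s (first length %u)\n", (unsigned) counts[i],
              fixed ? ">=" : "> ", ok ? "ok" : "assertion fires", (unsigned) len);
    }
  return 0;
}
```

With the old comparison only the count of 2**32-1 trips the check, matching the report; an extent of exactly 2**32-1 bytes passes either way because nothing is truncated.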