|
 |
9bac43 |
From dd7511a6effe839c73ed8f71ceaa3c53f16ebdbd Mon Sep 17 00:00:00 2001
|
|
|
9bac43 |
From: Eric Blake <eblake@redhat.com>
|
|
|
9bac43 |
Date: Wed, 13 Dec 2017 18:17:30 +0100
|
|
|
9bac43 |
Subject: [PATCH 5/6] nbd/server: CVE-2017-15118 Stack smash on large export
|
|
|
9bac43 |
name
|
|
|
9bac43 |
|
|
|
9bac43 |
RH-Author: Eric Blake <eblake@redhat.com>
|
|
|
9bac43 |
Message-id: <20171213181730.1278-3-eblake@redhat.com>
|
|
|
9bac43 |
Patchwork-id: 78393
|
|
|
9bac43 |
O-Subject: [RHEV-7.5 qemu-kvm-rhev PATCH 2/2] nbd/server: CVE-2017-15118 Stack smash on large export name
|
|
|
9bac43 |
Bugzilla: 1516545 1518548
|
|
|
9bac43 |
CVE: CVE-2017-15118/20171128
|
|
|
9bac43 |
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
|
|
9bac43 |
RH-Acked-by: John Snow <jsnow@redhat.com>
|
|
|
9bac43 |
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
|
9bac43 |
|
|
|
9bac43 |
Introduced in commit f37708f6b8 (2.10). The NBD spec says a client
|
|
|
9bac43 |
can request export names up to 4096 bytes in length, even though
|
|
|
9bac43 |
they should not expect success on names longer than 256. However,
|
|
|
9bac43 |
qemu hard-codes the limit of 256, and fails to filter out a client
|
|
|
9bac43 |
that probes for a longer name; the result is a stack smash that can
|
|
|
9bac43 |
potentially give an attacker arbitrary control over the qemu
|
|
|
9bac43 |
process.
|
|
|
9bac43 |
|
|
|
9bac43 |
The smash can be easily demonstrated with this client:
|
|
|
9bac43 |
$ qemu-io f raw nbd://localhost:10809/$(printf %3000d 1 | tr ' ' a)
|
|
|
9bac43 |
|
|
|
9bac43 |
If the qemu NBD server binary (whether the standalone qemu-nbd, or
|
|
|
9bac43 |
the builtin server of QMP nbd-server-start) was compiled with
|
|
|
9bac43 |
-fstack-protector-strong, the ability to exploit the stack smash
|
|
|
9bac43 |
into arbitrary execution is a lot more difficult (but still
|
|
|
9bac43 |
theoretically possible to a determined attacker, perhaps in
|
|
|
9bac43 |
combination with other CVEs). Still, crashing a running qemu (and
|
|
|
9bac43 |
losing the VM) is bad enough, even if the attacker did not obtain
|
|
|
9bac43 |
full execution control.
|
|
|
9bac43 |
|
|
|
9bac43 |
CC: qemu-stable@nongnu.org
|
|
|
9bac43 |
Signed-off-by: Eric Blake <eblake@redhat.com>
|
|
|
9bac43 |
(cherry picked from commit 51ae4f8455c9e32c54770c4ebc25bf86a8128183)
|
|
|
9bac43 |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
9bac43 |
---
|
|
|
9bac43 |
nbd/server.c | 4 ++++
|
|
|
9bac43 |
1 file changed, 4 insertions(+)
|
|
|
9bac43 |
|
|
|
9bac43 |
diff --git a/nbd/server.c b/nbd/server.c
|
|
|
9bac43 |
index b93cb88..56aed3a 100644
|
|
|
9bac43 |
--- a/nbd/server.c
|
|
|
9bac43 |
+++ b/nbd/server.c
|
|
|
9bac43 |
@@ -393,6 +393,10 @@ static int nbd_negotiate_handle_info(NBDClient *client, uint32_t length,
|
|
|
9bac43 |
msg = "name length is incorrect";
|
|
|
9bac43 |
goto invalid;
|
|
|
9bac43 |
}
|
|
|
9bac43 |
+ if (namelen >= sizeof(name)) {
|
|
|
9bac43 |
+ msg = "name too long for qemu";
|
|
|
9bac43 |
+ goto invalid;
|
|
|
9bac43 |
+ }
|
|
|
9bac43 |
if (nbd_read(client->ioc, name, namelen, errp) < 0) {
|
|
|
9bac43 |
return -EIO;
|
|
|
9bac43 |
}
|
|
|
9bac43 |
--
|
|
|
9bac43 |
1.8.3.1
|
|
|
9bac43 |
|