From dd7511a6effe839c73ed8f71ceaa3c53f16ebdbd Mon Sep 17 00:00:00 2001 From: Eric Blake Date: Wed, 13 Dec 2017 18:17:30 +0100 Subject: [PATCH 5/6] nbd/server: CVE-2017-15118 Stack smash on large export name RH-Author: Eric Blake Message-id: <20171213181730.1278-3-eblake@redhat.com> Patchwork-id: 78393 O-Subject: [RHEV-7.5 qemu-kvm-rhev PATCH 2/2] nbd/server: CVE-2017-15118 Stack smash on large export name Bugzilla: 1516545 1518548 CVE: CVE-2017-15118/20171128 RH-Acked-by: Dr. David Alan Gilbert RH-Acked-by: John Snow RH-Acked-by: Stefan Hajnoczi Introduced in commit f37708f6b8 (2.10). The NBD spec says a client can request export names up to 4096 bytes in length, even though they should not expect success on names longer than 256. However, qemu hard-codes the limit of 256, and fails to filter out a client that probes for a longer name; the result is a stack smash that can potentially give an attacker arbitrary control over the qemu process. The smash can be easily demonstrated with this client: $ qemu-io f raw nbd://localhost:10809/$(printf %3000d 1 | tr ' ' a) If the qemu NBD server binary (whether the standalone qemu-nbd, or the builtin server of QMP nbd-server-start) was compiled with -fstack-protector-strong, the ability to exploit the stack smash into arbitrary execution is a lot more difficult (but still theoretically possible to a determined attacker, perhaps in combination with other CVEs). Still, crashing a running qemu (and losing the VM) is bad enough, even if the attacker did not obtain full execution control. CC: qemu-stable@nongnu.org Signed-off-by: Eric Blake (cherry picked from commit 51ae4f8455c9e32c54770c4ebc25bf86a8128183) Signed-off-by: Miroslav Rezanina --- nbd/server.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nbd/server.c b/nbd/server.c index b93cb88..56aed3a 100644 --- a/nbd/server.c +++ b/nbd/server.c @@ -393,6 +393,10 @@ static int nbd_negotiate_handle_info(NBDClient *client, uint32_t length, msg = "name length is incorrect"; goto invalid; } + if (namelen >= sizeof(name)) { + msg = "name too long for qemu"; + goto invalid; + } if (nbd_read(client->ioc, name, namelen, errp) < 0) { return -EIO; } -- 1.8.3.1