[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-commits] [qemu/qemu] fdad35: nbd/server: CVE-2017-15119 Reject opt
From: |
GitHub |
Subject: |
[Qemu-commits] [qemu/qemu] fdad35: nbd/server: CVE-2017-15119 Reject options larger t... |
Date: |
Tue, 28 Nov 2017 05:51:38 -0800 |
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: fdad35ef6c5839d50dfc14073364ac893afebc30
https://github.com/qemu/qemu/commit/fdad35ef6c5839d50dfc14073364ac893afebc30
Author: Eric Blake <address@hidden>
Date: 2017-11-28 (Tue, 28 Nov 2017)
Changed paths:
M nbd/server.c
Log Message:
-----------
nbd/server: CVE-2017-15119 Reject options larger than 32M
The NBD spec gives us permission to abruptly disconnect on clients
that send outrageously large option requests, rather than having
to spend the time reading to the end of the option. No real
option request requires that much data anyways; and meanwhile, we
already have the practice of abruptly dropping the connection on
any client that sends NBD_CMD_WRITE with a payload larger than 32M.
For comparison, nbdkit drops the connection on any request with
more than 4096 bytes; however, that limit is probably too low
(as the NBD spec states an export name can theoretically be up
to 4096 bytes, which means a valid NBD_OPT_INFO could be even
longer) - even if qemu doesn't permit exports longer than 256
bytes.
It could be argued that a malicious client trying to get us to
read nearly 4G of data on a bad request is a form of denial of
service. In particular, if the server requires TLS, but a client
that does not know the TLS credentials sends any option (other
than NBD_OPT_STARTTLS or NBD_OPT_EXPORT_NAME) with a stated
payload of nearly 4G, then the server was keeping the connection
alive trying to read all the payload, tying up resources that it
would rather be spending on a client that can get past the TLS
handshake. Hence, this warranted a CVE.
Present since at least 2.5 when handling known options, and made
worse in 2.6 when fixing support for NBD_FLAG_C_FIXED_NEWSTYLE
to handle unknown options.
CC: address@hidden
Signed-off-by: Eric Blake <address@hidden>
Commit: 51ae4f8455c9e32c54770c4ebc25bf86a8128183
https://github.com/qemu/qemu/commit/51ae4f8455c9e32c54770c4ebc25bf86a8128183
Author: Eric Blake <address@hidden>
Date: 2017-11-28 (Tue, 28 Nov 2017)
Changed paths:
M nbd/server.c
Log Message:
-----------
nbd/server: CVE-2017-15118 Stack smash on large export name
Introduced in commit f37708f6b8 (2.10). The NBD spec says a client
can request export names up to 4096 bytes in length, even though
they should not expect success on names longer than 256. However,
qemu hard-codes the limit of 256, and fails to filter out a client
that probes for a longer name; the result is a stack smash that can
potentially give an attacker arbitrary control over the qemu
process.
The smash can be easily demonstrated with this client:
$ qemu-io f raw nbd://localhost:10809/$(printf %3000d 1 | tr ' ' a)
If the qemu NBD server binary (whether the standalone qemu-nbd, or
the builtin server of QMP nbd-server-start) was compiled with
-fstack-protector-strong, the ability to exploit the stack smash
into arbitrary execution is a lot more difficult (but still
theoretically possible to a determined attacker, perhaps in
combination with other CVEs). Still, crashing a running qemu (and
losing the VM) is bad enough, even if the attacker did not obtain
full execution control.
CC: address@hidden
Signed-off-by: Eric Blake <address@hidden>
Commit: 844496f3e55a2155200fdcf7f6320acef03d4e9f
https://github.com/qemu/qemu/commit/844496f3e55a2155200fdcf7f6320acef03d4e9f
Author: Peter Maydell <address@hidden>
Date: 2017-11-28 (Tue, 28 Nov 2017)
Changed paths:
M nbd/server.c
Log Message:
-----------
Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2017-11-28' into
staging
nbd patches for 2017-11-28
Eric Blake - 0/2 fix two NBD server CVEs
# gpg: Signature made Tue 28 Nov 2017 12:58:29 GMT
# gpg: using RSA key 0xA7A16B4A2527436A
# gpg: Good signature from "Eric Blake <address@hidden>"
# gpg: aka "Eric Blake (Free Software Programmer)
<address@hidden>"
# gpg: aka "[jpeg image of size 6874]"
# Primary key fingerprint: 71C2 CC22 B1C4 6029 27D2 F3AA A7A1 6B4A 2527 436A
* remotes/ericb/tags/pull-nbd-2017-11-28:
nbd/server: CVE-2017-15118 Stack smash on large export name
nbd/server: CVE-2017-15119 Reject options larger than 32M
Signed-off-by: Peter Maydell <address@hidden>
Compare: https://github.com/qemu/qemu/compare/a914f04c2338...844496f3e55a
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Qemu-commits] [qemu/qemu] fdad35: nbd/server: CVE-2017-15119 Reject options larger t...,
GitHub <=