[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Stable-8.2.7 41/53] nbd/server: CVE-2024-7409: Avoid use-after-free whe
From: |
Michael Tokarev |
Subject: |
[Stable-8.2.7 41/53] nbd/server: CVE-2024-7409: Avoid use-after-free when closing server |
Date: |
Fri, 6 Sep 2024 09:54:11 +0300 |
From: Eric Blake <eblake@redhat.com>
Commit 3e7ef738 plugged the use-after-free of the global nbd_server
object, but overlooked a use-after-free of nbd_server->listener.
Although this race is harder to hit, notice that our shutdown path
first drops the reference count of nbd_server->listener, then triggers
actions that can result in a pending client reaching the
nbd_blockdev_client_closed() callback, which in turn calls
qio_net_listener_set_client_func on a potentially stale object.
If we know we don't want any more clients to connect, and have already
told the listener socket to shut down, then we should not be trying to
update the listener socket's associated function.
Reproducer:
> #!/usr/bin/python3
>
> import os
> from threading import Thread
>
> def start_stop():
> while 1:
> os.system('virsh qemu-monitor-command VM \'{"execute":
> "nbd-server-start",
+"arguments":{"addr":{"type":"unix","data":{"path":"/tmp/nbd-sock"}}}}\'')
> os.system('virsh qemu-monitor-command VM \'{"execute":
> "nbd-server-stop"}\'')
>
> def nbd_list():
> while 1:
> os.system('/path/to/build/qemu-nbd -L -k /tmp/nbd-sock')
>
> def test():
> sst = Thread(target=start_stop)
> sst.start()
> nlt = Thread(target=nbd_list)
> nlt.start()
>
> sst.join()
> nlt.join()
>
> test()
Fixes: CVE-2024-7409
Fixes: 3e7ef738c8 ("nbd/server: CVE-2024-7409: Close stray clients at
server-stop")
CC: qemu-stable@nongnu.org
Reported-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-ID: <20240822143617.800419-2-eblake@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 3874f5f73c441c52f1c699c848d463b0eda01e4c)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
diff --git a/blockdev-nbd.c b/blockdev-nbd.c
index f73409ae49..b36f41b7c5 100644
--- a/blockdev-nbd.c
+++ b/blockdev-nbd.c
@@ -92,10 +92,13 @@ static void nbd_accept(QIONetListener *listener,
QIOChannelSocket *cioc,
static void nbd_update_server_watch(NBDServerData *s)
{
- if (!s->max_connections || s->connections < s->max_connections) {
- qio_net_listener_set_client_func(s->listener, nbd_accept, NULL, NULL);
- } else {
- qio_net_listener_set_client_func(s->listener, NULL, NULL, NULL);
+ if (s->listener) {
+ if (!s->max_connections || s->connections < s->max_connections) {
+ qio_net_listener_set_client_func(s->listener, nbd_accept, NULL,
+ NULL);
+ } else {
+ qio_net_listener_set_client_func(s->listener, NULL, NULL, NULL);
+ }
}
}
@@ -113,6 +116,7 @@ static void nbd_server_free(NBDServerData *server)
*/
qio_net_listener_disconnect(server->listener);
object_unref(OBJECT(server->listener));
+ server->listener = NULL;
QLIST_FOREACH_SAFE(conn, &server->conns, next, tmp) {
qio_channel_shutdown(QIO_CHANNEL(conn->cioc),
QIO_CHANNEL_SHUTDOWN_BOTH,
NULL);
--
2.39.2
- [Stable-8.2.7 33/53] vvfat: Fix usage of `info.file.offset`, (continued)
- [Stable-8.2.7 33/53] vvfat: Fix usage of `info.file.offset`, Michael Tokarev, 2024/09/06
- [Stable-8.2.7 37/53] nbd/server: Plumb in new args to nbd_client_add(), Michael Tokarev, 2024/09/06
- [Stable-8.2.7 36/53] iotests: Add `vvfat` tests, Michael Tokarev, 2024/09/06
- [Stable-8.2.7 38/53] nbd/server: CVE-2024-7409: Cap default max-connections to 100, Michael Tokarev, 2024/09/06
- [Stable-8.2.7 35/53] vvfat: Fix reading files with non-continuous clusters, Michael Tokarev, 2024/09/06
- [Stable-8.2.7 44/53] target/i386: Do not apply REX to MMX operands, Michael Tokarev, 2024/09/06
- [Stable-8.2.7 40/53] nbd/server: CVE-2024-7409: Close stray clients at server-stop, Michael Tokarev, 2024/09/06
- [Stable-8.2.7 39/53] nbd/server: CVE-2024-7409: Drop non-negotiating clients, Michael Tokarev, 2024/09/06
- [Stable-8.2.7 43/53] block/blkio: use FUA flag on write zeroes only if supported, Michael Tokarev, 2024/09/06
- [Stable-8.2.7 42/53] hw/core/ptimer: fix timer zero period condition for freq > 1GHz, Michael Tokarev, 2024/09/06
- [Stable-8.2.7 41/53] nbd/server: CVE-2024-7409: Avoid use-after-free when closing server,
Michael Tokarev <=
- [Stable-8.2.7 46/53] module: Prevent crash by resetting local_err in module_load_qom_all(), Michael Tokarev, 2024/09/06
- [Stable-8.2.7 47/53] target/hexagon: don't look for static glib, Michael Tokarev, 2024/09/06
- [Stable-8.2.7 45/53] target/arm: Clear high SVE elements in handle_vec_simd_wshli, Michael Tokarev, 2024/09/06
- [Stable-8.2.7 48/53] target/sparc: Restrict STQF to sparcv9, Michael Tokarev, 2024/09/06
- [Stable-8.2.7 49/53] crypto/tlscredspsk: Free username on finalize, Michael Tokarev, 2024/09/06
- [Stable-8.2.7 53/53] target/hppa: Fix PSW V-bit packaging in cpu_hppa_get for hppa64, Michael Tokarev, 2024/09/06
- [Stable-8.2.7 50/53] hw/nvme: fix leak of uninitialized memory in io_mgmt_recv, Michael Tokarev, 2024/09/06
- [Stable-8.2.7 51/53] virtio-pci: Fix the use of an uninitialized irqfd, Michael Tokarev, 2024/09/06
- [Stable-8.2.7 52/53] hw/audio/virtio-snd: fix invalid param check, Michael Tokarev, 2024/09/06