[v2] Fix NBD CVE-2020-10761

[PATCH v2 0/2] Fix NBD CVE-2020-10761

Eric Blake posted 2 patches 3 years, 10 months ago

Diff against v1
Download series mbox

Test docker-mingw@fedora passed

Test checkpatch passed

Test docker-quick@centos7 passed

Test FreeBSD passed

Test asan passed

Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20200610163741.3745251-1-eblake@redhat.com

Maintainers: Max Reitz <mreitz@redhat.com>, Eric Blake <eblake@redhat.com>, Kevin Wolf <kwolf@redhat.com>

block.c                    |  7 +++++--
block/nbd.c                | 21 +++++++++++++--------
nbd/server.c               | 23 ++++++++++++++++++++---
tests/qemu-iotests/143     |  4 ++++
tests/qemu-iotests/143.out |  2 ++
5 files changed, 44 insertions(+), 13 deletions(-)

Expand all Fold all

[PATCH v2 0/2] Fix NBD CVE-2020-10761

Posted by Eric Blake 3 years, 10 months ago

In qemu 4.2, I accidentally introduced the ability for an NBD client
obeying the specification to kill qemu as NBD server with an assertion
failure when the client requests an unusually long export name, as a
regression from the intended graceful server error message back to the
client.

In v2:
- use strnlen instead of strlen
- malloc a sane string rather than using a static buffer [Vladimir]
- enhance commit message
- tweak iotest to use different abbreviation than qemu-nbd
- add R-b on patch 2

Once this is reviewed, I'll then spin v2 of my NBD pull request.

Eric Blake (2):
  nbd/server: Avoid long error message assertions CVE-2020-10761
  block: Call attention to truncation of long NBD exports

 block.c                    |  7 +++++--
 block/nbd.c                | 21 +++++++++++++--------
 nbd/server.c               | 23 ++++++++++++++++++++---
 tests/qemu-iotests/143     |  4 ++++
 tests/qemu-iotests/143.out |  2 ++
 5 files changed, 44 insertions(+), 13 deletions(-)

-- 
2.27.0