[Libguestfs] [libnbd PATCH v2 0/6] Fix fuzzer fallout
Eric Blake
eblake at redhat.com
Fri Sep 22 17:20:35 UTC 2023
On Thu, Sep 21, 2023 at 03:57:59PM -0500, Eric Blake wrote:
> Cat's out of the bag: Rich's fuzzer run found not one, but two
> independent assertion failures that a malicious server could trigger
> in my recent 64-bit extension code additions. What's more, in the
> process of fixing them, we've discovered another long-standing issue
> where nbd_get_size() returns confusing results compared to its
> documentation, when talking to an odd server that reports a really
> large export size.
>
> After off-list discussion between Rich, Laszlo, and myself, we didn't
> think an embargoed CVE against libnbd is necessary (the assertion
> failures only happen to unstable releases, and the nbd_get_size()
> misbehavior does not happen with normal servers and has been in place
> since v1.0, so it is nothing new), so I am posting the series now for
> public review. But we will still be reaching out to secalert for
> their opinion (it may be that they still see a low-priority exploit in
> an app that gets confused when trying to use a negative size as a loop
> bound, for example). Once they answer, and regardless of whether we
> end up doing a libnbd CVE after all, I will follow up to the mailing
> list with a security incident (client apps that demand a positive
> export size should probably favor nbd_get_size()<0 over
> nbd_get_size()==-1).
>
> Eric Blake (6):
> states: Tweak comment in OPT_GO state handler
> fuzzing: Disable client-side strictness checks
> api: Sanitize sizes larger than INT64_MAX
> block_status: Fix assertion with large server size
> block_status: Fix assertion on bad 64-bit block status reply
> info: Tolerate missing size
After making a few edits based on the reviews, the series is now in as
adf32845..f8375d3c. I'll wait for an answer from secalert before
posting a followup security advisory email.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc.
Virtualization: qemu.org | libguestfs.org
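The cover letter's closing advice (check `nbd_get_size() < 0` rather than `== -1`) is illustrated below with an added, self-contained example that is not part of this thread or of libnbd. It does not link against libnbd: the `int64_t` argument is a constructed stand-in for the value `nbd_get_size()` would return, and `naive_size_ok`, `strict_size_ok` and `chunk_count` are hypothetical helper names chosen here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the int64_t returned by nbd_get_size():
 * >= 0 is an export size and -1 is the documented error value, but the
 * cover letter notes that an odd server can surface other negative
 * values, which an "== -1" test silently accepts. */

/* The pattern the cover letter warns about: only -1 counts as failure. */
bool naive_size_ok(int64_t size) { return size != -1; }

/* The recommended pattern: every negative value is rejected. */
bool strict_size_ok(int64_t size) { return size >= 0; }

/* Number of fixed-size chunks a client would loop over, given a size
 * check. Returns -1 when the check rejects the size or chunk is invalid. */
int64_t chunk_count(int64_t size, int64_t chunk, bool (*ok)(int64_t)) {
    if (!ok(size) || chunk <= 0) return -1;
    if (size > INT64_MAX - chunk) return -1;   /* avoid overflow in rounding */
    return (size + chunk - 1) / chunk;         /* round up to whole chunks */
}

int main(void) {
    /* Constructed sample sizes: a normal export and a bogus negative one. */
    int64_t sizes[] = { 10000, -12288 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        printf("size %lld: naive loop bound %lld, strict loop bound %lld\n",
               (long long) sizes[i],
               (long long) chunk_count(sizes[i], 4096, naive_size_ok),
               (long long) chunk_count(sizes[i], 4096, strict_size_ok));
    }
    return 0;
}
```

With the naive check the bogus size passes through and yields a negative loop bound; with the strict check it is rejected up front, which is the behaviour a client demanding a positive export size wants.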