Eric Blake
2023-Jul-17 14:14 UTC
[Libguestfs] LIBNBD SECURITY: Assertion failure with unexpected block status
We have discovered a security flaw with potential minor impact in libnbd. Lifecycle --------- Reported: 2023-07-14 Fixed: 2023-07-15 Published: 2023-07-17 This was not deemed severe enough to warrant a CVE: even though a malicious server can cause libnbd to crash in a specific scenario, it requires the client to have first invoked non-default setup, typically used only during integration testing by developers aware of the risks of protocol non-compliance. Credit ------ Reported and patched by Eric Blake <eblake at redhat.com> Description ----------- libnbd is a Network Block Device (NBD) client library. The NBD protocol states that a client should not request block status information from a server without first negotiating that feature; however, for interoperability testing of server behavior, libnbd allows a client to make requests that are not compliant with the protocol. The intent is that even when libnbd is used to trigger a protocol violation, it will still gracefully handle whatever the server may return (even if by disconnecting from the server). However, a flaw in the logic for validating block status responses meant that a server that does not follow the usual practice of replying with an NBD_EINVAL error to an unexpected command can crash libnbd with an assertion failure when libnbd is used to send an unexpected block status request, rather than the intended behavior of diagnosing the server's unusual response. Test if libnbd is vulnerable ---------------------------- As the crash can only occur when coupling non-default settings in libnbd with non-typical server behavior, there is no easy test for the vulnerability. The patch includes instructions for reproducing the crash by modifying nbdkit to behave as a non-typical server. Workarounds ----------- By default, libnbd strives to avoid violating the NBD protocol; this particular crash can only be triggered when specifically using nbd_set_strict_mode(3) to bypass libnbd's default protections, and use of this API is not recommended except when doing integration tests of a server's error handling behaviors. Likewise, the crash depends on a server responding to a client error differently than recommended by NBD protocol; it is always a wise idea to use TLS to ensure your libnbd client is connecting to a server with known properties as a way to avoid any potential problems where libnbd might mishandle an unexpected server response. If you intend to use libnbd to probe for server compliance, it is recommended to apply the fix or upgrade to a fixed version. Fixes ----- The flaw was introduced in libnbd 1.15.3 (commit 55b0966706), when adding support for manual control over meta-context negotation via nbd_opt_set_meta_context(3). A fix for the overly-strict assertion is available for the affected stable branch and the current development branch. * development branch (1.17) https://gitlab.com/nbdkit/libnbd/-/commit/653f9c211da6943ab00a1fa665f0b8f0d21333d9 or use libnbd >= 1.17.3 from http://download.libguestfs.org/libnbd/1.17-development/ * stable branch 1.16 https://gitlab.com/nbdkit/libnbd/-/commit/72b4c8622b25589526be19ba82443eef82b150ca or use libnbd >= 1.16.3 from http://download.libguestfs.org/libnbd/1.16-stable/ -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3266 Virtualization: qemu.org | libvirt.org
Reasonably Related Threads
- [libnbd PATCH 1/2] api: Add nbd_set_strict_mode
- [libnbd PATCH v2 3/5] api: Add nbd_set_strict_mode
- [libnbd PATCH 2/2] api: Add STRICT_BOUNDS to nbd_set_strict_mode
- [libnbd PATCH v2 5/5] api: Add STRICT_BOUNDS/ZERO_SIZE to nbd_set_strict_mode
- [libnbd PATCH v2 4/5] api: Add STRICT_FLAGS to set_strict_mode