Libguestfs - Jul 2023 - LIBNBD SECURITY: Assertion failure with unexpected block status

We have discovered a security flaw with potential minor impact in
libnbd.

Lifecycle
---------

Reported: 2023-07-14  Fixed: 2023-07-15  Published: 2023-07-17

This was not deemed severe enough to warrant a CVE: even though a
malicious server can cause libnbd to crash in a specific scenario, it
requires the client to have first invoked non-default setup, typically
used only during integration testing by developers aware of the risks
of protocol non-compliance.

Credit
------

Reported and patched by Eric Blake <eblake at redhat.com>

Description
-----------

libnbd is a Network Block Device (NBD) client library.  The NBD
protocol states that a client should not request block status
information from a server without first negotiating that feature;
however, for interoperability testing of server behavior, libnbd
allows a client to make requests that are not compliant with the
protocol.  The intent is that even when libnbd is used to trigger a
protocol violation, it will still gracefully handle whatever the
server may return (even if by disconnecting from the server).

However, a flaw in the logic for validating block status responses
meant that a server that does not follow the usual practice of
replying with an NBD_EINVAL error to an unexpected command can crash
libnbd with an assertion failure when libnbd is used to send an
unexpected block status request, rather than the intended behavior of
diagnosing the server's unusual response.

Test if libnbd is vulnerable
----------------------------

As the crash can only occur when coupling non-default settings in
libnbd with non-typical server behavior, there is no easy test for the
vulnerability.  The patch includes instructions for reproducing the
crash by modifying nbdkit to behave as a non-typical server.

Workarounds
-----------

By default, libnbd strives to avoid violating the NBD protocol; this
particular crash can only be triggered when specifically using
nbd_set_strict_mode(3) to bypass libnbd's default protections, and use
of this API is not recommended except when doing integration tests of
a server's error handling behaviors.  Likewise, the crash depends on a
server responding to a client error differently than recommended by
NBD protocol; it is always a wise idea to use TLS to ensure your
libnbd client is connecting to a server with known properties as a way
to avoid any potential problems where libnbd might mishandle an
unexpected server response.

If you intend to use libnbd to probe for server compliance, it is
recommended to apply the fix or upgrade to a fixed version.

Fixes
-----

The flaw was introduced in libnbd 1.15.3 (commit 55b0966706), when
adding support for manual control over meta-context negotation via
nbd_opt_set_meta_context(3).  A fix for the overly-strict assertion is
available for the affected stable branch and the current development
branch.

* development branch (1.17)

https://gitlab.com/nbdkit/libnbd/-/commit/653f9c211da6943ab00a1fa665f0b8f0d21333d9
  or use libnbd >= 1.17.3 from
  http://download.libguestfs.org/libnbd/1.17-development/

* stable branch 1.16

https://gitlab.com/nbdkit/libnbd/-/commit/72b4c8622b25589526be19ba82443eef82b150ca
  or use libnbd >= 1.16.3 from
  http://download.libguestfs.org/libnbd/1.16-stable/

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org