From: Eric Blake <eblake@redhat.com>
To: qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>,
vsementsov@virtuozzo.com, qemu-block@nongnu.org,
xuwei@redhat.com, qemu-stable@nongnu.org,
Max Reitz <mreitz@redhat.com>,
ppandit@redhat.com
Subject: Re: [PATCH v2 1/2] nbd/server: Avoid long error message assertions CVE-2020-10761
Date: Mon, 15 Jun 2020 15:38:39 -0500 [thread overview]
Message-ID: <1b590b1f-08b8-678f-c53d-794ca3dea812@redhat.com> (raw)
In-Reply-To: <20200610163741.3745251-2-eblake@redhat.com>
On 6/10/20 11:37 AM, Eric Blake wrote:
> We may later want to further sanitize the user-supplied strings we
> place into our error messages, such as scrubbing out control
> characters, but that is less important to the CVE fix, so it can be a
> later patch to the new nbd_sanitize_name.
>
> +static char *
> +nbd_sanitize_name(const char *name)
> +{
> + if (strnlen(name, 80) < 80) {
> + return g_strdup(name);
> + }
> + /* XXX Should we also try to sanitize any control characters? */
> + return g_strdup_printf("%.80s...", name);
Max pointed out off-list that this can take a valid UTF-8 name from the
client and truncate it mid-character to make our reply NOT valid UTF-8,
which is a (minor) violation of the NBD protocol. We have not yet
implemented strict UTF-8 enforcement in qemu (neither our client nor
server code takes pains to only send UTF-8, nor validates that incoming
strings are valid UTF-8); and while the server would previously echo
non-UTF-8 (where the client violated protocol first), this is now a case
where the server can be coerced into violating protocol first. I guess
I may end up doing a followup patch that adds incoming validation and in
the process avoids chopping a multi-byte character, but that's just as
easy to fold in with my question about sanitizing control characters.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
next prev parent reply other threads:[~2020-06-15 20:40 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-10 16:37 [PATCH v2 0/2] Fix NBD CVE-2020-10761 Eric Blake
2020-06-10 16:37 ` [PATCH v2 1/2] nbd/server: Avoid long error message assertions CVE-2020-10761 Eric Blake
2020-06-10 17:17 ` Vladimir Sementsov-Ogievskiy
2020-06-15 20:38 ` Eric Blake [this message]
2020-06-10 16:37 ` [PATCH v2 2/2] block: Call attention to truncation of long NBD exports Eric Blake
2020-06-15 20:39 ` Eric Blake
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1b590b1f-08b8-678f-c53d-794ca3dea812@redhat.com \
--to=eblake@redhat.com \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=ppandit@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
--cc=vsementsov@virtuozzo.com \
--cc=xuwei@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).