From: Stefan Hajnoczi <stefanha@redhat.com>
To: Eric Blake <eblake@redhat.com>
Cc: qemu-devel@nongnu.org, qemu-block@nongnu.org,
qemu-stable@nongnu.org, kwolf@redhat.com, hreitz@redhat.com,
berrange@redhat.com, andrey.drobyshev@virtuozzo.com,
alexander.ivanov@virtuozzo.com, den@virtuozzo.com,
vsementsov@yandex-team.ru
Subject: Re: [PATCH for-9.1] nbd/server: CVE-2024-7409: Avoid use-after-free when closing server
Date: Mon, 26 Aug 2024 09:34:43 -0400 [thread overview]
Message-ID: <20240826133443.GA851041@fedora.redhat.com> (raw)
In-Reply-To: <20240822143617.800419-2-eblake@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 1872 bytes --]
On Thu, Aug 22, 2024 at 09:35:29AM -0500, Eric Blake wrote:
> Commit 3e7ef738 plugged the use-after-free of the global nbd_server
> object, but overlooked a use-after-free of nbd_server->listener.
> Although this race is harder to hit, notice that our shutdown path
> first drops the reference count of nbd_server->listener, then triggers
> actions that can result in a pending client reaching the
> nbd_blockdev_client_closed() callback, which in turn calls
> qio_net_listener_set_client_func on a potentially stale object.
>
> If we know we don't want any more clients to connect, and have already
> told the listener socket to shut down, then we should not be trying to
> update the listener socket's associated function.
>
> Reproducer:
>
> > #!/usr/bin/python3
> >
> > import os
> > from threading import Thread
> >
> > def start_stop():
> > while 1:
> > os.system('virsh qemu-monitor-command VM \'{"execute": "nbd-server-start",
> +"arguments":{"addr":{"type":"unix","data":{"path":"/tmp/nbd-sock"}}}}\'')
> > os.system('virsh qemu-monitor-command VM \'{"execute": "nbd-server-stop"}\'')
> >
> > def nbd_list():
> > while 1:
> > os.system('/path/to/build/qemu-nbd -L -k /tmp/nbd-sock')
> >
> > def test():
> > sst = Thread(target=start_stop)
> > sst.start()
> > nlt = Thread(target=nbd_list)
> > nlt.start()
> >
> > sst.join()
> > nlt.join()
> >
> > test()
>
> Fixes: CVE-2024-7409
> Fixes: 3e7ef738c8 ("nbd/server: CVE-2024-7409: Close stray clients at server-stop")
> CC: qemu-stable@nongnu.org
> Reported-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
> Signed-off-by: Eric Blake <eblake@redhat.com>
> ---
> blockdev-nbd.c | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
prev parent reply other threads:[~2024-08-26 13:35 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-22 14:35 [PATCH for-9.1] nbd/server: CVE-2024-7409: Avoid use-after-free when closing server Eric Blake
2024-08-26 13:34 ` Stefan Hajnoczi [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240826133443.GA851041@fedora.redhat.com \
--to=stefanha@redhat.com \
--cc=alexander.ivanov@virtuozzo.com \
--cc=andrey.drobyshev@virtuozzo.com \
--cc=berrange@redhat.com \
--cc=den@virtuozzo.com \
--cc=eblake@redhat.com \
--cc=hreitz@redhat.com \
--cc=kwolf@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
--cc=vsementsov@yandex-team.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).