[PULL for-9.1-rc4 0/1] NBD patches for 2024-08-26

[PULL for-9.1-rc4 0/1] NBD patches for 2024-08-26

[Eric Blake]

The following changes since commit f259e4cb8a8b4ef5463326fc214a7d8d7703d5de:

  Merge tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu into staging (2024-08-24 08:09:27 +1000)

are available in the Git repository at:

  https://repo.or.cz/qemu/ericb.git tags/pull-nbd-2024-08-26

for you to fetch changes up to 3874f5f73c441c52f1c699c848d463b0eda01e4c:

  nbd/server: CVE-2024-7409: Avoid use-after-free when closing server (2024-08-26 08:42:42 -0500)

----------------------------------------------------------------
NBD patches for 2024-08-26

- One more patch for CVE-2024-7409 (use-after-free on nbd-server-stop)

----------------------------------------------------------------
Eric Blake (1):
      nbd/server: CVE-2024-7409: Avoid use-after-free when closing server

 blockdev-nbd.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

-- 
2.46.0

[PULL 1/1] nbd/server: CVE-2024-7409: Avoid use-after-free when closing server

[Eric Blake]

Commit 3e7ef738 plugged the use-after-free of the global nbd_server
object, but overlooked a use-after-free of nbd_server->listener.
Although this race is harder to hit, notice that our shutdown path
first drops the reference count of nbd_server->listener, then triggers
actions that can result in a pending client reaching the
nbd_blockdev_client_closed() callback, which in turn calls
qio_net_listener_set_client_func on a potentially stale object.

If we know we don't want any more clients to connect, and have already
told the listener socket to shut down, then we should not be trying to
update the listener socket's associated function.

Reproducer:

> #!/usr/bin/python3
>
> import os
> from threading import Thread
>
> def start_stop():
>     while 1:
>         os.system('virsh qemu-monitor-command VM \'{"execute": "nbd-server-start",
+"arguments":{"addr":{"type":"unix","data":{"path":"/tmp/nbd-sock"}}}}\'')
>         os.system('virsh qemu-monitor-command VM \'{"execute": "nbd-server-stop"}\'')
>
> def nbd_list():
>     while 1:
>         os.system('/path/to/build/qemu-nbd -L -k /tmp/nbd-sock')
>
> def test():
>     sst = Thread(target=start_stop)
>     sst.start()
>     nlt = Thread(target=nbd_list)
>     nlt.start()
>
>     sst.join()
>     nlt.join()
>
> test()

Fixes: CVE-2024-7409
Fixes: 3e7ef738c8 ("nbd/server: CVE-2024-7409: Close stray clients at server-stop")
CC: qemu-stable@nongnu.org
Reported-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-ID: <20240822143617.800419-2-eblake@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 blockdev-nbd.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/blockdev-nbd.c b/blockdev-nbd.c
index f73409ae494..b36f41b7c5a 100644
--- a/blockdev-nbd.c
+++ b/blockdev-nbd.c
@@ -92,10 +92,13 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,

 static void nbd_update_server_watch(NBDServerData *s)
 {
-    if (!s->max_connections || s->connections < s->max_connections) {
-        qio_net_listener_set_client_func(s->listener, nbd_accept, NULL, NULL);
-    } else {
-        qio_net_listener_set_client_func(s->listener, NULL, NULL, NULL);
+    if (s->listener) {
+        if (!s->max_connections || s->connections < s->max_connections) {
+            qio_net_listener_set_client_func(s->listener, nbd_accept, NULL,
+                                             NULL);
+        } else {
+            qio_net_listener_set_client_func(s->listener, NULL, NULL, NULL);
+        }
     }
 }

@@ -113,6 +116,7 @@ static void nbd_server_free(NBDServerData *server)
      */
     qio_net_listener_disconnect(server->listener);
     object_unref(OBJECT(server->listener));
+    server->listener = NULL;
     QLIST_FOREACH_SAFE(conn, &server->conns, next, tmp) {
         qio_channel_shutdown(QIO_CHANNEL(conn->cioc), QIO_CHANNEL_SHUTDOWN_BOTH,
                              NULL);
-- 
2.46.0

Re: [PULL for-9.1-rc4 0/1] NBD patches for 2024-08-26

[Richard Henderson]

On 8/26/24 23:49, Eric Blake wrote:
> The following changes since commit f259e4cb8a8b4ef5463326fc214a7d8d7703d5de:
> 
>    Merge tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu into staging (2024-08-24 08:09:27 +1000)
> 
> are available in the Git repository at:
> 
>    https://repo.or.cz/qemu/ericb.git tags/pull-nbd-2024-08-26
> 
> for you to fetch changes up to 3874f5f73c441c52f1c699c848d463b0eda01e4c:
> 
>    nbd/server: CVE-2024-7409: Avoid use-after-free when closing server (2024-08-26 08:42:42 -0500)
> 
> ----------------------------------------------------------------
> NBD patches for 2024-08-26
> 
> - One more patch for CVE-2024-7409 (use-after-free on nbd-server-stop)
> 
> ----------------------------------------------------------------
> Eric Blake (1):
>        nbd/server: CVE-2024-7409: Avoid use-after-free when closing server
> 
>   blockdev-nbd.c | 12 ++++++++----
>   1 file changed, 8 insertions(+), 4 deletions(-)
> 


Applied, thanks.  Please update https://wiki.qemu.org/ChangeLog/9.1 as appropriate.

r~