From: Eric Blake <eblake@redhat.com>
To: qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>,
vsementsov@virtuozzo.com, qemu-block@nongnu.org,
xuwei@redhat.com, qemu-stable@nongnu.org,
Max Reitz <mreitz@redhat.com>,
ppandit@redhat.com
Subject: Re: [PATCH 1/2] nbd/server: Avoid long error message assertions CVE-2020-10761
Date: Tue, 9 Jun 2020 13:41:24 -0500
Message-ID: <2547a325-74e4-426b-9ec6-c8ad05028139@redhat.com>
In-Reply-To: <20200608182638.3256473-2-eblake@redhat.com>
On 6/8/20 1:26 PM, Eric Blake wrote:
> Ever since commit 36683283 (v2.8), the server code asserts that error
> strings sent to the client are well-formed per the protocol by not
> exceeding the maximum string length of 4096. At the time the server
> first started sending error messages, the assertion could not be
> triggered, because messages were completely under our control.
> However, over the years, we have added latent scenarios where a client
> could trigger the server to attempt an error message that would
> include the client's information if it passed other checks first:
>
> - requesting NBD_OPT_INFO/GO on an export name that is not present
> (commit 0cfae925 in v2.12 echoes the name)
>
> - requesting NBD_OPT_LIST/SET_META_CONTEXT on an export name that is
> not present (commit e7b1948d in v2.12 echoes the name)
Note that this patch does NOT scrub the client's export name for control
characters. Then again, the qcow2 file format does not (currently)
prohibit control characters in bitmap or internal snapshot names, and
'qemu-img info' blindly outputs there too. We may want to do follow-up
patches that further scrub qemu error messages to avoid scenarios where
a user can attempt to coerce qemu into producing an error message
containing control characters.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
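The two hazards this thread describes, a client-supplied export name pushing a server error string past the protocol's 4096-byte limit (tripping the assertion) and the same name carrying control characters into the message, can both be handled at the point where the string is formatted. The following is an added example written for this page; it is not QEMU's nbd/server code and not the fix in the patch. It defines its own MAX_REPLY_STRING copy of the 4096 limit, and the helper names (scrub_client_string, format_export_error, bounded_reply_len, demo_overlong_name_len) are the example's own. It bounds the echoed name so the whole reply stays within the limit, marks the truncation with "...", and replaces control bytes with '?' before the message is built.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Protocol limit on a reply string, mirroring the 4096-byte maximum the
 * thread discusses. Defined locally so the example builds stand-alone. */
#define MAX_REPLY_STRING 4096

/* Copy src into dst (capacity dst_cap including the NUL), replacing every
 * control byte with '?' and keeping at most max_len bytes.
 * Returns true if the input had to be cut short. */
static bool scrub_client_string(char *dst, size_t dst_cap,
                                const char *src, size_t max_len)
{
    size_t n = strlen(src);
    bool truncated = n > max_len;
    if (truncated) {
        n = max_len;
    }
    if (n >= dst_cap) {            /* never overrun the destination */
        n = dst_cap - 1;
        truncated = true;
    }
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        dst[i] = (c < 0x20 || c == 0x7f) ? '?' : (char)c;
    }
    dst[n] = '\0';
    return truncated;
}

/* Build "export 'NAME' not present" with NAME bounded so the complete
 * message never exceeds MAX_REPLY_STRING. Returns the message length,
 * or -1 if it would not fit in out (cannot happen for a correctly sized out). */
static int format_export_error(char *out, size_t out_cap, const char *client_name)
{
    const char *prefix = "export '";
    const char *suffix = "' not present";
    const char *marker = "...";   /* signals to the reader that the name was cut */
    /* Budget for the name: limit minus fixed text, marker and the NUL. */
    size_t budget = MAX_REPLY_STRING - strlen(prefix) - strlen(suffix)
                    - strlen(marker) - 1;
    char name[MAX_REPLY_STRING];
    bool truncated = scrub_client_string(name, sizeof name, client_name, budget);
    int len = snprintf(out, out_cap, "%s%s%s%s",
                       prefix, name, truncated ? marker : "", suffix);
    if (len < 0 || (size_t)len >= out_cap || len > MAX_REPLY_STRING) {
        return -1;
    }
    return len;
}

/* Well-formedness check a server could assert on: within the length limit
 * and free of control bytes. */
static bool reply_is_well_formed(const char *msg)
{
    size_t len = strlen(msg);
    if (len > MAX_REPLY_STRING) {
        return false;
    }
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)msg[i];
        if (c < 0x20 || c == 0x7f) {
            return false;
        }
    }
    return true;
}

/* Format the reply for client_name and return its length, or -1 if the
 * result is not well-formed (so a caller can check a single return value). */
static int bounded_reply_len(const char *client_name)
{
    char out[MAX_REPLY_STRING + 1];
    int len = format_export_error(out, sizeof out, client_name);
    if (len < 0 || !reply_is_well_formed(out)) {
        return -1;
    }
    return len;
}

/* Constructed input: an 7999-byte name (well past the limit) with an
 * embedded newline, the kind of string the assertion used to reject. */
static int demo_overlong_name_len(void)
{
    char big[8000];
    memset(big, 'A', sizeof big - 1);
    big[10] = '\n';
    big[sizeof big - 1] = '\0';
    return bounded_reply_len(big);
}

int main(void)
{
    printf("short name reply length: %d\n", bounded_reply_len("foo"));
    printf("over-long name reply length: %d\n", demo_overlong_name_len());
    return 0;
}
```

With these constants the longest possible reply is 4095 bytes (8 bytes of prefix, a 4071-byte name, the 3-byte marker and 13 bytes of suffix), so the limit holds for any input length; a short name passes through unchanged apart from control-byte replacement.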