nbdkit: patch CVE-2025-47712

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-47712 Pick the patch from the project's repository which explicitly mentions this vulnerability ID. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-04-02 02:49:12 +00:00 · 2025-12-28 14:39:28 +01:00 · 2025-12-28 14:39:28 +01:00 · 2ab2b60609
commit 2ab2b60609
parent 4a97186719
2 changed files with 163 additions and 0 deletions
--- a/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47712.patch
+++ b/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47712.patch
@ -0,0 +1,162 @@
+From 4290f04d6fd9321fffcf09c0507a4f394e19f087 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Tue, 22 Apr 2025 19:53:39 -0500
+Subject: [PATCH] blocksize: Fix 32-bit overflow in .extents [CVE-2025-47712]
+
+If the original request is larger than 2**32 - minblock, then we were
+calling nbdkit_extents_aligned() with a count that rounded up then
+overflowed to 0 instead of the intended 4G because of overflowing a
+32-bit type, which in turn causes an assertion failure:
+
+nbdkit: ../../server/backend.c:814: backend_extents: Assertion `backend_valid_range (c, offset, count)' failed.
+
+The fix is to force the rounding to be in a 64-bit type from the
+get-go.
+
+The ability for a well-behaved client to cause the server to die from
+an assertion failure can be used as a denial of service attack against
+other clients.  Mitigations: if you requrire the use of TLS, then you
+can ensure that you only have trusted clients that won't trigger a
+block status call that large.  Also, the problem only occurs when
+using the blocksize filter, although setting the filter's maxlen
+parameter to a smaller value than its default of 2**32-1 does not
+help.
+
+Fixes: 2680be00 ('blocksize: Fix .extents when plugin changes type within minblock', v1.21.16)
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-ID: <20250423210917.1784789-3-eblake@redhat.com>
+Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
+
+CVE: CVE-2025-47712
+Upstream-Status: Backport [https://gitlab.com/nbdkit/nbdkit/-/commit/a486f88d1eea653ea88b0bf8804c4825dab25ec7]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ filters/blocksize/blocksize.c            |  5 +-
+ tests/Makefile.am                        |  2 +
+ tests/test-blocksize-extents-overflow.sh | 83 ++++++++++++++++++++++++
+ 3 files changed, 88 insertions(+), 2 deletions(-)
+ create mode 100755 tests/test-blocksize-extents-overflow.sh
+
+diff --git a/filters/blocksize/blocksize.c b/filters/blocksize/blocksize.c
+index 03da4971..b06f78b3 100644
+--- a/filters/blocksize/blocksize.c
+++ b/filters/blocksize/blocksize.c
+@@ -474,8 +474,9 @@ blocksize_extents (nbdkit_next *next,
+     return -1;
+   }
+ 
+-  if (nbdkit_extents_aligned (next, MIN (ROUND_UP (count, h->minblock),
+-                                         h->maxlen),
+  if (nbdkit_extents_aligned (next,
+                              MIN (ROUND_UP ((uint64_t) count, h->minblock),
+                                   h->maxlen),
+                               ROUND_DOWN (offset, h->minblock), flags,
+                               h->minblock, extents2, err) == -1)
+     return -1;
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 8ddf73d1..a38a37bc 100644
+--- a/tests/Makefile.am
+++ b/tests/Makefile.am
+@@ -1415,11 +1415,13 @@ test_layers_filter3_la_LIBADD = $(IMPORT_LIBRARY_ON_WINDOWS)
+ TESTS += \
+ 	test-blocksize.sh \
+ 	test-blocksize-extents.sh \
+	test-blocksize-extents-overflow.sh \
+ 	test-blocksize-default.sh \
+ 	$(NULL)
+ EXTRA_DIST += \
+ 	test-blocksize.sh \
+ 	test-blocksize-extents.sh \
+	test-blocksize-extents-overflow.sh \
+ 	test-blocksize-default.sh \
+ 	$(NULL)
+ 
+diff --git a/tests/test-blocksize-extents-overflow.sh b/tests/test-blocksize-extents-overflow.sh
+new file mode 100755
+index 00000000..844c3999
+--- /dev/null
+++ b/tests/test-blocksize-extents-overflow.sh
+@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+# nbdkit
+# Copyright Red Hat
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# * Neither the name of Red Hat nor the names of its contributors may be
+# used to endorse or promote products derived from this software without
+# specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
+# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+# Demonstrate a fix for a bug where blocksize overflowed 32 bits
+
+source ./functions.sh
+set -e
+set -x
+
+requires_run
+requires_plugin eval
+requires_nbdsh_uri
+requires nbdsh --base-allocation --version
+
+# Script a sparse server that requires 512-byte aligned requests.
+exts='
+if test $(( ($3|$4) & 511 )) != 0; then
+  echo "EINVAL request unaligned" 2>&1
+  exit 1
+fi
+echo 0 5G 0
+'
+
+# We also need an nbdsh script to parse all extents, coalescing adjacent
+# types for simplicity.
+# FIXME: Once nbdkit plugin version 3 allows 64-bit block extents, run
+# this test twice, once for each bit size (32-bit needs 2 extents, 64-bit
+# will get the same result with only 1 extent).
+export script='
+size = h.get_size()
+offs = 0
+entries = []
+def f(metacontext, offset, e, err):
+    global entries
+    global offs
+    assert offs == offset
+    for length, flags in zip(*[iter(e)] * 2):
+        if entries and flags == entries[-1][1]:
+            entries[-1] = (entries[-1][0] + length, flags)
+        else:
+            entries.append((length, flags))
+        offs = offs + length
+
+# Test a loop over the entire device
+while offs < size:
+    len = min(size - offs, 2**32-1)
+    h.block_status(len, offs, f)
+assert entries == [(5 * 2**30, 0)]
+'
+
+# Now run everything
+nbdkit --filter=blocksize eval minblock=512 \
+       get_size='echo 5G' pread='exit 1' extents="$exts" \
+       --run 'nbdsh --base-allocation -u "$uri" -c "$script"'
--- a/meta-networking/recipes-support/nbdkit/nbdkit_1.30.2.bb
+++ b/meta-networking/recipes-support/nbdkit/nbdkit_1.30.2.bb
@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=f9dcc2d8acdde215fa4bd6ac12bb14f0"

 SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \
           file://CVE-2025-47711.patch \
+           file://CVE-2025-47712.patch \
           "

 SRCREV = "b59380e061fdf0f114c13c226ea2a508f2c067d0"