|
| 1 | +From 93e521b7d705202335c4147218181b0bdd1e7cb0 Mon Sep 17 00:00:00 2001 |
| 2 | +From: dj_palli <v-dpalli@microsoft.com> |
| 3 | +Date: Wed, 18 Jun 2025 16:11:18 +0000 |
| 4 | +Subject: [PATCH] Address CVE-2025-47712 |
| 5 | + |
| 6 | +--- |
| 7 | + filters/blocksize/blocksize.c | 3 +- |
| 8 | + tests/Makefile.am | 2 + |
| 9 | + tests/test-blocksize-extents-overflow.sh | 83 ++++++++++++++++++++++++ |
| 10 | + 3 files changed, 87 insertions(+), 1 deletion(-) |
| 11 | + create mode 100644 tests/test-blocksize-extents-overflow.sh |
| 12 | + |
| 13 | +diff --git a/filters/blocksize/blocksize.c b/filters/blocksize/blocksize.c |
| 14 | +index 09195ce..d3fcb4b 100644 |
| 15 | +--- a/filters/blocksize/blocksize.c |
| 16 | ++++ b/filters/blocksize/blocksize.c |
| 17 | +@@ -482,7 +482,8 @@ blocksize_extents (nbdkit_next *next, |
| 18 | + return -1; |
| 19 | + } |
| 20 | + |
| 21 | +- if (nbdkit_extents_aligned (next, MIN (ROUND_UP (count, h->minblock), |
| 22 | ++ if (nbdkit_extents_aligned (next, |
| 23 | ++ MIN (ROUND_UP ((uint64_t) count, h->minblock), |
| 24 | + h->maxlen), |
| 25 | + ROUND_DOWN (offset, h->minblock), flags, |
| 26 | + h->minblock, extents2, err) == -1) |
| 27 | +diff --git a/tests/Makefile.am b/tests/Makefile.am |
| 28 | +index a1905c9..dc8445f 100644 |
| 29 | +--- a/tests/Makefile.am |
| 30 | ++++ b/tests/Makefile.am |
| 31 | +@@ -1483,12 +1483,14 @@ test_layers_filter3_la_LIBADD = $(IMPORT_LIBRARY_ON_WINDOWS) |
| 32 | + TESTS += \ |
| 33 | + test-blocksize.sh \ |
| 34 | + test-blocksize-extents.sh \ |
| 35 | ++ test-blocksize-extents-overflow.sh \ |
| 36 | + test-blocksize-default.sh \ |
| 37 | + test-blocksize-sharding.sh \ |
| 38 | + $(NULL) |
| 39 | + EXTRA_DIST += \ |
| 40 | + test-blocksize.sh \ |
| 41 | + test-blocksize-extents.sh \ |
| 42 | ++ test-blocksize-extents-overflow.sh \ |
| 43 | + test-blocksize-default.sh \ |
| 44 | + test-blocksize-sharding.sh \ |
| 45 | + $(NULL) |
| 46 | +diff --git a/tests/test-blocksize-extents-overflow.sh b/tests/test-blocksize-extents-overflow.sh |
| 47 | +new file mode 100644 |
| 48 | +index 0000000..844c399 |
| 49 | +--- /dev/null |
| 50 | ++++ b/tests/test-blocksize-extents-overflow.sh |
| 51 | +@@ -0,0 +1,83 @@ |
| 52 | ++#!/usr/bin/env bash |
| 53 | ++# nbdkit |
| 54 | ++# Copyright Red Hat |
| 55 | ++# |
| 56 | ++# Redistribution and use in source and binary forms, with or without |
| 57 | ++# modification, are permitted provided that the following conditions are |
| 58 | ++# met: |
| 59 | ++# |
| 60 | ++# * Redistributions of source code must retain the above copyright |
| 61 | ++# notice, this list of conditions and the following disclaimer. |
| 62 | ++# |
| 63 | ++# * Redistributions in binary form must reproduce the above copyright |
| 64 | ++# notice, this list of conditions and the following disclaimer in the |
| 65 | ++# documentation and/or other materials provided with the distribution. |
| 66 | ++# |
| 67 | ++# * Neither the name of Red Hat nor the names of its contributors may be |
| 68 | ++# used to endorse or promote products derived from this software without |
| 69 | ++# specific prior written permission. |
| 70 | ++# |
| 71 | ++# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND |
| 72 | ++# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, |
| 73 | ++# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A |
| 74 | ++# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR |
| 75 | ++# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| 76 | ++# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
| 77 | ++# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF |
| 78 | ++# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND |
| 79 | ++# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, |
| 80 | ++# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT |
| 81 | ++# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 82 | ++# SUCH DAMAGE. |
| 83 | ++ |
| 84 | ++# Demonstrate a fix for a bug where blocksize overflowed 32 bits |
| 85 | ++ |
| 86 | ++source ./functions.sh |
| 87 | ++set -e |
| 88 | ++set -x |
| 89 | ++ |
| 90 | ++requires_run |
| 91 | ++requires_plugin eval |
| 92 | ++requires_nbdsh_uri |
| 93 | ++requires nbdsh --base-allocation --version |
| 94 | ++ |
| 95 | ++# Script a sparse server that requires 512-byte aligned requests. |
| 96 | ++exts=' |
| 97 | ++if test $(( ($3|$4) & 511 )) != 0; then |
| 98 | ++ echo "EINVAL request unaligned" 2>&1 |
| 99 | ++ exit 1 |
| 100 | ++fi |
| 101 | ++echo 0 5G 0 |
| 102 | ++' |
| 103 | ++ |
| 104 | ++# We also need an nbdsh script to parse all extents, coalescing adjacent |
| 105 | ++# types for simplicity. |
| 106 | ++# FIXME: Once nbdkit plugin version 3 allows 64-bit block extents, run |
| 107 | ++# this test twice, once for each bit size (32-bit needs 2 extents, 64-bit |
| 108 | ++# will get the same result with only 1 extent). |
| 109 | ++export script=' |
| 110 | ++size = h.get_size() |
| 111 | ++offs = 0 |
| 112 | ++entries = [] |
| 113 | ++def f(metacontext, offset, e, err): |
| 114 | ++ global entries |
| 115 | ++ global offs |
| 116 | ++ assert offs == offset |
| 117 | ++ for length, flags in zip(*[iter(e)] * 2): |
| 118 | ++ if entries and flags == entries[-1][1]: |
| 119 | ++ entries[-1] = (entries[-1][0] + length, flags) |
| 120 | ++ else: |
| 121 | ++ entries.append((length, flags)) |
| 122 | ++ offs = offs + length |
| 123 | ++ |
| 124 | ++# Test a loop over the entire device |
| 125 | ++while offs < size: |
| 126 | ++ len = min(size - offs, 2**32-1) |
| 127 | ++ h.block_status(len, offs, f) |
| 128 | ++assert entries == [(5 * 2**30, 0)] |
| 129 | ++' |
| 130 | ++ |
| 131 | ++# Now run everything |
| 132 | ++nbdkit --filter=blocksize eval minblock=512 \ |
| 133 | ++ get_size='echo 5G' pread='exit 1' extents="$exts" \ |
| 134 | ++ --run 'nbdsh --base-allocation -u "$uri" -c "$script"' |
| 135 | +-- |
| 136 | +2.45.2 |
| 137 | + |
0 commit comments