[Medium] Patch nbdkit for CVE-2025-47711 & CVE-2025-47712 (#14032)

durgajagadeesh · web-flow · commit 94f44bd6b851 · 2025-06-26T06:00:51.000+05:30
diff --git a/SPECS/nbdkit/CVE-2025-47711.patch b/SPECS/nbdkit/CVE-2025-47711.patch
@@ -0,0 +1,126 @@
+From 9457616cacdb044aa1773d7a931cdfeea77b1057 Mon Sep 17 00:00:00 2001
+From: dj_palli <v-dpalli@microsoft.com>
+Date: Wed, 18 Jun 2025 14:40:17 +0000
+Subject: [PATCH] Address CVE-2025-47711
+
+Upstream patch reference: https://gitlab.com/nbdkit/nbdkit/-/commit/c3c1950867ea8d9c2108ff066ed9e78dde3cfc3f
+---
+ server/protocol.c          |  2 +-
+ tests/Makefile.am          |  2 ++
+ tests/test-eval-extents.sh | 71 ++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 74 insertions(+), 1 deletion(-)
+ create mode 100644 tests/test-eval-extents.sh
+
+diff --git a/server/protocol.c b/server/protocol.c
+index d9a5e28..c32fec8 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -493,7 +493,7 @@ extents_to_block_descriptors (struct nbdkit_extents *extents,
+       (*nr_blocks)++;
+ 
+       pos += length;
+-      if (pos > offset + count) /* this must be the last block */
++      if (pos >= offset + count) /* this must be the last block */
+         break;
+ 
+       /* If we reach here then we must have consumed this whole
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 9233c37..a1905c9 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -781,6 +781,7 @@ TESTS += \
+ 	test-eval.sh \
+ 	test-eval-file.sh \
+ 	test-eval-exports.sh \
++	test-eval-extents.sh \
+ 	test-eval-cache.sh \
+ 	test-eval-dump-plugin.sh \
+ 	test-eval-disconnect.sh \
+@@ -789,6 +790,7 @@ EXTRA_DIST += \
+ 	test-eval.sh \
+ 	test-eval-file.sh \
+ 	test-eval-exports.sh \
++	test-eval-extents.sh \
+ 	test-eval-cache.sh \
+ 	test-eval-dump-plugin.sh \
+ 	test-eval-disconnect.sh \
+diff --git a/tests/test-eval-extents.sh b/tests/test-eval-extents.sh
+new file mode 100644
+index 0000000..92b503e
+--- /dev/null
++++ b/tests/test-eval-extents.sh
+@@ -0,0 +1,71 @@
++#!/usr/bin/env bash
++# nbdkit
++# Copyright Red Hat
++#
++# Redistribution and use in source and binary forms, with or without
++# modification, are permitted provided that the following conditions are
++# met:
++#
++# * Redistributions of source code must retain the above copyright
++# notice, this list of conditions and the following disclaimer.
++#
++# * Redistributions in binary form must reproduce the above copyright
++# notice, this list of conditions and the following disclaimer in the
++# documentation and/or other materials provided with the distribution.
++#
++# * Neither the name of Red Hat nor the names of its contributors may be
++# used to endorse or promote products derived from this software without
++# specific prior written permission.
++#
++# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND
++# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
++# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
++# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
++# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
++# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
++# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
++# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++# SUCH DAMAGE.
++
++source ./functions.sh
++set -e
++set -x
++
++requires_run
++requires_plugin eval
++requires_nbdsh_uri
++requires nbdsh --base-allocation --version
++
++files="eval-extents.out"
++rm -f $files
++cleanup_fn rm -f $files
++
++# Trigger an off-by-one bug introduced in v1.11.10 and fixed in v1.43.7
++export script='
++def f(context, offset, extents, status):
++  print(extents)
++
++# First, probe where the server should return 2 extents.
++h.block_status(2**32-1, 2, f)
++
++# Next, probe where the server has exactly 2**32-1 bytes in its first extent.
++h.block_status(2**32-1, 1, f)
++
++# Now, probe where the first extent has to be truncated.
++h.block_status(2**32-1, 0, f)
++'
++nbdkit eval \
++       get_size='echo 5G' \
++       pread='dd if=/dev/zero count=$3 iflag=count_bytes' \
++       extents='echo 0 4G 1; echo 4G 1G 2' \
++       --run 'nbdsh --base-allocation --uri "$uri" -c "$script"' \
++       > eval-extents.out
++cat eval-extents.out
++diff -u - eval-extents.out <<EOF
++[4294967294, 1, 1073741824, 2]
++[4294967295, 1]
++[4294967295, 1]
++EOF
+-- 
+2.45.2
+
diff --git a/SPECS/nbdkit/CVE-2025-47712.patch b/SPECS/nbdkit/CVE-2025-47712.patch
@@ -0,0 +1,138 @@
+From 93e521b7d705202335c4147218181b0bdd1e7cb0 Mon Sep 17 00:00:00 2001
+From: dj_palli <v-dpalli@microsoft.com>
+Date: Wed, 18 Jun 2025 16:11:18 +0000
+Subject: [PATCH] Address CVE-2025-47712
+
+Upstream patch reference: https://gitlab.com/nbdkit/nbdkit/-/commit/a486f88d1eea653ea88b0bf8804c4825dab25ec7
+---
+ filters/blocksize/blocksize.c            |  3 +-
+ tests/Makefile.am                        |  2 +
+ tests/test-blocksize-extents-overflow.sh | 83 ++++++++++++++++++++++++
+ 3 files changed, 87 insertions(+), 1 deletion(-)
+ create mode 100644 tests/test-blocksize-extents-overflow.sh
+
+diff --git a/filters/blocksize/blocksize.c b/filters/blocksize/blocksize.c
+index 09195ce..d3fcb4b 100644
+--- a/filters/blocksize/blocksize.c
++++ b/filters/blocksize/blocksize.c
+@@ -482,7 +482,8 @@ blocksize_extents (nbdkit_next *next,
+     return -1;
+   }
+ 
+-  if (nbdkit_extents_aligned (next, MIN (ROUND_UP (count, h->minblock),
++  if (nbdkit_extents_aligned (next,
++                              MIN (ROUND_UP ((uint64_t) count, h->minblock),
+                                          h->maxlen),
+                               ROUND_DOWN (offset, h->minblock), flags,
+                               h->minblock, extents2, err) == -1)
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index a1905c9..dc8445f 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -1483,12 +1483,14 @@ test_layers_filter3_la_LIBADD = $(IMPORT_LIBRARY_ON_WINDOWS)
+ TESTS += \
+ 	test-blocksize.sh \
+ 	test-blocksize-extents.sh \
++	test-blocksize-extents-overflow.sh \
+ 	test-blocksize-default.sh \
+ 	test-blocksize-sharding.sh \
+ 	$(NULL)
+ EXTRA_DIST += \
+ 	test-blocksize.sh \
+ 	test-blocksize-extents.sh \
++	test-blocksize-extents-overflow.sh \
+ 	test-blocksize-default.sh \
+ 	test-blocksize-sharding.sh \
+ 	$(NULL)
+diff --git a/tests/test-blocksize-extents-overflow.sh b/tests/test-blocksize-extents-overflow.sh
+new file mode 100644
+index 0000000..844c399
+--- /dev/null
++++ b/tests/test-blocksize-extents-overflow.sh
+@@ -0,0 +1,83 @@
++#!/usr/bin/env bash
++# nbdkit
++# Copyright Red Hat
++#
++# Redistribution and use in source and binary forms, with or without
++# modification, are permitted provided that the following conditions are
++# met:
++#
++# * Redistributions of source code must retain the above copyright
++# notice, this list of conditions and the following disclaimer.
++#
++# * Redistributions in binary form must reproduce the above copyright
++# notice, this list of conditions and the following disclaimer in the
++# documentation and/or other materials provided with the distribution.
++#
++# * Neither the name of Red Hat nor the names of its contributors may be
++# used to endorse or promote products derived from this software without
++# specific prior written permission.
++#
++# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND
++# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
++# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
++# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
++# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
++# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
++# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
++# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++# SUCH DAMAGE.
++
++# Demonstrate a fix for a bug where blocksize overflowed 32 bits
++
++source ./functions.sh
++set -e
++set -x
++
++requires_run
++requires_plugin eval
++requires_nbdsh_uri
++requires nbdsh --base-allocation --version
++
++# Script a sparse server that requires 512-byte aligned requests.
++exts='
++if test $(( ($3|$4) & 511 )) != 0; then
++  echo "EINVAL request unaligned" 2>&1
++  exit 1
++fi
++echo 0 5G 0
++'
++
++# We also need an nbdsh script to parse all extents, coalescing adjacent
++# types for simplicity.
++# FIXME: Once nbdkit plugin version 3 allows 64-bit block extents, run
++# this test twice, once for each bit size (32-bit needs 2 extents, 64-bit
++# will get the same result with only 1 extent).
++export script='
++size = h.get_size()
++offs = 0
++entries = []
++def f(metacontext, offset, e, err):
++    global entries
++    global offs
++    assert offs == offset
++    for length, flags in zip(*[iter(e)] * 2):
++        if entries and flags == entries[-1][1]:
++            entries[-1] = (entries[-1][0] + length, flags)
++        else:
++            entries.append((length, flags))
++        offs = offs + length
++
++# Test a loop over the entire device
++while offs < size:
++    len = min(size - offs, 2**32-1)
++    h.block_status(len, offs, f)
++assert entries == [(5 * 2**30, 0)]
++'
++
++# Now run everything
++nbdkit --filter=blocksize eval minblock=512 \
++       get_size='echo 5G' pread='exit 1' extents="$exts" \
++       --run 'nbdsh --base-allocation -u "$uri" -c "$script"'
+-- 
+2.45.2
+
diff --git a/SPECS/nbdkit/nbdkit.spec b/SPECS/nbdkit/nbdkit.spec
@@ -51,7 +51,7 @@ Distribution:   Mariner
 
 Name:           nbdkit
 Version:        1.35.3
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        NBD server
 
 License:        BSD
@@ -128,6 +128,8 @@ Requires:       nbdkit-server%{?_isa} = %{version}-%{release}
 Requires:       nbdkit-basic-plugins%{?_isa} = %{version}-%{release}
 Requires:       nbdkit-basic-filters%{?_isa} = %{version}-%{release}
 
+Patch0: CVE-2025-47711.patch
+Patch1: CVE-2025-47712.patch
 
 %description
 NBD is a protocol for accessing block devices (hard disks and
@@ -1193,6 +1195,10 @@ export LIBGUESTFS_TRACE=1
 
 
 %changelog
+* Wed Jun 18 2025 Durga Jagadeesh Palli <v-dpalli@microsoft.com> - 1.35.3-4
+- add patch for CVE-2025-47711.patch
+- add patch for CVE-2025-47712.patch
+
 * Wed Sep 20 2023 Jon Slobodzian <joslobo@microsoft.com> - 1.35.3-3
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)
 
