mbox series

[for-9.1,v4,0/7] CVE-2024-7409

Message ID 20240807174943.771624-9-eblake@redhat.com
Headers show
Series CVE-2024-7409 | expand

Message

Eric Blake Aug. 7, 2024, 5:43 p.m. UTC 
v3 was here:
https://lists.gnu.org/archive/html/qemu-devel/2024-08/msg00818.html

since then:
 - re-add a minor patch from v2 (now patch 1)
 - refactor how the client opaque pointer is handled (patch 2)
 - add two new patches to prevent malicious clients from consuming
   inordinate resources: change the default max-connections from
   unlimited to capped at 100 (patch 3), and add code to kill any
   client that takes longer than 10 seconds after connect to reach
   NBD_OPT_GO (patch 4) [Dan]
 - squash the connection list handling into a single patch (5) [Dan]
 - two new additional patches for reverting back to 9.0 behavior for
   integration testing purposes; I'm okay if these last two miss 9.1

Eric Blake (7):
  nbd: Minor style fixes
  nbd/server: Plumb in new args to nbd_client_add()
  nbd/server: CVE-2024-7409: Change default max-connections to 100
  nbd/server: CVE-2024-7409: Drop non-negotiating clients
  nbd/server: CVE-2024-7409: Close stray client sockets at shutdown
  qemu-nbd: Allow users to adjust handshake limit
  nbd/server: Allow users to adjust handshake limit in QMP

 docs/tools/qemu-nbd.rst        |  5 +++
 qapi/block-export.json         | 18 +++++++---
 include/block/nbd.h            | 20 +++++++++--
 block/monitor/block-hmp-cmds.c |  3 +-
 blockdev-nbd.c                 | 62 +++++++++++++++++++++++++++++++---
 nbd/server.c                   | 51 +++++++++++++++++++++++++---
 qemu-nbd.c                     | 44 ++++++++++++++++--------
 nbd/trace-events               |  1 +
 8 files changed, 173 insertions(+), 31 deletions(-)

Comments

Denis V. Lunev Aug. 22, 2024, 10:57 a.m. UTC | #1 
On 8/7/24 19:43, Eric Blake wrote:
> v3 was here:
> https://lists.gnu.org/archive/html/qemu-devel/2024-08/msg00818.html
>
> since then:
>   - re-add a minor patch from v2 (now patch 1)
>   - refactor how the client opaque pointer is handled (patch 2)
>   - add two new patches to prevent malicious clients from consuming
>     inordinate resources: change the default max-connections from
>     unlimited to capped at 100 (patch 3), and add code to kill any
>     client that takes longer than 10 seconds after connect to reach
>     NBD_OPT_GO (patch 4) [Dan]
>   - squash the connection list handling into a single patch (5) [Dan]
>   - two new additional patches for reverting back to 9.0 behavior for
>     integration testing purposes; I'm okay if these last two miss 9.1
>
> Eric Blake (7):
>    nbd: Minor style fixes
>    nbd/server: Plumb in new args to nbd_client_add()
>    nbd/server: CVE-2024-7409: Change default max-connections to 100
>    nbd/server: CVE-2024-7409: Drop non-negotiating clients
>    nbd/server: CVE-2024-7409: Close stray client sockets at shutdown
>    qemu-nbd: Allow users to adjust handshake limit
>    nbd/server: Allow users to adjust handshake limit in QMP
>
>   docs/tools/qemu-nbd.rst        |  5 +++
>   qapi/block-export.json         | 18 +++++++---
>   include/block/nbd.h            | 20 +++++++++--
>   block/monitor/block-hmp-cmds.c |  3 +-
>   blockdev-nbd.c                 | 62 +++++++++++++++++++++++++++++++---
>   nbd/server.c                   | 51 +++++++++++++++++++++++++---
>   qemu-nbd.c                     | 44 ++++++++++++++++--------
>   nbd/trace-events               |  1 +
>   8 files changed, 173 insertions(+), 31 deletions(-)
>
should this go to stable too? 7.5 score is high enough.
We have had CVE-2024-4467 
<https://security-tracker.debian.org/tracker/CVE-2024-4467> with 7.8 
merged to stables too.

Den