[PULL,0/5] NBD: fix CVE-2024-7409 for 9.1

Message ID	20240808215529.1065336-7-eblake@redhat.com
State	New
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> From: Eric Blake <eblake@redhat.com> To: qemu-devel@nongnu.org Subject: [PULL 0/5] NBD: fix CVE-2024-7409 for 9.1 Date: Thu, 8 Aug 2024 16:53:38 -0500 Message-ID: <20240808215529.1065336-7-eblake@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=170.10.133.124; envelope-from=eblake@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -21 X-Spam_score: -2.2 X-Spam_bar: -- X-Spam_report: (-2.2 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.141, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action Precedence: list Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Message ID

20240808215529.1065336-7-eblake@redhat.com

State

New

Headers

From: Eric Blake <eblake@redhat.com>
To: qemu-devel@nongnu.org
Subject: [PULL 0/5] NBD: fix CVE-2024-7409 for 9.1
Date: Thu,  8 Aug 2024 16:53:38 -0500
Message-ID: <20240808215529.1065336-7-eblake@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=170.10.133.124; envelope-from=eblake@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com
X-Spam_score_int: -21
X-Spam_score: -2.2
X-Spam_bar: --
X-Spam_report: (-2.2 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.141,
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Message

Eric Blake Aug. 8, 2024, 9:53 p.m. UTC

The following changes since commit 75c7f574035622798e9361a942bdfbb0af930f0e:

  Merge tag 'pull-hex-20240807' of https://github.com/quic/qemu into staging (2024-08-08 16:08:18 +1000)

are available in the Git repository at:

  https://repo.or.cz/qemu/ericb.git tags/pull-nbd-2024-08-08

for you to fetch changes up to 3e7ef738c8462c45043a1d39f702a0990406a3b3:

  nbd/server: CVE-2024-7409: Close stray clients at server-stop (2024-08-08 16:34:04 -0500)

----------------------------------------------------------------
NBD patches for 2024-08-08

- plug CVE-2024-7409, a DoS attack exploiting nbd-server-stop

----------------------------------------------------------------
Eric Blake (5):
      nbd: Minor style and typo fixes
      nbd/server: Plumb in new args to nbd_client_add()
      nbd/server: CVE-2024-7409: Cap default max-connections to 100
      nbd/server: CVE-2024-7409: Drop non-negotiating clients
      nbd/server: CVE-2024-7409: Close stray clients at server-stop

 qapi/block-export.json         |  4 ++--
 include/block/nbd.h            | 18 +++++++++++++++-
 block/monitor/block-hmp-cmds.c |  3 ++-
 blockdev-nbd.c                 | 47 +++++++++++++++++++++++++++++++++++++++--
 nbd/server.c                   | 48 ++++++++++++++++++++++++++++++++++++++----
 qemu-nbd.c                     |  7 ++++--
 nbd/trace-events               |  1 +
 7 files changed, 116 insertions(+), 12 deletions(-)

Comments

Richard Henderson Aug. 10, 2024, 11:39 a.m. UTC | #1

On 8/9/24 07:53, Eric Blake wrote:
> The following changes since commit 75c7f574035622798e9361a942bdfbb0af930f0e:
> 
>    Merge tag 'pull-hex-20240807' ofhttps://github.com/quic/qemu into staging (2024-08-08 16:08:18 +1000)
> 
> are available in the Git repository at:
> 
>    https://repo.or.cz/qemu/ericb.git tags/pull-nbd-2024-08-08
> 
> for you to fetch changes up to 3e7ef738c8462c45043a1d39f702a0990406a3b3:
> 
>    nbd/server: CVE-2024-7409: Close stray clients at server-stop (2024-08-08 16:34:04 -0500)
> 
> ----------------------------------------------------------------
> NBD patches for 2024-08-08
> 
> - plug CVE-2024-7409, a DoS attack exploiting nbd-server-stop

Applied, thanks.  Please update https://wiki.qemu.org/ChangeLog/9.1 as appropriate.

r~

[PULL,0/5] NBD: fix CVE-2024-7409 for 9.1

Pull-request

Message

Comments