packages/corosync
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2025-30472

Browse Source
This commit is contained in:
Funda Wang 2025-03-27 11:30:25 +08:00
parent d0c5d094af
commit 7a572f5671
2 changed files with 70 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
backport-CVE-2025-30472.patch Normal file
View File

@ -0,0 +1,65 @@
From 7839990f9cdf34e55435ed90109e82709032466a Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Mon, 24 Mar 2025 12:05:08 +0100
Subject: [PATCH] totemsrp: Check size of orf_token msg
orf_token message is stored into preallocated array on endian convert
so carefully crafted malicious message can lead to crash of corosync.
Solution is to check message size beforehand.
Signed-off-by: Jan Friesse <jfriesse@redhat.com>
Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
---
exec/totemsrp.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/exec/totemsrp.c b/exec/totemsrp.c
index 962d0e2a..364528ce 100644
--- a/exec/totemsrp.c
+++ b/exec/totemsrp.c
@@ -3679,12 +3679,20 @@ static int check_orf_token_sanity(
const struct totemsrp_instance *instance,
const void *msg,
size_t msg_len,
+ size_t max_msg_len,
int endian_conversion_needed)
{
int rtr_entries;
const struct orf_token *token = (const struct orf_token *)msg;
size_t required_len;
+ if (msg_len > max_msg_len) {
+ log_printf (instance->totemsrp_log_level_security,
+ "Received orf_token message is too long... ignoring.");
+
+ return (-1);
+ }
+
if (msg_len < sizeof(struct orf_token)) {
log_printf (instance->totemsrp_log_level_security,
"Received orf_token message is too short... ignoring.");
@@ -3698,6 +3706,13 @@ static int check_orf_token_sanity(
rtr_entries = token->rtr_list_entries;
}
+ if (rtr_entries > RETRANSMIT_ENTRIES_MAX) {
+ log_printf (instance->totemsrp_log_level_security,
+ "Received orf_token message rtr_entries is corrupted... ignoring.");
+
+ return (-1);
+ }
+
required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item);
if (msg_len < required_len) {
log_printf (instance->totemsrp_log_level_security,
@@ -3866,7 +3881,8 @@ static int message_handler_orf_token (
"Time since last token %0.4f ms", ((float)tv_diff) / 1000000.0);
#endif
- if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) {
+ if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage),
+ endian_conversion_needed) == -1) {
return (0);
}

6
corosync.spec
View File

@ -18,7 +18,7 @@
Name: corosync Name: corosync
Summary: The Corosync Cluster Engine and Application Programming Interfaces Summary: The Corosync Cluster Engine and Application Programming Interfaces
Version: 3.1.8 Version: 3.1.8
Release: 5 Release: 6
License: BSD-3-Clause License: BSD-3-Clause
URL: http://corosync.github.io/corosync/ URL: http://corosync.github.io/corosync/
Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz
@ -26,6 +26,7 @@ Patch0: Fix-up-the-library-versions-files.patch
Patch1: Report-crypto-errors-back-to-cfg-reload.patch Patch1: Report-crypto-errors-back-to-cfg-reload.patch
Patch2: Fix-building-of-rust-for-release.patch Patch2: Fix-building-of-rust-for-release.patch
Patch3: totem-Fix-reference-links.patch Patch3: totem-Fix-reference-links.patch
Patch4: backport-CVE-2025-30472.patch
# Runtime bits # Runtime bits
# The automatic dependency overridden in favor of explicit version lock # The automatic dependency overridden in favor of explicit version lock
@ -292,6 +293,9 @@ network splits)
%endif %endif
%changelog %changelog
* Thu Mar 27 2025 Funda Wang <fundawang@yeah.net> - 3.1.8-6
- fix CVE-2025-30472
* Fri Mar 15 2024 zouzhimin <zouzhimin@kylinos.cn> - 3.1.8-5 * Fri Mar 15 2024 zouzhimin <zouzhimin@kylinos.cn> - 3.1.8-5
- totem: Fix reference links - totem: Fix reference links