fix CVE-2025-30472

2025-03-27 11:30:25 +08:00 · 2025-03-27 11:30:25 +08:00 · 7a572f5671
commit 7a572f5671
parent d0c5d094af
2 changed files with 70 additions and 1 deletions
--- a/backport-CVE-2025-30472.patch
+++ b/backport-CVE-2025-30472.patch
@ -0,0 +1,65 @@
+From 7839990f9cdf34e55435ed90109e82709032466a Mon Sep 17 00:00:00 2001
+From: Jan Friesse <jfriesse@redhat.com>
+Date: Mon, 24 Mar 2025 12:05:08 +0100
+Subject: [PATCH] totemsrp: Check size of orf_token msg
+
+orf_token message is stored into preallocated array on endian convert
+so carefully crafted malicious message can lead to crash of corosync.
+
+Solution is to check message size beforehand.
+
+Signed-off-by: Jan Friesse <jfriesse@redhat.com>
+Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
+---
+ exec/totemsrp.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/exec/totemsrp.c b/exec/totemsrp.c
+index 962d0e2a..364528ce 100644
+--- a/exec/totemsrp.c
+++ b/exec/totemsrp.c
+@@ -3679,12 +3679,20 @@ static int check_orf_token_sanity(
+ 	const struct totemsrp_instance *instance,
+ 	const void *msg,
+ 	size_t msg_len,
+	size_t max_msg_len,
+ 	int endian_conversion_needed)
+ {
+ 	int rtr_entries;
+ 	const struct orf_token *token = (const struct orf_token *)msg;
+ 	size_t required_len;
+ 
+	if (msg_len > max_msg_len) {
+		log_printf (instance->totemsrp_log_level_security,
+		    "Received orf_token message is too long...  ignoring.");
+
+		return (-1);
+	}
+
+ 	if (msg_len < sizeof(struct orf_token)) {
+ 		log_printf (instance->totemsrp_log_level_security,
+ 		    "Received orf_token message is too short...  ignoring.");
+@@ -3698,6 +3706,13 @@ static int check_orf_token_sanity(
+ 		rtr_entries = token->rtr_list_entries;
+ 	}
+ 
+	if (rtr_entries > RETRANSMIT_ENTRIES_MAX) {
+		log_printf (instance->totemsrp_log_level_security,
+		    "Received orf_token message rtr_entries is corrupted...  ignoring.");
+
+		return (-1);
+	}
+
+ 	required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item);
+ 	if (msg_len < required_len) {
+ 		log_printf (instance->totemsrp_log_level_security,
+@@ -3866,7 +3881,8 @@ static int message_handler_orf_token (
+ 	"Time since last token %0.4f ms", ((float)tv_diff) / 1000000.0);
+ #endif
+ 
+-	if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) {
+	if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage),
+            endian_conversion_needed) == -1) {
+ 		return (0);
+ 	}
+ 
--- a/corosync.spec
+++ b/corosync.spec
@ -18,7 +18,7 @@
 Name:           corosync
 Summary:        The Corosync Cluster Engine and Application Programming Interfaces
 Version:        3.1.8
-Release:        5
+Release:        6
 License:        BSD-3-Clause
 URL:            http://corosync.github.io/corosync/
 Source0:        http://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz
@ -26,6 +26,7 @@ Patch0:         Fix-up-the-library-versions-files.patch
 Patch1:         Report-crypto-errors-back-to-cfg-reload.patch
 Patch2:         Fix-building-of-rust-for-release.patch
 Patch3:         totem-Fix-reference-links.patch
+Patch4:         backport-CVE-2025-30472.patch

 # Runtime bits
 # The automatic dependency overridden in favor of explicit version lock
@ -292,6 +293,9 @@ network splits)
 %endif

 %changelog
+* Thu Mar 27 2025 Funda Wang <fundawang@yeah.net> - 3.1.8-6
+- fix CVE-2025-30472
+
 * Fri Mar 15 2024 zouzhimin <zouzhimin@kylinos.cn> - 3.1.8-5
 - totem: Fix reference links