!39 fix CVE-2025-30472

From: @fundawang Reviewed-by: @jxy_git Signed-off-by: @jxy_git
2025-03-27 05:46:00 +00:00 · 2025-03-27 05:46:00 +00:00 · 805829665a
commit 805829665a
parent d0c5d094af 7a572f5671
2 changed files with 70 additions and 1 deletions
--- a/backport-CVE-2025-30472.patch
+++ b/backport-CVE-2025-30472.patch
@ -0,0 +1,65 @@
 From 7839990f9cdf34e55435ed90109e82709032466a Mon Sep 17 00:00:00 2001
 From: Jan Friesse <jfriesse@redhat.com>
 Date: Mon, 24 Mar 2025 12:05:08 +0100
 Subject: [PATCH] totemsrp: Check size of orf_token msg
 orf_token message is stored into preallocated array on endian convert
 so carefully crafted malicious message can lead to crash of corosync.
 Solution is to check message size beforehand.
 Signed-off-by: Jan Friesse <jfriesse@redhat.com>
 Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
 ---
 exec/totemsrp.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
 diff --git a/exec/totemsrp.c b/exec/totemsrp.c
 index 962d0e2a..364528ce 100644
 --- a/exec/totemsrp.c
 +++ b/exec/totemsrp.c
@@ -3679,12 +3679,20 @@ static int check_orf_token_sanity(
 	const struct totemsrp_instance *instance,
 	const void *msg,
 	size_t msg_len,
 +	size_t max_msg_len,
 	int endian_conversion_needed)
 {
 	int rtr_entries;
 	const struct orf_token *token = (const struct orf_token *)msg;
 	size_t required_len;
 +	if (msg_len > max_msg_len) {
 +		log_printf (instance->totemsrp_log_level_security,
 +		    "Received orf_token message is too long...  ignoring.");
 +
 +		return (-1);
 +	}
 +
 	if (msg_len < sizeof(struct orf_token)) {
 		log_printf (instance->totemsrp_log_level_security,
 		    "Received orf_token message is too short...  ignoring.");
@@ -3698,6 +3706,13 @@ static int check_orf_token_sanity(
 		rtr_entries = token->rtr_list_entries;
 	}
 +	if (rtr_entries > RETRANSMIT_ENTRIES_MAX) {
 +		log_printf (instance->totemsrp_log_level_security,
 +		    "Received orf_token message rtr_entries is corrupted...  ignoring.");
 +
 +		return (-1);
 +	}
 +
 	required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item);
 	if (msg_len < required_len) {
 		log_printf (instance->totemsrp_log_level_security,
@@ -3866,7 +3881,8 @@ static int message_handler_orf_token (
 	"Time since last token %0.4f ms", ((float)tv_diff) / 1000000.0);
 #endif
 -	if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) {
 +	if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage),
 +            endian_conversion_needed) == -1) {
 		return (0);
 	}
--- a/corosync.spec
+++ b/corosync.spec
@ -18,7 +18,7 @@
 Name:           corosync
 Summary:        The Corosync Cluster Engine and Application Programming Interfaces
 Version:        3.1.8
-Release:        5
+Release:        6
 License:        BSD-3-Clause
 URL:            http://corosync.github.io/corosync/
 Source0:        http://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz
@ -26,6 +26,7 @@ Patch0:         Fix-up-the-library-versions-files.patch
 Patch1:         Report-crypto-errors-back-to-cfg-reload.patch
 Patch2:         Fix-building-of-rust-for-release.patch
 Patch3:         totem-Fix-reference-links.patch
 Patch4:         backport-CVE-2025-30472.patch
 # Runtime bits
 # The automatic dependency overridden in favor of explicit version lock
@ -292,6 +293,9 @@ network splits)
 %endif
 %changelog
 * Thu Mar 27 2025 Funda Wang <fundawang@yeah.net> - 3.1.8-6
 - fix CVE-2025-30472
 * Fri Mar 15 2024 zouzhimin <zouzhimin@kylinos.cn> - 3.1.8-5
 - totem: Fix reference links