Bug 1843707 (CVE-2020-10761) - CVE-2020-10761 QEMU: nbd: reachable assertion failure in nbd_negotiate_send_rep_verr via remote client
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10761
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1845381 1845384 1845385 1910688
Blocks: 1843709
Reported: 2020-06-03 21:41 UTC by Pedro Sampaio
Modified: 2022-04-17 20:56 UTC

Fixed In Version: QEMU 5.0.1
Doc Text:
An assertion failure was found in the Network Block Device (NBD) server of QEMU. The flaw occurs when an nbd-client sends a spec-compliant request that is near the boundary of the maximum permitted request length. A remote nbd-client could use this flaw to crash the qemu-nbd server, resulting in a denial of service.
Clone Of:
Environment:
Last Closed: 2021-12-15 12:03:21 UTC
Embargoed:



Description Pedro Sampaio 2020-06-03 21:41:21 UTC
Quick Emulator (QEMU) built with the Network Block Device (NBD) server support is vulnerable to a crash via assertion failure. An nbd-client can cause denial of service by aborting QEMU as NBD server with a spec-compliant request that is near the boundary of the maximum length permitted. A remote user/process could use this flaw to crash the qemu-nbd server, resulting in DoS.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg02031.html

Issue introduced since QEMU v4.2
  -> https://git.qemu.org/?p=qemu.git;a=commit;h=93676c88d7a5cd5971de94f9091eff8e9773b1af
  - It allowed nbd-client to send longer export names
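
An added example, not QEMU's code or the upstream patch: the failure pattern described above, in C, assuming the error reply text echoes the client-supplied export name, so a maximum-length name pushes the reply past the string limit. The 4096-byte cap, the 80-byte echo limit, the message wording and all function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_STRING 4096 /* assumed cap on any protocol string */
#define NAME_SHOWN 80   /* hypothetical: bytes of the name an error echoes */

/* "Before" shape: length of the reply text when the whole name is echoed.
 * A caller that does assert(len < MAX_STRING) on this value aborts the
 * server as soon as a legal, maximum-length name arrives. */
size_t unbounded_reply_len(const char *name)
{
    return (size_t)snprintf(NULL, 0, "export '%s' not present", name);
}

/* Hardened shape: echo at most NAME_SHOWN bytes of the name and clamp the
 * result to the buffer and to MAX_STRING instead of asserting.
 * Returns the number of message bytes to send. */
size_t bounded_reply(char *out, size_t cap, const char *name)
{
    const char *tail = strlen(name) > NAME_SHOWN ? "..." : "";
    int n;

    if (cap == 0)
        return 0;
    n = snprintf(out, cap, "export '%.*s%s' not present",
                 NAME_SHOWN, name, tail);
    if (n < 0) {
        out[0] = '\0';
        return 0;
    }
    if ((size_t)n >= cap)
        n = (int)(cap - 1); /* snprintf truncated to fit the buffer */
    return (size_t)n > MAX_STRING ? MAX_STRING : (size_t)n;
}

int main(void)
{
    static char name[MAX_STRING + 1]; /* constructed: longest legal name */
    char reply[256];

    memset(name, 'A', MAX_STRING);
    printf("unbounded=%zu (cap %d), bounded=%zu\n",
           unbounded_reply_len(name), MAX_STRING,
           bounded_reply(reply, sizeof reply, name));
    return 0;
}
```

The general point for reviewers: an assertion on the length of text derived from peer input is a remotely reachable abort, so such lengths should be clamped or rejected with an error path rather than asserted.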

Comment 2 Prasad Pandit 2020-06-09 05:20:09 UTC
Acknowledgments:

Name: Eric Blake (redhat.com), Xueqiang Wei (redhat.com)

Comment 3 Prasad Pandit 2020-06-09 05:20:31 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1845381]

Comment 5 Prasad Pandit 2020-06-09 05:32:52 UTC
External References:

https://www.openwall.com/lists/oss-security/2020/06/09/1

