Bug 2241041 (CVE-2023-5215)

Summary: CVE-2023-5215 libnbd: Crash or misbehaviour when NBD server returns an unexpected block size
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: mxie, rjones, tyan, tzheng, virt-maint, vwu, xiaodwan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libnbd 1.18.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libnbd. A server can reply with a block size larger than 2^63 (the NBD spec states the size is a 64-bit unsigned value). This issue could lead to an application crash or other unintended behavior for NBD clients that doesn't treat the return value of the nbd_get_size() function correctly.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2241042, 2241043, 2241044    
Bug Blocks: 2240178, 2241096    

Description Pedro Sampaio 2023-09-27 19:49:50 UTC 
In libnbd since v1.0 a server can reply with a block size larger than 2^63 (the NBD spec states size is a 64-bit unsigned value) possibly leading to application crash or other unintended behavior for NBD clients that doesn't treat the return value correctly.

References:

https://listman.redhat.com/archives/libguestfs/2023-September/032635.html
Comment 1 Pedro Sampaio 2023-09-27 19:52:29 UTC 
Created libnbd tracking bugs for this issue:

Affects: fedora-all [bug 2241042]
Comment 6 errata-xmlrpc 2024-04-30 09:47:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2204 https://access.redhat.com/errata/RHSA-2024:2204