Bug 2462817 (CVE-2026-10649)
| Summary: | CVE-2026-10649 pacemaker: Pacemaker: Denial of Service via integer overflow in remote message decompression | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | rhel-process-autobot, security-response-team, watson-tool-maintainers |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Pacemaker. An unauthenticated remote attacker can exploit an integer overflow vulnerability in the remote message decompression process. By sending a specially crafted compressed remote message before authentication, an attacker can cause memory corruption, leading to a denial of service (DoS) in the CIB remote listener. This can result in the affected service crashing.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2489310 | ||
| Bug Blocks: | |||
| Deadline: | 2026-06-16 | ||
AI_ONLY_REPORT package: pacemaker-3.0.1-5.el10 ------ Summary: Integer Overflow in Remote Message Decompression: crafted pre-auth compressed remote messages can wrap size calculations before allocation, leading to memory corruption and denial of service in the CIB remote listener. Requirements to exploit: Network reachability to a `pacemaker-based` CIB remote listener configured with `remote-port` or `remote-tls-port`, and the ability to send a crafted compressed remote message before authentication. The reproduction below demonstrates the fault on a 32-bit build with a memory sanitizer. Component affected: `pacemaker-3.0.1-5.el10`, `lib/common/remote.c`, `pcmk__remote_message_xml()`, with the pre-auth call path through the CIB remote listener in `daemons/based/based_remote.c` Version affected: `pacemaker-3.0.1-5.el10` when the CIB remote listener is enabled; the supplied reproduction demonstrates impact on a 32-bit build Patch available: no released package fix established; proposed patch included below Version fixed: unknown Upstream coordination: Not notified. CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - 7.5 (HIGH) AV:N - The vulnerable parser is reachable over the network when the CIB remote listener is enabled. AC:L - The malformed header values and compressed payload are straightforward to construct. PR:N - The message is parsed before authentication. UI:N - No user interaction is required. S:U - The demonstrated impact is within the scope of the service handling the remote message. C:N - The available evidence does not establish unauthorized disclosure of data. I:N - The available evidence does not establish unauthorized modification of data. A:H - A crafted message can trigger memory corruption and crash the service during decompression. Impact: Important. Red Hat classifies flaws that allow remote users to cause a denial of service as Important. Here, an unauthenticated network client can reach the vulnerable parser before authentication and trigger a crash where the CIB remote listener is enabled. This is not Critical because the available evidence supports availability impact, not unauthenticated code execution or broader system compromise. Embargo: yes Reason: The issue is pre-auth and network-reachable when the listener is enabled, the malformed packet is straightforward to build, and no released fix is established yet. Acknowledgement: Aisle Research Vulnerability Details: In the remote message decompression path, attacker-controlled header values are used in size calculations before allocation: ```c if (header->payload_compressed) { int rc = 0; unsigned int size_u = 1 + header->payload_uncompressed; char *uncompressed = pcmk__assert_alloc(1, header->payload_offset + size_u); ... rc = BZ2_bzBuffToBuffDecompress(uncompressed + header->payload_offset, &size_u, remote->buffer + header->payload_offset, header->payload_compressed, 1, 0); ``` `payload_offset`, `payload_compressed`, and `payload_uncompressed` are taken from the received remote message header, and there are no preceding bounds or consistency checks on these fields before `size_u` and the allocation length are derived. A crafted message can therefore cause `1 + payload_uncompressed` or `payload_offset + size_u` to wrap before allocation, leaving a small destination buffer while the decompressor is still asked to produce a much larger output region. This parsing occurs before client authentication on the CIB remote listener, so an unauthenticated client that can reach that listener can trigger the vulnerable path before `cib_remote_auth()` completes. The available evidence supports a denial-of-service outcome through memory corruption and crash. It does not establish confidentiality, integrity, or code-execution impact, so those effects should be treated as unproven. Steps to reproduce: 1. Build and run a 32-bit `pacemaker-based` with ASan or another memory sanitizer, and enable `remote-port` or `remote-tls-port`. 2. Connect to the CIB remote listener and send one packet with `payload_offset = 0x00000028`, `payload_uncompressed = 0xFFFFFFC0`, `payload_compressed = len(bz2_payload)` where `bz2_payload = bz2.compress(b"A"*512 + b"\x00")`, and `size_total = payload_offset + payload_compressed`. 3. Send the header and `bz2_payload` as a single remote message. 4. Observe an out-of-bounds write or crash inside or immediately around `BZ2_bzBuffToBuffDecompress()` from `pcmk__remote_message_xml()` before authentication completes. Note: `payload_uncompressed = UINT32_MAX` alone is not the best trigger. Values near `UINT32_MAX` that make `payload_offset + (1 + payload_uncompressed)` wrap are the more reliable case. Mitigation: Disable the CIB remote listener where it is not required. If it must remain enabled, restrict network access to trusted peers only. These steps reduce exposure but do not correct the underlying validation flaw. Proposed Fix: Validate header layout and sizes before decompression, and use overflow-safe arithmetic for the allocation size. ```diff diff --git a/lib/common/remote.c b/lib/common/remote.c @@ -300,10 +300,34 @@ pcmk_remote_message_xml(pcmk_remote_t *remote) /* Support compression on the receiving end now, in case we ever want to add it later */ if (header->payload_compressed) { int rc = 0; unsigned int size_u = 1 + header->payload_uncompressed; char *uncompressed = pcmk__assert_alloc(1, header->payload_offset + size_u); + size_t alloc_size = 0; + unsigned int size_u = 0; + char *uncompressed = NULL; + + if (header->payload_offset < sizeof(struct remote_header_v0)) { + crm_err("Invalid remote payload offset %u", header->payload_offset); + return NULL; + } + if (((size_t) header->payload_offset + (size_t) header->payload_compressed) + != (size_t) header->size_total) { + crm_err("Invalid remote payload sizing"); + return NULL; + } + if ((size_t) header->size_total > remote->buffer_offset) { + crm_err("Incomplete remote message buffer"); + return NULL; + } + if (header->payload_uncompressed >= UINT_MAX) { + crm_err("Invalid remote uncompressed size %u", header->payload_uncompressed); + return NULL; + } + + size_u = header->payload_uncompressed + 1U; + if ((size_t) header->payload_offset > (SIZE_MAX - (size_t) size_u)) { + crm_err("Remote payload size overflow"); + return NULL; + } + alloc_size = (size_t) header->payload_offset + (size_t) size_u; + uncompressed = pcmk__assert_alloc(1, alloc_size); crm_trace("Decompressing message data %d bytes into %d bytes", header->payload_compressed, size_u); ``` ------ This report was generated using AI technology. Always review AI-generated content prior to use