Bug 2050324 (CVE-2022-0485) - CVE-2022-0485 libnbd: nbdcopy: missing error handling may create corrupted destination image
Summary: CVE-2022-0485 libnbd: nbdcopy: missing error handling may create corrupted de...
Alias: CVE-2022-0485
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2045718 2046194 2050325 2050338 2050339 2050340
Blocks: 2050309 2050326
Reported: 2022-02-03 17:02 UTC by Mauro Matteo Cascella
Modified: 2022-12-02 09:00 UTC (History)

Fixed In Version: libnbd 1.11.8
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the copying tool `nbdcopy` of libnbd. When performing multi-threaded copies using asynchronous NBD calls, nbdcopy was blindly treating the completion of an asynchronous command as successful, rather than checking the `*error` parameter passed to the completion callback. This could result in the silent creation of a corrupted destination image.
Clone Of:
Last Closed: 2022-05-12 09:45:44 UTC


System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:0949 0 None None None 2022-03-16 14:07:59 UTC
Red Hat Product Errata RHSA-2022:0971 0 None None None 2022-03-21 07:52:14 UTC
Red Hat Product Errata RHSA-2022:1759 0 None None None 2022-05-10 13:18:01 UTC
Red Hat Product Errata RHSA-2022:2181 0 None None None 2022-05-11 10:47:46 UTC

Description Mauro Matteo Cascella 2022-02-03 17:02:34 UTC
A flaw was found in nbdcopy. When copying from an NBD server using the asynchronous copy mode (the default), nbdcopy may create a corrupted destination image if a read or write NBD command starts but the server returns an error. nbdcopy also exits with a zero exit code, so programs running it cannot detect that the operation failed.

Upstream patch proposed:

Comment 1 Mauro Matteo Cascella 2022-02-03 17:03:14 UTC
Created libnbd tracking bugs for this issue:

Affects: fedora-all [bug 2050325]

Comment 9 Richard W.M. Jones 2022-02-04 08:57:50 UTC

Comment 11 Mauro Matteo Cascella 2022-02-07 13:57:05 UTC
Patch v2:

Comment 12 Mauro Matteo Cascella 2022-02-07 14:00:51 UTC
Upstream commit:

Comment 14 Mauro Matteo Cascella 2022-02-07 21:05:32 UTC
Libnbd security advisory:

Comment 15 errata-xmlrpc 2022-03-16 14:07:57 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.5.0.Z

Via RHSA-2022:0949 https://access.redhat.com/errata/RHSA-2022:0949

Comment 16 errata-xmlrpc 2022-03-21 07:52:11 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.4.0.EUS

Via RHSA-2022:0971 https://access.redhat.com/errata/RHSA-2022:0971

Comment 17 errata-xmlrpc 2022-05-10 13:17:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1759 https://access.redhat.com/errata/RHSA-2022:1759

Comment 18 errata-xmlrpc 2022-05-11 10:47:44 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.6.0

Via RHSA-2022:2181 https://access.redhat.com/errata/RHSA-2022:2181

Comment 19 Product Security DevOps Team 2022-05-12 09:45:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 20 Richard W.M. Jones 2022-07-06 12:59:36 UTC
A simple reproducer for this is:

nbdcopy -p -- [ nbdkit --filter=error pattern 5M error-pread-rate=1 ] null:

This command will exit with success (status code 0) if the bug is present
and exit with an error (status code 1) if the bug is fixed.

Note that nbdkit error messages will be printed either way.
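A model of the completion-callback mistake described in the Doc Text and exercised by the reproducer in comment 20, added here as an example and not libnbd's or nbdcopy's own code: it assumes a constructed in-memory stand-in for the NBD server and for nbdcopy's copy state, keeping only the libnbd callback shape `int callback(void *user_data, int *error)`; the function names are hypothetical.

```c
/* Added model of nbdcopy's completion handling, not libnbd or nbdcopy code.
 * Callback shape mirrors libnbd's int callback(void *user_data, int *error). */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define NBLOCKS 8
/* Constructed copy state: which destination blocks were really written,
 * plus a sticky failure flag that decides the exit status. */
struct copy_state {
    bool block_ok[NBLOCKS];
    bool failed;
    int current;
};

/* Vulnerable pattern: completion treated as success, *error ignored. */
static int unchecked_completion(void *user_data, int *error)
{
    struct copy_state *st = user_data;
    (void)error;
    st->block_ok[st->current] = true;  /* block recorded as copied anyway */
    return 1;                           /* 1 = libnbd retires the command */
}

/* Fixed pattern: non-zero *error means the read/write did not happen. */
static int checked_completion(void *user_data, int *error)
{
    struct copy_state *st = user_data;
    if (*error) {
        fprintf(stderr, "block %d: NBD command failed: %s\n",
                st->current, strerror(*error));
        st->failed = true;  /* the real fix makes nbdcopy exit non-zero */
        return 1;
    }
    st->block_ok[st->current] = true;
    return 1;
}

/* Constructed stand-in for a server that fails one block's pread, like
 * nbdkit --filter=error in the reproducer. Returns the copy exit status. */
int run_copy(int (*completion)(void *, int *), int failing_block, struct copy_state *st)
{
    memset(st, 0, sizeof *st);
    for (int i = 0; i < NBLOCKS; i++) {
        int error = (i == failing_block) ? EIO : 0;  /* server's verdict */
        st->current = i;
        completion(st, &error);
    }
    return st->failed ? 1 : 0;
}
```

With the unchecked callback the failed block is still marked as copied and the status is 0, which is the silent corruption the advisory describes; the checked callback leaves the block unmarked and returns 1.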

Comment 21 Mauro Matteo Cascella 2022-12-01 10:16:30 UTC
As far as Red Hat CVSS score is concerned, this is a data corruption issue with integrity impact (for a failed read by source NBD server) and confidentiality impact (for a failed write by destination NBD server). In both cases Low impact (C:L/I:L) as the attacker has no control over what information is modified/obtained. No direct compromise of availability (A:N).
