From 9fc703e4772d113dcd0a9087576809dacd288336 Mon Sep 17 00:00:00 2001 From: Funda Wang Date: Thu, 27 Mar 2025 11:27:06 +0800 Subject: [PATCH] fix CVE-2025-30472 --- backport-CVE-2025-30472.patch | 65 +++++++++++++++++++++++++++++++++++ corosync.spec | 6 +++- 2 files changed, 70 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2025-30472.patch diff --git a/backport-CVE-2025-30472.patch b/backport-CVE-2025-30472.patch new file mode 100644 index 0000000..0318def --- /dev/null +++ b/backport-CVE-2025-30472.patch @@ -0,0 +1,65 @@ +From 7839990f9cdf34e55435ed90109e82709032466a Mon Sep 17 00:00:00 2001 +From: Jan Friesse +Date: Mon, 24 Mar 2025 12:05:08 +0100 +Subject: [PATCH] totemsrp: Check size of orf_token msg + +orf_token message is stored into preallocated array on endian convert +so carefully crafted malicious message can lead to crash of corosync. + +Solution is to check message size beforehand. + +Signed-off-by: Jan Friesse +Reviewed-by: Christine Caulfield +--- + exec/totemsrp.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/exec/totemsrp.c b/exec/totemsrp.c +index 962d0e2a..364528ce 100644 +--- a/exec/totemsrp.c ++++ b/exec/totemsrp.c +@@ -3679,12 +3679,20 @@ static int check_orf_token_sanity( + const struct totemsrp_instance *instance, + const void *msg, + size_t msg_len, ++ size_t max_msg_len, + int endian_conversion_needed) + { + int rtr_entries; + const struct orf_token *token = (const struct orf_token *)msg; + size_t required_len; + ++ if (msg_len > max_msg_len) { ++ log_printf (instance->totemsrp_log_level_security, ++ "Received orf_token message is too long... ignoring."); ++ ++ return (-1); ++ } ++ + if (msg_len < sizeof(struct orf_token)) { + log_printf (instance->totemsrp_log_level_security, + "Received orf_token message is too short... ignoring."); +@@ -3698,6 +3706,13 @@ static int check_orf_token_sanity( + rtr_entries = token->rtr_list_entries; + } + ++ if (rtr_entries > RETRANSMIT_ENTRIES_MAX) { ++ log_printf (instance->totemsrp_log_level_security, ++ "Received orf_token message rtr_entries is corrupted... ignoring."); ++ ++ return (-1); ++ } ++ + required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item); + if (msg_len < required_len) { + log_printf (instance->totemsrp_log_level_security, +@@ -3866,7 +3881,8 @@ static int message_handler_orf_token ( + "Time since last token %0.4f ms", ((float)tv_diff) / 1000000.0); + #endif + +- if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) { ++ if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage), ++ endian_conversion_needed) == -1) { + return (0); + } + diff --git a/corosync.spec b/corosync.spec index 62f6019..3cd7eef 100644 --- a/corosync.spec +++ b/corosync.spec @@ -18,7 +18,7 @@ Name: corosync Summary: The Corosync Cluster Engine and Application Programming Interfaces Version: 3.1.8 -Release: 6 +Release: 7 License: BSD-3-Clause URL: http://corosync.github.io/corosync/ Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz @@ -27,6 +27,7 @@ Patch1: Report-crypto-errors-back-to-cfg-reload.patch Patch2: Fix-building-of-rust-for-release.patch Patch3: totem-Fix-reference-links.patch Patch4: backport-Move-corosync-notifyd-policy-file-into-datadir.patch +Patch5: backport-CVE-2025-30472.patch # Runtime bits # The automatic dependency overridden in favor of explicit version lock @@ -293,6 +294,9 @@ network splits) %endif %changelog +* Thu Mar 27 2025 Funda Wang - 3.1.8-7 +- fix CVE-2025-30472 + * Thu Jun 06 2024 zouzhimin - 3.1.8-6 - Move corosync-notifyd policy file into $(datadir)/dbus-1/system.d and add yaml file -- Gitee