From 1e45aa3a6b36609aa8d9de28ffde3ef7e4f02273 Mon Sep 17 00:00:00 2001
From: Funda Wang
Date: Thu, 27 Mar 2025 11:32:59 +0800
Subject: [PATCH] fix CVE-2025-30472

(cherry picked from commit f613ea5e51c76902c0a0d7e09ef341c4b0d1f8c3)
---
 backport-CVE-2025-30472.patch | 65 +++++++++++++++++++++++++++++++++++
 corosync.spec | 11 +++---
 2 files changed, 71 insertions(+), 5 deletions(-)
 create mode 100644 backport-CVE-2025-30472.patch

diff --git a/backport-CVE-2025-30472.patch b/backport-CVE-2025-30472.patch
new file mode 100644
index 0000000..0318def
--- /dev/null
+++ b/backport-CVE-2025-30472.patch
@@ -0,0 +1,65 @@
+From 7839990f9cdf34e55435ed90109e82709032466a Mon Sep 17 00:00:00 2001
+From: Jan Friesse
+Date: Mon, 24 Mar 2025 12:05:08 +0100
+Subject: [PATCH] totemsrp: Check size of orf_token msg
+
+orf_token message is stored into preallocated array on endian convert
+so carefully crafted malicious message can lead to crash of corosync.
+
+Solution is to check message size beforehand.
+
+Signed-off-by: Jan Friesse
+Reviewed-by: Christine Caulfield
+---
+ exec/totemsrp.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/exec/totemsrp.c b/exec/totemsrp.c
+index 962d0e2a..364528ce 100644
+--- a/exec/totemsrp.c
++++ b/exec/totemsrp.c
+@@ -3679,12 +3679,20 @@ static int check_orf_token_sanity(
+ const struct totemsrp_instance *instance,
+ const void *msg,
+ size_t msg_len,
++ size_t max_msg_len,
+ int endian_conversion_needed)
+ {
+ int rtr_entries;
+ const struct orf_token *token = (const struct orf_token *)msg;
+ size_t required_len;
+ 
++ if (msg_len > max_msg_len) {
++ log_printf (instance->totemsrp_log_level_security,
++ "Received orf_token message is too long... ignoring.");
++
++ return (-1);
++ }
++
+ if (msg_len < sizeof(struct orf_token)) {
+ log_printf (instance->totemsrp_log_level_security,
+ "Received orf_token message is too short... ignoring.");
+@@ -3698,6 +3706,13 @@ static int check_orf_token_sanity(
+ rtr_entries = token->rtr_list_entries;
+ }
+ 
++ if (rtr_entries > RETRANSMIT_ENTRIES_MAX) {
++ log_printf (instance->totemsrp_log_level_security,
++ "Received orf_token message rtr_entries is corrupted... ignoring.");
++
++ return (-1);
++ }
++
+ required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item);
+ if (msg_len < required_len) {
+ log_printf (instance->totemsrp_log_level_security,
+@@ -3866,7 +3881,8 @@ static int message_handler_orf_token (
+ "Time since last token %0.4f ms", ((float)tv_diff) / 1000000.0);
+ #endif
+ 
+- if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) {
++ if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage),
++ endian_conversion_needed) == -1) {
+ return (0);
+ }
+ 
diff --git a/corosync.spec b/corosync.spec
index 7676dc0..ae50100 100644
--- a/corosync.spec
+++ b/corosync.spec
@@ -18,13 +18,14 @@ Name: corosync
 Summary: The Corosync Cluster Engine and Application Programming Interfaces
 Version: 3.1.5
-Release: 1
+Release: 2
 License: BSD
 URL: http://corosync.github.io/corosync/
 Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz
 Patch0: bz2002115-1-totem-Add-cancel_hold_on_retransmit-config-option.patch
 Patch1: bz2024658-1-totemsrp-Switch-totempg-buffers-at-the-right-time.patch
+Patch2: backport-CVE-2025-30472.patch
 # Runtime bits
 # The automatic dependency overridden in favor of explicit version lock
@@ -72,10 +73,7 @@ BuildRequires: readline-devel
 %endif
 %prep
-%setup -q -n %{name}-%{version}%{?gittarver}
-
-%patch0 -p1 -b .bz2002115-1
-%patch1 -p1 -b .bz2024658-1
+%autosetup -p1 -n %{name}-%{version}%{?gittarver}
 %build
 %if %{with runautogen}
@@ -293,6 +291,9 @@ network splits)
 %endif
 %changelog
+* Thu Mar 27 2025 Funda Wang - 3.1.5-2
+- fix CVE-2025-30472
+
 * Mon Jul 25 2022 zouzhimin - 3.1.5-1
 - update to 3.1.5
-- Gitee
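Review bot: The new `rtr_entries > RETRANSMIT_ENTRIES_MAX` guard in the embedded `@@ -3698` hunk does not reject a negative `rtr_entries` (declared `int` a few lines earlier in the first embedded hunk); a negative value is only caught because `rtr_entries * sizeof(struct rtr_item)` converts it to a very large `size_t` that then fails the later `msg_len < required_len` test, which happens to be correct but is incidental rather than stated. Making the bound explicit, `if (rtr_entries < 0 || rtr_entries > RETRANSMIT_ENTRIES_MAX) {`, documents the intended range and no longer depends on that conversion (the type of `token->rtr_list_entries` is not visible here, so whether negative values can arrive after endian conversion is an assumption). Whether `RETRANSMIT_ENTRIES_MAX` equals the capacity of the preallocated array the endian conversion writes into cannot be confirmed from this hunk, and that equality is the invariant the check protects, so a one-line comment naming it next to the guard would help the next backporter. Because this file is a verbatim copy of upstream commit 7839990f, the tweak belongs in a separate follow-up patch file or upstream rather than as an edit to this backport. check_orf_token_sanity's body starts and ends outside both embedded hunks.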