From 35e64d2182d6f0359e5cf35ea1b744ef8d043e79 Mon Sep 17 00:00:00 2001
From: lizhipeng
Date: Fri, 10 Oct 2025 20:15:44 +0800
Subject: [PATCH] fix CVE-2025-57275

Signed-off-by: lizhipeng
---
 backport-fix-CVE-2025-57275.patch | 74 +++++++++++++++++++++++++++++++
 spdk.spec | 6 ++-
 2 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 backport-fix-CVE-2025-57275.patch

diff --git a/backport-fix-CVE-2025-57275.patch b/backport-fix-CVE-2025-57275.patch
new file mode 100644
index 0000000..b0a5b79
--- /dev/null
+++ b/backport-fix-CVE-2025-57275.patch
@@ -0,0 +1,74 @@
+diff --git a/lib/nvmf/subsystem.c b/lib/nvmf/subsystem.c
+index 5729524..94864ea 100644
+--- a/lib/nvmf/subsystem.c
++++ b/lib/nvmf/subsystem.c
+@@ -1994,9 +1994,14 @@ nvmf_ns_update_reservation_info(struct spdk_nvmf_ns *ns)
+ }
+
+ TAILQ_FOREACH_SAFE(reg, &ns->registrants, link, tmp) {
+- spdk_uuid_fmt_lower(info.registrants[i].host_uuid, sizeof(info.registrants[i].host_uuid),
+- ®->hostid);
+- info.registrants[i++].rkey = reg->rkey;
++ if (i < SPDK_NVMF_MAX_NUM_REGISTRANTS) {
++ spdk_uuid_fmt_lower(info.registrants[i].host_uuid, sizeof(info.registrants[i].host_uuid),
++ ®->hostid);
++ info.registrants[i++].rkey = reg->rkey;
++ } else {
++ SPDK_ERRLOG("More registrants that can fit into reservation info, truncating\n");
++ break;
++ }
+ }
+
+ info.num_regs = i;
+diff --git a/test/unit/lib/nvmf/subsystem.c/subsystem_ut.c b/test/unit/lib/nvmf/subsystem.c/subsystem_ut.c
+index df57241..c3fc086 100644
+--- a/test/unit/lib/nvmf/subsystem.c/subsystem_ut.c
++++ b/test/unit/lib/nvmf/subsystem.c/subsystem_ut.c
+@@ -242,6 +242,39 @@ struct spdk_bdev_desc {
+ struct spdk_bdev *bdev;
+ };
+
++static void
++test_nvmf_ns_reservation_add_max_registrants(void)
++{
++ struct spdk_nvmf_ns_reservation_ops ops = {
++ .is_ptpl_capable = ut_is_ptpl_capable,
++ .update = ut_update_reservation,
++ .load = ut_load_reservation,
++ };
++ spdk_nvmf_set_custom_ns_reservation_ops(&ops);
++ ut_reservation_init();
++
++ struct spdk_nvmf_reservation_info info = {};
++ int rc;
++
++ /* Register 1 past the max */
++ uint32_t i = 0;
++ for (i = 0; i < SPDK_NVMF_MAX_NUM_REGISTRANTS + 1; i++) {
++ spdk_uuid_generate(&g_ctrlr1_A.hostid);
++ rc = nvmf_ns_reservation_add_registrant(&g_ns, &g_ctrlr1_A, 0xa11 + i);
++ CU_ASSERT(rc == 0);
++ }
++ /* Update the reservation info */
++ rc = nvmf_ns_update_reservation_info(&g_ns);
++ CU_ASSERT(rc == 0);
++ /* Validate that info is capped at max */
++ rc = nvmf_ns_reservation_load(&g_ns, &info);
++ CU_ASSERT(rc == 0);
++ CU_ASSERT_EQUAL(info.num_regs, SPDK_NVMF_MAX_NUM_REGISTRANTS);
++ /* Clear should return max + 1 */
++ uint32_t cleared = nvmf_ns_reservation_clear_all_registrants(&g_ns);
++ CU_ASSERT_EQUAL(cleared, SPDK_NVMF_MAX_NUM_REGISTRANTS + 1);
++}
++
+ int
+ spdk_bdev_open_ext(const char *bdev_name, bool write, spdk_bdev_event_cb_t event_cb,
+ void *event_ctx, struct spdk_bdev_desc **_desc)
+@@ -1387,6 +1420,7 @@ int main(int argc, char **argv)
+ CU_ADD_TEST(suite, test_reservation_clear_notification);
+ CU_ADD_TEST(suite, test_reservation_preempt_notification);
+ CU_ADD_TEST(suite, test_spdk_nvmf_ns_event);
++ CU_ADD_TEST(suite, test_nvmf_ns_reservation_add_max_registrants);
+
+ allocate_threads(1);
+ set_thread(0);
diff --git a/spdk.spec b/spdk.spec
index 2821730..201271a 100644
--- a/spdk.spec
+++ b/spdk.spec
@@ -3,7 +3,7 @@

 Name: spdk
 Version: 21.01.1
-Release: 15
+Release: 16
 Summary: Set of libraries and utilities for high performance user-mode storage
 License: BSD and MIT
 URL: http://spdk.io
@@ -36,6 +36,7 @@ Patch25: 0025-ut-rdma-Fix-GCC-10.2.0-warning.patch
 Patch26: 0026-lib-nvme-add-mutex-before-submit-admin-request.patch
 Patch27: 0027--nvme-cuse-Add-ctrlr_lock-for-cuse-register-and-unreg.patch
 Patch28: 0028-fixed-use-after-free-detected-by-Coverity.patch
+Patch29: backport-fix-CVE-2025-57275.patch

 %define package_version %{version}-%{release}

@@ -206,6 +207,9 @@ mv doc/output/html/ %{install_docdir}


 %changelog
+* Fri Oct 10 2025 lizhipeng - 21.01.1-16
+- Fix CVE-2025-57275
+
 * Mon May 20 2024 yanshuai - 21.01.1-15
 - lib/nvme: fixed use-after-free detected by Coverity

--
Gitee
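Review bot: Truncation in the new `else` branch of `nvmf_ns_update_reservation_info()` is invisible to the caller: the added unit test expects `rc == 0` from the update even though `nvmf_ns_reservation_add_registrant()` has just accepted `SPDK_NVMF_MAX_NUM_REGISTRANTS + 1` registrants. The bound check does stop the write past `info.registrants[]`, but the in-memory registrant list and the persisted reservation info can now disagree, so registrants beyond the cap would presumably be missing after a reload. Consider also refusing a registration once the list already holds `SPDK_NVMF_MAX_NUM_REGISTRANTS` entries; that function's body is outside this hunk, so confirm it has no such limit. The log text has a typo and should read `SPDK_ERRLOG("More registrants than can fit into reservation info, truncating\n");`. The `®->hostid` shown on this page is presumably `&reg->hostid` mangled by entity decoding, so check that the committed patch file carries the correct text and still applies.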