1 月之前 · 3adc396a6f
--- a/meta-networking/recipes-extended/corosync/corosync/CVE-2025-30472.patch
+++ b/meta-networking/recipes-extended/corosync/corosync/CVE-2025-30472.patch
@@ -0,0 +1,69 @@
 
				+From 7839990f9cdf34e55435ed90109e82709032466a Mon Sep 17 00:00:00 2001
			
 
				+From: Jan Friesse <jfriesse@redhat.com>
			
 
				+Date: Mon, 24 Mar 2025 12:05:08 +0100
			
 
				+Subject: [PATCH] totemsrp: Check size of orf_token msg
			
 
				+
			
 
				+orf_token message is stored into preallocated array on endian convert
			
 
				+so carefully crafted malicious message can lead to crash of corosync.
			
 
				+
			
 
				+Solution is to check message size beforehand.
			
 
				+
			
 
				+Signed-off-by: Jan Friesse <jfriesse@redhat.com>
			
 
				+Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
			
 
				+
			
 
				+CVE: CVE-2025-30472
			
 
				+Upstream-Status: Backport [https://github.com/corosync/corosync/commits/7839990f9cdf34e55435ed90109e82709032466a]
			
 
				+Signed-off-by: Peter Marko <peter.marko@siemens.com>
			
 
				+---
			
 
				+ exec/totemsrp.c | 18 +++++++++++++++++-
			
 
				+ 1 file changed, 17 insertions(+), 1 deletion(-)
			
 
				+
			
 
				+diff --git a/exec/totemsrp.c b/exec/totemsrp.c
			
 
				+index 962d0e2a..364528ce 100644
			
 
				+--- a/exec/totemsrp.c
			
 
				++++ b/exec/totemsrp.c
			
 
				+@@ -3679,12 +3679,20 @@ static int check_orf_token_sanity(
			
 
				+ 	const struct totemsrp_instance *instance,
			
 
				+ 	const void *msg,
			
 
				+ 	size_t msg_len,
			
 
				++	size_t max_msg_len,
			
 
				+ 	int endian_conversion_needed)
			
 
				+ {
			
 
				+ 	int rtr_entries;
			
 
				+ 	const struct orf_token *token = (const struct orf_token *)msg;
			
 
				+ 	size_t required_len;
			
 
				+ 
			
 
				++	if (msg_len > max_msg_len) {
			
 
				++		log_printf (instance->totemsrp_log_level_security,
			
 
				++		    "Received orf_token message is too long...  ignoring.");
			
 
				++
			
 
				++		return (-1);
			
 
				++	}
			
 
				++
			
 
				+ 	if (msg_len < sizeof(struct orf_token)) {
			
 
				+ 		log_printf (instance->totemsrp_log_level_security,
			
 
				+ 		    "Received orf_token message is too short...  ignoring.");
			
 
				+@@ -3698,6 +3706,13 @@ static int check_orf_token_sanity(
			
 
				+ 		rtr_entries = token->rtr_list_entries;
			
 
				+ 	}
			
 
				+ 
			
 
				++	if (rtr_entries > RETRANSMIT_ENTRIES_MAX) {
			
 
				++		log_printf (instance->totemsrp_log_level_security,
			
 
				++		    "Received orf_token message rtr_entries is corrupted...  ignoring.");
			
 
				++
			
 
				++		return (-1);
			
 
				++	}
			
 
				++
			
 
				+ 	required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item);
			
 
				+ 	if (msg_len < required_len) {
			
 
				+ 		log_printf (instance->totemsrp_log_level_security,
			
 
				+@@ -3868,7 +3883,8 @@ static int message_handler_orf_token (
			
 
				+ 	    "Time since last token %0.4f ms", tv_diff / (float)QB_TIME_NS_IN_MSEC);
			
 
				+ #endif
			
 
				+ 
			
 
				+-	if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) {
			
 
				++	if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage),
			
 
				++	    endian_conversion_needed) == -1) {
			
 
				+ 		return (0);
			
 
				+ 	}
			
 
				+ 
			
--- a/meta-networking/recipes-extended/corosync/corosync_3.1.9.bb
+++ b/meta-networking/recipes-extended/corosync/corosync_3.1.9.bb
@@ -9,6 +9,7 @@ inherit autotools pkgconfig systemd github-releases
 
				 
			
 
				 SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.gz \
			
 
				            file://corosync.conf \
			
 
				+           file://CVE-2025-30472.patch \
			
 
				           "
			
 
				 SRC_URI[sha256sum] = "203354bbddee1a97b3c50a076eae89c635f406dd674ccaefc94bb9092acd9535"
			
 
				 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"