Travis wants us to have a "plan" these days, which reads like "pay us".

Not going to do that, sorry.

When a user sends a name length value of 0xffffffff, nbd-server will try
to allocate one more byte for the \0 at the end, but that will result in
an integer overflow and a malloc(0), with the resulting write being to a
dangling pointer.

Fix by constraining the string size to 4096 bytes, as recommended by the
protocol standard.

This issue exists in NBD_OPT_INFO/NBD_OPT_GO handling as well as in
NBD_OPT_EXPORT_NAME handling.

CVE-2022-26495

Reported-By: 王多 <duo.wang@chaitin.com>
Signed-Off-By: Wouter Verhelst <w@uter.be>

When len - sizeof(namelen) > 1024, we have a buffer overflow.

Fix by using the "consume" function, which was written for that purpose.

CVE-2022-26496

Reported-By: Dialluvioso <dialluvioso@protonmail.com>
Reported-By: 王多 <duo.wang@chaitin.com>
Signed-Off-By: Wouter Verhelst <w@uter.be>

Manfred Spraul authored Jan 21, 2022 and Wouter Verhelst committed Mar 03, 2022

Just as a starting point, especially:
The command line parameters must be added to the man page.

Questions:
- Did I update the right files?
- Is the .in.sgml file written manually or are there tools that
  should be used?

Signed-off-by: Manfred Spraul <manfred.spraul@de.bosch.com>
Signed-off-by: Wouter Verhelst <w@uter.be>

Manfred Spraul authored Jan 21, 2022 and Wouter Verhelst committed Mar 03, 2022

Initial version.

Signed-off-by: Manfred Spraul <manfred.spraul@de.bosch.com>
Signed-off-by: Wouter Verhelst <w@uter.be>

Manfred Spraul authored Jan 21, 2022 and Wouter Verhelst committed Mar 03, 2022

Add an initial CLI.
Planned CLI extentions:
- define what TRIM should do: keep unchanged, set to 0, take the content
  from another block.
- do not apply all sectors, instead behave like a write-back cache
  and drop a few random sectors.
- Create a log file of what was skipped/applied.
- Replay a log file.

Signed-off-by: Manfred Spraul <manfred.spraul@de.bosch.com>
Signed-off-by: Wouter Verhelst <w@uter.be>

Manfred Spraul authored Jan 21, 2022 and Wouter Verhelst committed Mar 03, 2022

Initial commit for nbd-trplay, a command to replay parts of an nbd
trace file.

Changes:
- Just copy nbd-trdump.
- Changes:
   * nbd-trdump replaced with nbd-trplay.
   * Whitespace in empty lines removed.

Signed-off-by: Manfred Spraul <manfred.spraul@de.bosch.com>
Signed-off-by: Wouter Verhelst <w@uter.be>

Manfred Spraul authored Jan 21, 2022 and Wouter Verhelst committed Mar 03, 2022

The transaction log contains only the request from the clients, the
replies from the server were missing.

The change adds the replies to the transaction log.

Signed-off-by: Manfred Spraul <manfred.spraul@de.bosch.com>
Signed-off-by: Wouter Verhelst <w@uter.be>

Manfred Spraul authored Jan 21, 2022 and Wouter Verhelst committed Mar 03, 2022

Right now:
- The historic values for NBD_REQUEST_MAGIC and NBD_REPLY_MAGIC are
  just documented in nbd.h, without any background.
- The new value that is now used for internal use by nbd-server is
  not documented at all.

Resolve that:
- Add all required information to proto.md.
- Remove the reserved magic values from nbd.h: proto.md is the
  authorative source, double storage doesn't help.

Signed-off-by: Manfred Spraul <manfred.spraul@de.bosch.com>
Signed-off-by: Wouter Verhelst <w@uter.be>

Manfred Spraul authored Jan 21, 2022 and Wouter Verhelst committed Mar 03, 2022

Bugfix for the previous patch:
nbd-server uses multiple processes and within each process multiple threads.
Thus: Locking is needed, to ensure that the data in the transaction log
is not corrupted.

Solution: Use sem_open(), the simplest solution.

Alternatives:
- shm_open() + a shared pthread_mutex

- fcntl() for cross process locking, and a ptrace_mutex for intra-process
  locking.

Signed-off-by: Manfred Spraul <manfred.spraul@de.bosch.com>
Signed-off-by: Wouter Verhelst <w@uter.be>

Manfred Spraul authored Jan 21, 2022 and Wouter Verhelst committed Mar 03, 2022

The datalog generated by nbd-server contains only the requests
received by the server, not the actual data to be written.

This patch adds support to write the actual data.

As details:
- It is configurable, the default behavior is not changed.
- It defines a new magic that is only used for the log file, and uses
  an entry with that magic to store the information that the actual
  data is stored in the trace file.
- It is an incompatible change: Current nbd-trdump utilities will
  just fail/produce bad output when called with a new log file,
  without a proper error message.
- nbd-trdump supports to dump also the messages sent by the
  server. Unfortunately, the current server does not log
  the sent messages. This change does not fix this.

Open:
Should nbd-trdump abort when it sees an unknown new log config
option? Right now, it is only printed out as "UNKNOWN", but the
tool tries to continue anyways.

Known bugs:
Locking is missing. If multiple clients connect, then the data log
will be unusable.

Plan: Use a named posix semaphore (sem_open()).
Given the multi-process, multi-thread model, with a single fd shared
by everyone, this is probably simpler than trying to find a reliable
flock()/fcntl()/pthread_mutex_lock() combination.
Alternative: shm_open()+a shared pthread_mutex.

Signed-off-by: Manfred Spraul <manfred.spraul@de.bosch.com>
Signed-off-by: Wouter Verhelst <w@uter.be>

Manfred Spraul authored Jan 21, 2022 and Wouter Verhelst committed Mar 03, 2022

Support for pretty-printing NBD_CMD_TRIM and NBD_CMD_WRITE_ZEROES is
missing in nbd-trdump.
In addition, only the commands right now implemented in nbd-server
are supported, instead of all commands defined in the protocol.

Thus:
- move the existing getcommandname() helper function into a new
  nbd-helper.h header file.
- use the helper function in nbd-trdump
- add all commands from proto.md.
- in nbd-trdump: change ctest from "char *" to "const char *"
  and increase number of characters in printf statement.

Signed-off-by: Manfred Spraul <manfred.spraul@de.bosch.com>
Signed-off-by: Wouter Verhelst <w@uter.be>

Fixes: gh-131

Using OPT_SET_META_CONTEXTS is stateful (it is documented to wipe out
any previously-requested contexts, and we just tightened the spec to
clarify that starting TLS also wipes it out).  But
OPT_LIST_META_CONTEXTS is not stateful; and in fact, with a
SELECTIVETLS server, it can be handy to list the meta contexts
available on an unencrypted export, then enable encryption, and then
further list what contexts are available on encrypted exports (as the
server is permitted to let those lists differ).  Although such a
client must negotiate structured replies after starttls if it is going
to actually connect to an export, this change permits the client to
shorten the handshake by two commands if it is only being used to list
available exports and their meta contexts before disconnecting.

When using -u but not -H, we were ending up calling
gnutls_session_set_verify_cert() with the Unix socket's path name,
which is bound to fail (hostnames don't start with /).  Saner is to
only default tlshostname when using TCP sockets.

See also https://gitlab.com/nbdkit/nbdkit/-/issues/1

, as this was
detected during an attempt to prove TLS interoperability between
nbd-client and nbdkit.  Pre-patch, I have to add '-H localhost' to the
nbd-client command line when using nbdkit with a Unix socket, but not
when using a TCP socket; post-patch, I can omit -H and still connect
/dev/nbd0 over TLS using either TCP or Unix.

Signed-off-by: Eric Blake <eblake@redhat.com>

glib now recommends that we use g_memdup2() to avoid accidental 32-bit
truncation bugs on platforms where g_size is larger than guint:

https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538

and failure to do so causes noisy compilation due to deprecation
warnings with glib 2.68:

nbd-server.c: In function ‘parse_cfile’:
nbd-server.c:1010:25: warning: ‘g_memdup’ is deprecated: Use 'g_memdup2' instead [-Wdeprecated-declarations]
 1010 |                         SERVER *srv = serve_inc_ref(g_memdup(&s, sizeof(SERVER)));
      |                         ^~~~~~
In file included from /usr/include/glib-2.0/glib.h:82,
                 from nbd-server.c:117:
/usr/include/glib-2.0/glib/gstrfuncs.h:257:23: note: declared here
  257 | gpointer              g_memdup         (gconstpointer mem,
      |                       ^~~~~~~~

Of course, we still want to build on platforms with older glib that
lack g_memdup2().  Thankfully, it's easy enough to audit that all our
current uses of g_memdup() do not overflow 32 bits.

Codify the fact that downgrade attacks are possible not only by
manipulation of NBD_OPT_STARTTLS, but also by manipulation of the
NBD_FLAG[_C]_* handshake flags.  To ensure we don't accidentally
introduce a new MitM attack vector, we want the specification to
clearly document that controlling any new protocol changes prior to
TLS is unwise, and therefore we are unlikely to add any new handshake
flags.

Viewed from another perspective, the 16 bits for handshake flags
control the protocol used during NBD_OPT_*, but what we have with
NBD_FLAG_FIXED_NEWSTYLE is already fairly robust for future extension
(since all but NBD_OPT_EXPORT_NAME encode a length, and we've gone to
great lengths to document what servers and clients should do with
unknown requests).  Meanwhile, any extension that wants to affect the
protocol used by transmission phase, such as structured replies, is
fine waiting until after TLS is started.

The expense of an extra round trip or two during NBD_OPT_ haggling
pales in comparison to the amount of data that will go over the wire
during transmission phase; and if startup efficiency really matters,
we could add a new NBD_OPT_ that does more things in one round trip
(where the fallback is still the older one-at-a-time approach).

Consider a SELECTIVETLS server and a MitM attacker, under the
following NBD_OPT_ handshake scenario:

 client:                  mitm:                    server:
 > _STARTTLS
                          > _STRUCTURED_REPLY
                                                   < _REP_ACK
                          > _STARTTLS
                                                   < _REP_ACK
                          < _REP_ACK
 > _GO
                          > _GO
                                                   < _REP_ACK
                          < _REP_ACK
 > NBD_CMD_READ

In this scenario, the client is NOT expecting structured replies from
the server, but if the server feels obligated to send them based on
the plaintext negotiation, it may confuse the client.  The MitM
attacker was thus able to corrupt the connection, even without having
any encryption keys.  The only sane approach is to forbid ALL stateful
negotiations from having any effect post-encryption (the MitM's
injected packet is effectively ignored, and the client proceeds
without structured replies).

Unfortunately, nbdkit 1.26.0 is buggy in this regards - a CVE will be
opened against that product.  nbd-server does not yet understand
NBD_OPT_STRUCTURED_REPLY, and qemu as server does not use SELECTIVETLS
mode, so they are immune.

Consider a SELECTIVETLS server and a MitM attacker, under the
following NBD_OPT_ handshake scenario:

 client:                  mitm:                    server:
 > _STARTTLS
                          > _SET_META_CONTEXT("A")
                                                   < _REP_META_CONTEXT
                                                   < _REP_ACK
                          > _STARTTLS
                                                   < _REP_ACK
                          < _REP_ACK
 > _SET_META_CONTEXT("B")
                          < _REP_META_CONTEXT
                          < _REP_ACK
 > _GO
                          > _GO
                                                   < _REP_ACK
                          < _REP_ACK
 > NBD_CMD_BLOCK_STATUS

While this scenario requires the MitM to be able to use encryption to
speak to the client (and thus a less likely scenario than a true
protocol downgrade or plaintext buffering attack), it results in a
situation where the client is asking for information on context "B",
but where the server only saw a request for context "A", which may
result in the client interpreting the results of BLOCK_STATUS
incorrectly even though it is coming over an encrypted connection.

The safest fix to this is to require that a server cannot use any meta
context requests from prior to enabling encryption with any successful
NBD_OPT_GO after encryption.  At this point, the spec already states
that the server should then return an error (the client is asking for
block status without proper negotiation), which is better than letting
the client blindly misinterpret a response sent for a different meta
context.

To date, the only known server that has implemented TLS with
SELECTIVETLS mode as well as support for NBD_OPT_SET_META_CONTEXT is
nbdkit (qemu-nbd only has FORCEDTLS mode, and nbd-server lacks meta
context support); thankfully, that implementation is in already line
with this stricter requirement.

Especially useful in light of the recent publishing of
https://nostarttls.secvuln.info/, which documents a variety of
implementations vulnerable to downgrade attacks in SMTP and IMAP, as
well as its caution that that any protocol with a STARTTLS operation
(which includes NBD) needs to be aware of the potential for downgrade
attacks.

The NBD protocol documentation already covers what is necessary to
avoid the effects of a downgrade attack, and all known implementations
of NBD servers and clients with working NBD_OPT_STARTTLS have at least
one mode where TLS is mandatory rather than opportunistic.  So I don't
see this as a CVE against the NBD protocol itself, so much as a worry
about the potential for future poor implementations that disregard the
documentation.

New file generated as part of the bison support in autotools