qemu/nbd
Eric Blake 7d31776d7f nbd/server: CVE-2024-7409: Drop non-negotiating clients
A client that opens a socket but does not negotiate is merely hogging
qemu's resources (an open fd and a small amount of memory); and a
malicious client that can access the port where NBD is listening can
attempt a denial of service attack by intentionally opening and
abandoning lots of unfinished connections.  The previous patch put a
default bound on the number of such ongoing connections, but once that
limit is hit, no more clients can connect (including legitimate ones).
The solution is to insist that clients complete handshake within a
reasonable time limit, defaulting to 10 seconds.  A client that has
not successfully completed NBD_OPT_GO by then (including the case
where the client didn't know TLS credentials to even reach the point
of NBD_OPT_GO) is wasting our time and does not deserve to stay
connected.  Later patches will allow fine-tuning the limit away from
the default value (including disabling it for doing integration
testing of the handshake process itself).

Note that this patch in isolation actually makes it more likely to see
qemu SEGV after nbd-server-stop, as any client socket still connected
when the server shuts down will now be closed after 10 seconds rather
than at the client's whims.  That will be addressed in the next patch.

For a demo of this patch in action:
$ qemu-nbd -f raw -r -t -e 10 file &
$ nbdsh --opt-mode -c '
H = list()
for i in range(20):
  print(i)
  H.insert(i, nbd.NBD())
  H[i].set_opt_mode(True)
  H[i].connect_uri("nbd://localhost")
'
$ kill $!

where later connections get to start progressing once earlier ones are
forcefully dropped for taking too long, rather than hanging.

Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-ID: <20240807174943.771624-13-eblake@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
[eblake: rebase to changes earlier in series, reduce scope of timer]
Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit b9b72cb3ce)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(Mjt: context fixup in nbd/server.c: lack of WITH_QEMU_LOCK_GUARD in 7.2)
2024-08-11 11:01:20 +03:00
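As an added illustration (not QEMU's code), a toy asyncio listener with the two defenses the commit message describes: a bound on the number of clients still negotiating and a deadline by which each client must finish negotiating. The handshake is a constructed placeholder line, not the real NBD option exchange, and `timeout=None` reproduces the old "wait forever" behaviour.

```python
import asyncio
import time
HANDSHAKE_LINE = b"OPT_GO\n"   # constructed stand-in for a completed NBD_OPT_GO

class HandshakeGuard:
    """Toy listener: bounded number of negotiating clients plus a handshake deadline."""
    def __init__(self, handshake_timeout, max_pending):
        self.timeout = handshake_timeout          # None reproduces the old "wait forever"
        self.slots = asyncio.Semaphore(max_pending)
        self.outcomes = []                        # "ok" / "timeout" / "bad", completion order

    async def handle(self, reader, writer):
        async with self.slots:                    # later clients wait here for a free slot
            try:
                line = await asyncio.wait_for(reader.readline(), self.timeout)
                outcome = "ok" if line == HANDSHAKE_LINE else "bad"
            except asyncio.TimeoutError:
                outcome = "timeout"               # never reached OPT_GO in time: drop it
            self.outcomes.append(outcome)
        writer.close()                            # slot is released, a waiter can proceed
        await writer.wait_closed()

async def _scenario(timeout, max_pending, stalled, prompt):
    guard = HandshakeGuard(timeout, max_pending)  # built inside the running loop
    server = await asyncio.start_server(guard.handle, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    # `stalled` clients connect and never negotiate, occupying every slot
    idle = [await asyncio.open_connection("127.0.0.1", port) for _ in range(stalled)]
    await asyncio.sleep(0.05)                     # let the server-side handlers claim slots
    start = time.monotonic()

    async def negotiate():                        # a well-behaved client: OPT_GO at once
        r, w = await asyncio.open_connection("127.0.0.1", port)
        w.write(HANDSHAKE_LINE)
        await w.drain()
        await r.read()                            # server closes once negotiation is done
        w.close()

    await asyncio.gather(*(negotiate() for _ in range(prompt)))
    elapsed = time.monotonic() - start            # how long the honest clients were stuck
    for _, w in idle:
        w.close()
    server.close()
    return guard.outcomes, elapsed

def run_scenario(timeout=10.0, max_pending=2, stalled=2, prompt=2):
    """Returns (outcomes, seconds until every negotiating client was served)."""
    return asyncio.run(_scenario(timeout, max_pending, stalled, prompt))
```

With the deadline set, the well-behaved clients are served roughly one timeout after the stalled ones took every slot; with `timeout=None` they would wait indefinitely, which is the hang the commit message describes.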
client-connection.c nbd: trace long NBD operations 2022-06-29 10:57:02 +03:00
client.c nbd/server: do not poll within a coroutine context 2024-04-28 15:13:17 +03:00
common.c nbd/server: do not poll within a coroutine context 2024-04-28 15:13:17 +03:00
meson.build nbd: move connection code from block/nbd to nbd/client-connection 2021-06-18 10:59:53 -05:00
nbd-internal.h nbd/server: do not poll within a coroutine context 2024-04-28 15:13:17 +03:00
server.c nbd/server: CVE-2024-7409: Drop non-negotiating clients 2024-08-11 11:01:20 +03:00
trace-events nbd/server: CVE-2024-7409: Drop non-negotiating clients 2024-08-11 11:01:20 +03:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00