new file mode 100644
@@ -0,0 +1,166 @@
+From fcc4b6e49c9e90b83de5619bba5c828b0e0dea45 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Tue, 22 Apr 2025 19:53:39 -0500
+Subject: [PATCH 2/2] blocksize: Fix 32-bit overflow in .extents
+ [CVE-2025-47712]
+
+From: Eric Blake <eblake@redhat.com>
+
+If the original request is larger than 2**32 - minblock, then we were
+calling nbdkit_extents_aligned() with a count that rounded up then
+overflowed to 0 instead of the intended 4G because of overflowing a
+32-bit type, which in turn causes an assertion failure:
+
+nbdkit: ../../server/backend.c:814: backend_extents: Assertion `backend_valid_range (c, offset, count)' failed.
+
+The fix is to force the rounding to be in a 64-bit type from the
+get-go.
+
+The ability for a well-behaved client to cause the server to die from
+an assertion failure can be used as a denial of service attack against
+other clients. Mitigations: if you requrire the use of TLS, then you
+can ensure that you only have trusted clients that won't trigger a
+block status call that large. Also, the problem only occurs when
+using the blocksize filter, although setting the filter's maxlen
+parameter to a smaller value than its default of 2**32-1 does not
+help.
+
+Fixes: 2680be00 ('blocksize: Fix .extents when plugin changes type within minblock', v1.21.16)
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-ID: <20250423210917.1784789-3-eblake@redhat.com>
+Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
+
+CVE: CVE-2025-47712
+Upstream-Status: Backport [https://gitlab.com/nbdkit/nbdkit/-/commit/a486f88d1eea653ea88b0bf8804c4825dab25ec7]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ filters/blocksize/blocksize.c | 5 +-
+ tests/Makefile.am | 2 +
+ tests/test-blocksize-extents-overflow.sh | 83 ++++++++++++++++++++++++
+ 3 files changed, 88 insertions(+), 2 deletions(-)
+ create mode 100755 tests/test-blocksize-extents-overflow.sh
+
+diff --git a/filters/blocksize/blocksize.c b/filters/blocksize/blocksize.c
+index 09195cea..e5c8b744 100644
+--- a/filters/blocksize/blocksize.c
++++ b/filters/blocksize/blocksize.c
+@@ -482,8 +482,9 @@ blocksize_extents (nbdkit_next *next,
+ return -1;
+ }
+
+- if (nbdkit_extents_aligned (next, MIN (ROUND_UP (count, h->minblock),
+- h->maxlen),
++ if (nbdkit_extents_aligned (next,
++ MIN (ROUND_UP ((uint64_t) count, h->minblock),
++ h->maxlen),
+ ROUND_DOWN (offset, h->minblock), flags,
+ h->minblock, extents2, err) == -1)
+ return -1;
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 36ac1e16..a6fb1993 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -1473,12 +1473,14 @@ test_layers_filter3_la_LIBADD = $(IMPORT_LIBRARY_ON_WINDOWS)
+ TESTS += \
+ test-blocksize.sh \
+ test-blocksize-extents.sh \
++ test-blocksize-extents-overflow.sh \
+ test-blocksize-default.sh \
+ test-blocksize-sharding.sh \
+ $(NULL)
+ EXTRA_DIST += \
+ test-blocksize.sh \
+ test-blocksize-extents.sh \
++ test-blocksize-extents-overflow.sh \
+ test-blocksize-default.sh \
+ test-blocksize-sharding.sh \
+ $(NULL)
+diff --git a/tests/test-blocksize-extents-overflow.sh b/tests/test-blocksize-extents-overflow.sh
+new file mode 100755
+index 00000000..844c3999
+--- /dev/null
++++ b/tests/test-blocksize-extents-overflow.sh
+@@ -0,0 +1,83 @@
++#!/usr/bin/env bash
++# nbdkit
++# Copyright Red Hat
++#
++# Redistribution and use in source and binary forms, with or without
++# modification, are permitted provided that the following conditions are
++# met:
++#
++# * Redistributions of source code must retain the above copyright
++# notice, this list of conditions and the following disclaimer.
++#
++# * Redistributions in binary form must reproduce the above copyright
++# notice, this list of conditions and the following disclaimer in the
++# documentation and/or other materials provided with the distribution.
++#
++# * Neither the name of Red Hat nor the names of its contributors may be
++# used to endorse or promote products derived from this software without
++# specific prior written permission.
++#
++# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND
++# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
++# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
++# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
++# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
++# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
++# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
++# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++# SUCH DAMAGE.
++
++# Demonstrate a fix for a bug where blocksize overflowed 32 bits
++
++source ./functions.sh
++set -e
++set -x
++
++requires_run
++requires_plugin eval
++requires_nbdsh_uri
++requires nbdsh --base-allocation --version
++
++# Script a sparse server that requires 512-byte aligned requests.
++exts='
++if test $(( ($3|$4) & 511 )) != 0; then
++ echo "EINVAL request unaligned" 2>&1
++ exit 1
++fi
++echo 0 5G 0
++'
++
++# We also need an nbdsh script to parse all extents, coalescing adjacent
++# types for simplicity.
++# FIXME: Once nbdkit plugin version 3 allows 64-bit block extents, run
++# this test twice, once for each bit size (32-bit needs 2 extents, 64-bit
++# will get the same result with only 1 extent).
++export script='
++size = h.get_size()
++offs = 0
++entries = []
++def f(metacontext, offset, e, err):
++ global entries
++ global offs
++ assert offs == offset
++ for length, flags in zip(*[iter(e)] * 2):
++ if entries and flags == entries[-1][1]:
++ entries[-1] = (entries[-1][0] + length, flags)
++ else:
++ entries.append((length, flags))
++ offs = offs + length
++
++# Test a loop over the entire device
++while offs < size:
++ len = min(size - offs, 2**32-1)
++ h.block_status(len, offs, f)
++assert entries == [(5 * 2**30, 0)]
++'
++
++# Now run everything
++nbdkit --filter=blocksize eval minblock=512 \
++ get_size='echo 5G' pread='exit 1' extents="$exts" \
++ --run 'nbdsh --base-allocation -u "$uri" -c "$script"'
@@ -11,7 +11,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=26250adec854bc317493f6fb98efe049"
SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \
file://0001-plugins-Avoid-absolute-buildpaths-in-binaries.patch \
- file://CVE-2025-47711.patch"
+ file://CVE-2025-47711.patch \
+ file://CVE-2025-47712.patch"
SRCREV = "6c02c6a469d62a047f230b0ccf03f72328312d2b"
S = "${WORKDIR}/git"
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-47712 Pick the patch from the project's repository which explicitly mentions this vulnerability ID. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../nbdkit/nbdkit/CVE-2025-47712.patch | 166 ++++++++++++++++++ .../recipes-support/nbdkit/nbdkit_1.33.11.bb | 3 +- 2 files changed, 168 insertions(+), 1 deletion(-) create mode 100644 meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47712.patch