From 88c5e40c874d58170effe041f34a6ff408798287b46b8fba633899022d3bc083 Mon Sep 17 00:00:00 2001 From: James Fehlig Date: Fri, 19 Sep 2014 04:45:37 +0000 Subject: [PATCH 1/2] Fix for CVE-2014-3633, which is public. - CVE-2014-3633: Use correct definition when looking up disk in qemu blkiotune 3e745e8f-CVE-2014-3633.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=408 --- 3e745e8f-CVE-2014-3633.patch | 41 ++++++++++++++++++++++++++++++++++++ libvirt.changes | 7 ++++++ libvirt.spec | 2 ++ 3 files changed, 50 insertions(+) create mode 100644 3e745e8f-CVE-2014-3633.patch diff --git a/3e745e8f-CVE-2014-3633.patch b/3e745e8f-CVE-2014-3633.patch new file mode 100644 index 0000000..9b7d786 --- /dev/null +++ b/3e745e8f-CVE-2014-3633.patch @@ -0,0 +1,41 @@ +commit 3e745e8f775dfe6f64f18b5c2fe4791b35d3546b +Author: Peter Krempa +Date: Thu Sep 11 16:35:53 2014 +0200 + + CVE-2014-3633: qemu: blkiotune: Use correct definition when looking up disk + + Live definition was used to look up the disk index while persistent one + was indexed leading to a crash in qemuDomainGetBlockIoTune. Use the + correct def and report a nice error. + + Unfortunately it's accessible via read-only connection, though it can + only crash libvirtd in the cases where the guest is hot-plugging disks + without reflecting those changes to the persistent definition. So + avoiding hotplug, or doing hotplug where persistent is always modified + alongside live definition, will avoid the out-of-bounds access. + + Introduced in: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa (v0.9.8) + Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140724 + Reported-by: Luyao Huang + Signed-off-by: Peter Krempa + +Index: libvirt-1.2.8/src/qemu/qemu_driver.c +=================================================================== +--- libvirt-1.2.8.orig/src/qemu/qemu_driver.c ++++ libvirt-1.2.8/src/qemu/qemu_driver.c +@@ -16141,9 +16141,13 @@ qemuDomainGetBlockIoTune(virDomainPtr do + } + + if (flags & VIR_DOMAIN_AFFECT_CONFIG) { +- int idx = virDomainDiskIndexByName(vm->def, disk, true); +- if (idx < 0) ++ int idx = virDomainDiskIndexByName(persistentDef, disk, true); ++ if (idx < 0) { ++ virReportError(VIR_ERR_INVALID_ARG, ++ _("disk '%s' was not found in the domain config"), ++ disk); + goto endjob; ++ } + reply = persistentDef->disks[idx]->blkdeviotune; + } + diff --git a/libvirt.changes b/libvirt.changes index 214f483..3a328f6 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Sep 18 22:42:38 MDT 2014 - jfehlig@suse.com + +- CVE-2014-3633: Use correct definition when looking up disk in + qemu blkiotune + 3e745e8f-CVE-2014-3633.patch + ------------------------------------------------------------------- Wed Sep 10 10:24:26 MDT 2014 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index 68ba539..2f3d570 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -429,6 +429,7 @@ Source1: libvirtd.init Source2: libvirtd-relocation-server.fw Source99: baselibs.conf # Upstream patches +Patch0: 3e745e8f-CVE-2014-3633.patch # Patches pending upstream review Patch100: libvirt-guests-wait-for-ntp.patch # Need to go upstream @@ -950,6 +951,7 @@ namespaces. %prep %setup -q +%patch0 -p1 %patch100 -p1 %patch150 -p1 %patch151 -p1 From 408925e5ca714341c3713c57d69160604d6ac484aa781c5f2f501d96a9d3d4f6 Mon Sep 17 00:00:00 2001 From: James Fehlig Date: Mon, 22 Sep 2014 21:33:19 +0000 Subject: [PATCH 2/2] Add bug number to changelog for CVE-2014-3633 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=409 --- libvirt.changes | 1 + 1 file changed, 1 insertion(+) diff --git a/libvirt.changes b/libvirt.changes index 3a328f6..f9276d2 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -4,6 +4,7 @@ Thu Sep 18 22:42:38 MDT 2014 - jfehlig@suse.com - CVE-2014-3633: Use correct definition when looking up disk in qemu blkiotune 3e745e8f-CVE-2014-3633.patch + bnc#897783 ------------------------------------------------------------------- Wed Sep 10 10:24:26 MDT 2014 - jfehlig@suse.com