VUL-0: libvirt: integer overflow in VirDomainGetVcpus

OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=129

774b21c1-CVE-2011-2511.patch

@@ -0,0 +1,83 @@
+commit 774b21c163845170c9ffa873f5720d318812eaf6
+Author: Eric Blake <eblake@redhat.com>
+Date:   Fri Jun 24 12:16:05 2011 -0600
+
+    remote: protect against integer overflow
+    
+    Integer overflow and remote code are never a nice mix.
+    
+    This has existed since commit 56cd414.
+    
+    * src/libvirt.c (virDomainGetVcpus): Reject overflow up front.
+    * src/remote/remote_driver.c (remoteDomainGetVcpus): Avoid overflow
+    on sending rpc.
+    * daemon/remote.c (remoteDispatchDomainGetVcpus): Avoid overflow on
+    receiving rpc.
+
+Index: libvirt-0.9.2/daemon/remote.c
+===================================================================
+--- libvirt-0.9.2.orig/daemon/remote.c
++++ libvirt-0.9.2/daemon/remote.c
+@@ -61,6 +61,7 @@
+ #include "network.h"
+ #include "libvirt/libvirt-qemu.h"
+ #include "command.h"
++#include "intprops.h"
+ 
+ #define VIR_FROM_THIS VIR_FROM_REMOTE
+ 
+@@ -1074,7 +1075,8 @@ remoteDispatchDomainGetVcpus(struct qemu
+         goto cleanup;
+     }
+ 
+-    if (args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) {
++    if (INT_MULTIPLY_OVERFLOW(args->maxinfo, args->maplen) ||
++        args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) {
+         virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo * maplen > REMOTE_CPUMAPS_MAX"));
+         goto cleanup;
+     }
+Index: libvirt-0.9.2/src/libvirt.c
+===================================================================
+--- libvirt-0.9.2.orig/src/libvirt.c
++++ libvirt-0.9.2/src/libvirt.c
+@@ -39,6 +39,7 @@
+ #include "util.h"
+ #include "memory.h"
+ #include "configmake.h"
++#include "intprops.h"
+ 
+ #ifndef WITH_DRIVER_MODULES
+ # ifdef WITH_TEST
+@@ -6805,8 +6806,8 @@ virDomainGetVcpus(virDomainPtr domain, v
+ 
+     /* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not
+        try to memcpy anything into a NULL pointer.  */
+-    if ((cpumaps == NULL && maplen != 0)
+-        || (cpumaps && maplen <= 0)) {
++    if (!cpumaps ? maplen != 0
++        : (maplen <= 0 || INT_MULTIPLY_OVERFLOW(maxinfo, maplen))) {
+         virLibDomainError(VIR_ERR_INVALID_ARG, __FUNCTION__);
+         goto error;
+     }
+Index: libvirt-0.9.2/src/remote/remote_driver.c
+===================================================================
+--- libvirt-0.9.2.orig/src/remote/remote_driver.c
++++ libvirt-0.9.2/src/remote/remote_driver.c
+@@ -84,6 +84,7 @@
+ #include "ignore-value.h"
+ #include "files.h"
+ #include "command.h"
++#include "intprops.h"
+ 
+ #define VIR_FROM_THIS VIR_FROM_REMOTE
+ 
+@@ -2032,7 +2033,8 @@ remoteDomainGetVcpus (virDomainPtr domai
+                     maxinfo, REMOTE_VCPUINFO_MAX);
+         goto done;
+     }
+-    if (maxinfo * maplen > REMOTE_CPUMAPS_MAX) {
++    if (INT_MULTIPLY_OVERFLOW(maxinfo, maplen) ||
++        maxinfo * maplen > REMOTE_CPUMAPS_MAX) {
+         remoteError(VIR_ERR_RPC,
+                     _("vCPU map buffer length exceeds maximum: %d > %d"),
+                     maxinfo * maplen, REMOTE_CPUMAPS_MAX);

libvirt.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Jun 30 14:48:51 MDT 2011 - jfehlig@suse.de
+
+- VUL-0: libvirt: integer overflow in VirDomainGetVcpus
+  774b21c1-CVE-2011-2511.patch
+  bnc#703084
+
 -------------------------------------------------------------------
 Thu Jun 30 10:44:17 MDT 2011 - jfehlig@suse.de
 

libvirt.spec

@@ -352,6 +352,7 @@ Source0:        %{name}-%{version}.tar.bz2
 Source1:        libvirtd.init
 Source2:        libvirtd-relocation-server.fw
 # Upstream patches
+Patch0:         774b21c1-CVE-2011-2511.patch
 # Need to go upstream
 Patch100:       xen-name-for-devid.patch
 Patch101:       clone.patch
@@ -467,6 +468,7 @@ Authors:
 
 %prep
 %setup -q
+%patch0 -p1
 %patch100 -p1
 %patch101
 %patch102 -p1