From eda6aa8e7f9ca1c2c4771fb1aea1943197cf6e1a632b5e1dbf44abdd26fa68d7 Mon Sep 17 00:00:00 2001 From: James Fehlig Date: Mon, 22 Jul 2013 16:42:02 +0000 Subject: [PATCH] - CVE-2013-4153: Fix double free of returned JSON array in qemuAgentGetVCPUs() dfc69235-CVE-2013-4153.patch - CVE-2013-4154: Prevent crash of libvirtd without guest agent configuration 96518d43-CVE-2013-4154.patch bnc#830498 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=286 --- 96518d43-CVE-2013-4154.patch | 85 ++++++++++++++++++++++++++++++++++++ dfc69235-CVE-2013-4153.patch | 25 +++++++++++ libvirt.changes | 11 +++++ libvirt.spec | 45 +++++++++++++++++++ 4 files changed, 166 insertions(+) create mode 100644 96518d43-CVE-2013-4154.patch create mode 100644 dfc69235-CVE-2013-4153.patch diff --git a/96518d43-CVE-2013-4154.patch b/96518d43-CVE-2013-4154.patch new file mode 100644 index 0000000..1151105 --- /dev/null +++ b/96518d43-CVE-2013-4154.patch 
@@ -0,0 +1,85 @@
+commit 96518d4316b711c72205117f8d5c967d5127bbb6
+Author: Alex Jia
+Date: Tue Jul 16 17:30:20 2013 +0800
+
+ qemu: Prevent crash of libvirtd without guest agent configuration
+
+ If users haven't configured guest agent then qemuAgentCommand() will
+ dereference a NULL 'mon' pointer, which causes crash of libvirtd when
+ using agent based cpu (un)plug.
+
+ With the patch, when the qemu-ga service isn't running in the guest,
+ a expected error "error: Guest agent is not responding: Guest agent
+ not available for now" will be raised, and the error "error: argument
+ unsupported: QEMU guest agent is not configured" is raised when the
+ guest hasn't configured guest agent.
+
+ GDB backtrace:
+
+ (gdb) bt
+ #0 virNetServerFatalSignal (sig=11, siginfo=, context=) at rpc/virnetserver.c:326
+ #1
+ #2 qemuAgentCommand (mon=0x0, cmd=0x7f39300017b0, reply=0x7f394b090910, seconds=-2) at qemu/qemu_agent.c:975
+ #3 0x00007f39429507f6 in qemuAgentGetVCPUs (mon=0x0, info=0x7f394b0909b8) at qemu/qemu_agent.c:1475
+ #4 0x00007f39429d9857 in qemuDomainGetVcpusFlags (dom=, flags=9) at qemu/qemu_driver.c:4849
+ #5 0x00007f3957dffd8d in virDomainGetVcpusFlags (domain=0x7f39300009c0, flags=8) at libvirt.c:9843
+
+ How to reproduce?
+
+ # To start a guest without guest agent configuration
+ # then run the following cmdline
+
+ # virsh vcpucount foobar --guest
+ error: End of file while reading data: Input/output error
+ error: One or more references were leaked after disconnect from the hypervisor
+ error: Failed to reconnect to the hypervisor
+
+ RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=984821
+
+ Signed-off-by: Alex Jia
+ Signed-off-by: Peter Krempa
+
+Index: libvirt-1.1.0/src/qemu/qemu_driver.c
+===================================================================
+--- libvirt-1.1.0.orig/src/qemu/qemu_driver.c
++++ libvirt-1.1.0/src/qemu/qemu_driver.c
+@@ -3963,6 +3963,19 @@ qemuDomainSetVcpusFlags(virDomainPtr dom
+ goto endjob;
+ }
+
++ if (priv->agentError) {
++ virReportError(VIR_ERR_AGENT_UNRESPONSIVE, "%s",
++ _("QEMU guest agent is not "
++ "available due to an error"));
++ goto endjob;
++ }
++
++ if (!priv->agent) {
++ virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s",
++ _("QEMU guest agent is not configured"));
++ goto endjob;
++ }
++
+ qemuDomainObjEnterAgent(vm);
+ ncpuinfo = qemuAgentGetVCPUs(priv->agent, &cpuinfo);
+ qemuDomainObjExitAgent(vm);
+@@ -4685,6 +4698,19 @@ qemuDomainGetVcpusFlags(virDomainPtr dom
+ if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_QUERY) < 0)
+ goto cleanup;
+
++ if (priv->agentError) {
++ virReportError(VIR_ERR_AGENT_UNRESPONSIVE, "%s",
++ _("QEMU guest agent is not "
++ "available due to an error"));
++ goto endjob;
++ }
++
++ if (!priv->agent) {
++ virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s",
++ _("QEMU guest agent is not configured"));
++ goto endjob;
++ }
++
+ if (!virDomainObjIsActive(vm)) {
+ virReportError(VIR_ERR_OPERATION_INVALID, "%s",
+ _("domain is not running"));
diff --git a/dfc69235-CVE-2013-4153.patch b/dfc69235-CVE-2013-4153.patch
new file mode 100644
index 0000000..b7050d0
--- /dev/null
+++ b/dfc69235-CVE-2013-4153.patch
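Review bot: In the qemuDomainGetVcpusFlags hunk the two new agent checks sit above the existing `if (!virDomainObjIsActive(vm))` test, so a stopped domain (whose `priv->agent` is presumably NULL) now fails with "QEMU guest agent is not configured" rather than "domain is not running", which is the wrong diagnosis for an operator and differs from the error a user gets from the qemuDomainSetVcpusFlags path, whose context shows no active-domain test near the inserted block. Moving the two blocks below the active check keeps the error ordering identical in both functions. The same twelve lines are also pasted verbatim into both hunks; a single static helper such as `static bool qemuDomainAgentAvailable(qemuDomainObjPrivatePtr priv)` that reports the error and returns false would keep the two call sites from drifting the next time the agent state model changes. Both enclosing functions start and end outside the hunk, so the flag handling that gates these paths (the guest-agent flag) cannot be confirmed from here.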
@@ -0,0 +1,25 @@
+commit dfc692350a04a70b4ca65667c30869b3bfdaf034
+Author: Peter Krempa
+Date: Tue Jul 16 15:39:06 2013 +0200
+
+ qemu: Fix double free of returned JSON array in qemuAgentGetVCPUs()
+
+ A part of the returned monitor response was freed twice and caused
+ crashes of the daemon when using guest agent cpu count retrieval.
+
+ # virsh vcpucount dom --guest
+
+ Introduced in v1.0.6-48-gc6afcb0
+
+Index: libvirt-1.1.0/src/qemu/qemu_agent.c
+===================================================================
+--- libvirt-1.1.0.orig/src/qemu/qemu_agent.c
++++ libvirt-1.1.0/src/qemu/qemu_agent.c
+@@ -1538,7 +1538,6 @@ qemuAgentGetVCPUs(qemuAgentPtr mon,
+ cleanup:
+ virJSONValueFree(cmd);
+ virJSONValueFree(reply);
+- virJSONValueFree(data);
+ return ret;
+ }
+
diff --git a/libvirt.changes b/libvirt.changes
index 4049188..e7aa5fd 100644
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Mon Jul 22 10:39:01 MDT 2013 - jfehlig@suse.com
+
+- CVE-2013-4153: Fix double free of returned JSON array in
+ qemuAgentGetVCPUs()
+ dfc69235-CVE-2013-4153.patch
+- CVE-2013-4154: Prevent crash of libvirtd without guest agent
+ configuration
+ 96518d43-CVE-2013-4154.patch
+ bnc#830498
+
 -------------------------------------------------------------------
 Wed Jul 17 11:45:21 MDT 2013 - jfehlig@suse.com
diff --git a/libvirt.spec b/libvirt.spec
index 3609d49..065ae95 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -406,6 +408,8 @@ Source99: baselibs.conf
 # Upstream patches
 Patch0: f38c8185-CVE-2013-2230.patch
 Patch1: fd2e3c4c-xen-sysctl-domctl.patch
+Patch2: dfc69235-CVE-2013-4153.patch
+Patch3: 96518d43-CVE-2013-4154.patch
 # Need to go upstream
 Patch100: xen-name-for-devid.patch
 Patch101: clone.patch
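Review bot: Dropping `virJSONValueFree(data)` in the cleanup label of qemuAgentGetVCPUs removes the double free, but nothing in the function now records why `data` must not be released there; the hunk does not show where `data` is assigned, and the fix only makes sense if it is a pointer into `reply` that `virJSONValueFree(reply)` already tears down. A comment at the assignment site, `/* 'data' is borrowed from 'reply' and is freed with it; never free it separately */`, would stop the next maintainer from reintroducing the free when they see an apparently unreleased pointer at cleanup. The enclosing function starts outside the hunk, so the ownership claim should be confirmed against the assignment before the comment is worded as fact.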
@@ -453,6 +455,7 @@ Includes the API reference for the libvirt C library, and a complete copy of the libvirt.org website documentation. %if %{with_libvirtd} + %package daemon Summary: Server side daemon and supporting files for libvirt library Group: Development/Libraries/C and C++ @@ -541,6 +544,7 @@ of recent versions of Linux. Requires a hypervisor specific sub-RPM for specific drivers. %if %{with_nwfilter} + %package daemon-config-nwfilter Summary: Network filter configuration files for the libvirtd Group: Development/Libraries/C and C++ @@ -554,6 +558,7 @@ cleaning guest network traffic. %if %{with_driver_modules} %if %{with_network} + %package daemon-driver-network Summary: Network driver plugin for the libvirtd daemon Group: Development/Libraries/C and C++ @@ -566,6 +571,7 @@ bridge capabilities. %endif %if %{with_nwfilter} + %package daemon-driver-nwfilter Summary: A nwfilter driver plugin for the libvirtd daemon Group: Development/Libraries/C and C++ @@ -578,6 +584,7 @@ iptables and ip6tables capabilities %endif %if %{with_nodedev} + %package daemon-driver-nodedev Summary: Nodedev driver plugin for the libvirtd daemon Group: Development/Libraries/C and C++ @@ -590,6 +597,7 @@ capabilities. %endif %if %{with_interface} + %package daemon-driver-interface Summary: Interface driver plugin for the libvirtd daemon Group: Development/Libraries/C and C++ @@ -611,6 +619,7 @@ The secret driver plugin for the libvirtd daemon, providing an implementation of the secret key APIs. %if %{with_storage} + %package daemon-driver-storage Summary: Storage driver plugin for the libvirtd daemon Group: Development/Libraries/C and C++ @@ -623,6 +632,7 @@ parted and more. %endif %if %{with_qemu} + %package daemon-driver-qemu Summary: Qemu driver plugin for the libvirtd daemon Group: Development/Libraries/C and C++ 
@@ -636,6 +646,7 @@ an implementation of the hypervisor driver APIs using QEMU. %endif %if %{with_lxc} + %package daemon-driver-lxc Summary: LXC driver plugin for the libvirtd daemon Group: Development/Libraries/C and C++ @@ -650,6 +661,7 @@ the Linux kernel %endif %if %{with_uml} + %package daemon-driver-uml Summary: Uml driver plugin for the libvirtd daemon Group: Development/Libraries/C and C++ @@ -662,6 +674,7 @@ User Mode Linux %endif %if %{with_xen} + %package daemon-driver-xen Summary: Xen driver plugin for the libvirtd daemon Group: Development/Libraries/C and C++ @@ -673,6 +686,7 @@ an implementation of the hypervisor driver APIs using Xen. %endif %if %{with_vbox} + %package daemon-driver-vbox Summary: VirtualBox driver plugin for the libvirtd daemon Group: Development/Libraries/C and C++ @@ -685,6 +699,7 @@ VirtualBox %endif %if %{with_libxl} + %package daemon-driver-libxl Summary: Libxl driver plugin for the libvirtd daemon Group: Development/Libraries/C and C++ @@ -697,6 +712,7 @@ an implementation of the hypervisor driver APIs using libxl. %endif # with_driver_modules %if %{with_qemu} + %package daemon-qemu Summary: Server side daemon & driver required to run QEMU guests Group: Development/Libraries/C and C++ @@ -721,6 +737,7 @@ capabilities of the QEMU emulators %endif %if %{with_lxc} + %package daemon-lxc Summary: Server side daemon & driver required to run LXC guests Group: Development/Libraries/C and C++ @@ -744,6 +761,7 @@ capabilities of LXC %endif %if %{with_uml} + %package daemon-uml Summary: Server side daemon & driver required to run UML guests Group: Development/Libraries/C and C++ @@ -767,6 +785,7 @@ capabilities of UML %endif %if %{with_xen} || %{with_libxl} + %package daemon-xen Summary: Server side daemon & driver required to run XEN guests Group: Development/Libraries/C and C++ 
@@ -796,6 +815,7 @@ capabilities of XEN %endif %if %{with_vbox} + %package daemon-vbox Summary: Server side daemon & driver required to run VirtualBox guests Group: Development/Libraries/C and C++ @@ -856,6 +876,7 @@ Include header files & development libraries for the libvirt C library. %if %{with_sanlock} + %package lock-sanlock Summary: Sanlock lock manager plugin for QEMU driver Group: Development/Libraries/C and C++ @@ -870,6 +891,7 @@ Includes the Sanlock lock manager plugin for the QEMU driver %endif %if %{with_python} + %package python Summary: Python bindings for the libvirt library Group: Development/Libraries/C and C++ @@ -887,6 +909,8 @@ of recent versions of Linux (and other OSes). %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %patch100 -p1 %patch101 %patch102 -p1 @@ -1236,6 +1260,7 @@ mv $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/libvirt-guests $RPM_BUILD_ROOT%{_loca rm -rf $RPM_BUILD_ROOT %if %{with_libvirtd} + %pre daemon %if %{with_systemd} %service_add_pre libvirtd.service @@ -1314,6 +1339,7 @@ fi %doc %{_docdir}/%{name}/libvirt.README %if %{with_libvirtd} + %files daemon %defattr(-, root, root) %{_sbindir}/libvirtd @@ -1418,12 +1444,14 @@ fi %if %{with_driver_modules} %if %{with_nwfilter} + %files daemon-config-nwfilter %defattr(-, root, root) %{_sysconfdir}/libvirt/nwfilter/*.xml %endif %if %{with_interface} + %files daemon-driver-interface %defattr(-, root, root) %dir %{_libdir}/%{name}/connection-driver @@ -1431,6 +1459,7 @@ fi %endif %if %{with_network} + %files daemon-driver-network %defattr(-, root, root) %dir %{_libdir}/%{name}/connection-driver @@ -1438,6 +1467,7 @@ fi %endif %if %{with_nodedev} + %files daemon-driver-nodedev %defattr(-, root, root) %dir %{_libdir}/%{name}/connection-driver @@ -1445,6 +1475,7 @@ fi %endif %if %{with_nwfilter} + %files daemon-driver-nwfilter %defattr(-, root, root) %dir %{_libdir}/%{name}/connection-driver 
@@ -1457,6 +1488,7 @@ fi %{_libdir}/%{name}/connection-driver/libvirt_driver_secret.so %if %{with_storage} + %files daemon-driver-storage %defattr(-, root, root) %dir %{_libdir}/%{name}/connection-driver @@ -1464,6 +1496,7 @@ fi %endif %if %{with_qemu} + %files daemon-driver-qemu %defattr(-, root, root) %dir %{_libdir}/%{name}/connection-driver @@ -1471,6 +1504,7 @@ fi %endif %if %{with_lxc} + %files daemon-driver-lxc %defattr(-, root, root) %dir %{_libdir}/%{name}/connection-driver @@ -1478,6 +1512,7 @@ fi %endif %if %{with_uml} + %files daemon-driver-uml %defattr(-, root, root) %dir %{_libdir}/%{name}/connection-driver @@ -1485,6 +1520,7 @@ fi %endif %if %{with_xen} + %files daemon-driver-xen %defattr(-, root, root) %dir %{_libdir}/%{name}/connection-driver @@ -1492,6 +1528,7 @@ fi %endif %if %{with_libxl} + %files daemon-driver-libxl %defattr(-, root, root) %dir %{_libdir}/%{name}/connection-driver @@ -1499,6 +1536,7 @@ fi %endif %if %{with_vbox} + %files daemon-driver-vbox %defattr(-, root, root) %{_libdir}/%{name}/connection-driver/libvirt_driver_vbox.so @@ -1506,30 +1544,35 @@ fi %endif # with_driver_modules %if %{with_qemu} + %files daemon-qemu %defattr(-, root, root) %doc %{_docdir}/%{name}/libvirt-daemon-qemu.README %endif %if %{with_lxc} + %files daemon-lxc %defattr(-, root, root) %doc %{_docdir}/%{name}/libvirt-daemon-lxc.README %endif %if %{with_uml} + %files daemon-uml %defattr(-, root, root) %doc %{_docdir}/%{name}/libvirt-daemon-uml.README %endif %if %{with_xen} || %{with_libxl} + %files daemon-xen %defattr(-, root, root) %doc %{_docdir}/%{name}/libvirt-daemon-xen.README %endif %if %{with_vbox} + %files daemon-vbox %defattr(-, root, root) %doc %{_docdir}/%{name}/libvirt-daemon-vbox.README @@ -1608,6 +1651,7 @@ fi %doc %{_datadir}/gtk-doc/html/libvirt/* %if %{with_sanlock} + %files lock-sanlock %defattr(-, root, root) %doc %{_mandir}/man8/virt-sanlock-cleanup.8* 
@@ -1627,6 +1671,7 @@ fi %endif %if %{with_python} + %files python %defattr(-, root, root) %{py_sitedir}/libvirt.py*