From a3547ecbafe9ff38c4a8044706ca90afd3f7ea2b9d821965d4c5b4a15dc6c51d Mon Sep 17 00:00:00 2001
From: James Fehlig <jfehlig@suse.com>
Date: Wed, 1 Aug 2012 17:43:38 +0000
Subject: [PATCH] - daemon: Fix crash in virTypedParameterArrayClear  
 CVE-2012-3445   6039a2cb-CVE-2012-3445.patch   bnc#773955

OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=219
---
 6039a2cb-CVE-2012-3445.patch | 99 ++++++++++++++++++++++++++++++++++++
 libvirt.changes              |  8 +++
 libvirt.spec                 |  2 +
 3 files changed, 109 insertions(+)
 create mode 100644 6039a2cb-CVE-2012-3445.patch

diff --git a/6039a2cb-CVE-2012-3445.patch b/6039a2cb-CVE-2012-3445.patch
new file mode 100644
index 0000000..fcfb7d1
--- /dev/null
+++ b/6039a2cb-CVE-2012-3445.patch
@@ -0,0 +1,99 @@
+commit 6039a2cb49c8af4c68460d2faf365a7e1c686c7b
+Author: Jiri Denemark <jdenemar@redhat.com>
+Date:   Mon Jul 30 12:14:54 2012 +0200
+
+    daemon: Fix crash in virTypedParameterArrayClear
+    
+    Daemon uses the following pattern when dispatching APIs with typed
+    parameters:
+    
+        VIR_ALLOC_N(params, nparams);
+        virDomain*(dom, params, &nparams, flags);
+        virTypedParameterArrayClear(params, nparams);
+    
+    In case nparams was originally set to 0, virDomain* API would fill it
+    with the number of typed parameters it can provide and we would use this
+    number (rather than zero) to clear params. Because VIR_ALLOC* returns
+    non-NULL pointer even if size is 0, the code would end up walking
+    through random memory. If we were lucky enough and the memory contained
+    7 (VIR_TYPED_PARAM_STRING) at the right place, we would try to free a
+    random pointer and crash.
+    
+    Let's make sure params stays NULL when nparams is 0.
+
+Index: libvirt-0.9.11.4/daemon/remote.c
+===================================================================
+--- libvirt-0.9.11.4.orig/daemon/remote.c
++++ libvirt-0.9.11.4/daemon/remote.c
+@@ -964,7 +964,7 @@ remoteDispatchDomainGetSchedulerParamete
+         virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+     }
+-    if (VIR_ALLOC_N(params, nparams) < 0)
++    if (nparams && VIR_ALLOC_N(params, nparams) < 0)
+         goto no_memory;
+ 
+     if (!(dom = get_nonnull_domain(priv->conn, args->dom)))
+@@ -1019,7 +1019,7 @@ remoteDispatchDomainGetSchedulerParamete
+         virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+     }
+-    if (VIR_ALLOC_N(params, nparams) < 0)
++    if (nparams && VIR_ALLOC_N(params, nparams) < 0)
+         goto no_memory;
+ 
+     if (!(dom = get_nonnull_domain(priv->conn, args->dom)))
+@@ -1200,7 +1200,7 @@ remoteDispatchDomainBlockStatsFlags(virN
+         virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+     }
+-    if (VIR_ALLOC_N(params, nparams) < 0) {
++    if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
+         virReportOOMError();
+         goto cleanup;
+     }
+@@ -1674,7 +1674,7 @@ remoteDispatchDomainGetMemoryParameters(
+         virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+     }
+-    if (VIR_ALLOC_N(params, nparams) < 0) {
++    if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
+         virReportOOMError();
+         goto cleanup;
+     }
+@@ -1739,7 +1739,7 @@ remoteDispatchDomainGetNumaParameters(vi
+         virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+     }
+-    if (VIR_ALLOC_N(params, nparams) < 0) {
++    if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
+         virReportOOMError();
+         goto cleanup;
+     }
+@@ -1804,7 +1804,7 @@ remoteDispatchDomainGetBlkioParameters(v
+         virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+     }
+-    if (VIR_ALLOC_N(params, nparams) < 0) {
++    if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
+         virReportOOMError();
+         goto cleanup;
+     }
+@@ -2064,7 +2064,7 @@ remoteDispatchDomainGetBlockIoTune(virNe
+         goto cleanup;
+     }
+ 
+-    if (VIR_ALLOC_N(params, nparams) < 0) {
++    if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
+         virReportOOMError();
+         goto cleanup;
+     }
+@@ -3563,7 +3563,7 @@ remoteDispatchDomainGetInterfaceParamete
+         virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+     }
+-    if (VIR_ALLOC_N(params, nparams) < 0) {
++    if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
+         virReportOOMError();
+         goto cleanup;
+     }
diff --git a/libvirt.changes b/libvirt.changes
index 5a7a5c0..84cbf97 100644
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Aug  1 11:42:58 MDT 2012 - jfehlig@suse.com
+
+- daemon: Fix crash in virTypedParameterArrayClear
+  CVE-2012-3445
+  6039a2cb-CVE-2012-3445.patch
+  bnc#773955
+
 -------------------------------------------------------------------
 Tue Jul 10 09:17:01 MDT 2012 - jfehlig@suse.com
 
diff --git a/libvirt.spec b/libvirt.spec
index 2844635..6d5b1dc 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -416,6 +416,7 @@ Patch1:         57349ffc-lxc-ctrl.patch
 Patch2:         0dda594d-libvirtd-shutdown-deadlock.patch
 Patch3:         9c77bf04-fix-virnetserver-refcnt.patch
 Patch4:         4036aa91-systemd.patch
+Patch5:         6039a2cb-CVE-2012-3445.patch
 # Need to go upstream
 Patch100:       xen-name-for-devid.patch
 Patch101:       clone.patch
@@ -556,6 +557,7 @@ Authors:
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 %patch100 -p1
 %patch101
 %patch102 -p1