rpm/libvirt
SHA256
1
0
Fork 0
forked from pool/libvirt
Code Pull Requests Activity

- daemon: Fix crash in virTypedParameterArrayClear

Browse Source 
CVE-2012-3445
  6039a2cb-CVE-2012-3445.patch
  bnc#773955

OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=219
This commit is contained in:
James Fehlig 2012-08-01 17:43:38 +00:00 committed by Git OBS Bridge
parent f7a4f1af0a
commit a3547ecbaf
3 changed files with 109 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
6039a2cb-CVE-2012-3445.patch Normal file
View File

@ -0,0 +1,99 @@
commit 6039a2cb49c8af4c68460d2faf365a7e1c686c7b
Author: Jiri Denemark <jdenemar@redhat.com>
Date: Mon Jul 30 12:14:54 2012 +0200
daemon: Fix crash in virTypedParameterArrayClear
Daemon uses the following pattern when dispatching APIs with typed
parameters:
VIR_ALLOC_N(params, nparams);
virDomain*(dom, params, &nparams, flags);
virTypedParameterArrayClear(params, nparams);
In case nparams was originally set to 0, virDomain* API would fill it
with the number of typed parameters it can provide and we would use this
number (rather than zero) to clear params. Because VIR_ALLOC* returns
non-NULL pointer even if size is 0, the code would end up walking
through random memory. If we were lucky enough and the memory contained
7 (VIR_TYPED_PARAM_STRING) at the right place, we would try to free a
random pointer and crash.
Let's make sure params stays NULL when nparams is 0.
Index: libvirt-0.9.11.4/daemon/remote.c
===================================================================
--- libvirt-0.9.11.4.orig/daemon/remote.c
+++ libvirt-0.9.11.4/daemon/remote.c
@@ -964,7 +964,7 @@ remoteDispatchDomainGetSchedulerParamete
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
}
- if (VIR_ALLOC_N(params, nparams) < 0)
+ if (nparams && VIR_ALLOC_N(params, nparams) < 0)
goto no_memory;
if (!(dom = get_nonnull_domain(priv->conn, args->dom)))
@@ -1019,7 +1019,7 @@ remoteDispatchDomainGetSchedulerParamete
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
}
- if (VIR_ALLOC_N(params, nparams) < 0)
+ if (nparams && VIR_ALLOC_N(params, nparams) < 0)
goto no_memory;
if (!(dom = get_nonnull_domain(priv->conn, args->dom)))
@@ -1200,7 +1200,7 @@ remoteDispatchDomainBlockStatsFlags(virN
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
}
- if (VIR_ALLOC_N(params, nparams) < 0) {
+ if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
virReportOOMError();
goto cleanup;
}
@@ -1674,7 +1674,7 @@ remoteDispatchDomainGetMemoryParameters(
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
}
- if (VIR_ALLOC_N(params, nparams) < 0) {
+ if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
virReportOOMError();
goto cleanup;
}
@@ -1739,7 +1739,7 @@ remoteDispatchDomainGetNumaParameters(vi
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
}
- if (VIR_ALLOC_N(params, nparams) < 0) {
+ if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
virReportOOMError();
goto cleanup;
}
@@ -1804,7 +1804,7 @@ remoteDispatchDomainGetBlkioParameters(v
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
}
- if (VIR_ALLOC_N(params, nparams) < 0) {
+ if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
virReportOOMError();
goto cleanup;
}
@@ -2064,7 +2064,7 @@ remoteDispatchDomainGetBlockIoTune(virNe
goto cleanup;
}
- if (VIR_ALLOC_N(params, nparams) < 0) {
+ if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
virReportOOMError();
goto cleanup;
}
@@ -3563,7 +3563,7 @@ remoteDispatchDomainGetInterfaceParamete
virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
}
- if (VIR_ALLOC_N(params, nparams) < 0) {
+ if (nparams && VIR_ALLOC_N(params, nparams) < 0) {
virReportOOMError();
goto cleanup;
}

8
libvirt.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Wed Aug 1 11:42:58 MDT 2012 - jfehlig@suse.com
- daemon: Fix crash in virTypedParameterArrayClear
CVE-2012-3445
6039a2cb-CVE-2012-3445.patch
bnc#773955
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Jul 10 09:17:01 MDT 2012 - jfehlig@suse.com Tue Jul 10 09:17:01 MDT 2012 - jfehlig@suse.com

2
libvirt.spec
View File

@ -416,6 +416,7 @@ Patch1: 57349ffc-lxc-ctrl.patch
Patch2: 0dda594d-libvirtd-shutdown-deadlock.patch Patch2: 0dda594d-libvirtd-shutdown-deadlock.patch
Patch3: 9c77bf04-fix-virnetserver-refcnt.patch Patch3: 9c77bf04-fix-virnetserver-refcnt.patch
Patch4: 4036aa91-systemd.patch Patch4: 4036aa91-systemd.patch
Patch5: 6039a2cb-CVE-2012-3445.patch
# Need to go upstream # Need to go upstream
Patch100: xen-name-for-devid.patch Patch100: xen-name-for-devid.patch
Patch101: clone.patch Patch101: clone.patch
@ -556,6 +557,7 @@ Authors:
%patch2 -p1 %patch2 -p1
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1
%patch100 -p1 %patch100 -p1
%patch101 %patch101
%patch102 -p1 %patch102 -p1