diff --git a/774b21c1-CVE-2011-2511.patch b/774b21c1-CVE-2011-2511.patch
new file mode 100644
index 0000000..adf52b9
--- /dev/null
+++ b/774b21c1-CVE-2011-2511.patch
@@ -0,0 +1,83 @@
+commit 774b21c163845170c9ffa873f5720d318812eaf6
+Author: Eric Blake
+Date: Fri Jun 24 12:16:05 2011 -0600
+
+ remote: protect against integer overflow
+
+ Integer overflow and remote code are never a nice mix.
+
+ This has existed since commit 56cd414.
+
+ * src/libvirt.c (virDomainGetVcpus): Reject overflow up front.
+ * src/remote/remote_driver.c (remoteDomainGetVcpus): Avoid overflow
+ on sending rpc.
+ * daemon/remote.c (remoteDispatchDomainGetVcpus): Avoid overflow on
+ receiving rpc.
+
+Index: libvirt-0.9.2/daemon/remote.c
+===================================================================
+--- libvirt-0.9.2.orig/daemon/remote.c
++++ libvirt-0.9.2/daemon/remote.c
+@@ -61,6 +61,7 @@
+ #include "network.h"
+ #include "libvirt/libvirt-qemu.h"
+ #include "command.h"
++#include "intprops.h"
+
+ #define VIR_FROM_THIS VIR_FROM_REMOTE
+
+@@ -1074,7 +1075,8 @@ remoteDispatchDomainGetVcpus(struct qemu
+ goto cleanup;
+ }
+
+- if (args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) {
++ if (INT_MULTIPLY_OVERFLOW(args->maxinfo, args->maplen) ||
++ args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) {
+ virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo * maplen > REMOTE_CPUMAPS_MAX"));
+ goto cleanup;
+ }
+Index: libvirt-0.9.2/src/libvirt.c
+===================================================================
+--- libvirt-0.9.2.orig/src/libvirt.c
++++ libvirt-0.9.2/src/libvirt.c
+@@ -39,6 +39,7 @@
+ #include "util.h"
+ #include "memory.h"
+ #include "configmake.h"
++#include "intprops.h"
+
+ #ifndef WITH_DRIVER_MODULES
+ # ifdef WITH_TEST
+@@ -6805,8 +6806,8 @@ virDomainGetVcpus(virDomainPtr domain, v
+
+ /* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not
+ try to memcpy anything into a NULL pointer. */
+- if ((cpumaps == NULL && maplen != 0)
+- || (cpumaps && maplen <= 0)) {
++ if (!cpumaps ? maplen != 0
++ : (maplen <= 0 || INT_MULTIPLY_OVERFLOW(maxinfo, maplen))) {
+ virLibDomainError(VIR_ERR_INVALID_ARG, __FUNCTION__);
+ goto error;
+ }
+Index: libvirt-0.9.2/src/remote/remote_driver.c
+===================================================================
+--- libvirt-0.9.2.orig/src/remote/remote_driver.c
++++ libvirt-0.9.2/src/remote/remote_driver.c
+@@ -84,6 +84,7 @@
+ #include "ignore-value.h"
+ #include "files.h"
+ #include "command.h"
++#include "intprops.h"
+
+ #define VIR_FROM_THIS VIR_FROM_REMOTE
+
+@@ -2032,7 +2033,8 @@ remoteDomainGetVcpus (virDomainPtr domai
+ maxinfo, REMOTE_VCPUINFO_MAX);
+ goto done;
+ }
+- if (maxinfo * maplen > REMOTE_CPUMAPS_MAX) {
++ if (INT_MULTIPLY_OVERFLOW(maxinfo, maplen) ||
++ maxinfo * maplen > REMOTE_CPUMAPS_MAX) {
+ remoteError(VIR_ERR_RPC,
+ _("vCPU map buffer length exceeds maximum: %d > %d"),
+ maxinfo * maplen, REMOTE_CPUMAPS_MAX);
diff --git a/libvirt.changes b/libvirt.changes
index 8687282..a37f693 100644
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Jun 30 14:48:51 MDT 2011 - jfehlig@suse.de
+
+- VUL-0: libvirt: integer overflow in VirDomainGetVcpus
+ 774b21c1-CVE-2011-2511.patch
+ bnc#703084
+
 -------------------------------------------------------------------
 Thu Jun 30 10:44:17 MDT 2011 - jfehlig@suse.de
diff --git a/libvirt.spec b/libvirt.spec
index df95fd6..ce5bcd4 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -352,6 +352,7 @@ Source0: %{name}-%{version}.tar.bz2
 Source1: libvirtd.init
 Source2: libvirtd-relocation-server.fw
 # Upstream patches
+Patch0: 774b21c1-CVE-2011-2511.patch
 # Need to go upstream
 Patch100: xen-name-for-devid.patch
 Patch101: clone.patch
@@ -467,6 +468,7 @@ Authors:
 %prep
 %setup -q
+%patch0 -p1
 %patch100 -p1
 %patch101
 %patch102 -p1
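Review bot: In the remoteDomainGetVcpus hunk of src/remote/remote_driver.c, the error branch still passes `maxinfo * maplen` to the `%d` in remoteError, so when INT_MULTIPLY_OVERFLOW is what sent execution there, the product is recomputed and overflows inside the path meant to reject it. That is undefined behaviour if both operands are `int`, which the `%d` suggests but the hunk does not show. Reporting the factors separately avoids the second multiplication: `_("vCPU map buffer length exceeds maximum: %d * %d > %d"),` followed by `maxinfo, maplen, REMOTE_CPUMAPS_MAX);`. The matching guard in remoteDispatchDomainGetVcpus works on values taken straight from the RPC arguments, and both functions begin and end outside their hunks, so it is worth confirming that zero or negative maxinfo/maplen are rejected before the daemon reaches this check.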