From 91c2742b7bf8b2f0d0ea31fce4749e3b7932f34d437ae0feafcd6d86c7d286b2 Mon Sep 17 00:00:00 2001
From: Charles Arnold <carnold@suse.com>
Date: Wed, 29 Jun 2022 16:21:52 +0000
Subject: [PATCH 1/4] - CVE-2022-2211 - Fix buffer overflow in get_keys()  
 CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/virt-v2v?expand=0&rev=27
---
 ...ions-fix-buffer-overflow-in-get_keys.patch | 116 ++++++++++++++++++
 virt-v2v.changes                              |   6 +
 virt-v2v.spec                                 |   2 +
 3 files changed, 124 insertions(+)
 create mode 100644 CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch

diff --git a/CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch b/CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch
new file mode 100644
index 0000000..b966203
--- /dev/null
+++ b/CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch
@@ -0,0 +1,116 @@
+Subject: options: fix buffer overflow in get_keys() [CVE-2022-2211]
+From: Laszlo Ersek lersek@redhat.com Tue Jun 28 13:49:04 2022 +0200
+Date: Wed Jun 29 15:17:17 2022 +0200:
+Git: 35467027f657de76aca34b48a6f23e9608b23a57
+
+When calculating the greatest possible number of matching keys in
+get_keys(), the current expression
+
+  MIN (1, ks->nr_keys)
+
+is wrong -- it will return at most 1.
+
+If all "nr_keys" keys match however, then we require "nr_keys" non-NULL
+entries in the result array; in other words, we need
+
+  MAX (1, ks->nr_keys)
+
+(The comment just above the expression is correct; the code is wrong.)
+
+This buffer overflow is easiest to trigger in those guestfs tools that
+parse the "--key" option in C; that is, with "OPTION_key". For example,
+the command
+
+$ virt-cat $(seq -f '--key /dev/sda2:key:%g' 200) -d DOMAIN /no-such-file
+
+which passes 200 (different) passphrases for the LUKS-encrypted block
+device "/dev/sda2", crashes with a SIGSEGV.
+
+A slightly better reproducer from Rich Jones is the following, since it
+doesn't require an encrypted guest disk image:
+
+$ echo TEST | guestfish --keys-from-stdin -N part luks-format /dev/sda1 0
+$ virt-cat $(seq -f '--key /dev/sda1:key:%g' 200) -a test1.img /no-such-file
+Segmentation fault (core dumped)
+$ rm test1.img
+
+(
+
+  The buffer overflow is possible to trigger in OCaml-language tools as
+  well; that is, those that call "create_standard_options" with
+  ~key_opts:true.
+
+  Triggering the problem that way is less trivial. The reason is that when
+  the OCaml tools parse the "--key" options, they de-duplicate the options
+  first, based on the device identifier.
+
+  Thus, in theory, this de-duplication masks the issue, as (one would
+  think) only one "--key" option could belong to a single device, and
+  therefore the buffer overflow would not be triggered in practice.
+
+  This is not the case however: the de-duplication does not collapse keys
+  that are provided for the same device, but use different identifier
+  types (such as pathname of device node versus LUKS UUID) -- in that
+  situation, two entries in the keystore will match the device, and the
+  terminating NULL entry will not be present once get_keys() returns. In
+  this scenario, we don't have an out-of-bounds write, but an
+  out-of-bounds read, in decrypt_mountables() [options/decrypt.c].
+
+  There is *yet another* bug in get_keys() though that undoes the above
+  "masking". The "uuid" parameter of get_keys() may be NULL (for example
+  when the device to decrypt uses BitLocker and not LUKS). When this
+  happens, get_keys() adds all keys in the keystore to the result array.
+  Therefore, the out-of-bounds write is easy to trigger with
+  OCaml-language tools as well, as long as we attempt to decrypt a
+  BitLocker (not LUKS) device, and we pass the "--key" options with
+  different device identifiers.
+
+  Subsequent patches in this series fix all of the above; this patch fixes
+  the security bug.
+
+)
+
+Rather than replacing MIN with MAX, open-code the comparison, as we first
+set "len" to 1 anyway.
+
+While at it, rework the NULL-termination such that the (len+1) addition
+not go unchecked.
+
+Fixes: c10c8baedb88e7c2988a01b70fc5f81fa8e4885c
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2100862
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Message-Id: <20220628114915.5030-2-lersek@redhat.com>
+Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
+
+--- a/common/options/keys.c
++++ b/common/options/keys.c
+@@ -128,17 +128,23 @@ read_first_line_from_file (const char *f
+ char **
+ get_keys (struct key_store *ks, const char *device, const char *uuid)
+ {
+-  size_t i, j, len;
++  size_t i, j, nmemb;
+   char **r;
+   char *s;
+ 
+   /* We know the returned list must have at least one element and not
+    * more than ks->nr_keys.
+    */
+-  len = 1;
+-  if (ks)
+-    len = MIN (1, ks->nr_keys);
+-  r = calloc (len+1, sizeof (char *));
++  nmemb = 1;
++  if (ks && ks->nr_keys > nmemb)
++    nmemb = ks->nr_keys;
++
++  /* make room for the terminating NULL */
++  if (nmemb == (size_t)-1)
++    error (EXIT_FAILURE, 0, _("size_t overflow"));
++  nmemb++;
++
++  r = calloc (nmemb, sizeof (char *));
+   if (r == NULL)
+     error (EXIT_FAILURE, errno, "calloc");
+ 
diff --git a/virt-v2v.changes b/virt-v2v.changes
index 3f6d26d..4a1a771 100644
--- a/virt-v2v.changes
+++ b/virt-v2v.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Jun 29 09:51:03 MDT 2022 - carnold@suse.com
+
+- CVE-2022-2211 - Fix buffer overflow in get_keys()
+  CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch
+
 -------------------------------------------------------------------
 Thu May 26 11:39:38 MDT 2022 - carnold@suse.com
 
diff --git a/virt-v2v.spec b/virt-v2v.spec
index 72623fe..3725a89 100644
--- a/virt-v2v.spec
+++ b/virt-v2v.spec
@@ -30,6 +30,7 @@ Group:          System/Management
 URL:            https://github.com/libguestfs/virt-v2v
 Source0:        https://download.libguestfs.org/virt-v2v/%{source_directory}/%{name}-%{version}.tar.gz
 Source1:        https://download.libguestfs.org/virt-v2v/%{source_directory}/%{name}-%{version}.tar.gz.sig
+Patch1:         CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch
 BuildRequires:  augeas-devel
 BuildRequires:  file-devel
 #BuildRequires: /usr/bin/pod2man
@@ -38,6 +39,7 @@ BuildRequires:  gettext-devel
 BuildRequires:  glib2-devel
 BuildRequires:  libguestfs-devel >= 1.42
 BuildRequires:  libjansson-devel
+BuildRequires:  libnbd
 BuildRequires:  libosinfo-devel
 BuildRequires:  libvirt-devel
 BuildRequires:  libxml2-devel

From dc8750f77e25819c9cb71d1b75ca8711bc377614069169bc32aece208fa4a16b Mon Sep 17 00:00:00 2001
From: Charles Arnold <carnold@suse.com>
Date: Thu, 30 Jun 2022 16:45:25 +0000
Subject: [PATCH 2/4] - bsc#1201064 - Libguestfs: Buffer overflow in get_keys
 leads   to DOS - CVE-2022-2211

OBS-URL: https://build.opensuse.org/package/show/Virtualization/virt-v2v?expand=0&rev=28
---
 virt-v2v.changes | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/virt-v2v.changes b/virt-v2v.changes
index 4a1a771..cada5bd 100644
--- a/virt-v2v.changes
+++ b/virt-v2v.changes
@@ -1,7 +1,8 @@
 -------------------------------------------------------------------
 Wed Jun 29 09:51:03 MDT 2022 - carnold@suse.com
 
-- CVE-2022-2211 - Fix buffer overflow in get_keys()
+- bsc#1201064 - Libguestfs: Buffer overflow in get_keys leads
+  to DOS - CVE-2022-2211
   CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch
 
 -------------------------------------------------------------------

From d3f81f6a34a5799c3258214d15ab86a6b1683758da147c033dfeba51de39441e Mon Sep 17 00:00:00 2001
From: Charles Arnold <carnold@suse.com>
Date: Thu, 30 Jun 2022 21:25:57 +0000
Subject: [PATCH 3/4] - Drop BuildRequires libnbd

OBS-URL: https://build.opensuse.org/package/show/Virtualization/virt-v2v?expand=0&rev=29
---
 virt-v2v.changes | 1 +
 virt-v2v.spec    | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/virt-v2v.changes b/virt-v2v.changes
index cada5bd..5644360 100644
--- a/virt-v2v.changes
+++ b/virt-v2v.changes
@@ -4,6 +4,7 @@ Wed Jun 29 09:51:03 MDT 2022 - carnold@suse.com
 - bsc#1201064 - Libguestfs: Buffer overflow in get_keys leads
   to DOS - CVE-2022-2211
   CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch
+- Drop BuildRequires libnbd
 
 -------------------------------------------------------------------
 Thu May 26 11:39:38 MDT 2022 - carnold@suse.com
diff --git a/virt-v2v.spec b/virt-v2v.spec
index 3725a89..cb6f5c9 100644
--- a/virt-v2v.spec
+++ b/virt-v2v.spec
@@ -39,7 +39,6 @@ BuildRequires:  gettext-devel
 BuildRequires:  glib2-devel
 BuildRequires:  libguestfs-devel >= 1.42
 BuildRequires:  libjansson-devel
-BuildRequires:  libnbd
 BuildRequires:  libosinfo-devel
 BuildRequires:  libvirt-devel
 BuildRequires:  libxml2-devel

From 0656843eb78241ff49a6109615bfef17f0d0ffb1cc0474fe7419a4cc5dd050a2 Mon Sep 17 00:00:00 2001
From: Charles Arnold <carnold@suse.com>
Date: Thu, 30 Jun 2022 21:27:32 +0000
Subject: [PATCH 4/4] Remove partial comment from change log

OBS-URL: https://build.opensuse.org/package/show/Virtualization/virt-v2v?expand=0&rev=30
---
 virt-v2v.changes | 1 -
 1 file changed, 1 deletion(-)

diff --git a/virt-v2v.changes b/virt-v2v.changes
index 5644360..cada5bd 100644
--- a/virt-v2v.changes
+++ b/virt-v2v.changes
@@ -4,7 +4,6 @@ Wed Jun 29 09:51:03 MDT 2022 - carnold@suse.com
 - bsc#1201064 - Libguestfs: Buffer overflow in get_keys leads
   to DOS - CVE-2022-2211
   CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch
-- Drop BuildRequires libnbd
 
 -------------------------------------------------------------------
 Thu May 26 11:39:38 MDT 2022 - carnold@suse.com