File 8a3f8d95-CVE-2024-2494.patch of Package libvirt
xxxxxxxxxx1
commit 8a3f8d957507c1f8223fdcf25a3ff885b15557f22
Author: Daniel P. Berrangé <berrange@redhat.com>3
Date: Fri Mar 15 10:47:50 2024 +00004
5
remote: check for negative array lengths before allocation6
7
While the C API entry points will validate non-negative lengths8
for various parameters, the RPC server de-serialization code9
will need to allocate memory for arrays before entering the C10
API. These allocations will thus happen before the non-negative11
length check is performed.12
13
Passing a negative length to the g_new0 function will usually14
result in a crash due to the negative length being treated as15
a huge positive number.16
17
This was found and diagnosed by ALT Linux Team with AFLplusplus.18
19
CVE-2024-249420
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>21
Found-by: Alexandr Shashkin <dutyrok@altlinux.org>22
Co-developed-by: Alexander Kuznetsov <kuznetsovam@altlinux.org>23
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>24
25
Index: libvirt-7.1.0/src/remote/remote_daemon_dispatch.c26
===================================================================27
--- libvirt-7.1.0.orig/src/remote/remote_daemon_dispatch.c28
+++ libvirt-7.1.0/src/remote/remote_daemon_dispatch.c29
30
if (!conn)31
goto cleanup;32
33
+ if (args->nparams < 0) {34
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));35
+ goto cleanup;36
+ }37
if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) {38
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));39
goto cleanup;40
41
if (!conn)42
goto cleanup;43
44
+ if (args->nparams < 0) {45
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));46
+ goto cleanup;47
+ }48
if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) {49
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));50
goto cleanup;51
52
goto cleanup;53
flags = args->flags;54
55
+ if (args->nparams < 0) {56
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));57
+ goto cleanup;58
+ }59
if (args->nparams > REMOTE_DOMAIN_BLOCK_STATS_PARAMETERS_MAX) {60
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));61
goto cleanup;62
63
if (!(dom = get_nonnull_domain(conn, args->dom)))64
goto cleanup;65
66
+ if (args->ncpumaps < 0) {67
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps must be non-negative"));68
+ goto cleanup;69
+ }70
+ if (args->maplen < 0) {71
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative"));72
+ goto cleanup;73
+ }74
if (args->ncpumaps > REMOTE_VCPUINFO_MAX) {75
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps > REMOTE_VCPUINFO_MAX"));76
goto cleanup;77
78
if (!(dom = get_nonnull_domain(conn, args->dom)))79
goto cleanup;80
81
+ if (args->maplen < 0) {82
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative"));83
+ goto cleanup;84
+ }85
+86
/* Allocate buffers to take the results */87
if (args->maplen > 0)88
cpumaps = g_new0(unsigned char, args->maplen);89
90
if (!(dom = get_nonnull_domain(conn, args->dom)))91
goto cleanup;92
93
+ if (args->maxinfo < 0) {94
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be non-negative"));95
+ goto cleanup;96
+ }97
+ if (args->maplen < 0) {98
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be non-negative"));99
+ goto cleanup;100
+ }101
if (args->maxinfo > REMOTE_VCPUINFO_MAX) {102
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo > REMOTE_VCPUINFO_MAX"));103
goto cleanup;104
105
106
flags = args->flags;107
108
+ if (args->nparams < 0) {109
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));110
+ goto cleanup;111
+ }112
if (args->nparams > REMOTE_DOMAIN_MEMORY_PARAMETERS_MAX) {113
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));114
goto cleanup;115
116
117
flags = args->flags;118
119
+ if (args->nparams < 0) {120
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));121
+ goto cleanup;122
+ }123
if (args->nparams > REMOTE_DOMAIN_NUMA_PARAMETERS_MAX) {124
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));125
goto cleanup;126
127
128
flags = args->flags;129
130
+ if (args->nparams < 0) {131
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));132
+ goto cleanup;133
+ }134
if (args->nparams > REMOTE_DOMAIN_BLKIO_PARAMETERS_MAX) {135
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));136
goto cleanup;137
138
139
flags = args->flags;140
141
+ if (args->nparams < 0) {142
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));143
+ goto cleanup;144
+ }145
if (args->nparams > REMOTE_NODE_CPU_STATS_MAX) {146
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));147
goto cleanup;148
149
150
flags = args->flags;151
152
+ if (args->nparams < 0) {153
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));154
+ goto cleanup;155
+ }156
if (args->nparams > REMOTE_NODE_MEMORY_STATS_MAX) {157
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));158
goto cleanup;159
160
if (!conn)161
goto cleanup;162
163
+ if (args->nparams < 0) {164
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));165
+ goto cleanup;166
+ }167
if (args->nparams > REMOTE_DOMAIN_BLOCK_IO_TUNE_PARAMETERS_MAX) {168
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));169
goto cleanup;170
171
172
flags = args->flags;173
174
+ if (args->nparams < 0) {175
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));176
+ goto cleanup;177
+ }178
if (args->nparams > REMOTE_DOMAIN_INTERFACE_PARAMETERS_MAX) {179
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));180
goto cleanup;181
182
183
flags = args->flags;184
185
+ if (args->nparams < 0) {186
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));187
+ goto cleanup;188
+ }189
if (args->nparams > REMOTE_NODE_MEMORY_PARAMETERS_MAX) {190
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));191
goto cleanup;192
Index: libvirt-7.1.0/src/rpc/gendispatch.pl193
===================================================================194
--- libvirt-7.1.0.orig/src/rpc/gendispatch.pl195
+++ libvirt-7.1.0/src/rpc/gendispatch.pl196
197
print "\n";198
199
if ($single_ret_as_list) {200
+ print " if (args->$single_ret_list_max_var < 0) {\n";201
+ print " virReportError(VIR_ERR_RPC,\n";202
+ print " \"%s\", _(\"max$single_ret_list_name must be non-negative\"));\n";203
+ print " goto cleanup;\n";204
+ print " }\n";205
print " if (args->$single_ret_list_max_var > $single_ret_list_max_define) {\n";206
print " virReportError(VIR_ERR_RPC,\n";207
print " \"%s\", _(\"max$single_ret_list_name > $single_ret_list_max_define\"));\n";208