jonathan/libvirt
1
0
Fork 0
forked from rpms/libvirt
Code Pull Requests Activity

Fix CVE-2023-2700 + bugfixes

Browse Source
This commit is contained in:
Andrew Lukoshko 2023-07-12 13:43:01 +00:00
parent 7578af5c27
commit 722e8085db
9 changed files with 593 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
SOURCES/libvirt-node_device_conf-Avoid-memleak-in-virNodeDeviceGetPCIVPDDynamicCap.patch Normal file
View File

@ -0,0 +1,53 @@
From 989a569c9c9da0fbf89aab7f292669366b2503f1 Mon Sep 17 00:00:00 2001
Message-Id: <989a569c9c9da0fbf89aab7f292669366b2503f1@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Wed, 30 Nov 2022 14:53:21 +0100
Subject: [PATCH] node_device_conf: Avoid memleak in
virNodeDeviceGetPCIVPDDynamicCap()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The virNodeDeviceGetPCIVPDDynamicCap() function is called from
virNodeDeviceGetPCIDynamicCaps() and therefore has to be a wee
bit more clever about adding VPD capability. Namely, it has to
remove the old one before adding a new one. This is how other
functions called from virNodeDeviceGetPCIDynamicCaps() behave
as well.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2143235
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
(cherry picked from commit 64d32118540aca3d42bc5ee21c8b780cafe04bfa)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-2700
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: David Sloboda <david.x.sloboda@oracle.com>
---
src/conf/node_device_conf.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/conf/node_device_conf.c b/src/conf/node_device_conf.c
index 16b9497faf..eee94a3900 100644
--- a/src/conf/node_device_conf.c
+++ b/src/conf/node_device_conf.c
@@ -3100,6 +3100,9 @@ virNodeDeviceGetPCIVPDDynamicCap(virNodeDevCapPCIDev *devCapPCIDev)
virPCIDeviceAddress devAddr;
g_autoptr(virPCIVPDResource) res = NULL;
+ g_clear_pointer(&devCapPCIDev->vpd, virPCIVPDResourceFree);
+ devCapPCIDev->flags &= ~VIR_NODE_DEV_CAP_FLAG_PCI_VPD;
+
devAddr.domain = devCapPCIDev->domain;
devAddr.bus = devCapPCIDev->bus;
devAddr.slot = devCapPCIDev->slot;
@@ -3113,8 +3116,6 @@ virNodeDeviceGetPCIVPDDynamicCap(virNodeDevCapPCIDev *devCapPCIDev)
if ((res = virPCIDeviceGetVPD(pciDev))) {
devCapPCIDev->flags |= VIR_NODE_DEV_CAP_FLAG_PCI_VPD;
devCapPCIDev->vpd = g_steal_pointer(&res);
- } else {
- virPCIVPDResourceFree(g_steal_pointer(&devCapPCIDev->vpd));
}
}
return 0;
--
2.40.1

106
SOURCES/libvirt-qemu-Make-struct-_qemuMonitorMessage-private.patch Normal file
View File

@ -0,0 +1,106 @@
From 85b7d8295d72214b08f0fff93c473baaa88a569b Mon Sep 17 00:00:00 2001
Message-Id: <85b7d8295d72214b08f0fff93c473baaa88a569b@dist-git>
From: Peter Krempa <pkrempa@redhat.com>
Date: Mon, 14 Feb 2022 15:57:21 +0100
Subject: [PATCH] qemu: Make 'struct _qemuMonitorMessage' private
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Move the declaration of the struct into 'qemu_monitor_priv.h' as other
code has no business in peeking into the monitor messages.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit f9ae469a6ebb17e0990096e826f049c1c46cd760)
https://bugzilla.redhat.com/show_bug.cgi?id=2170472
Signed-off-by: David Sloboda <david.x.sloboda@oracle.com>
---
src/qemu/qemu_monitor.h | 14 --------------
src/qemu/qemu_monitor_json.c | 3 +++
src/qemu/qemu_monitor_priv.h | 16 ++++++++++++++++
tests/qemucapsprobemock.c | 3 +++
4 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h
index a4a4edf5a6..d00967d84f 100644
--- a/src/qemu/qemu_monitor.h
+++ b/src/qemu/qemu_monitor.h
@@ -34,21 +34,7 @@
#include "virenum.h"
typedef struct _qemuMonitor qemuMonitor;
-
typedef struct _qemuMonitorMessage qemuMonitorMessage;
-struct _qemuMonitorMessage {
- int txFD;
-
- const char *txBuffer;
- int txOffset;
- int txLength;
-
- /* Used by the JSON monitor to hold reply / error */
- void *rxObject;
-
- /* True if rxObject is ready, or a fatal error occurred on the monitor channel */
- bool finished;
-};
typedef enum {
QEMU_MONITOR_EVENT_PANIC_INFO_TYPE_NONE = 0,
diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
index 34a46b9b41..7d8755246f 100644
--- a/src/qemu/qemu_monitor_json.c
+++ b/src/qemu/qemu_monitor_json.c
@@ -44,6 +44,9 @@
# include "libvirt_qemu_probes.h"
#endif
+#define LIBVIRT_QEMU_MONITOR_PRIV_H_ALLOW
+#include "qemu_monitor_priv.h"
+
#define VIR_FROM_THIS VIR_FROM_QEMU
VIR_LOG_INIT("qemu.qemu_monitor_json");
diff --git a/src/qemu/qemu_monitor_priv.h b/src/qemu/qemu_monitor_priv.h
index 31bb3526b9..6115f830de 100644
--- a/src/qemu/qemu_monitor_priv.h
+++ b/src/qemu/qemu_monitor_priv.h
@@ -24,5 +24,21 @@
#include "qemu_monitor.h"
+
+struct _qemuMonitorMessage {
+ int txFD;
+
+ const char *txBuffer;
+ int txOffset;
+ int txLength;
+
+ /* Used by the JSON monitor to hold reply / error */
+ void *rxObject;
+
+ /* True if rxObject is ready, or a fatal error occurred on the monitor channel */
+ bool finished;
+};
+
+
void
qemuMonitorResetCommandID(qemuMonitor *mon);
diff --git a/tests/qemucapsprobemock.c b/tests/qemucapsprobemock.c
index 915036d178..2717ed5d84 100644
--- a/tests/qemucapsprobemock.c
+++ b/tests/qemucapsprobemock.c
@@ -25,6 +25,9 @@
#include "qemu/qemu_monitor.h"
#include "qemu/qemu_monitor_json.h"
+#define LIBVIRT_QEMU_MONITOR_PRIV_H_ALLOW
+#include "qemu/qemu_monitor_priv.h"
+
#define REAL_SYM(realFunc) \
do { \
if (!realFunc && !(realFunc = dlsym(RTLD_NEXT, __FUNCTION__))) { \
--
2.40.1

45
SOURCES/libvirt-qemu-monitor-Drop-old-monitor-fields-from-struct-_qemuMonitorMessage.patch Normal file
View File

@ -0,0 +1,45 @@
From a4d8210ae9fd84740e01b96d28bfb6183f3f3270 Mon Sep 17 00:00:00 2001
Message-Id: <a4d8210ae9fd84740e01b96d28bfb6183f3f3270@dist-git>
From: Peter Krempa <pkrempa@redhat.com>
Date: Mon, 14 Feb 2022 16:02:29 +0100
Subject: [PATCH] qemu: monitor: Drop old monitor fields from 'struct
_qemuMonitorMessage'
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The fields are no longer used since we've deleted support for HMP-only
qemus. The HMP command pass-through works via a QMP command.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit c5eb99a9d9af8683789e99cc904671e343580058)
https://bugzilla.redhat.com/show_bug.cgi?id=2170472
Signed-off-by: David Sloboda <david.x.sloboda@oracle.com>
---
src/qemu/qemu_monitor.h | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h
index d2037914be..a4a4edf5a6 100644
--- a/src/qemu/qemu_monitor.h
+++ b/src/qemu/qemu_monitor.h
@@ -43,15 +43,10 @@ struct _qemuMonitorMessage {
int txOffset;
int txLength;
- /* Used by the text monitor reply / error */
- char *rxBuffer;
- int rxLength;
/* Used by the JSON monitor to hold reply / error */
void *rxObject;
- /* True if rxBuffer / rxObject are ready, or a
- * fatal error occurred on the monitor channel
- */
+ /* True if rxObject is ready, or a fatal error occurred on the monitor channel */
bool finished;
};
--
2.40.1

158
SOURCES/libvirt-qemu-monitor-Move-declaration-of-struct-_qemuMonitor-to-qemu_monitor_priv.h.patch Normal file
View File

@ -0,0 +1,158 @@
From c2ed5aeee7bf365877e0764699f032fb749630b0 Mon Sep 17 00:00:00 2001
Message-Id: <c2ed5aeee7bf365877e0764699f032fb749630b0@dist-git>
From: Peter Krempa <pkrempa@redhat.com>
Date: Mon, 14 Feb 2022 16:07:41 +0100
Subject: [PATCH] qemu: monitor: Move declaration of struct _qemuMonitor to
qemu_monitor_priv.h
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In order to mock the SCM_RIGHTS sendmsg to simulate sending
filedescriptors to fake qemu in tests we need access to some fields of
'struct _qemuMonitor'. Move its declaration to the private header file.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit 7c35c483eaa78eb847e0865cbb210d5355f75d7a)
https://bugzilla.redhat.com/show_bug.cgi?id=2170472
Signed-off-by: David Sloboda <david.x.sloboda@oracle.com>
---
src/qemu/qemu_monitor.c | 50 ---------------------------------
src/qemu/qemu_monitor_priv.h | 54 ++++++++++++++++++++++++++++++++++++
2 files changed, 54 insertions(+), 50 deletions(-)
diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
index 23638d3fe8..bba92592c5 100644
--- a/src/qemu/qemu_monitor.c
+++ b/src/qemu/qemu_monitor.c
@@ -65,56 +65,6 @@ VIR_LOG_INIT("qemu.qemu_monitor");
*/
#define QEMU_MONITOR_MAX_RESPONSE (10 * 1024 * 1024)
-struct _qemuMonitor {
- virObjectLockable parent;
-
- virCond notify;
-
- int fd;
-
- GMainContext *context;
- GSocket *socket;
- GSource *watch;
-
- virDomainObj *vm;
- char *domainName;
-
- qemuMonitorCallbacks *cb;
- void *callbackOpaque;
-
- /* If there's a command being processed this will be
- * non-NULL */
- qemuMonitorMessage *msg;
-
- /* Buffer incoming data ready for Text/QMP monitor
- * code to process & find message boundaries */
- size_t bufferOffset;
- size_t bufferLength;
- char *buffer;
-
- /* If anything went wrong, this will be fed back
- * the next monitor msg */
- virError lastError;
-
- /* Set to true when EOF is detected on the monitor */
- bool goteof;
-
- int nextSerial;
-
- bool waitGreeting;
-
- /* If found, path to the virtio memballoon driver */
- char *balloonpath;
- bool ballooninit;
-
- /* Log file context of the qemu process to dig for usable info */
- qemuMonitorReportDomainLogError logFunc;
- void *logOpaque;
- virFreeCallback logDestroy;
-
- /* true if qemu no longer wants 'props' sub-object of object-add */
- bool objectAddNoWrap;
-};
/**
* QEMU_CHECK_MONITOR_FULL:
diff --git a/src/qemu/qemu_monitor_priv.h b/src/qemu/qemu_monitor_priv.h
index 6115f830de..606aa79fbd 100644
--- a/src/qemu/qemu_monitor_priv.h
+++ b/src/qemu/qemu_monitor_priv.h
@@ -24,6 +24,8 @@
#include "qemu_monitor.h"
+#include <gio/gio.h>
+
struct _qemuMonitorMessage {
int txFD;
@@ -40,5 +42,57 @@ struct _qemuMonitorMessage {
};
+struct _qemuMonitor {
+ virObjectLockable parent;
+
+ virCond notify;
+
+ int fd;
+
+ GMainContext *context;
+ GSocket *socket;
+ GSource *watch;
+
+ virDomainObj *vm;
+ char *domainName;
+
+ qemuMonitorCallbacks *cb;
+ void *callbackOpaque;
+
+ /* If there's a command being processed this will be
+ * non-NULL */
+ qemuMonitorMessage *msg;
+
+ /* Buffer incoming data ready for Text/QMP monitor
+ * code to process & find message boundaries */
+ size_t bufferOffset;
+ size_t bufferLength;
+ char *buffer;
+
+ /* If anything went wrong, this will be fed back
+ * the next monitor msg */
+ virError lastError;
+
+ /* Set to true when EOF is detected on the monitor */
+ bool goteof;
+
+ int nextSerial;
+
+ bool waitGreeting;
+
+ /* If found, path to the virtio memballoon driver */
+ char *balloonpath;
+ bool ballooninit;
+
+ /* Log file context of the qemu process to dig for usable info */
+ qemuMonitorReportDomainLogError logFunc;
+ void *logOpaque;
+ virFreeCallback logDestroy;
+
+ /* true if qemu no longer wants 'props' sub-object of object-add */
+ bool objectAddNoWrap;
+};
+
+
void
qemuMonitorResetCommandID(qemuMonitor *mon);
--
2.40.1

58
SOURCES/libvirt-qemu-monitor-Store-whether-query-named-block-nodes-supports-flat-parameter.patch Normal file
View File

@ -0,0 +1,58 @@
From b3ffc8876adf777c7baefb6e467d7552c0a03251 Mon Sep 17 00:00:00 2001
Message-Id: <b3ffc8876adf777c7baefb6e467d7552c0a03251@dist-git>
From: Peter Krempa <pkrempa@redhat.com>
Date: Wed, 9 Nov 2022 10:53:49 +0100
Subject: [PATCH] qemu: monitor: Store whether 'query-named-block-nodes'
supports 'flat' parameter
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Rather than having callers always pass this flag store it in the
qemuMonitor object. Following patches will convert the code to use this
internal flag.
In the future this will also simplify removal when all supported qemu
versions will support the new mode.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit b0e4ad5263c73a926b8246028c76c552b07fca74)
https://bugzilla.redhat.com/show_bug.cgi?id=2170472
Signed-off-by: David Sloboda <david.x.sloboda@oracle.com>
---
src/qemu/qemu_monitor.c | 4 +++-
src/qemu/qemu_monitor_priv.h | 2 ++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
index bba92592c5..99667fdf2f 100644
--- a/src/qemu/qemu_monitor.c
+++ b/src/qemu/qemu_monitor.c
@@ -610,8 +610,10 @@ qemuMonitorOpenInternal(virDomainObj *vm,
mon->cb = cb;
mon->callbackOpaque = opaque;
- if (priv)
+ if (priv) {
mon->objectAddNoWrap = virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_OBJECT_JSON);
+ mon->queryNamedBlockNodesFlat = virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_QMP_QUERY_NAMED_BLOCK_NODES_FLAT);
+ }
if (virSetCloseExec(mon->fd) < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR,
diff --git a/src/qemu/qemu_monitor_priv.h b/src/qemu/qemu_monitor_priv.h
index 606aa79fbd..e32928805f 100644
--- a/src/qemu/qemu_monitor_priv.h
+++ b/src/qemu/qemu_monitor_priv.h
@@ -91,6 +91,8 @@ struct _qemuMonitor {
/* true if qemu no longer wants 'props' sub-object of object-add */
bool objectAddNoWrap;
+ /* query-named-block-nodes supports the 'flat' option */
+ bool queryNamedBlockNodesFlat;
};
--
2.40.1

54
SOURCES/libvirt-qemu-qemuBlockGetNamedNodeData-Remove-pointless-error-path.patch Normal file
View File

@ -0,0 +1,54 @@
From 31986239312c0e460800f5b9921f6593f1556015 Mon Sep 17 00:00:00 2001
Message-Id: <31986239312c0e460800f5b9921f6593f1556015@dist-git>
From: Peter Krempa <pkrempa@redhat.com>
Date: Wed, 9 Nov 2022 10:45:27 +0100
Subject: [PATCH] qemu: qemuBlockGetNamedNodeData: Remove pointless error path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We don't need automatic freeing for 'blockNamedNodeData' and we can
directly return it rather than checking it for NULL-ness first.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit 3fe74ebd9037d695df906ed137d22a8d8d77e169)
Conflicts:
src/qemu/qemu_block.c
- qemuDomainObjEnter/ExitMonitor still needs 'driver'
https://bugzilla.redhat.com/show_bug.cgi?id=2170472
Signed-off-by: David Sloboda <david.x.sloboda@oracle.com>
---
src/qemu/qemu_block.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index aa566d0097..c9229d1918 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -3020,7 +3020,7 @@ qemuBlockGetNamedNodeData(virDomainObj *vm,
{
qemuDomainObjPrivate *priv = vm->privateData;
virQEMUDriver *driver = priv->driver;
- g_autoptr(GHashTable) blockNamedNodeData = NULL;
+ GHashTable *blockNamedNodeData = NULL;
bool supports_flat = virQEMUCapsGet(priv->qemuCaps,
QEMU_CAPS_QMP_QUERY_NAMED_BLOCK_NODES_FLAT);
@@ -3031,10 +3031,7 @@ qemuBlockGetNamedNodeData(virDomainObj *vm,
qemuDomainObjExitMonitor(driver, vm);
- if (!blockNamedNodeData)
- return NULL;
-
- return g_steal_pointer(&blockNamedNodeData);
+ return blockNamedNodeData;
}
--
2.40.1

42
SOURCES/libvirt-qemuMonitorJSONBlockStatsUpdateCapacityBlockdev-Use-flat-mode-of-query-named-block-nodes.patch Normal file
View File

@ -0,0 +1,42 @@
From f20062e1fe1e7bca8b97d2383f9e8a06f0f4111a Mon Sep 17 00:00:00 2001
Message-Id: <f20062e1fe1e7bca8b97d2383f9e8a06f0f4111a@dist-git>
From: Peter Krempa <pkrempa@redhat.com>
Date: Wed, 9 Nov 2022 11:06:25 +0100
Subject: [PATCH] qemuMonitorJSONBlockStatsUpdateCapacityBlockdev: Use 'flat'
mode of query-named-block-nodes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
'query-named-block-nodes' in non-flat mode returns redundantly nested
data under the 'backing-image' field. Fortunately we don't need it when
updating the capacity stats.
This function was unfortunately not fixed originally when the support
for flat mode was added. Use the flat cached in the monitor object to
force flat mode if available.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit bbd4d4899391b3bd1906cce61a3634f42f4b1bdf)
https://bugzilla.redhat.com/show_bug.cgi?id=2170472
Signed-off-by: David Sloboda <david.x.sloboda@oracle.com>
---
src/qemu/qemu_monitor_json.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
index 7d8755246f..789554e225 100644
--- a/src/qemu/qemu_monitor_json.c
+++ b/src/qemu/qemu_monitor_json.c
@@ -2679,7 +2679,7 @@ qemuMonitorJSONBlockStatsUpdateCapacityBlockdev(qemuMonitor *mon,
{
g_autoptr(virJSONValue) nodes = NULL;
- if (!(nodes = qemuMonitorJSONQueryNamedBlockNodes(mon, false)))
+ if (!(nodes = qemuMonitorJSONQueryNamedBlockNodes(mon, mon->queryNamedBlockNodesFlat)))
return -1;
if (virJSONValueArrayForeachSteal(nodes,
--
2.40.1

57
SOURCES/libvirt-virpci-Resolve-leak-in-virPCIVirtualFunctionList-cleanup.patch Normal file
View File

@ -0,0 +1,57 @@
From 0e91f4dc214d01e9d9537b1111ce67010530fd20 Mon Sep 17 00:00:00 2001
Message-Id: <0e91f4dc214d01e9d9537b1111ce67010530fd20@dist-git>
From: Tim Shearer <TShearer@adva.com>
Date: Mon, 1 May 2023 13:15:48 +0000
Subject: [PATCH] virpci: Resolve leak in virPCIVirtualFunctionList cleanup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Repeatedly querying an SR-IOV PCI device's capabilities exposes a
memory leak caused by a failure to free the virPCIVirtualFunction
array within the parent struct's g_autoptr cleanup.
Valgrind output after getting a single interface's XML description
1000 times:
==325982== 256,000 bytes in 1,000 blocks are definitely lost in loss record 2,634 of 2,635
==325982== at 0x4C3C096: realloc (vg_replace_malloc.c:1437)
==325982== by 0x59D952D: g_realloc (in /usr/lib64/libglib-2.0.so.0.5600.4)
==325982== by 0x4EE1F52: virReallocN (viralloc.c:52)
==325982== by 0x4EE1FB7: virExpandN (viralloc.c:78)
==325982== by 0x4EE219A: virInsertElementInternal (viralloc.c:183)
==325982== by 0x4EE23B2: virAppendElement (viralloc.c:288)
==325982== by 0x4F65D85: virPCIGetVirtualFunctionsFull (virpci.c:2389)
==325982== by 0x4F65753: virPCIGetVirtualFunctions (virpci.c:2256)
==325982== by 0x505CB75: virNodeDeviceGetPCISRIOVCaps (node_device_conf.c:2969)
==325982== by 0x505D181: virNodeDeviceGetPCIDynamicCaps (node_device_conf.c:3099)
==325982== by 0x505BC4E: virNodeDeviceUpdateCaps (node_device_conf.c:2677)
==325982== by 0x260FCBB2: nodeDeviceGetXMLDesc (node_device_driver.c:355)
Signed-off-by: Tim Shearer <tshearer@adva.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit 6425a311b8ad19d6f9c0b315bf1d722551ea3585)
https://bugzilla.redhat.com/show_bug.cgi?id=2196351
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-2700
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: David Sloboda <david.x.sloboda@oracle.com>
---
src/util/virpci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/util/virpci.c b/src/util/virpci.c
index 4949d1a3d4..2714d11a7d 100644
--- a/src/util/virpci.c
+++ b/src/util/virpci.c
@@ -2255,6 +2255,7 @@ virPCIVirtualFunctionListFree(virPCIVirtualFunctionList *list)
g_free(list->functions[i].ifname);
}
+ g_free(list->functions);
g_free(list);
}
--
2.40.1

21
SPECS/libvirt.spec
View File

@ -210,7 +210,7 @@
Summary: Library providing a simple virtualization API Summary: Library providing a simple virtualization API
Name: libvirt Name: libvirt
Version: 8.0.0 Version: 8.0.0
Release: 19%{?dist}%{?extra_release} Release: 19.2%{?dist}%{?extra_release}.alma
License: LGPLv2+ License: LGPLv2+
URL: https://libvirt.org/ URL: https://libvirt.org/
@ -306,6 +306,15 @@ Patch83: libvirt-vircpi-Add-PCIe-5.0-and-6.0-link-speeds.patch
Patch84: libvirt-conf-Make-VIR_DOMAIN_NET_TYPE_ETHERNET-not-share-host-view.patch Patch84: libvirt-conf-Make-VIR_DOMAIN_NET_TYPE_ETHERNET-not-share-host-view.patch
Patch85: libvirt-qemu-domain-Fix-logic-when-tainting-domain.patch Patch85: libvirt-qemu-domain-Fix-logic-when-tainting-domain.patch
Patch86: libvirt-qemu-agent-Make-fetching-of-can-offline-member-from-guest-query-vcpus-optional.patch Patch86: libvirt-qemu-agent-Make-fetching-of-can-offline-member-from-guest-query-vcpus-optional.patch
# Patches taken from Oracle Linux libvirt-8.0.0-19.0.2.module+el8.8.0+21112+1cc1a24b.src.rpm
Patch87: libvirt-qemu-monitor-Drop-old-monitor-fields-from-struct-_qemuMonitorMessage.patch
Patch88: libvirt-qemu-Make-struct-_qemuMonitorMessage-private.patch
Patch89: libvirt-qemu-monitor-Move-declaration-of-struct-_qemuMonitor-to-qemu_monitor_priv.h.patch
Patch90: libvirt-qemu-qemuBlockGetNamedNodeData-Remove-pointless-error-path.patch
Patch91: libvirt-qemu-monitor-Store-whether-query-named-block-nodes-supports-flat-parameter.patch
Patch92: libvirt-qemuMonitorJSONBlockStatsUpdateCapacityBlockdev-Use-flat-mode-of-query-named-block-nodes.patch
Patch93: libvirt-virpci-Resolve-leak-in-virPCIVirtualFunctionList-cleanup.patch
Patch94: libvirt-node_device_conf-Avoid-memleak-in-virNodeDeviceGetPCIVPDDynamicCap.patch
Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon = %{version}-%{release}
Requires: libvirt-daemon-config-network = %{version}-%{release} Requires: libvirt-daemon-config-network = %{version}-%{release}
@ -2185,6 +2194,16 @@ exit 0
%changelog %changelog
* Wed Jul 12 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 8.0.0-19.2.alma
- qemu: monitor: Drop old monitor fields from 'struct _qemuMonitorMessage'
- qemu: Make 'struct _qemuMonitorMessage' private
- qemu: monitor: Move declaration of struct _qemuMonitor to qemu_monitor_priv.h
- qemu: qemuBlockGetNamedNodeData: Remove pointless error path
- qemu: monitor: Store whether 'query-named-block-nodes' supports 'flat' parameter
- qemuMonitorJSONBlockStatsUpdateCapacityBlockdev: Use 'flat' mode of query-named-block-nodes
- virpci: Resolve leak in virPCIVirtualFunctionList cleanup [CVE-2023-2700]
- node_device_conf: Avoid memleak in virNodeDeviceGetPCIVPDDynamicCap() [CVE-2023-2700]
* Tue Mar 14 2023 Jiri Denemark <jdenemar@redhat.com> - 8.0.0-19 * Tue Mar 14 2023 Jiri Denemark <jdenemar@redhat.com> - 8.0.0-19
- qemu: domain: Fix logic when tainting domain (rhbz#2174447) - qemu: domain: Fix logic when tainting domain (rhbz#2174447)
- qemu: agent: Make fetching of 'can-offline' member from 'guest-query-vcpus' optional (rhbz#2174447) - qemu: agent: Make fetching of 'can-offline' member from 'guest-query-vcpus' optional (rhbz#2174447)