From 22d779d5982dc82d629710d41973ed6545707bd9 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Tue, 28 Jun 2022 13:54:16 +0200 Subject: [PATCH] docs/guestfs-security: document CVE-2022-2211 Short log for the common submodule, commit range f8de5508fe75..35467027f657: Laszlo Ersek (2): mlcustomize: factor out pkg install/update/uninstall from guestfs-tools options: fix buffer overflow in get_keys() [CVE-2022-2211] Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2100862 Signed-off-by: Laszlo Ersek Message-Id: <20220628115418.5376-2-lersek@redhat.com> Reviewed-by: Richard W.M. Jones Cherry picked from commit 99844660b48ed809e37378262c65d63df6ce4a53. For the cherry pick I only added one submodule commit: options: fix buffer overflow in get_keys() [CVE-2022-2211] --- common | 2 +- docs/guestfs-security.pod | 28 ++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-) Submodule common be09523d6..1174b443a: diff --git a/common/options/keys.c b/common/options/keys.c index 798315c..d27a712 100644 --- a/common/options/keys.c +++ b/common/options/keys.c @@ -128,17 +128,23 @@ read_first_line_from_file (const char *filename) char ** get_keys (struct key_store *ks, const char *device, const char *uuid) { - size_t i, j, len; + size_t i, j, nmemb; char **r; char *s; /* We know the returned list must have at least one element and not * more than ks->nr_keys. */ - len = 1; - if (ks) - len = MIN (1, ks->nr_keys); - r = calloc (len+1, sizeof (char *)); + nmemb = 1; + if (ks && ks->nr_keys > nmemb) + nmemb = ks->nr_keys; + + /* make room for the terminating NULL */ + if (nmemb == (size_t)-1) + error (EXIT_FAILURE, 0, _("size_t overflow")); + nmemb++; + + r = calloc (nmemb, sizeof (char *)); if (r == NULL) error (EXIT_FAILURE, errno, "calloc"); diff --git a/docs/guestfs-security.pod b/docs/guestfs-security.pod index 9ceef5623..efa35b29d 100644 --- a/docs/guestfs-security.pod +++ b/docs/guestfs-security.pod @@ -406,6 +406,34 @@ The libvirt backend is not affected. The solution is to update qemu to a version containing the fix (see L). +=head2 CVE-2022-2211 + +L + +The C function in F collects +those I<--key> options from the command line into a new array that match +a particular block device that's being decrypted for inspection. The +function intends to size the result array such that potentially all +I<--key> options, plus a terminating C element, fit into it. The +code mistakenly uses the C macro instead of C, and therefore +only one element is allocated before the C terminator. + +Passing precisely two I<--key ID:...> options on the command line for +the encrypted block device C causes C to overwrite the +terminating C, leading to an out-of-bounds read in +C, file F. + +Passing more than two I<--key ID:...> options on the command line for +the encrypted block device C causes C itself to perform +out-of-bounds writes. The most common symptom is a crash with C +later on. + +This issue affects -- broadly speaking -- all libguestfs-based utilities +that accept I<--key>, namely: C, C, C, +C, C, C, C, +C, C, C, C, +C, C, C. + =head1 SEE ALSO L, -- 2.31.1