From b159bbdc98543ed6fcbd95905edf138531dc4ace Mon Sep 17 00:00:00 2001
From: Cole Robinson
Date: Thu, 25 Jul 2013 17:53:26 -0400
Subject: [PATCH] CVE-2013-4153: Fix double free of returned JSON (bz #986408, bz #986383) CVE-2013-4154: Crash of libvirtd if guest agent not configured (bz #986386, bz #986406)
---
 ...free-of-returned-JSON-array-in-qemuA.patch | 32 +++++++
 ...sh-of-libvirtd-without-guest-agent-c.patch | 92 +++++++++++++++++++
 libvirt.spec | 19 +++-
 sources | 1 -
 4 files changed, 142 insertions(+), 2 deletions(-)
 create mode 100644 0002-qemu-Fix-double-free-of-returned-JSON-array-in-qemuA.patch
 create mode 100644 0003-qemu-Prevent-crash-of-libvirtd-without-guest-agent-c.patch
diff --git a/0002-qemu-Fix-double-free-of-returned-JSON-array-in-qemuA.patch b/0002-qemu-Fix-double-free-of-returned-JSON-array-in-qemuA.patch
new file mode 100644
index 0000000..85bb8e0
--- /dev/null
+++ b/0002-qemu-Fix-double-free-of-returned-JSON-array-in-qemuA.patch
@@ -0,0 +1,32 @@
+From dfc692350a04a70b4ca65667c30869b3bfdaf034 Mon Sep 17 00:00:00 2001
+Message-Id:
+From: Peter Krempa
+Date: Tue, 16 Jul 2013 15:39:06 +0200
+Subject: [PATCH] qemu: Fix double free of returned JSON array in
+ qemuAgentGetVCPUs()
+
+A part of the returned monitor response was freed twice and caused
+crashes of the daemon when using guest agent cpu count retrieval.
+
+ # virsh vcpucount dom --guest
+
+Introduced in v1.0.6-48-gc6afcb0
+---
+ src/qemu/qemu_agent.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/qemu/qemu_agent.c b/src/qemu/qemu_agent.c
+index aca5ff3..72bf211 100644
+--- a/src/qemu/qemu_agent.c
++++ b/src/qemu/qemu_agent.c
+@@ -1529,7 +1529,6 @@ qemuAgentGetVCPUs(qemuAgentPtr mon,
+ cleanup:
+ virJSONValueFree(cmd);
+ virJSONValueFree(reply);
+- virJSONValueFree(data);
+ return ret;
+ }
+
+--
+1.8.3.1
+
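Review bot: Once `virJSONValueFree(data)` is dropped, nothing at the `cleanup:` label records why `data` must not be freed there, so a later edit could reintroduce the double free that this patch removes. The commit message states that `data` is part of the returned response, i.e. a sub-object owned by `reply`; a comment ahead of `virJSONValueFree(reply);` such as `/* 'data' points into 'reply' and is released with it; never free it separately */` would make that ownership explicit to the next maintainer. The body of qemuAgentGetVCPUs(), including the line where `data` is obtained from `reply`, lies outside the hunk.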
diff --git a/0003-qemu-Prevent-crash-of-libvirtd-without-guest-agent-c.patch b/0003-qemu-Prevent-crash-of-libvirtd-without-guest-agent-c.patch
new file mode 100644
index 0000000..1cd931a
--- /dev/null
+++ b/0003-qemu-Prevent-crash-of-libvirtd-without-guest-agent-c.patch
@@ -0,0 +1,92 @@
+From 96518d4316b711c72205117f8d5c967d5127bbb6 Mon Sep 17 00:00:00 2001
+Message-Id: <96518d4316b711c72205117f8d5c967d5127bbb6.1374788370.git.crobinso@redhat.com>
+From: Alex Jia
+Date: Tue, 16 Jul 2013 17:30:20 +0800
+Subject: [PATCH] qemu: Prevent crash of libvirtd without guest agent
+ configuration
+
+If users haven't configured guest agent then qemuAgentCommand() will
+dereference a NULL 'mon' pointer, which causes crash of libvirtd when
+using agent based cpu (un)plug.
+
+With the patch, when the qemu-ga service isn't running in the guest,
+a expected error "error: Guest agent is not responding: Guest agent
+not available for now" will be raised, and the error "error: argument
+unsupported: QEMU guest agent is not configured" is raised when the
+guest hasn't configured guest agent.
+
+GDB backtrace:
+
+ (gdb) bt
+ #0 virNetServerFatalSignal (sig=11, siginfo=, context=) at rpc/virnetserver.c:326
+ #1
+ #2 qemuAgentCommand (mon=0x0, cmd=0x7f39300017b0, reply=0x7f394b090910, seconds=-2) at qemu/qemu_agent.c:975
+ #3 0x00007f39429507f6 in qemuAgentGetVCPUs (mon=0x0, info=0x7f394b0909b8) at qemu/qemu_agent.c:1475
+ #4 0x00007f39429d9857 in qemuDomainGetVcpusFlags (dom=, flags=9) at qemu/qemu_driver.c:4849
+ #5 0x00007f3957dffd8d in virDomainGetVcpusFlags (domain=0x7f39300009c0, flags=8) at libvirt.c:9843
+
+How to reproduce?
+
+ # To start a guest without guest agent configuration
+ # then run the following cmdline
+
+ # virsh vcpucount foobar --guest
+ error: End of file while reading data: Input/output error
+ error: One or more references were leaked after disconnect from the hypervisor
+ error: Failed to reconnect to the hypervisor
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=984821
+
+Signed-off-by: Alex Jia
+Signed-off-by: Peter Krempa
+---
+ src/qemu/qemu_driver.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index b4a668a..95dd591 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -4122,6 +4122,19 @@ qemuDomainSetVcpusFlags(virDomainPtr dom, unsigned int nvcpus,
+ goto endjob;
+ }
+
++ if (priv->agentError) {
++ virReportError(VIR_ERR_AGENT_UNRESPONSIVE, "%s",
++ _("QEMU guest agent is not "
++ "available due to an error"));
++ goto endjob;
++ }
++
++ if (!priv->agent) {
++ virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s",
++ _("QEMU guest agent is not configured"));
++ goto endjob;
++ }
++
+ qemuDomainObjEnterAgent(vm);
+ ncpuinfo = qemuAgentGetVCPUs(priv->agent, &cpuinfo);
+ qemuDomainObjExitAgent(vm);
+@@ -4839,6 +4852,19 @@ qemuDomainGetVcpusFlags(virDomainPtr dom, unsigned int flags)
+ if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_QUERY) < 0)
+ goto cleanup;
+
++ if (priv->agentError) {
++ virReportError(VIR_ERR_AGENT_UNRESPONSIVE, "%s",
++ _("QEMU guest agent is not "
++ "available due to an error"));
++ goto endjob;
++ }
++
++ if (!priv->agent) {
++ virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s",
++ _("QEMU guest agent is not configured"));
++ goto endjob;
++ }
++
+ if (!virDomainObjIsActive(vm)) {
+ virReportError(VIR_ERR_OPERATION_INVALID, "%s",
+ _("domain is not running"));
+--
+1.8.3.1
+
diff --git a/libvirt.spec b/libvirt.spec
index a7121c0..8609228 100644
--- a/libvirt.spec
+++ b/libvirt.spec
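Review bot: In the qemuDomainGetVcpusFlags() hunk the two new guards are placed ahead of the existing `if (!virDomainObjIsActive(vm))` check, so a domain that is simply not running will now be reported as "QEMU guest agent is not configured" instead of "domain is not running", which misdirects the caller; moving the `priv->agentError` and `!priv->agent` guards to just after the active-domain check keeps the diagnostics accurate, assuming `priv->agent` is only populated for a running domain, as the crash path in the description suggests. The same 13-line guard is duplicated in the qemuDomainSetVcpusFlags() hunk; a small static helper that performs both checks and reports the error would keep the ordering and messages in sync and give future agent call sites one place to guard before dereferencing `priv->agent`. Both enclosing functions, including the `flags & VIR_DOMAIN_VCPU_GUEST` condition these checks appear to sit under, begin outside the hunk.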
@@ -350,7 +350,7 @@ Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 1.1.0
-Release: 3%{?dist}%{?extra_release}
+Release: 4%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -363,6 +363,12 @@ Source: http://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.gz
 # CVE-2013-2230 libvirt: multiple registered events crash
 Patch0001: 0001-Fix-crash-when-multiple-event-callbacks-were-registe.patch
+# CVE-2013-4153: Fix double free of returned JSON (bz #986408, bz
+# #986383)
+Patch0002: 0002-qemu-Fix-double-free-of-returned-JSON-array-in-qemuA.patch
+# CVE-2013-4154: Crash of libvirtd if guest agent not configured (bz
+# #986386, bz #986406)
+Patch0003: 0003-qemu-Prevent-crash-of-libvirtd-without-guest-agent-c.patch
 %if %{with_libvirtd}
 Requires: libvirt-daemon = %{version}-%{release}
@@ -1136,6 +1142,12 @@ of recent versions of Linux (and other OSes).
 # CVE-2013-2230 libvirt: multiple registered events crash
 %patch0001 -p1
+# CVE-2013-4153: Fix double free of returned JSON (bz #986408, bz
+# #986383)
+%patch0002 -p1
+# CVE-2013-4154: Crash of libvirtd if guest agent not configured (bz
+# #986386, bz #986406)
+%patch0003 -p1
 %build
 %if ! %{with_xen}
@@ -2072,6 +2084,11 @@ fi
 %endif
 %changelog
+* Thu Jul 25 2013 Cole Robinson - 1.1.0-4
+- CVE-2013-4153: Fix double free of returned JSON (bz #986408, bz #986383)
+- CVE-2013-4154: Crash of libvirtd if guest agent not configured (bz #986386,
+ bz #986406)
+
 * Wed Jul 17 2013 Daniel P. Berrange - 1.1.0-3
 - Rebuild for change in Xen library ABI/soname
diff --git a/sources b/sources
index 9188e8b..fdd3fb0 100644
--- a/sources
+++ b/sources
@@ -1,2 +1 @@
-a4a09a981f902c4d6aa5138c753d64fd libvirt-1.0.6.tar.gz
 f980a84719033e9efca01048da505dfb libvirt-1.1.0.tar.gz