From db2858c661756fb4a584e101c3ea43f794196fae Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Wed, 14 Aug 2013 20:00:13 -0400 Subject: [PATCH] CVE-2013-4239: xen: memory corruption in legacy driver (bz #996241, bz #996244) --- ...x-memory-corruption-in-legacy-driver.patch | 66 +++++++++++++++++++ libvirt.spec | 14 +++- 2 files changed, 79 insertions(+), 1 deletion(-) create mode 100644 0001-xen-fix-memory-corruption-in-legacy-driver.patch diff --git a/0001-xen-fix-memory-corruption-in-legacy-driver.patch b/0001-xen-fix-memory-corruption-in-legacy-driver.patch new file mode 100644 index 0000000..34edbb0 --- /dev/null +++ b/0001-xen-fix-memory-corruption-in-legacy-driver.patch @@ -0,0 +1,66 @@ +From 0e671a1646df543eab683b38f6644f70d12fbee1 Mon Sep 17 00:00:00 2001 +Message-Id: <0e671a1646df543eab683b38f6644f70d12fbee1.1376524611.git.crobinso@redhat.com> +From: Jim Fehlig +Date: Mon, 5 Aug 2013 10:27:23 -0600 +Subject: [PATCH] xen: fix memory corruption in legacy driver + +Commit 632180d1 introduced memory corruption in xenDaemonListDefinedDomains +by starting to populate the names array at index -1, causing all sorts +of havoc in libvirtd such as aborts like the following + +*** Error in `/usr/sbin/libvirtd': double free or corruption (out): 0x00007fffe00ccf20 *** +======= Backtrace: ========= +/lib64/libc.so.6(+0x7abf6)[0x7ffff3fa0bf6] +/lib64/libc.so.6(+0x7b973)[0x7ffff3fa1973] +/lib64/libc.so.6(xdr_array+0xde)[0x7ffff403cbae] +/usr/sbin/libvirtd(+0x50251)[0x5555555a4251] +/lib64/libc.so.6(xdr_free+0x15)[0x7ffff403ccd5] +/usr/lib64/libvirt.so.0(+0x1fad34)[0x7ffff76b1d34] +/usr/lib64/libvirt.so.0(virNetServerProgramDispatch+0x1fc)[0x7ffff76b16f1] +/usr/lib64/libvirt.so.0(+0x1f214a)[0x7ffff76a914a] +/usr/lib64/libvirt.so.0(+0x1f222d)[0x7ffff76a922d] +/usr/lib64/libvirt.so.0(+0xbcc4f)[0x7ffff7573c4f] +/usr/lib64/libvirt.so.0(+0xbc5e5)[0x7ffff75735e5] +/lib64/libpthread.so.0(+0x7e0f)[0x7ffff48f7e0f] +/lib64/libc.so.6(clone+0x6d)[0x7ffff400e7dd] + +Fix by initializing ret to 0 and only setting to error on failure path. +--- + src/xen/xend_internal.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/src/xen/xend_internal.c b/src/xen/xend_internal.c +index 1ce36e6..f698c8d 100644 +--- a/src/xen/xend_internal.c ++++ b/src/xen/xend_internal.c +@@ -2896,7 +2896,7 @@ xenDaemonListDefinedDomains(virConnectPtr conn, + { + struct sexpr *root = NULL; + size_t i; +- int ret = -1; ++ int ret = 0; + struct sexpr *_for_i, *node; + + if (maxnames == 0) +@@ -2919,16 +2919,15 @@ xenDaemonListDefinedDomains(virConnectPtr conn, + break; + } + +- ret = 0; +- + cleanup: + sexpr_free(root); + return ret; + + error: +- for (i = 0; ret != -1 && i < ret; ++i) ++ for (i = 0; i < ret; ++i) + VIR_FREE(names[i]); + ++ ret = -1; + goto cleanup; + } + +-- +1.8.3.1 + diff --git a/libvirt.spec b/libvirt.spec index f418685..3661534 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -350,7 +350,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 1.1.1 -Release: 1%{?dist}%{?extra_release} +Release: 2%{?dist}%{?extra_release} License: LGPLv2+ Group: Development/Libraries BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -361,6 +361,10 @@ URL: http://libvirt.org/ %endif Source: http://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.gz +# CVE-2013-4239: xen: memory corruption in legacy driver (bz #996241, bz +# #996244) +Patch0001: 0001-xen-fix-memory-corruption-in-legacy-driver.patch + %if %{with_libvirtd} Requires: libvirt-daemon = %{version}-%{release} %if %{with_network} @@ -1131,6 +1135,10 @@ of recent versions of Linux (and other OSes). %prep %setup -q +# CVE-2013-4239: xen: memory corruption in legacy driver (bz #996241, bz +# #996244) +%patch0001 -p1 + %build %if ! %{with_xen} %define _without_xen --without-xen @@ -2069,6 +2077,10 @@ fi %endif %changelog +* Wed Aug 14 2013 Cole Robinson - 1.1.1-2 +- CVE-2013-4239: xen: memory corruption in legacy driver (bz #996241, bz + #996244) + * Tue Jul 30 2013 Daniel P. Berrange - 1.1.1-1 - Update to 1.1.1 release