CVE-2013-4239: xen: memory corruption in legacy driver (bz #996241, bz #996244)

This commit is contained in:
Cole Robinson 2013-08-14 20:00:13 -04:00
parent 53adb9aaba
commit db2858c661
2 changed files with 79 additions and 1 deletions

View File

@ -0,0 +1,66 @@
From 0e671a1646df543eab683b38f6644f70d12fbee1 Mon Sep 17 00:00:00 2001
Message-Id: <0e671a1646df543eab683b38f6644f70d12fbee1.1376524611.git.crobinso@redhat.com>
From: Jim Fehlig <jfehlig@suse.com>
Date: Mon, 5 Aug 2013 10:27:23 -0600
Subject: [PATCH] xen: fix memory corruption in legacy driver
Commit 632180d1 introduced memory corruption in xenDaemonListDefinedDomains
by starting to populate the names array at index -1, causing all sorts
of havoc in libvirtd such as aborts like the following
*** Error in `/usr/sbin/libvirtd': double free or corruption (out): 0x00007fffe00ccf20 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7abf6)[0x7ffff3fa0bf6]
/lib64/libc.so.6(+0x7b973)[0x7ffff3fa1973]
/lib64/libc.so.6(xdr_array+0xde)[0x7ffff403cbae]
/usr/sbin/libvirtd(+0x50251)[0x5555555a4251]
/lib64/libc.so.6(xdr_free+0x15)[0x7ffff403ccd5]
/usr/lib64/libvirt.so.0(+0x1fad34)[0x7ffff76b1d34]
/usr/lib64/libvirt.so.0(virNetServerProgramDispatch+0x1fc)[0x7ffff76b16f1]
/usr/lib64/libvirt.so.0(+0x1f214a)[0x7ffff76a914a]
/usr/lib64/libvirt.so.0(+0x1f222d)[0x7ffff76a922d]
/usr/lib64/libvirt.so.0(+0xbcc4f)[0x7ffff7573c4f]
/usr/lib64/libvirt.so.0(+0xbc5e5)[0x7ffff75735e5]
/lib64/libpthread.so.0(+0x7e0f)[0x7ffff48f7e0f]
/lib64/libc.so.6(clone+0x6d)[0x7ffff400e7dd]
Fix by initializing ret to 0 and only setting to error on failure path.
---
src/xen/xend_internal.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/xen/xend_internal.c b/src/xen/xend_internal.c
index 1ce36e6..f698c8d 100644
--- a/src/xen/xend_internal.c
+++ b/src/xen/xend_internal.c
@@ -2896,7 +2896,7 @@ xenDaemonListDefinedDomains(virConnectPtr conn,
{
struct sexpr *root = NULL;
size_t i;
- int ret = -1;
+ int ret = 0;
struct sexpr *_for_i, *node;
if (maxnames == 0)
@@ -2919,16 +2919,15 @@ xenDaemonListDefinedDomains(virConnectPtr conn,
break;
}
- ret = 0;
-
cleanup:
sexpr_free(root);
return ret;
error:
- for (i = 0; ret != -1 && i < ret; ++i)
+ for (i = 0; i < ret; ++i)
VIR_FREE(names[i]);
+ ret = -1;
goto cleanup;
}
--
1.8.3.1

View File

@ -350,7 +350,7 @@
Summary: Library providing a simple virtualization API Summary: Library providing a simple virtualization API
Name: libvirt Name: libvirt
Version: 1.1.1 Version: 1.1.1
Release: 1%{?dist}%{?extra_release} Release: 2%{?dist}%{?extra_release}
License: LGPLv2+ License: LGPLv2+
Group: Development/Libraries Group: Development/Libraries
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@ -361,6 +361,10 @@ URL: http://libvirt.org/
%endif %endif
Source: http://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.gz Source: http://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.gz
# CVE-2013-4239: xen: memory corruption in legacy driver (bz #996241, bz
# #996244)
Patch0001: 0001-xen-fix-memory-corruption-in-legacy-driver.patch
%if %{with_libvirtd} %if %{with_libvirtd}
Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon = %{version}-%{release}
%if %{with_network} %if %{with_network}
@ -1131,6 +1135,10 @@ of recent versions of Linux (and other OSes).
%prep %prep
%setup -q %setup -q
# CVE-2013-4239: xen: memory corruption in legacy driver (bz #996241, bz
# #996244)
%patch0001 -p1
%build %build
%if ! %{with_xen} %if ! %{with_xen}
%define _without_xen --without-xen %define _without_xen --without-xen
@ -2069,6 +2077,10 @@ fi
%endif %endif
%changelog %changelog
* Wed Aug 14 2013 Cole Robinson <crobinso@redhat.com> - 1.1.1-2
- CVE-2013-4239: xen: memory corruption in legacy driver (bz #996241, bz
#996244)
* Tue Jul 30 2013 Daniel P. Berrange <berrange@redhat.com> - 1.1.1-1 * Tue Jul 30 2013 Daniel P. Berrange <berrange@redhat.com> - 1.1.1-1
- Update to 1.1.1 release - Update to 1.1.1 release