[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] daemon: Fix crash in virTypedParameterArrayClear



On 07/30/2012 12:03 PM, Jiri Denemark wrote:
> On Mon, Jul 30, 2012 at 22:52:23 +0800, Osier Yang wrote:
>>>> On 2012年07月30日 19:55, Jiri Denemark wrote:
>>>>> Daemon uses the following pattern when dispatching APIs with typed
>>>>> parameters:
>>>>>
>>>>>       VIR_ALLOC_N(params, nparams);
>>>>>       virDomain*(dom, params,&nparams, flags);
>>>>>       virTypedParameterArrayClear(params, nparams);
>>>>>
>>>>> In case nparams was originally set to 0, virDomain* API would fill it
>>>>> with the number of typed parameters it can provide and we would use this
>>>>> number (rather than zero) to clear params. Because VIR_ALLOC* returns
>>>>> non-NULL pointer even if size is 0, the code would end up walking
>>>>> through random memory. If we were lucky enough and the memory contained
>>>>> 7 (VIR_TYPED_PARAM_STRING) at the right place, we would try to free a
>>>>> random pointer and crash.
>>>>>
>>>>> Let's make sure params stays NULL when nparams is 0.
>>>>>
>> Makes sense, ACK.
> 
> Pushed, thanks.

Per https://bugzilla.redhat.com/show_bug.cgi?id=844745, this has been
assigned CVE-2012-3445.  I'm therefore pushing backports of this patch
to v0.9.6-maint and v0.9.11-maint, and we will be releasing new minor
releases on the stable branches in the near future.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]