[libvirt] [PATCH] daemon: Fix crash in virTypedParameterArrayClear
Eric Blake
eblake at redhat.com
Wed Aug 1 22:18:29 UTC 2012
On 07/30/2012 12:03 PM, Jiri Denemark wrote:
> On Mon, Jul 30, 2012 at 22:52:23 +0800, Osier Yang wrote:
>>>> On 2012年07月30日 19:55, Jiri Denemark wrote:
>>>>> Daemon uses the following pattern when dispatching APIs with typed
>>>>> parameters:
>>>>>
>>>>> VIR_ALLOC_N(params, nparams);
>>>>> virDomain*(dom, params,&nparams, flags);
>>>>> virTypedParameterArrayClear(params, nparams);
>>>>>
>>>>> In case nparams was originally set to 0, virDomain* API would fill it
>>>>> with the number of typed parameters it can provide and we would use this
>>>>> number (rather than zero) to clear params. Because VIR_ALLOC* returns
>>>>> non-NULL pointer even if size is 0, the code would end up walking
>>>>> through random memory. If we were lucky enough and the memory contained
>>>>> 7 (VIR_TYPED_PARAM_STRING) at the right place, we would try to free a
>>>>> random pointer and crash.
>>>>>
>>>>> Let's make sure params stays NULL when nparams is 0.
>>>>>
>> Makes sense, ACK.
>
> Pushed, thanks.
Per https://bugzilla.redhat.com/show_bug.cgi?id=844745, this has been
assigned CVE-2012-3445. I'm therefore pushing backports of this patch
to v0.9.6-maint and v0.9.11-maint, and we will be releasing new minor
releases on the stable branches in the near future.
--
Eric Blake eblake at redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 620 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20120801/c9bfc047/attachment-0001.sig>
More information about the libvir-list
mailing list