[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH 00/12] Ensure array bounds checking is present on all RPC calls



From: "Daniel P. Berrange" <berrange redhat com>

Missing bounds checking on array parameters is a security
issue for libvirtd, since it allows a client to make libvirtd
allocate unbounded memory.

Missing bounds checking on array return values is not a security
issue, but it is a robustness issue. If the RPC stream somehow
got corrupted, the client could end up allocating unbounded
memory.

The first patch in this series fixes the security flaw introduced
in version 1.1.0, and indentified during discussion of this patch:

  https://www.redhat.com/archives/libvir-list/2013-August/msg00787.html

The remaining patches address the robustness issues, and add a test
suite to prevent this flaw recurring.

Daniel P. Berrange (12):
  Add bounds checking on virDomainMigrate*Params RPC calls
    (CVE-2013-4292)
  Add bounds checking on virDomainGetJobStats RPC call
  Add bounds checking on
    virDomain{SnapshotListAllChildren,ListAllSnapshots} RPC calls
  Add bounds checking on virConnectListAllDomains RPC call
  Add bounds checking on virConnectListAllStoragePools RPC call
  Add bounds checking on virStoragePoolListAllVolumes RPC call
  Add bounds checking on virConnectListAllNetworks RPC call
  Add bounds checking on virConnectListAllInterfaces RPC call
  Add bounds checking on virConnectListAllNodeDevices RPC call
  Add bounds checking on virConnectListAllNWFilters RPC call
  Add bounds checking on virConnectListAllSecrets RPC call
  Prohibit unbounded arrays in XDR protocols

 cfg.mk                       |   6 ++
 daemon/remote.c              | 119 +++++++++++++++++++++++++++++++++++++++
 src/remote/remote_driver.c   | 130 +++++++++++++++++++++++++++++++++++++++++--
 src/remote/remote_protocol.x | 108 ++++++++++++++++++-----------------
 4 files changed, 304 insertions(+), 59 deletions(-)

-- 
1.8.3.1


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]