[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] rpc: Fix crash on error paths of message dispatching



On 01/29/2013 07:05 PM, Jim Fehlig wrote:

>>> Mention CVE-2013-0170 in the commit message, now that it is public:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=893450
>>>
>>>>
>>>> * rpc/virnetserverclient.c: virNetServerClientDispatchRead:
>>>>      - avoid use after free of RPC messages
>>>> ---
>>>>   src/rpc/virnetserverclient.c | 3 +++
>>>>   1 file changed, 3 insertions(+)
>>>
>>> ACK.  Looks like we need this on {v0.10.2,v0.9.11,v0.9.6}-maint as well.
>>
>> Thanks. I added the CVE notice and pushed to upstream and the v0.10.2
>> and v0.9.11 maint branches. v0.9.6 is not vulnerable. The problem was
>> introduced in 0.9.7
> 
> Hi Peter,
> 
> Looks like 0.9.6 was vulnerable since this made its way to the
> v0.9.6-maint branch as well.  Do you happen to know when this was
> introduced?

I did some more research:

The original problem was introduced in commit 4e00b1d (libvirt 0.9.3),
when we switched over to new RPC handling; there, we only had one faulty
error path.  Later, commit 3ae0ab67 (libvirt 0.9.7) exacerbated the
problem, by adding two more faulty error paths.  Peter's test case when
originally reporting the CVE was on one of the error paths added in
0.9.7, hence his claim that "the problem was introduced in 0.9.7"; but I
still think it is possible to trigger the remaining faulty error path
when targeting libvirt 0.9.3, and agree with Cole's backport to the
v0.9.6-maint branch.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]