[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libguestfs] ATTN: Denial of service attack possible on libguestfs 1.21.x, libguestfs.1.22.0

On Tue, May 28, Richard W.M. Jones wrote:

> There's a denial of service attack possible from guests on any program
> that does inspection (eg. virt-inspector, many other virt-* tools,
> virt-v2v, OpenStack).
> The attack causes the host process to crash because of a double free.
> It's probably not exploitable (definitely not on Fedora because of the
> default memory hardening settings).
> This patch contains the fix and a reproducer:
> https://github.com/libguestfs/libguestfs/commit/fa6a76050d82894365dfe32916903ef7fee3ffcd

This is apparently incomplete; bt from a 1.20.4:

head -n 10
libguestfs: recv_from_daemon: 44 bytes: 20 00 f5 f5 | 00 00 00 04 | 00 00 00 7a | 00 00 00 01 | 00 12 34 24 | ...

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff69deae2 in __strlen_sse2 () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff69deae2 in __strlen_sse2 () from /lib64/libc.so.6
#1  0x00007ffff69de7e6 in strdup () from /lib64/libc.so.6
#2  0x00007ffff7b7936c in guestfs___safe_strdup (g=0x65da50, str=0x0) at alloc.c:96
#3  0x00007ffff7b8b65e in parse_suse_release (filename=<optimized out>, fs=<optimized out>, g=<optimized out>) at inspect-fs-unix.c:343
#4  guestfs___check_linux_root (g=0x65da50, fs=0x6665b0) at inspect-fs-unix.c:560
#5  0x00007ffff7b88522 in check_filesystem (is_partnum=<optimized out>, is_block=<optimized out>, device=<optimized out>, g=<optimized out>) at inspect-fs.c:238
#6  guestfs___check_for_filesystem_on (g=0x65da50, device=0x617930 "/dev/sda2", is_block=0, is_partnum=2) at inspect-fs.c:152
#7  0x00007ffff7b86980 in guestfs__inspect_os (g=0x65da50) at inspect.c:86
#8  0x00007ffff7b1c91b in guestfs_inspect_os (g=0x65da50) at actions-1.c:397
#9  0x0000000000406ba9 in main (argc=3, argv=<optimized out>) at virt-inspector.c:273

Looks like parse_lsb_release and parse_suse_release need a similar
change. I will test a patch.
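The crash shape in the backtrace above (a release-file parser hands a NULL lookup result to strdup(), which faults inside strlen()) is easy to reproduce in a few lines. The following is an added example written for this page, not libguestfs code and not the patch being tested; the release-file contents, the find_value() helper and the version_unchecked()/version_checked() names are all constructed for illustration. It shows the unchecked copy that dies on a guest-controlled file missing the expected field, beside the checked variant that reports the field as unknown instead.

```c
#define _POSIX_C_SOURCE 200809L   /* for strndup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample release files (hypothetical content, not taken from any
 * real guest).  The second one is what a hostile guest might ship: it looks
 * like a release file but the field the parser expects is simply absent. */
static const char GOOD_RELEASE[] =
    "SUSE Linux Enterprise Server 11 (x86_64)\n"
    "VERSION = 11\n"
    "PATCHLEVEL = 2\n";

static const char HOSTILE_RELEASE[] =
    "SUSE Linux Enterprise Server 11 (x86_64)\n"
    "PATCHLEVEL = 2\n";          /* no VERSION line at all */

/* Find "KEY = value" in buf and return a pointer to value plus its length,
 * or NULL when KEY is absent.  The NULL return is the interesting path:
 * it is entirely under the control of whoever wrote the guest's file. */
static const char *find_value(const char *buf, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = buf;
    while (p && *p) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen >= klen + 3 &&
            strncmp(p, key, klen) == 0 &&
            strncmp(p + klen, " = ", 3) == 0) {
            *len = linelen - klen - 3;
            return p + klen + 3;
        }
        p = eol ? eol + 1 : NULL;
    }
    return NULL;
}

/* "Before": copies the lookup result unconditionally.  On HOSTILE_RELEASE
 * find_value() returns NULL and strndup(NULL, ...) dereferences it, which is
 * the same strlen()-inside-strdup() fault as frames #0-#2 above. */
char *version_unchecked(const char *release_file)
{
    size_t len = 0;
    const char *v = find_value(release_file, "VERSION", &len);
    return strndup(v, len);       /* host process dies here on hostile input */
}

/* "After": a missing field is an inspection result ("unknown"), never a
 * crash of the host-side tool.  Caller frees a non-NULL return. */
char *version_checked(const char *release_file)
{
    size_t len = 0;
    const char *v = find_value(release_file, "VERSION", &len);
    if (v == NULL)
        return NULL;
    return strndup(v, len);
}

int main(void)
{
    char *v = version_checked(GOOD_RELEASE);
    printf("good guest: VERSION=%s\n", v ? v : "(unknown)");
    free(v);
    v = version_checked(HOSTILE_RELEASE);
    printf("hostile guest: VERSION=%s\n", v ? v : "(unknown)");
    free(v);
    /* version_unchecked(HOSTILE_RELEASE) would SIGSEGV; deliberately not called. */
    return 0;
}
```

The point for review of any inspection parser is that every lookup on guest-supplied data has a "not found" outcome, and each consumer of that outcome (strdup, strlen, further parsing) needs to see the NULL before it is dereferenced; the double-free fix in the linked commit and the strdup crash here are two symptoms of the same missing check.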

