[libvirt] [PATCH 1/3] virbitmap: Refactor virBitmapParse to avoid access beyond bounds of array

Eric Blake eblake at redhat.com
Fri Aug 30 12:11:20 UTC 2013

On 08/16/2013 04:32 AM, Peter Krempa wrote:
> The virBitmapParse function was calling virBitmapIsSet() function that
> requires the caller to check the bounds of the bitmap without checking
> them. This resulted into crashes when parsing a bitmap string that was
> exceeding the bounds used as argument.
> This patch refactors the function to use virBitmapSetBit without
> checking if the bit is set (this function does the checks internally)
> and then counts the bits in the bitmap afterwards (instead of keeping
> track while parsing the string).
> This patch also changes the "parse_error" label to a more common
> "error".
> The refactor should also get rid of the need to call sa_assert on the
> returned variable as the callpath should allow coverity to infer the
> possible return values.
> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=997367
> Thanks to Alex Jia for tracking down the issue.
> ---
>  src/util/virbitmap.c | 38 +++++++++++++++-----------------------
>  1 file changed, 15 insertions(+), 23 deletions(-)

This patch is the fix for CVE-2013-5651.

Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 621 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20130830/d8c3cea9/attachment-0001.sig>

More information about the libvir-list mailing list