[libvirt] [PATCH] rpc: Fix crash on error paths of message dispatching

Guido Günther agx at sigxcpu.org
Sun Feb 3 17:18:57 UTC 2013 

Hi Eric,
On Tue, Jan 29, 2013 at 02:21:30PM -0700, Eric Blake wrote:
> On 01/29/2013 01:22 PM, Guido Günther wrote:
> > Hi,
> > On Mon, Jan 28, 2013 at 07:35:38PM +0100, Peter Krempa wrote:
> >> When reading and dispatching of a message failed the message was freed
> >> but wasn't removed from the message queue.
> >>
> >> After that when the connection was about to be closed the pointer for
> >> the message was still present in the queue and it was passed to
> >> virNetMessageFree which tried to call the callback function from an
> >> uninitialized pointer.
> > 
> > Debian stable is shipping 0.8.2. I checked and it seems this version
> > isn't affected siince we properly remove the message from the queue
> > before looking at it in daemon/libvirtd.c. I'd be great if somebody
> > could double check though!
> 
> 0.8.2 predates the RPC rewrite, and I concur with your assessment that
> back then, the code was _always_ clearing the queue:
> 
> v0.8.2:daemon/libvirtd.c:qemudDispatchClientRead():
> 
>         /* Grab the completed message */
>         struct qemud_client_message *msg =
> qemudClientMessageQueueServe(&client->rx);
>         struct qemud_client_filter *filter;
> 
>         /* Decode the header so we can use it for routing decisions */
>         if (remoteDecodeClientMessageHeader(msg) < 0) {
>             VIR_FREE(msg);
>             qemudDispatchClientFailure(client);
>         }
> 
> However, it does look like there might be a missing 'return' statement
> after that error is reported, especially given that the next error
> reporting a few lines later does an early return.

Thanks for double checking. It indeed looks like there's a return
missing (cc:'ing the Debian bugreport to make this information permanent
there too).
Cheers,
 -- Guido

> But the best way to determine if this version is actually vulnerable to
> the CVE would be trying the exploit, and seeing if libvirtd survives
> with proper error logging about an invalid client request; Peter may
> have more details on how best to attempt that (although it may be better
> to discuss those details off-list, even if the CVE is already public, so
> that others are less likely to maliciously use the exploit).


> 
> -- 
> Eric Blake   eblake redhat com    +1-919-301-3266
> Libvirt virtualization library http://libvirt.org
>

More information about the libvir-list mailing list