[libvirt] [PATCH] rpc: Fix crash on error paths of message dispatching

Eric Blake eblake at redhat.com
Wed Jan 30 17:01:38 UTC 2013


On 01/29/2013 07:05 PM, Jim Fehlig wrote:

>>> Mention CVE-2013-0170 in the commit message, now that it is public:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=893450
>>>
>>>>
>>>> * rpc/virnetserverclient.c: virNetServerClientDispatchRead:
>>>>      - avoid use after free of RPC messages
>>>> ---
>>>>   src/rpc/virnetserverclient.c | 3 +++
>>>>   1 file changed, 3 insertions(+)
>>>
>>> ACK.  Looks like we need this on {v0.10.2,v0.9.11,v0.9.6}-maint as well.
>>
>> Thanks. I added the CVE notice and pushed to upstream and the v0.10.2
>> and v0.9.11 maint branches. v0.9.6 is not vulnerable. The problem was
>> introduced in 0.9.7.
> 
> Hi Peter,
> 
> Looks like 0.9.6 was vulnerable since this made its way to the
> v0.9.6-maint branch as well.  Do you happen to know when this was
> introduced?

I did some more research:

The original problem was introduced in commit 4e00b1d (libvirt 0.9.3),
when we switched over to new RPC handling; there, we only had one faulty
error path.  Later, commit 3ae0ab67 (libvirt 0.9.7) exacerbated the
problem, by adding two more faulty error paths.  Peter's test case when
originally reporting the CVE was on one of the error paths added in
0.9.7, hence his claim that "the problem was introduced in 0.9.7"; but I
still think it is possible to trigger the remaining faulty error path
when targeting libvirt 0.9.3, and agree with Cole's backport to the
v0.9.6-maint branch.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


