[libvirt] [PATCH] rpc: Fix crash on error paths of message dispatching
Jim Fehlig
jfehlig at suse.com
Thu Jan 31 23:19:42 UTC 2013
Eric Blake wrote:
> On 01/29/2013 07:05 PM, Jim Fehlig wrote:
>
>
>>>> Mention CVE-2013-0170 in the commit message, now that it is public:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=893450
>>>>
>>>>
>>>>> * rpc/virnetserverclient.c: virNetServerClientDispatchRead:
>>>>> - avoid use after free of RPC messages
>>>>> ---
>>>>> src/rpc/virnetserverclient.c | 3 +++
>>>>> 1 file changed, 3 insertions(+)
>>>>>
>>>> ACK. Looks like we need this on {v0.10.2,v0.9.11,v0.9.6}-maint as well.
>>>>
>>> Thanks. I added the CVE notice and pushed to upstream and the v0.10.2
>>> and v0.9.11 maint branches. v0.9.6 is not vulnerable. The problem was
>>> introduced in 0.9.7
>>>
>> Hi Peter,
>>
>> Looks like 0.9.6 was vulnerable since this made its way to the
>> v0.9.6-maint branch as well. Do you happen to know when this was
>> introduced?
>>
>
> I did some more research:
>
Eric,
Thank you for the research and explanation, it was not expected but very
much appreciated. I was actually having quite the RTFM moment after
asking this question...
Regards,
Jim
> The original problem was introduced in commit 4e00b1d (libvirt 0.9.3),
> when we switched over to new RPC handling; there, we only had one faulty
> error path. Later, commit 3ae0ab67 (libvirt 0.9.7) exacerbated the
> problem, by adding two more faulty error paths. Peter's test case when
> originally reporting the CVE was on one of the error paths added in
> 0.9.7, hence his claim that "the problem was introduced in 0.9.7"; but I
> still think it is possible to trigger the remaining faulty error path
> when targeting libvirt 0.9.3, and agree with Cole's backport to the
> v0.9.6-maint branch.
>
>
More information about the libvir-list
mailing list