CVE-2013-0170 libvirt: use-after-free in virNetMessageFree() (bz #893450, bz #905173)

0001-rpc-Fix-crash-on-error-paths-of-message-dispatching.patch

@@ -0,0 +1,55 @@
+From 46532e3e8ed5f5a736a02f67d6c805492f9ca720 Mon Sep 17 00:00:00 2001
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Fri, 4 Jan 2013 16:15:04 +0100
+Subject: [PATCH] rpc: Fix crash on error paths of message dispatching
+
+This patch resolves CVE-2013-0170:
+https://bugzilla.redhat.com/show_bug.cgi?id=893450
+
+When reading and dispatching of a message failed the message was freed
+but wasn't removed from the message queue.
+
+After that when the connection was about to be closed the pointer for
+the message was still present in the queue and it was passed to
+virNetMessageFree which tried to call the callback function from an
+uninitialized pointer.
+
+This patch removes the message from the queue before it's freed.
+
+* rpc/virnetserverclient.c: virNetServerClientDispatchRead:
+    - avoid use after free of RPC messages
+---
+ src/rpc/virnetserverclient.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c
+index af0560e..446e1e9 100644
+--- a/src/rpc/virnetserverclient.c
++++ b/src/rpc/virnetserverclient.c
+@@ -987,6 +987,7 @@ readmore:
+ 
+         /* Decode the header so we can use it for routing decisions */
+         if (virNetMessageDecodeHeader(msg) < 0) {
++            virNetMessageQueueServe(&client->rx);
+             virNetMessageFree(msg);
+             client->wantClose = true;
+             return;
+@@ -996,6 +997,7 @@ readmore:
+          * file descriptors */
+         if (msg->header.type == VIR_NET_CALL_WITH_FDS &&
+             virNetMessageDecodeNumFDs(msg) < 0) {
++            virNetMessageQueueServe(&client->rx);
+             virNetMessageFree(msg);
+             client->wantClose = true;
+             return; /* Error */
+@@ -1005,6 +1007,7 @@ readmore:
+         for (i = msg->donefds ; i < msg->nfds ; i++) {
+             int rv;
+             if ((rv = virNetSocketRecvFD(client->sock, &(msg->fds[i]))) < 0) {
++                virNetMessageQueueServe(&client->rx);
+                 virNetMessageFree(msg);
+                 client->wantClose = true;
+                 return;
+-- 
+1.8.1
+

libvirt.spec

@@ -341,7 +341,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 1.0.1
-Release: 4%{?dist}%{?extra_release}
+Release: 5%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -353,6 +353,9 @@ URL: http://libvirt.org/
 Source: http://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.gz
 Patch1: %{name}-%{version}-build-work-around-broken-kernel-header.patch
 Patch2: %{name}-%{version}-build-further-fixes-for-broken-if_bridge.h.patch
+# CVE-2013-0170 libvirt: use-after-free in virNetMessageFree() (bz
+# 893450, bz 905173)
+Patch3: 0001-rpc-Fix-crash-on-error-paths-of-message-dispatching.patch
 
 %if %{with_libvirtd}
 Requires: libvirt-daemon = %{version}-%{release}
@@ -1088,6 +1091,7 @@ of recent versions of Linux (and other OSes).
 %setup -q
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %build
 %if ! %{with_xen}
@@ -1998,6 +2002,10 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sysctl.d/libvirtd
 %endif
 
 %changelog
+* Mon Jan 28 2013 Cole Robinson <crobinso@redhat.com> - 1.0.1-5
+- CVE-2013-0170 libvirt: use-after-free in virNetMessageFree() (bz #893450, bz
+  #905173)
+
 * Sun Jan 20 2013 Richard W.M. Jones <rjones@redhat.com> - 1.0.1-4
 - Rebuild for libnl soname breakage (RHBZ#901569).