From 4084288dd519b53b795a31ff7d88eb3f112ae913 Mon Sep 17 00:00:00 2001
From: Cole Robinson
Date: Mon, 28 Jan 2013 15:11:38 -0500
Subject: [PATCH] CVE-2013-0170 libvirt: use-after-free in virNetMessageFree() (bz #893450, bz #905173)

---
 ...n-error-paths-of-message-dispatching.patch | 55 +++++++++++++++++++
 libvirt.spec | 10 +++-
 2 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 0001-rpc-Fix-crash-on-error-paths-of-message-dispatching.patch

diff --git a/0001-rpc-Fix-crash-on-error-paths-of-message-dispatching.patch b/0001-rpc-Fix-crash-on-error-paths-of-message-dispatching.patch
new file mode 100644
index 0000000..d3d529c
--- /dev/null
+++ b/0001-rpc-Fix-crash-on-error-paths-of-message-dispatching.patch
@@ -0,0 +1,55 @@
+From 46532e3e8ed5f5a736a02f67d6c805492f9ca720 Mon Sep 17 00:00:00 2001
+From: Peter Krempa
+Date: Fri, 4 Jan 2013 16:15:04 +0100
+Subject: [PATCH] rpc: Fix crash on error paths of message dispatching
+
+This patch resolves CVE-2013-0170:
+https://bugzilla.redhat.com/show_bug.cgi?id=893450
+
+When reading and dispatching of a message failed the message was freed
+but wasn't removed from the message queue.
+
+After that when the connection was about to be closed the pointer for
+the message was still present in the queue and it was passed to
+virNetMessageFree which tried to call the callback function from an
+uninitialized pointer.
+
+This patch removes the message from the queue before it's freed.
+
+* rpc/virnetserverclient.c: virNetServerClientDispatchRead:
+ - avoid use after free of RPC messages
+---
+ src/rpc/virnetserverclient.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c
+index af0560e..446e1e9 100644
+--- a/src/rpc/virnetserverclient.c
++++ b/src/rpc/virnetserverclient.c
+@@ -987,6 +987,7 @@ readmore:
+ 
+ /* Decode the header so we can use it for routing decisions */
+ if (virNetMessageDecodeHeader(msg) < 0) {
++ virNetMessageQueueServe(&client->rx);
+ virNetMessageFree(msg);
+ client->wantClose = true;
+ return;
+@@ -996,6 +997,7 @@ readmore:
+ * file descriptors */
+ if (msg->header.type == VIR_NET_CALL_WITH_FDS &&
+ virNetMessageDecodeNumFDs(msg) < 0) {
++ virNetMessageQueueServe(&client->rx);
+ virNetMessageFree(msg);
+ client->wantClose = true;
+ return; /* Error */
+@@ -1005,6 +1007,7 @@ readmore:
+ for (i = msg->donefds ; i < msg->nfds ; i++) {
+ int rv;
+ if ((rv = virNetSocketRecvFD(client->sock, &(msg->fds[i]))) < 0) {
++ virNetMessageQueueServe(&client->rx);
+ virNetMessageFree(msg);
+ client->wantClose = true;
+ return;
+-- 
+1.8.1
+
diff --git a/libvirt.spec b/libvirt.spec
index 8e82cc0..6a4ee70 100644
--- a/libvirt.spec
+++ b/libvirt.spec
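Review bot: The same four-line error sequence (dequeue, free, set wantClose, return) is now duplicated verbatim at three sites in virNetServerClientDispatchRead, and the bug this patch fixes is precisely a case of those sites diverging, so any error path added later can silently omit the dequeue and reintroduce the use-after-free. I would collapse them into one exit: each site becomes `goto error;` (e.g. `if (virNetMessageDecodeHeader(msg) < 0) goto error;`), with a single `error:` label at the end of the function holding the `virNetMessageQueueServe`/`virNetMessageFree`/`client->wantClose = true` lines. Each added `virNetMessageQueueServe(&client->rx);` discards its return value, which presumably relies on `msg` being the head of `client->rx`; that invariant is not visible in the hunk, so a comment such as `/* msg is the head of client->rx: pop it before freeing so the close path cannot reach it again */` would make the dependency explicit. The enclosing function begins and ends outside the hunk.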
@@ -341,7 +341,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 1.0.1
-Release: 4%{?dist}%{?extra_release}
+Release: 5%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -353,6 +353,9 @@ URL: http://libvirt.org/
 Source: http://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.gz
 Patch1: %{name}-%{version}-build-work-around-broken-kernel-header.patch
 Patch2: %{name}-%{version}-build-further-fixes-for-broken-if_bridge.h.patch
+# CVE-2013-0170 libvirt: use-after-free in virNetMessageFree() (bz
+# 893450, bz 905173)
+Patch3: 0001-rpc-Fix-crash-on-error-paths-of-message-dispatching.patch
 
 %if %{with_libvirtd}
 Requires: libvirt-daemon = %{version}-%{release}
@@ -1088,6 +1091,7 @@ of recent versions of Linux (and other OSes).
 %setup -q
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %build
 %if ! %{with_xen}
@@ -1998,6 +2002,10 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sysctl.d/libvirtd
 %endif
 
 %changelog
+* Mon Jan 28 2013 Cole Robinson - 1.0.1-5
+- CVE-2013-0170 libvirt: use-after-free in virNetMessageFree() (bz #893450, bz
+  #905173)
+
 * Sun Jan 20 2013 Richard W.M. Jones - 1.0.1-4
 - Rebuild for libnl soname breakage (RHBZ#901569).