CVE-2013-4239: xen: memory corruption in legacy driver (bz #996241, bz #996244)

2013-08-14 20:00:13 -04:00 · 2013-08-14 20:00:13 -04:00 · db2858c661
parent 53adb9aaba
commit db2858c661
2 changed files with 79 additions and 1 deletions
--- a/0001-xen-fix-memory-corruption-in-legacy-driver.patch
+++ b/0001-xen-fix-memory-corruption-in-legacy-driver.patch
@ -0,0 +1,66 @@
+From 0e671a1646df543eab683b38f6644f70d12fbee1 Mon Sep 17 00:00:00 2001
+Message-Id: <0e671a1646df543eab683b38f6644f70d12fbee1.1376524611.git.crobinso@redhat.com>
+From: Jim Fehlig <jfehlig@suse.com>
+Date: Mon, 5 Aug 2013 10:27:23 -0600
+Subject: [PATCH] xen: fix memory corruption in legacy driver
+
+Commit 632180d1 introduced memory corruption in xenDaemonListDefinedDomains
+by starting to populate the names array at index -1, causing all sorts
+of havoc in libvirtd such as aborts like the following
+
+*** Error in `/usr/sbin/libvirtd': double free or corruption (out): 0x00007fffe00ccf20 ***
+======= Backtrace: =========
+/lib64/libc.so.6(+0x7abf6)[0x7ffff3fa0bf6]
+/lib64/libc.so.6(+0x7b973)[0x7ffff3fa1973]
+/lib64/libc.so.6(xdr_array+0xde)[0x7ffff403cbae]
+/usr/sbin/libvirtd(+0x50251)[0x5555555a4251]
+/lib64/libc.so.6(xdr_free+0x15)[0x7ffff403ccd5]
+/usr/lib64/libvirt.so.0(+0x1fad34)[0x7ffff76b1d34]
+/usr/lib64/libvirt.so.0(virNetServerProgramDispatch+0x1fc)[0x7ffff76b16f1]
+/usr/lib64/libvirt.so.0(+0x1f214a)[0x7ffff76a914a]
+/usr/lib64/libvirt.so.0(+0x1f222d)[0x7ffff76a922d]
+/usr/lib64/libvirt.so.0(+0xbcc4f)[0x7ffff7573c4f]
+/usr/lib64/libvirt.so.0(+0xbc5e5)[0x7ffff75735e5]
+/lib64/libpthread.so.0(+0x7e0f)[0x7ffff48f7e0f]
+/lib64/libc.so.6(clone+0x6d)[0x7ffff400e7dd]
+
+Fix by initializing ret to 0 and only setting to error on failure path.
+---
+ src/xen/xend_internal.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/src/xen/xend_internal.c b/src/xen/xend_internal.c
+index 1ce36e6..f698c8d 100644
+--- a/src/xen/xend_internal.c
+++ b/src/xen/xend_internal.c
+@@ -2896,7 +2896,7 @@ xenDaemonListDefinedDomains(virConnectPtr conn,
+ {
+     struct sexpr *root = NULL;
+     size_t i;
+-    int ret = -1;
+    int ret = 0;
+     struct sexpr *_for_i, *node;
+ 
+     if (maxnames == 0)
+@@ -2919,16 +2919,15 @@ xenDaemonListDefinedDomains(virConnectPtr conn,
+             break;
+     }
+ 
+-    ret = 0;
+-
+ cleanup:
+     sexpr_free(root);
+     return ret;
+ 
+ error:
+-    for (i = 0; ret != -1 && i < ret; ++i)
+    for (i = 0; i < ret; ++i)
+         VIR_FREE(names[i]);
+ 
+    ret = -1;
+     goto cleanup;
+ }
+ 
+-- 
+1.8.3.1
+
--- a/libvirt.spec
+++ b/libvirt.spec
@ -350,7 +350,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 1.1.1
-Release: 1%{?dist}%{?extra_release}
+Release: 2%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@ -361,6 +361,10 @@ URL: http://libvirt.org/
 %endif
 Source: http://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.gz

+# CVE-2013-4239: xen: memory corruption in legacy driver (bz #996241, bz
+# #996244)
+Patch0001: 0001-xen-fix-memory-corruption-in-legacy-driver.patch
+
 %if %{with_libvirtd}
 Requires: libvirt-daemon = %{version}-%{release}
    %if %{with_network}
@ -1131,6 +1135,10 @@ of recent versions of Linux (and other OSes).
 %prep
 %setup -q

+# CVE-2013-4239: xen: memory corruption in legacy driver (bz #996241, bz
+# #996244)
+%patch0001 -p1
+
 %build
 %if ! %{with_xen}
    %define _without_xen --without-xen
@ -2069,6 +2077,10 @@ fi
 %endif

 %changelog
+* Wed Aug 14 2013 Cole Robinson <crobinso@redhat.com> - 1.1.1-2
+- CVE-2013-4239: xen: memory corruption in legacy driver (bz #996241, bz
+  #996244)
+
 * Tue Jul 30 2013 Daniel P. Berrange <berrange@redhat.com> - 1.1.1-1
 - Update to 1.1.1 release