[libvirt/f14] update to 0.8.3-10
Laine Stump
laine at fedoraproject.org
Wed Jul 6 01:20:21 UTC 2011
commit 50fe0d263acb74c956f1fe2a55a614d694c80992
Author: Laine Stump <laine at laine.org>
Date: Tue Jul 5 21:19:29 2011 -0400
update to 0.8.3-10
Fix for CVE-2011-2178, regression introduced in disk probe logic,
Bug 709775
...3-remote-protect-against-integer-overflow.patch | 106 ++++++++++++++++++++
libvirt.spec | 9 ++-
2 files changed, 114 insertions(+), 1 deletions(-)
---
diff --git a/libvirt-0.8.3-remote-protect-against-integer-overflow.patch b/libvirt-0.8.3-remote-protect-against-integer-overflow.patch
new file mode 100644
index 0000000..dd4c5e3
--- /dev/null
+++ b/libvirt-0.8.3-remote-protect-against-integer-overflow.patch
@@ -0,0 +1,106 @@
+From 584f9cee6926b57a19cc8bb36ea77124bdcfed94 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake at redhat.com>
+Date: Fri, 24 Jun 2011 12:16:05 -0600
+Subject: [PATCH] remote: protect against integer overflow
+
+https://bugzilla.redhat.com/show_bug.cgi?id=717204
+CVE-2011-2511 - integer overflow in VirDomainGetVcpus
+
+Integer overflow and remote code are never a nice mix.
+
+This has existed since commit 56cd414.
+
+* src/libvirt.c (virDomainGetVcpus): Reject overflow up front.
+* src/remote/remote_driver.c (remoteDomainGetVcpus): Avoid overflow
+ on sending rpc.
+* daemon/remote.c (remoteDispatchDomainGetVcpus): Avoid overflow on
+ receiving rpc.
+
+(cherry picked from commit 774b21c163845170c9ffa873f5720d318812eaf6)
+
+Conflicts:
+
+ daemon/remote.c
+ src/remote/remote_driver.c
+ src/libvirt.c
+
+Change to internal.h required to avoid backporting 89d994ad.
+---
+ daemon/remote.c | 3 ++-
+ src/internal.h | 17 +++++++++++++++++
+ src/libvirt.c | 4 ++--
+ src/remote/remote_driver.c | 3 ++-
+ 4 files changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/daemon/remote.c b/daemon/remote.c
+index 7464957..c6f7007 100644
+--- a/daemon/remote.c
++++ b/daemon/remote.c
+@@ -1697,7 +1697,8 @@ remoteDispatchDomainGetVcpus (struct qemud_server *server ATTRIBUTE_UNUSED,
+ return -1;
+ }
+
+- if (args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) {
++ if (INT_MULTIPLY_OVERFLOW(args->maxinfo, args->maplen) ||
++ args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) {
+ virDomainFree(dom);
+ remoteDispatchFormatError (rerr, "%s", _("maxinfo * maplen > REMOTE_CPUMAPS_MAX"));
+ return -1;
+diff --git a/src/internal.h b/src/internal.h
+index fab3e11..53447a9 100644
+--- a/src/internal.h
++++ b/src/internal.h
+@@ -226,4 +226,21 @@
+ } \
+ } while (0)
+
++/* branch-specific: we don't want to update gnulib on the branch, so this
++ * backports just one required macro from newer gnulib's intprops.h.
++ * This version requires that both a and b are 'int', rather than
++ * the fully type-generic version from gnulib. */
++# define INT_MULTIPLY_OVERFLOW(a, b) \
++ ((b) < 0 \
++ ? ((a) < 0 \
++ ? (a) < INT_MAX / (b) \
++ : (b) == -1 \
++ ? 0 \
++ : INT_MIN / (b) < (a)) \
++ : (b) == 0 \
++ ? 0 \
++ : ((a) < 0 \
++ ? (a) < INT_MIN / (b) \
++ : INT_MAX / (b) < (a)))
++
+ #endif /* __VIR_INTERNAL_H__ */
+diff --git a/src/libvirt.c b/src/libvirt.c
+index 1213ecf..6a584fb 100644
+--- a/src/libvirt.c
++++ b/src/libvirt.c
+@@ -5218,8 +5218,8 @@ virDomainGetVcpus(virDomainPtr domain, virVcpuInfoPtr info, int maxinfo,
+
+ /* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not
+ try to memcpy anything into a NULL pointer. */
+- if ((cpumaps == NULL && maplen != 0)
+- || (cpumaps && maplen <= 0)) {
++ if (!cpumaps ? maplen != 0
++ : (maplen <= 0 || INT_MULTIPLY_OVERFLOW(maxinfo, maplen))) {
+ virLibDomainError(domain, VIR_ERR_INVALID_ARG, __FUNCTION__);
+ goto error;
+ }
+diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
+index cb0d8e1..0d9b425 100644
+--- a/src/remote/remote_driver.c
++++ b/src/remote/remote_driver.c
+@@ -2467,7 +2467,8 @@ remoteDomainGetVcpus (virDomainPtr domain,
+ maxinfo, REMOTE_VCPUINFO_MAX);
+ goto done;
+ }
+- if (maxinfo * maplen > REMOTE_CPUMAPS_MAX) {
++ if (INT_MULTIPLY_OVERFLOW(maxinfo, maplen) ||
++ maxinfo * maplen > REMOTE_CPUMAPS_MAX) {
+ remoteError(VIR_ERR_RPC,
+ _("vCPU map buffer length exceeds maximum: %d > %d"),
+ maxinfo * maplen, REMOTE_CPUMAPS_MAX);
+--
+1.7.3.4
+
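Review bot: In the remoteDomainGetVcpus hunk (src/remote/remote_driver.c), the error path still passes `maxinfo * maplen` as a `%d` argument to remoteError, so when INT_MULTIPLY_OVERFLOW is what made the condition true, the signed multiplication overflows anyway and the logged value is meaningless. Reporting the two factors avoids the multiplication: `_("vCPU map buffer length exceeds maximum: %d * %d > %d"), maxinfo, maplen, REMOTE_CPUMAPS_MAX);`. Separately, the macro added to src/internal.h evaluates each operand several times and only its comment requires both to be `int`, so that comment should also say that arguments must be free of side effects. In remoteDispatchDomainGetVcpus the operands come straight from the RPC arguments, and the hunk does not show whether non-positive `maxinfo` or `maplen` values are rejected before this check; this is worth confirming, as the function body continues outside the hunk.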
diff --git a/libvirt.spec b/libvirt.spec
index 66f34bd..239a08e 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -185,7 +185,7 @@
Summary: Library providing a simple API virtualization
Name: libvirt
Version: 0.8.3
-Release: 9%{?dist}%{?extra_release}
+Release: 10%{?dist}%{?extra_release}
License: LGPLv2+
Group: Development/Libraries
Source: http://libvirt.org/sources/libvirt-%{version}.tar.gz
@@ -196,6 +196,8 @@ Patch4: %{name}-%{version}-fix-var-lib-libvirt-permissions.patch
# Patches 5, 6 CVE-2011-1486
Patch5: %{name}-%{version}-threadsafe-libvirtd-error-reporting.patch
Patch6: %{name}-%{version}-avoid-resetting-errors.patch
+# Patch 7 CVE-2011-2511
+Patch7: %{name}-%{version}-remote-protect-against-integer-overflow.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
URL: http://libvirt.org/
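Review bot: The comment `# Patch 7 CVE-2011-2511` here and the new changelog entry both name CVE-2011-2511 / Bug 717204, but the commit description names CVE-2011-2178 / Bug 709775 ("regression introduced in disk probe logic"), and this diff contains no patch for a disk probe regression. The description appears to have been carried over from a different update, which would mislead anyone who audits from the commit log which CVEs this build fixes. The description should match the changelog, e.g. `Fix for CVE-2011-2511, integer overflow in VirDomainGetVcpus, Bug 717204`.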
@@ -438,6 +440,7 @@ of recent versions of Linux (and other OSes).
%patch4 -p1
%patch5 -p1
%patch6 -p1
+%patch7 -p1
%build
%if ! %{with_xen}
@@ -928,6 +931,10 @@ fi
%endif
%changelog
+* Tue Jul 5 2011 Laine Stump <laine at redhat.com> 0.8.3-10
+- Fix for CVE-2011-2511, integer overflow in VirDomainGetVcpus,
+ Bug 717204
+
* Tue Apr 5 2011 Laine Stump <laine at redhat.com> 0.8.3-9
- Fix incorrect release version in specfile ChangeLog