[libvirt] CVE-2013-0170 libvirt: use-after-free in virNetMessageFree() (bz #893450, bz #905173)

Cole Robinson crobinso at fedoraproject.org
Mon Jan 28 20:11:42 UTC 2013


commit 4084288dd519b53b795a31ff7d88eb3f112ae913
Author: Cole Robinson <crobinso at redhat.com>
Date:   Mon Jan 28 15:11:38 2013 -0500

    CVE-2013-0170 libvirt: use-after-free in virNetMessageFree() (bz #893450, bz #905173)

 ...ash-on-error-paths-of-message-dispatching.patch |   55 ++++++++++++++++++++
 libvirt.spec                                       |   10 +++-
 2 files changed, 64 insertions(+), 1 deletions(-)
---
diff --git a/0001-rpc-Fix-crash-on-error-paths-of-message-dispatching.patch b/0001-rpc-Fix-crash-on-error-paths-of-message-dispatching.patch
new file mode 100644
index 0000000..d3d529c
--- /dev/null
+++ b/0001-rpc-Fix-crash-on-error-paths-of-message-dispatching.patch
@@ -0,0 +1,55 @@
+From 46532e3e8ed5f5a736a02f67d6c805492f9ca720 Mon Sep 17 00:00:00 2001
+From: Peter Krempa <pkrempa at redhat.com>
+Date: Fri, 4 Jan 2013 16:15:04 +0100
+Subject: [PATCH] rpc: Fix crash on error paths of message dispatching
+
+This patch resolves CVE-2013-0170:
+https://bugzilla.redhat.com/show_bug.cgi?id=893450
+
+When reading and dispatching of a message failed the message was freed
+but wasn't removed from the message queue.
+
+After that when the connection was about to be closed the pointer for
+the message was still present in the queue and it was passed to
+virNetMessageFree which tried to call the callback function from an
+uninitialized pointer.
+
+This patch removes the message from the queue before it's freed.
+
+* rpc/virnetserverclient.c: virNetServerClientDispatchRead:
+    - avoid use after free of RPC messages
+---
+ src/rpc/virnetserverclient.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c
+index af0560e..446e1e9 100644
+--- a/src/rpc/virnetserverclient.c
++++ b/src/rpc/virnetserverclient.c
+@@ -987,6 +987,7 @@ readmore:
+ 
+         /* Decode the header so we can use it for routing decisions */
+         if (virNetMessageDecodeHeader(msg) < 0) {
++            virNetMessageQueueServe(&client->rx);
+             virNetMessageFree(msg);
+             client->wantClose = true;
+             return;
+@@ -996,6 +997,7 @@ readmore:
+          * file descriptors */
+         if (msg->header.type == VIR_NET_CALL_WITH_FDS &&
+             virNetMessageDecodeNumFDs(msg) < 0) {
++            virNetMessageQueueServe(&client->rx);
+             virNetMessageFree(msg);
+             client->wantClose = true;
+             return; /* Error */
+@@ -1005,6 +1007,7 @@ readmore:
+         for (i = msg->donefds ; i < msg->nfds ; i++) {
+             int rv;
+             if ((rv = virNetSocketRecvFD(client->sock, &(msg->fds[i]))) < 0) {
++                virNetMessageQueueServe(&client->rx);
+                 virNetMessageFree(msg);
+                 client->wantClose = true;
+                 return;
+-- 
+1.8.1
+
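Review bot: The same four-line recovery sequence (`virNetMessageQueueServe(&client->rx); virNetMessageFree(msg); client->wantClose = true; return;`) now appears on three error paths in virNetServerClientDispatchRead, and the CVE was precisely one step of that sequence being missing; folding the three into a single `error:` label reached by `goto` would let any future error path inherit the unlink-before-free automatically instead of having to repeat it. The fix also appears to rest on `msg` being the head element of `client->rx`, so that `virNetMessageQueueServe` unlinks this message and not some other one; that invariant is not visible in the hunk and is worth stating at the first call, e.g. `/* msg is the head of client->rx: unlink it before freeing so the close path cannot free it again */`. The body of virNetServerClientDispatchRead begins and ends outside the hunk, so any other early returns between these three sites should be checked for the same missing unlink.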
diff --git a/libvirt.spec b/libvirt.spec
index 8e82cc0..6a4ee70 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -341,7 +341,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 1.0.1
-Release: 4%{?dist}%{?extra_release}
+Release: 5%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -353,6 +353,9 @@ URL: http://libvirt.org/
 Source: http://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.gz
 Patch1: %{name}-%{version}-build-work-around-broken-kernel-header.patch
 Patch2: %{name}-%{version}-build-further-fixes-for-broken-if_bridge.h.patch
+# CVE-2013-0170 libvirt: use-after-free in virNetMessageFree() (bz
+# 893450, bz 905173)
+Patch3: 0001-rpc-Fix-crash-on-error-paths-of-message-dispatching.patch
 
 %if %{with_libvirtd}
 Requires: libvirt-daemon = %{version}-%{release}
@@ -1088,6 +1091,7 @@ of recent versions of Linux (and other OSes).
 %setup -q
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %build
 %if ! %{with_xen}
@@ -1998,6 +2002,10 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sysctl.d/libvirtd
 %endif
 
 %changelog
+* Mon Jan 28 2013 Cole Robinson <crobinso at redhat.com> - 1.0.1-5
+- CVE-2013-0170 libvirt: use-after-free in virNetMessageFree() (bz #893450, bz
+  #905173)
+
 * Sun Jan 20 2013 Richard W.M. Jones <rjones at redhat.com> - 1.0.1-4
 - Rebuild for libnl soname breakage (RHBZ#901569).
 

