[libguestfs/f18] Fix a denial-of-service (double-free) which can be forced by guests.

Richard W.M. Jones rjones at fedoraproject.org
Tue May 28 16:32:21 UTC 2013


commit 8676b6b94fe83c8dfe3f1403b460b7bc4195f052
Author: Richard W.M. Jones <rjones at redhat.com>
Date:   Tue May 28 17:31:45 2013 +0100

    Fix a denial-of-service (double-free) which can be forced by guests.
    
      https://www.redhat.com/archives/libguestfs/2013-May/msg00079.html

 ...Fix-double-free-when-certain-guest-files-.patch |   72 ++++++++++++++++++++
 libguestfs.spec                                    |   16 +++--
 2 files changed, 83 insertions(+), 5 deletions(-)
---
diff --git a/0001-inspection-Fix-double-free-when-certain-guest-files-.patch b/0001-inspection-Fix-double-free-when-certain-guest-files-.patch
new file mode 100644
index 0000000..9281e64
--- /dev/null
+++ b/0001-inspection-Fix-double-free-when-certain-guest-files-.patch
@@ -0,0 +1,72 @@
+From 93b76d6b7287e4f418292a73befbcc990686b296 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones at redhat.com>
+Date: Tue, 28 May 2013 16:15:59 +0100
+Subject: [PATCH] inspection: Fix double-free when certain guest files are
+ empty.
+
+The following commit:
+
+  commit 5a3da366268825b26b470cde35658b67c1d11cd4
+  Author: Richard W.M. Jones <rjones at redhat.com>
+  Date:   Thu Jan 24 17:07:38 2013 +0000
+
+      inspect: Use CLEANUP_* macros in inspection code.
+
+can cause a double-free along an error path when certain guest files
+are empty where we expected those files to contain at least one line.
+
+This causes virt-inspector to crash when run on these guests.
+
+The following is a test case which demonstrates the crash.
+`f20rawhidex64' is a Fedora guest, but with small adjustments to the
+test you could use any Linux guest for this test.
+
+  $ qemu-img create -f qcow2 -b f20rawhidex64 /tmp/test.qcow2
+  Formatting '/tmp/test.qcow2', fmt=qcow2 size=21474836480 backing_file='f20rawhidex64' encryption=off cluster_size=65536 lazy_refcounts=off
+  $ guestfish -i -a /tmp/test.qcow2 -- rm /etc/redhat-release : touch /etc/redhat-release
+  $ virt-inspector /tmp/test.qcow2
+  *** glibc detected *** virt-inspector: double free or corruption (fasttop): 0x00007f18bc9925a0 ***
+  ======= Backtrace: =========
+  /lib64/libc.so.6(+0x34ecc7ca8e)[0x7f18b8e64a8e]
+  /lib64/libguestfs.so.0(+0x3f91898078)[0x7f18ba13c078]
+  /lib64/libguestfs.so.0(+0x3f91899761)[0x7f18ba13d761]
+  /lib64/libguestfs.so.0(+0x3f91896d12)[0x7f18ba13ad12]
+  /lib64/libguestfs.so.0(+0x3f91894140)[0x7f18ba138140]
+  /lib64/libguestfs.so.0(guestfs_inspect_os+0x35)[0x7f18ba0bcc35]
+  virt-inspector(main+0x547)[0x7f18ba7c57d7]
+  /lib64/libc.so.6(__libc_start_main+0xf5)[0x7f18b8e09a05]
+  virt-inspector(+0x6665)[0x7f18ba7c7665]
+
+This is a denial of service, but not likely to be exploitable.
+
+(Found by Coverity)
+(cherry picked from commit fa6a76050d82894365dfe32916903ef7fee3ffcd)
+---
+ src/inspect-fs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/inspect-fs.c b/src/inspect-fs.c
+index b60725a..e4d3c28 100644
+--- a/src/inspect-fs.c
++++ b/src/inspect-fs.c
+@@ -530,7 +530,7 @@ guestfs___check_package_management (guestfs_h *g, struct inspect_fs *fs)
+ char *
+ guestfs___first_line_of_file (guestfs_h *g, const char *filename)
+ {
+-  CLEANUP_FREE char **lines = NULL; /* sic: not CLEANUP_FREE_STRING_LIST */
++  char **lines = NULL; /* sic: not CLEANUP_FREE_STRING_LIST */
+   int64_t size;
+   char *ret;
+ 
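Review bot: with the CLEANUP_FREE attribute dropped from `lines`, the retained comment `/* sic: not CLEANUP_FREE_STRING_LIST */` no longer has a cleanup macro to contrast with and reads as stale; reword it to say why the array is released by hand, e.g. `/* freed manually below: lines[0] is handed to the caller, only the array is freed here */`. Dropping the automatic free also means every return between the point where `lines` is allocated and the explicit free at the end of the function must release the array itself (or return before it is allocated); the hunk does not show that middle section, so confirm that the empty-file error path described in the commit message is now the only place that frees the list on error and that no other early return after the allocation leaks it.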
+@@ -559,6 +559,8 @@ guestfs___first_line_of_file (guestfs_h *g, const char *filename)
+ 
+   ret = lines[0];               /* caller frees */
+ 
++  free (lines);
++
+   return ret;
+ }
+ 
+-- 
+1.8.2.1
+
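Review bot: the `/* caller frees */` comment on `ret = lines[0];` now sits two lines above a `free (lines);`, which is easy to misread as freeing what the caller was just promised; make the ownership split explicit on the new line, e.g. `free (lines); /* free the array only; lines[0] (ret) is returned to the caller */`. The commit message also gives a precise reproducer (an emptied /etc/redhat-release turning into a glibc "double free or corruption" abort in virt-inspector), but the patch touches only src/inspect-fs.c; a regression test that creates the empty file with guestfish and runs inspection, as the message does by hand, would keep this from coming back the next time the CLEANUP_* macros in the inspection code are reworked.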
diff --git a/libguestfs.spec b/libguestfs.spec
index b49b958..194d881 100644
--- a/libguestfs.spec
+++ b/libguestfs.spec
@@ -22,14 +22,15 @@ Summary:       Access and modify virtual machine disk images
 Name:          libguestfs
 Epoch:         1
 Version:       1.20.6
-Release:       2%{?dist}
+Release:       3%{?dist}
 License:       LGPLv2+
 Group:         Development/Libraries
 URL:           http://libguestfs.org/
 Source0:       http://libguestfs.org/download/1.20-stable/%{name}-%{version}.tar.gz
 
-Patch0001:     0001-daemon-Properly-quote-arguments-for-tar-out-base64-o.patch
-Patch0002:     0002-tests-Add-a-regression-test-for-RHBZ-957772.patch
+Patch1:        0001-daemon-Properly-quote-arguments-for-tar-out-base64-o.patch
+Patch2:        0002-tests-Add-a-regression-test-for-RHBZ-957772.patch
+Patch3:        0001-inspection-Fix-double-free-when-certain-guest-files-.patch
 
 # Basic build requirements:
 BuildRequires: perl(Pod::Simple)
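Review bot: the new Patch3 is a file named `0001-inspection-Fix-double-free-when-certain-guest-files-.patch`, so two files in the package now carry the `0001-` prefix (Patch1 is `0001-daemon-Properly-quote-arguments-for-tar-out-base64-o.patch`) while the spec applies them as patches 1 and 3; rename the file to `0003-inspection-Fix-double-free-when-certain-guest-files-.patch` (or otherwise make the filename number match the PatchN tag) so the two numberings agree. The rename of `Patch0001`/`Patch0002` to `Patch1`/`Patch2` is unrelated tidying that lands in a security-fix release; it is harmless but would be clearer as its own commit.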
@@ -666,10 +667,11 @@ for %{name}.
 %prep
 %setup -q
 
-%patch0001 -p1
-%patch0002 -p1
+%patch1 -p1
+%patch2 -p1
 # patch command does not set the mode correctly on this new file, so:
 chmod +x tests/regressions/rhbz957772.sh
+%patch3 -p1
 
 if [ "$(getenforce | tr '[A-Z]' '[a-z]')" != "disabled" ]; then
     # For sVirt to work, the local temporary directory we use in the
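Review bot: `%patch3 -p1` is placed after the `chmod +x tests/regressions/rhbz957772.sh` line that belongs to patch 2, so the patch-application sequence is now interleaved with a post-processing step; consider applying all three `%patchN -p1` lines consecutively and moving the chmod (with its explanatory comment) after the last one, so the next patch is appended in one obvious place and the chmod is not mistaken for something patch 3 needs.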
@@ -1021,6 +1023,10 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/run/libguestfs
 
 
 %changelog
+* Tue May 28 2013 Richard W.M. Jones <rjones at redhat.com> - 1:1.20.6-3
+- Fix a denial-of-service (double-free) which can be forced by guests.
+  https://www.redhat.com/archives/libguestfs/2013-May/msg00079.html
+
 * Mon Apr 29 2013 Richard W.M. Jones <rjones at redhat.com> - 1:1.20.6-2
 - Fix broken quoting in tar-out and base64-out commands (RHBZ#957797).
 
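Review bot: the new changelog entry cites only the mailing-list thread, whereas the previous entry records a bug number (RHBZ#957797); since this is a security fix, add the identifiers that let it be traced, at minimum the upstream commit it cherry-picks (fa6a76050d82894365dfe32916903ef7fee3ffcd, named in the patch header) and a Bugzilla or CVE reference if one is assigned.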


More information about the scm-commits mailing list