On Tue, May 28, Richard W.M. Jones wrote: > > There's a denial of service attack possible from guests on any program > that does inspection (eg. virt-inspector, many other virt-* tools, > virt-v2v, OpenStack). > > The attack causes the host process to crash because of a double free. > It's probably not exploitable (definitely not on Fedora because of the > default memory hardening settings). > > This patch contains the fix and a reproducer: > > https://github.com/libguestfs/libguestfs/commit/fa6a76050d82894365dfe32916903ef7fee3ffcd
This is appearently incomplete, bt from a 1.20.4: head -n 10 libguestfs: recv_from_daemon: 44 bytes: 20 00 f5 f5 | 00 00 00 04 | 00 00 00 7a | 00 00 00 01 | 00 12 34 24 | ... Program received signal SIGSEGV, Segmentation fault. 0x00007ffff69deae2 in __strlen_sse2 () from /lib64/libc.so.6 (gdb) bt #0 0x00007ffff69deae2 in __strlen_sse2 () from /lib64/libc.so.6 #1 0x00007ffff69de7e6 in strdup () from /lib64/libc.so.6 #2 0x00007ffff7b7936c in guestfs___safe_strdup (g=0x65da50, str=0x0) at alloc.c:96 #3 0x00007ffff7b8b65e in parse_suse_release (filename=<optimized out>, fs=<optimized out>, g=<optimized out>) at inspect-fs-unix.c:343 #4 guestfs___check_linux_root (g=0x65da50, fs=0x6665b0) at inspect-fs-unix.c:560 #5 0x00007ffff7b88522 in check_filesystem (is_partnum=<optimized out>, is_block=<optimized out>, device=<optimized out>, g=<optimized out>) at inspect-fs.c:238 #6 guestfs___check_for_filesystem_on (g=0x65da50, device=0x617930 "/dev/sda2", is_block=0, is_partnum=2) at inspect-fs.c:152 #7 0x00007ffff7b86980 in guestfs__inspect_os (g=0x65da50) at inspect.c:86 #8 0x00007ffff7b1c91b in guestfs_inspect_os (g=0x65da50) at actions-1.c:397 #9 0x0000000000406ba9 in main (argc=3, argv=<optimized out>) at virt-inspector.c:273 Looks like parse_lsb_release and parse_suse_release needs a similar change. I will test a patch. Olaf _______________________________________________ Libguestfs mailing list [email protected] https://www.redhat.com/mailman/listinfo/libguestfs
