Upstream-Status: Backport from 
[https://launchpad.net/ubuntu/+source/libvirt/8.0.0-1ubuntu7.10]

import Ubuntu patches to fix
   CVE-2024-1441
   CVE-2024-2496
Signed-off-by: Ashish Sharma <[email protected]>
---
 .../libvirt/libvirt/CVE-2024-1441.patch       | 64 +++++++++++++
 .../libvirt/libvirt/CVE-2024-2496.patch       | 91 +++++++++++++++++++
 recipes-extended/libvirt/libvirt_8.1.0.bb     |  2 +
 3 files changed, 157 insertions(+)
 create mode 100644 recipes-extended/libvirt/libvirt/CVE-2024-1441.patch
 create mode 100644 recipes-extended/libvirt/libvirt/CVE-2024-2496.patch

diff --git a/recipes-extended/libvirt/libvirt/CVE-2024-1441.patch b/recipes-extended/libvirt/libvirt/CVE-2024-1441.patch
new file mode 100644
index 00000000..5a17e9c5
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2024-1441.patch
@@ -0,0 +1,64 @@
+From c664015fe3a7bf59db26686e9ed69af011c6ebb8 Mon Sep 17 00:00:00 2001
+From: Martin Kletzander <[email protected]>
+Date: Tue, 27 Feb 2024 16:20:12 +0100
+Subject: [PATCH] Fix off-by-one error in udevListInterfacesByStatus
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ever since this function was introduced in 2012 it could've tried
+filling in an extra interface name.  That was made worse in 2019 when
+the caller functions started accepting NULL arrays of size 0.
+
+This is assigned CVE-2024-1441.
+
+Signed-off-by: Martin Kletzander <[email protected]>
+Reported-by: Alexander Kuznetsov <[email protected]>
+Fixes: 5a33366f5c0b18c93d161bd144f9f079de4ac8ca
+Fixes: d6064e2759a24e0802f363e3a810dc5a7d7ebb15
+Reviewed-by: J??n Tomko <[email protected]>
+
+Upstream-Status: Backport from [https://launchpad.net/ubuntu/+source/libvirt/8.0.0-1ubuntu7.10]
+CVE: CVE-2024-1441
+Signed-off-by: Ashish Sharma <[email protected]>
+
+
+ NEWS.rst                               | 15 +++++++++++++++
+ src/interface/interface_backend_udev.c |  2 +-
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+#--- a/NEWS.rst
+#+++ b/NEWS.rst
+#@@ -312,6 +312,21 @@ v9.2.0 (2023-04-01)
+# v9.1.0 (2023-03-01)
+# ===================
+# 
+#+  * ``CVE-2024-1441``: Fix off-by-one error leading to a crash
+#+
+#+    In **libvirt-1.0.0** there were couple of interface listing APIs
+#+    introduced which had an off-by-one error.  That error could lead to a
+#+    very rare crash if an array was passed to those functions which did
+#+    not fit all the interfaces.
+#+
+#+    In **libvirt-5.10** a check for non-NULL arrays has been adjusted to
+#+    allow for NULL arrays with size 0 instead of rejecting all NULL
+#+    arrays.  However that made the above issue significantly worse since
+#+    that off-by-one error now did not write beyond an array, but
+#+    dereferenced said NULL pointer making the crash certain in a
+#+    specific scenario in which a NULL array of size 0 was passed to the
+#+    aforementioned functions.
+#+
+# * **Removed features**
+# 
+#   * vbox: removed support for version 5.2 and 6.0 APIs
+--- a/src/interface/interface_backend_udev.c
++++ b/src/interface/interface_backend_udev.c
+@@ -220,7 +220,7 @@ udevListInterfacesByStatus(virConnectPtr
+         g_autoptr(virInterfaceDef) def = NULL;
+ 
+         /* Ensure we won't exceed the size of our array */
+-        if (count > names_len)
++        if (count >= names_len)
+             break;
+ 
+         path = udev_list_entry_get_name(dev_entry);
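Review bot: The `Upstream-Status` line in this patch header points at the Ubuntu source package rather than the upstream change, even though the upstream commit id is already present in the `From c664015fe3a7...` line. A later CVE audit of the layer is easier when the backport can be checked against the commit itself, e.g. `Upstream-Status: Backport [<URL of upstream libvirt commit c664015fe3a7bf59db26686e9ed69af011c6ebb8>]`, with the Ubuntu reference kept as a second line if that refresh was the actual source. CVE-2024-2496.patch carries the same header, and its `From 2ca94317ac64...` line gives the matching id. Because the Ubuntu patches were prepared for 8.0.0 and the recipe is 8.1.0, the header could also state whether they applied without fuzz.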
diff --git a/recipes-extended/libvirt/libvirt/CVE-2024-2496.patch b/recipes-extended/libvirt/libvirt/CVE-2024-2496.patch
new file mode 100644
index 00000000..ec477b05
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2024-2496.patch
@@ -0,0 +1,91 @@
+Backport of:
+
+From 2ca94317ac642a70921947150ced8acc674ccdc8 Mon Sep 17 00:00:00 2001
+From: Dmitry Frolov <[email protected]>
+Date: Tue, 12 Sep 2023 15:56:47 +0300
+Subject: [PATCH] interface: fix udev_device_get_sysattr_value return value
+ check
+
+Reviewing the code I found that return value of function
+udev_device_get_sysattr_value() is dereferenced without a check.
+udev_device_get_sysattr_value() may return NULL by number of reasons.
+
+v2: VIR_DEBUG added, replaced STREQ(NULLSTR()) with STREQ_NULLABLE()
+v3: More checks added, to skip earlier. More verbose VIR_DEBUG.
+
+Signed-off-by: Dmitry Frolov <[email protected]>
+Reviewed-by: Martin Kletzander <[email protected]>
+
+Upstream-Status: Backport from [https://launchpad.net/ubuntu/+source/libvirt/8.0.0-1ubuntu7.10]
+CVE: CVE-2024-2496
+Signed-off-by: Ashish Sharma <[email protected]>
+
+
+ src/interface/interface_backend_udev.c | 26 +++++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
+
+--- a/src/interface/interface_backend_udev.c
++++ b/src/interface/interface_backend_udev.c
+@@ -23,6 +23,7 @@
+ #include <dirent.h>
+ #include <libudev.h>
+ 
++#include "virlog.h"
+ #include "virerror.h"
+ #include "virfile.h"
+ #include "datatypes.h"
+@@ -41,6 +42,8 @@
+ 
+ #define VIR_FROM_THIS VIR_FROM_INTERFACE
+ 
++VIR_LOG_INIT("interface.interface_backend_udev");
++
+ struct udev_iface_driver {
+     struct udev *udev;
+     /* pid file FD, ensures two copies of the driver can't use the same root */
+@@ -355,11 +358,20 @@ udevConnectListAllInterfaces(virConnectP
+         const char *macaddr;
+         g_autoptr(virInterfaceDef) def = NULL;
+ 
+-        path = udev_list_entry_get_name(dev_entry);
+-        dev = udev_device_new_from_syspath(udev, path);
+-        name = udev_device_get_sysname(dev);
++        if (!(path = udev_list_entry_get_name(dev_entry))) {
++            VIR_DEBUG("Skipping interface, path == NULL");
++            continue;
++        }
++        if (!(dev = udev_device_new_from_syspath(udev, path))) {
++            VIR_DEBUG("Skipping interface '%s', dev == NULL", path);
++            continue;
++        }
++        if (!(name = udev_device_get_sysname(dev))) {
++            VIR_DEBUG("Skipping interface '%s', name == NULL", path);
++            continue;
++        }
+         macaddr = udev_device_get_sysattr_value(dev, "address");
+-        status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up");
++        status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up");
+ 
+         def = udevGetMinimalDefForDevice(dev);
+         if (!virConnectListAllInterfacesCheckACL(conn, def)) {
+@@ -969,9 +981,9 @@ udevGetIfaceDef(struct udev *udev, const
+ 
+     /* MTU */
+     mtu_str = udev_device_get_sysattr_value(dev, "mtu");
+-    if (virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) {
++    if (!mtu_str || virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) {
+         virReportError(VIR_ERR_INTERNAL_ERROR,
+-                _("Could not parse MTU value '%s'"), mtu_str);
++                _("Could not parse MTU value '%1$s'"), NULLSTR(mtu_str));
+         goto error;
+     }
+     ifacedef->mtu = mtu;
+@@ -1094,7 +1106,7 @@ udevInterfaceIsActive(virInterfacePtr if
+        goto cleanup;
+ 
+     /* Check if it's active or not */
+-    status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up");
++    status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up");
+ 
+     udev_device_unref(dev);
+ 
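Review bot: The `name == NULL` skip in udevConnectListAllInterfaces runs after `udev_device_new_from_syspath()` has already returned a device, and none of the visible lines releases it before `continue`. The declaration of `dev` is outside the hunk, so unless it carries an automatic cleanup attribute, this path keeps one udev reference for every skipped interface. Adding `udev_device_unref(dev);` ahead of that `continue;` would close it. The loop body also continues past the hunk, and `macaddr` is still assigned without a NULL check here, so its later use is worth confirming against the 8.1.0 source.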
diff --git a/recipes-extended/libvirt/libvirt_8.1.0.bb b/recipes-extended/libvirt/libvirt_8.1.0.bb
index a88e0ee3..ef9c1c6e 100644
--- a/recipes-extended/libvirt/libvirt_8.1.0.bb
+++ b/recipes-extended/libvirt/libvirt_8.1.0.bb
@@ -31,6 +31,8 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
            file://0001-qemu-segmentation-fault-in-virtqemud-executing-qemuD.patch \
            file://CVE-2023-2700.patch \
            file://CVE-2024-2494.patch \
+           file://CVE-2024-1441.patch \
+           file://CVE-2024-2496.patch \
           "
 
 SRC_URI[libvirt.sha256sum] = "3c6c43becffeb34a3f397c616206aa69a893ff8bf5e8208393c84e8e75352934"
-- 
2.35.7
