Hello community, here is the log from the commit of package libvirt for openSUSE:11.3 checked in at Wed Jul 6 18:31:27 CEST 2011.
-------- --- old-versions/11.3/UPDATES/all/libvirt/libvirt.changes 2011-04-06 17:25:00.000000000 +0200 +++ 11.3/libvirt/libvirt.changes 2011-07-01 20:47:31.000000000 +0200 @@ -1,0 +2,8 @@ +Thu Jun 30 14:48:51 MDT 2011 - jfeh...@suse.de + +- VUL-0: libvirt: integer overflow in VirDomainGetVcpus + add-intprops-supp.patch + 774b21c1-CVE-2011-2511.patch + bnc#703084 + +------------------------------------------------------------------- calling whatdependson for 11.3-i586 New: ---- 774b21c1-CVE-2011-2511.patch add-intprops-supp.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libvirt.spec ++++++ --- /var/tmp/diff_new_pack.Z5JabV/_old 2011-07-06 18:31:01.000000000 +0200 +++ /var/tmp/diff_new_pack.Z5JabV/_new 2011-07-06 18:31:01.000000000 +0200 @@ -117,7 +117,7 @@ Group: Development/Libraries/C and C++ AutoReqProv: yes Version: 0.8.1 -Release: 4.<RELEASE8> +Release: 4.<RELEASE10> Summary: A C toolkit to interract with the virtualization capabilities of Linux # The client side, i.e. shared libs and virsh are in a subpackage Requires: %{name}-client = %{version}-%{release} @@ -170,6 +170,8 @@ Patch26: 094c6f4a-hap-fix.patch Patch27: 71753cb7-CVE-2011-1146.patch Patch28: f44bfb7f-CVE-2011-1486.patch +Patch29: add-intprops-supp.patch +Patch30: 774b21c1-CVE-2011-2511.patch # Need to go upstream Patch100: xen-name-for-devid.patch Patch102: clone.patch @@ -311,6 +313,8 @@ %patch26 -p1 %patch27 -p1 %patch28 -p1 +%patch29 -p1 +%patch30 -p1 %patch100 -p1 %patch102 %patch103 -p1 ++++++ 774b21c1-CVE-2011-2511.patch ++++++ commit 774b21c163845170c9ffa873f5720d318812eaf6 Author: Eric Blake <ebl...@redhat.com> Date: Fri Jun 24 12:16:05 2011 -0600 remote: protect against integer overflow Integer overflow and remote code are never a nice mix. This has existed since commit 56cd414. * src/libvirt.c (virDomainGetVcpus): Reject overflow up front. * src/remote/remote_driver.c (remoteDomainGetVcpus): Avoid overflow on sending rpc. * daemon/remote.c (remoteDispatchDomainGetVcpus): Avoid overflow on receiving rpc. Index: libvirt-0.8.1/daemon/remote.c =================================================================== --- libvirt-0.8.1.orig/daemon/remote.c +++ libvirt-0.8.1/daemon/remote.c @@ -57,6 +57,7 @@ #include "memory.h" #include "util.h" #include "stream.h" +#include "intprops-supp.h" #define VIR_FROM_THIS VIR_FROM_REMOTE #define REMOTE_DEBUG(fmt, ...) DEBUG(fmt, __VA_ARGS__) @@ -1652,7 +1653,8 @@ remoteDispatchDomainGetVcpus (struct qem return -1; } - if (args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) { + if (INT_MULTIPLY_OVERFLOW(args->maxinfo, args->maplen) || + args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) { virDomainFree(dom); remoteDispatchFormatError (rerr, "%s", _("maxinfo * maplen > REMOTE_CPUMAPS_MAX")); return -1; Index: libvirt-0.8.1/src/libvirt.c =================================================================== --- libvirt-0.8.1.orig/src/libvirt.c +++ libvirt-0.8.1/src/libvirt.c @@ -41,6 +41,7 @@ #include "uuid.h" #include "util.h" #include "memory.h" +#include "intprops-supp.h" #ifndef WITH_DRIVER_MODULES # ifdef WITH_TEST @@ -5148,8 +5149,8 @@ virDomainGetVcpus(virDomainPtr domain, v /* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not try to memcpy anything into a NULL pointer. */ - if ((cpumaps == NULL && maplen != 0) - || (cpumaps && maplen <= 0)) { + if (!cpumaps ? maplen != 0 + : (maplen <= 0 || INT_MULTIPLY_OVERFLOW(maxinfo, maplen))) { virLibDomainError(domain, VIR_ERR_INVALID_ARG, __FUNCTION__); goto error; } Index: libvirt-0.8.1/src/remote/remote_driver.c =================================================================== --- libvirt-0.8.1.orig/src/remote/remote_driver.c +++ libvirt-0.8.1/src/remote/remote_driver.c @@ -89,6 +89,7 @@ #include "util.h" #include "event.h" #include "ignore-value.h" +#include "intprops-supp.h" #define VIR_FROM_THIS VIR_FROM_REMOTE @@ -2460,7 +2461,8 @@ remoteDomainGetVcpus (virDomainPtr domai maxinfo, REMOTE_VCPUINFO_MAX); goto done; } - if (maxinfo * maplen > REMOTE_CPUMAPS_MAX) { + if (INT_MULTIPLY_OVERFLOW(maxinfo, maplen) || + maxinfo * maplen > REMOTE_CPUMAPS_MAX) { remoteError(VIR_ERR_RPC, _("vCPU map buffer length exceeds maximum: %d > %d"), maxinfo * maplen, REMOTE_CPUMAPS_MAX); ++++++ add-intprops-supp.patch ++++++ Index: libvirt-0.8.8/src/intprops-supp.h =================================================================== --- /dev/null +++ libvirt-0.8.8/src/intprops-supp.h @@ -0,0 +1,92 @@ +/* -*- buffer-read-only: t -*- vi: set ro: */ +/* DO NOT EDIT! GENERATED AUTOMATICALLY! */ +/* intprops.h -- properties of integer types + + Copyright (C) 2001-2005, 2009-2011 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 2.1 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +/* Written by Paul Eggert. */ + +/* NB: Adds some macros from newer gnulib intprops.h */ + +#ifndef _GL_INTPROPS_SUPP_H +#define _GL_INTPROPS_SUPP_H + +#include <limits.h> + +/* Return a integer value, converted to the same type as the integer + expression E after integer type promotion. V is the unconverted value. + E should not have side effects. */ +#define _GL_INT_CONVERT(e, v) (0 * (e) + (v)) + +/* Act like _GL_INT_CONVERT (E, -V) but work around a bug in IRIX 6.5 cc; see + <http://lists.gnu.org/archive/html/bug-gnulib/2011-05/msg00406.html>. */ +#define _GL_INT_NEGATE_CONVERT(e, v) (0 * (e) - (v)) + +/* Return 1 if the integer expression E, after integer promotion, has + a signed type. E should not have side effects. */ +#define _GL_INT_SIGNED(e) (_GL_INT_NEGATE_CONVERT (e, 1) < 0) + +/* True if the signed integer expression E uses two's complement. */ +#define _GL_INT_TWOS_COMPLEMENT(e) (~ _GL_INT_CONVERT (e, 0) == -1) + +/* The maximum and minimum values for the type of the expression E, + after integer promotion. E should not have side effects. */ +#define _GL_INT_MINIMUM(e) \ + (_GL_INT_SIGNED (e) \ + ? - _GL_INT_TWOS_COMPLEMENT (e) - _GL_SIGNED_INT_MAXIMUM (e) \ + : _GL_INT_CONVERT (e, 0)) +#define _GL_INT_MAXIMUM(e) \ + (_GL_INT_SIGNED (e) \ + ? _GL_SIGNED_INT_MAXIMUM (e) \ + : _GL_INT_NEGATE_CONVERT (e, 1)) +#define _GL_SIGNED_INT_MAXIMUM(e) \ + (((_GL_INT_CONVERT (e, 1) << (sizeof ((e) + 0) * CHAR_BIT - 2)) - 1) * 2 + 1) + +/* Return 1 if A * B would overflow in [MIN,MAX] arithmetic. + See above for restrictions. Avoid && and || as they tickle + bugs in Sun C 5.11 2010/08/13 and other compilers; see + <http://lists.gnu.org/archive/html/bug-gnulib/2011-05/msg00401.html>. */ +#define INT_MULTIPLY_RANGE_OVERFLOW(a, b, min, max) \ + ((b) < 0 \ + ? ((a) < 0 \ + ? (a) < (max) / (b) \ + : (b) == -1 \ + ? 0 \ + : (min) / (b) < (a)) \ + : (b) == 0 \ + ? 0 \ + : ((a) < 0 \ + ? (a) < (min) / (b) \ + : (max) / (b) < (a))) + +#define _GL_MULTIPLY_OVERFLOW(a, b, min, max) \ + (((min) == 0 && (((a) < 0 && 0 < (b)) || ((b) < 0 && 0 < (a)))) \ + || INT_MULTIPLY_RANGE_OVERFLOW (a, b, min, max)) + + +#define INT_MULTIPLY_OVERFLOW(a, b) \ + _GL_BINARY_OP_OVERFLOW (a, b, _GL_MULTIPLY_OVERFLOW) + +/* Return 1 if the expression A <op> B would overflow, + where OP_RESULT_OVERFLOW (A, B, MIN, MAX) does the actual test, + assuming MIN and MAX are the minimum and maximum for the result type. + Arguments should be free of side effects. */ +#define _GL_BINARY_OP_OVERFLOW(a, b, op_result_overflow) \ + op_result_overflow (a, b, \ + _GL_INT_MINIMUM (0 * (b) + (a)), \ + _GL_INT_MAXIMUM (0 * (b) + (a))) + +#endif /* _GL_INTPROPS_SUPP_H */ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org