Re: [libvirt] [PATCH] rpc: Fix crash on error paths of message dispatching
On 01/29/2013 07:05 PM, Jim Fehlig wrote:
>> Mention CVE-2013-0170 in the commit message, now that it is
public:
>> https://bugzilla.redhat.com/show_bug.cgi?id=893450
>>
>>>
>>> * rpc/virnetserverclient.c: virNetServerClientDispatchRead:
>>> - avoid use after free of RPC messages
>>> ---
>>> src/rpc/virnetserverclient.c | 3 +++
>>> 1 file changed, 3 insertions(+)
>>
>> ACK. Looks like we need this on {v0.10.2,v0.9.11,v0.9.6}-maint as well.
>
> Thanks. I added the CVE notice and pushed to upstream and the v0.10.2
> and v0.9.11 maint branches. v0.9.6 is not vulnerable. The problem was
> introduced in 0.9.7
Hi Peter,
Looks like 0.9.6 was vulnerable since this made its way to the
v0.9.6-maint branch as well. Do you happen to know when this was
introduced?
I did some more research:
The original problem was introduced in commit 4e00b1d (libvirt 0.9.3),
when we switched over to new RPC handling; there, we only had one faulty
error path. Later, commit 3ae0ab67 (libvirt 0.9.7) exacerbated the
problem, by adding two more faulty error paths. Peter's test case when
originally reporting the CVE was on one of the error paths added in
0.9.7, hence his claim that "the problem was introduced in 0.9.7"; but I
still think it is possible to trigger the remaining faulty error path
when targeting libvirt 0.9.3, and agree with Cole's backport to the
v0.9.6-maint branch.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Attachments:
- signature.asc (application/pgp-signature — 621 bytes)