On 11/7/25 12:26, Martin Kletzander via Devel wrote:
> ACL checks were performed after parsing a user provided XML in its entirety
> which could be written in a way that would make libvirt allocate too much
> memory and crash.
>
> Instead parse just the identifiers out of which only name and UUID are
> needed for ACL checks, perform those and then parse the whole definition.
> In order not to pass bogus UUID to the ACL functions, rewrite any generated
> UUID in the first step with a nil UUID since the ACLs cannot be written to
> expect a particular generated UUID as that would not make sense.
>
> If squashing the patches is preferred, let me know.
>
> Fixes: CVE-2025-12748
> Reported-by: Святослав Терешин <s.tereshin@fobos-nt.ru>
>
> Martin Kletzander (7):
>   conf: Add virDomainDefIDsParseString
>   bhyve: Check ACLs before parsing the whole domain XML
>   libxl: Check ACLs before parsing the whole domain XML
>   lxc: Check ACLs before parsing the whole domain XML
>   vz: Check ACLs before parsing the whole domain XML
>   ch: Check ACLs before parsing the whole domain XML
>   qemu: Check ACLs before parsing the whole domain XML
>
>  src/bhyve/bhyve_driver.c  | 24 ++++++++---
>  src/ch/ch_driver.c        | 76 +++++++++++++++++++++++----------
>  src/conf/domain_conf.c    | 29 +++++++++++++
>  src/conf/domain_conf.h    |  3 ++
>  src/libvirt_private.syms  |  1 +
>  src/libxl/libxl_driver.c  | 20 ++++++---
>  src/lxc/lxc_driver.c      | 22 +++++++---
>  src/qemu/qemu_driver.c    | 90 ++++++++++++++++++++-------------------
>  src/qemu/qemu_migration.c | 21 ++++++++-
>  src/qemu/qemu_migration.h |  4 +-
>  src/qemu/qemu_saveimage.c | 25 +++++++++--
>  src/qemu/qemu_saveimage.h |  4 +-
>  src/qemu/qemu_snapshot.c  |  4 +-
>  src/vz/vz_driver.c        | 18 +++++---
>  14 files changed, 243 insertions(+), 98 deletions(-)
You get bonus points for fixing save image code in CH driver, but that's sooo broken anyways that basically we're unable to restore from a saved image anyway. But hey, at least we don't deplete memory :-D

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Michal
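As an added illustration of the two-phase approach the cover letter describes (this is constructed example code, not libvirt's own and not the series' virDomainDefIDsParseString): phase 1 extracts only the name and UUID, substitutes the nil UUID when the XML carries none, runs the ACL check, and only then does the expensive definition build run. The per-vCPU allocation, the ACL table and the sample XML are assumptions made for the demonstration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from uuid import uuid4

# Nil UUID stands in for the random UUID a full parse would generate when
# <uuid> is absent: an ACL rule cannot sensibly name a not-yet-generated UUID.
NIL_UUID = "00000000-0000-0000-0000-000000000000"

@dataclass
class DomainIDs:
    name: str
    uuid: str

@dataclass
class DomainDef:
    name: str
    uuid: str
    vcpus: list = field(default_factory=list)  # one entry per declared vCPU

# Constructed sample inputs and ACL table (assumptions, not libvirt data).
XML_WITH_UUID = ("<domain type='kvm'><name>demo</name>"
                 "<uuid>11111111-2222-3333-4444-555555555555</uuid>"
                 "<vcpu>8</vcpu></domain>")
XML_NO_UUID = "<domain type='kvm'><name>demo</name><vcpu>4</vcpu></domain>"
ACL = {"alice": {"demo"}}          # identity -> domain names it may define
STATS = {"full_parses": 0}         # how often phase 2 ran

def parse_domain_ids(xml_text: str) -> DomainIDs:
    """Phase 1: only <name> and <uuid>. Cost is bounded by the request size
    the server already accepted, not by what the XML declares."""
    root = ET.fromstring(xml_text)
    name = (root.findtext("name") or "").strip()
    if not name:
        raise ValueError("domain XML has no <name>")
    uuid_str = (root.findtext("uuid") or "").strip().lower()
    return DomainIDs(name, uuid_str or NIL_UUID)

def build_domain_def(xml_text: str) -> DomainDef:
    """Phase 2: the full parse. Stand-in for a definition parser whose
    allocations scale with declared values such as the vCPU count."""
    root = ET.fromstring(xml_text)
    ids = parse_domain_ids(xml_text)
    real_uuid = ids.uuid if ids.uuid != NIL_UUID else str(uuid4())
    count = int(root.findtext("vcpu") or "1")
    return DomainDef(ids.name, real_uuid, [{"id": i} for i in range(count)])

def define_domain(identity: str, xml_text: str, acl: dict):
    """Returns the built definition, or None when the ACL denies the caller
    (decided before any of the expensive allocation happens)."""
    ids = parse_domain_ids(xml_text)
    if ids.name not in acl.get(identity, set()):
        return None
    STATS["full_parses"] += 1
    return build_domain_def(xml_text)
```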