
On 3/21/24 01:53, Daniel P. Berrangé wrote:
While the C API entry points will validate non-negative lengths for various parameters, the RPC server de-serialization code will need to allocate memory for arrays before entering the C API. These allocations will thus happen before the non-negative length check is performed.
Passing a negative length to the g_new0 function will usually result in a crash due to the negative length being treated as a huge positive number.
This was found and diagnosed by ALT Linux Team with AFLplusplus.
CVE-2024-2494
Found-by: Alexandr Shashkin <dutyrok@altlinux.org>
Co-developed-by: Alexander Kuznetsov <kuznetsovam@altlinux.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 src/remote/remote_daemon_dispatch.c | 65 +++++++++++++++++++++++++++++
 src/rpc/gendispatch.pl              |  5 +++
 2 files changed, 70 insertions(+)
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Michal
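The ordering problem described in the commit message, as an added example that is not part of the thread or of libvirt's code: a dispatcher-side helper that rejects a negative client-supplied length before allocating. The names `alloc_reply_array` and `EXAMPLE_MAX_ITEMS` are hypothetical, plain `calloc` stands in for `g_new0` so the block has no GLib dependency, and the upper-bound check goes beyond the non-negative check the message mentions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cap; a real RPC protocol defines its own per-array maximum. */
#define EXAMPLE_MAX_ITEMS 1024

/* What an allocator receives when a signed wire length is used as a count. */
size_t count_as_allocator_sees_it(int wire_len)
{
    return (size_t)wire_len;    /* -1 converts to SIZE_MAX */
}

/*
 * Hypothetical dispatcher helper: validate the client-supplied length
 * BEFORE allocating, because the API-level check runs only after the
 * array already exists. Returns 0 on success, -1 on rejection.
 */
int alloc_reply_array(int wire_len, int **out)
{
    *out = NULL;
    if (wire_len < 0) {
        fprintf(stderr, "rejected: negative length %d\n", wire_len);
        return -1;
    }
    if (wire_len > EXAMPLE_MAX_ITEMS) {
        fprintf(stderr, "rejected: length %d exceeds cap\n", wire_len);
        return -1;
    }
    /* Zero-length requests still get a valid one-element buffer. */
    *out = calloc(wire_len ? (size_t)wire_len : 1, sizeof(**out));
    return *out ? 0 : -1;
}

int main(void)
{
    const int samples[] = { 16, 0, -1, 5000 };  /* constructed inputs */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int *buf;
        int rc = alloc_reply_array(samples[i], &buf);
        printf("len=%d as size_t=%zu -> %s\n", samples[i],
               count_as_allocator_sees_it(samples[i]),
               rc == 0 ? "allocated" : "rejected");
        free(buf);
    }
    return 0;
}
```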