diff options
author | Changqing Li <changqing.li@windriver.com> | 2023-08-07 14:42:32 +0800 |
---|---|---|
committer | Bruce Ashfield <bruce.ashfield@gmail.com> | 2023-08-12 03:28:14 +0000 |
commit | 155bc6583734853149118da5bdc5fd2361043f3b (patch) | |
tree | bea9912ed183a4234aecc7c3f937b7d2ecb44df9 | |
parent | b2bac21615b16dfd281646ee8b0f1e384981633e (diff) | |
download | meta-virtualization-155bc6583734853149118da5bdc5fd2361043f3b.tar.gz |
libvirt: fix CVE-2023-3750/CVE-2023-2700
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
-rw-r--r-- | recipes-extended/libvirt/libvirt/CVE-2023-2700.patch | 54 | ||||
-rw-r--r-- | recipes-extended/libvirt/libvirt/CVE-2023-3750.patch | 59 | ||||
-rw-r--r-- | recipes-extended/libvirt/libvirt_9.2.0.bb | 2 |
3 files changed, 115 insertions, 0 deletions
diff --git a/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch b/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch new file mode 100644 index 00000000..4711b1be --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch | |||
@@ -0,0 +1,54 @@ | |||
1 | From 1fc978bc032f53b61d00271d620d7fe1a134efe3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Tim Shearer <TShearer@adva.com> | ||
3 | Date: Mon, 1 May 2023 13:15:48 +0000 | ||
4 | Subject: [PATCH] virpci: Resolve leak in virPCIVirtualFunctionList cleanup | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Repeatedly querying an SR-IOV PCI device's capabilities exposes a | ||
10 | memory leak caused by a failure to free the virPCIVirtualFunction | ||
11 | array within the parent struct's g_autoptr cleanup. | ||
12 | |||
13 | Valgrind output after getting a single interface's XML description | ||
14 | 1000 times: | ||
15 | |||
16 | ==325982== 256,000 bytes in 1,000 blocks are definitely lost in loss record 2,634 of 2,635 | ||
17 | ==325982== at 0x4C3C096: realloc (vg_replace_malloc.c:1437) | ||
18 | ==325982== by 0x59D952D: g_realloc (in /usr/lib64/libglib-2.0.so.0.5600.4) | ||
19 | ==325982== by 0x4EE1F52: virReallocN (viralloc.c:52) | ||
20 | ==325982== by 0x4EE1FB7: virExpandN (viralloc.c:78) | ||
21 | ==325982== by 0x4EE219A: virInsertElementInternal (viralloc.c:183) | ||
22 | ==325982== by 0x4EE23B2: virAppendElement (viralloc.c:288) | ||
23 | ==325982== by 0x4F65D85: virPCIGetVirtualFunctionsFull (virpci.c:2389) | ||
24 | ==325982== by 0x4F65753: virPCIGetVirtualFunctions (virpci.c:2256) | ||
25 | ==325982== by 0x505CB75: virNodeDeviceGetPCISRIOVCaps (node_device_conf.c:2969) | ||
26 | ==325982== by 0x505D181: virNodeDeviceGetPCIDynamicCaps (node_device_conf.c:3099) | ||
27 | ==325982== by 0x505BC4E: virNodeDeviceUpdateCaps (node_device_conf.c:2677) | ||
28 | ==325982== by 0x260FCBB2: nodeDeviceGetXMLDesc (node_device_driver.c:355) | ||
29 | |||
30 | Signed-off-by: Tim Shearer <tshearer@adva.com> | ||
31 | Reviewed-by: Ján Tomko <jtomko@redhat.com> | ||
32 | |||
33 | CVE: CVE-2023-2700 | ||
34 | Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/6425a311b8ad19d6f9c0b315bf1d722551ea3585#874a1e768ade6ceb4538931cbc06248e73223306] | ||
35 | Signed-off-by: Changqing Li <changqing.li@windriver.com> | ||
36 | --- | ||
37 | src/util/virpci.c | 1 + | ||
38 | 1 file changed, 1 insertion(+) | ||
39 | |||
40 | diff --git a/src/util/virpci.c b/src/util/virpci.c | ||
41 | index 7800966..a44f70f 100644 | ||
42 | --- a/src/util/virpci.c | ||
43 | +++ b/src/util/virpci.c | ||
44 | @@ -2253,6 +2253,7 @@ virPCIVirtualFunctionListFree(virPCIVirtualFunctionList *list) | ||
45 | g_free(list->functions[i].ifname); | ||
46 | } | ||
47 | |||
48 | + g_free(list->functions); | ||
49 | g_free(list); | ||
50 | } | ||
51 | |||
52 | -- | ||
53 | 2.25.1 | ||
54 | |||
diff --git a/recipes-extended/libvirt/libvirt/CVE-2023-3750.patch b/recipes-extended/libvirt/libvirt/CVE-2023-3750.patch new file mode 100644 index 00000000..13ead87b --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2023-3750.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | From 3fe8b15323a4666564c519f32fd4ab072c472051 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Krempa <pkrempa@redhat.com> | ||
3 | Date: Thu, 13 Jul 2023 16:16:37 +0200 | ||
4 | Subject: [PATCH] storage: Fix returning of locked objects from | ||
5 | 'virStoragePoolObjListSearch' | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | CVE-2023-3750 | ||
11 | |||
12 | 'virStoragePoolObjListSearch' explicitly documents that it's returning | ||
13 | a pointer to a locked and ref'd pool that maches the lookup function. | ||
14 | |||
15 | This was not the case as in commit 0c4b391e2a9 (released in | ||
16 | libvirt-8.3.0) the code was accidentally converted to use 'VIR_LOCK_GUARD' | ||
17 | which auto-unlocked it when leaving the scope, even when the code was | ||
18 | originally "leaking" the lock. | ||
19 | |||
20 | Revert the corresponding conversion and add a comment that this function | ||
21 | is intentionally leaking a locked object. | ||
22 | |||
23 | Fixes: 0c4b391e2a9 | ||
24 | Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2221851 | ||
25 | Signed-off-by: Peter Krempa <pkrempa@redhat.com> | ||
26 | Reviewed-by: Ján Tomko <jtomko@redhat.com> | ||
27 | |||
28 | CVE: CVE-2023-3750 | ||
29 | Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/9a47442366fcf8a7b6d7422016d7bbb6764a1098] | ||
30 | Signed-off-by: Changqing Li <changqing.li@windriver.com> | ||
31 | --- | ||
32 | src/conf/virstorageobj.c | 7 ++++++- | ||
33 | 1 file changed, 6 insertions(+), 1 deletion(-) | ||
34 | |||
35 | diff --git a/src/conf/virstorageobj.c b/src/conf/virstorageobj.c | ||
36 | index 7010e97..59fa5da 100644 | ||
37 | --- a/src/conf/virstorageobj.c | ||
38 | +++ b/src/conf/virstorageobj.c | ||
39 | @@ -454,11 +454,16 @@ virStoragePoolObjListSearchCb(const void *payload, | ||
40 | virStoragePoolObj *obj = (virStoragePoolObj *) payload; | ||
41 | struct _virStoragePoolObjListSearchData *data = | ||
42 | (struct _virStoragePoolObjListSearchData *)opaque; | ||
43 | - VIR_LOCK_GUARD lock = virObjectLockGuard(obj); | ||
44 | |||
45 | + virObjectLock(obj); | ||
46 | + | ||
47 | + /* If we find the matching pool object we must return while the object is | ||
48 | + * locked as the caller wants to return a locked object. */ | ||
49 | if (data->searcher(obj, data->opaque)) | ||
50 | return 1; | ||
51 | |||
52 | + virObjectUnlock(obj); | ||
53 | + | ||
54 | return 0; | ||
55 | } | ||
56 | |||
57 | -- | ||
58 | 2.25.1 | ||
59 | |||
diff --git a/recipes-extended/libvirt/libvirt_9.2.0.bb b/recipes-extended/libvirt/libvirt_9.2.0.bb index 5e704704..9f97aa11 100644 --- a/recipes-extended/libvirt/libvirt_9.2.0.bb +++ b/recipes-extended/libvirt/libvirt_9.2.0.bb | |||
@@ -30,6 +30,8 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \ | |||
30 | file://gnutls-helper.py \ | 30 | file://gnutls-helper.py \ |
31 | file://0001-prevent-gendispatch.pl-generating-build-path-in-code.patch \ | 31 | file://0001-prevent-gendispatch.pl-generating-build-path-in-code.patch \ |
32 | file://0001-messon.build-remove-build-path-information-to-avoid-.patch \ | 32 | file://0001-messon.build-remove-build-path-information-to-avoid-.patch \ |
33 | file://CVE-2023-3750.patch \ | ||
34 | file://CVE-2023-2700.patch \ | ||
33 | " | 35 | " |
34 | 36 | ||
35 | SRC_URI[libvirt.sha256sum] = "a07f501e99093ac1374888312be32182e799de17407ed7547d0e469fae8188c5" | 37 | SRC_URI[libvirt.sha256sum] = "a07f501e99093ac1374888312be32182e799de17407ed7547d0e469fae8188c5" |