From 155bc6583734853149118da5bdc5fd2361043f3b Mon Sep 17 00:00:00 2001 From: Changqing Li Date: Mon, 7 Aug 2023 14:42:32 +0800 Subject: libvirt: fix CVE-2023-3750/CVE-2023-2700 Signed-off-by: Changqing Li Signed-off-by: Bruce Ashfield --- .../libvirt/libvirt/CVE-2023-2700.patch | 54 ++++++++++++++++++++ .../libvirt/libvirt/CVE-2023-3750.patch | 59 ++++++++++++++++++++++ recipes-extended/libvirt/libvirt_9.2.0.bb | 2 + 3 files changed, 115 insertions(+) create mode 100644 recipes-extended/libvirt/libvirt/CVE-2023-2700.patch create mode 100644 recipes-extended/libvirt/libvirt/CVE-2023-3750.patch diff --git a/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch b/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch new file mode 100644 index 00000000..4711b1be --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch @@ -0,0 +1,54 @@ +From 1fc978bc032f53b61d00271d620d7fe1a134efe3 Mon Sep 17 00:00:00 2001 +From: Tim Shearer +Date: Mon, 1 May 2023 13:15:48 +0000 +Subject: [PATCH] virpci: Resolve leak in virPCIVirtualFunctionList cleanup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Repeatedly querying an SR-IOV PCI device's capabilities exposes a +memory leak caused by a failure to free the virPCIVirtualFunction +array within the parent struct's g_autoptr cleanup. + +Valgrind output after getting a single interface's XML description +1000 times: + +==325982== 256,000 bytes in 1,000 blocks are definitely lost in loss record 2,634 of 2,635 +==325982== at 0x4C3C096: realloc (vg_replace_malloc.c:1437) +==325982== by 0x59D952D: g_realloc (in /usr/lib64/libglib-2.0.so.0.5600.4) +==325982== by 0x4EE1F52: virReallocN (viralloc.c:52) +==325982== by 0x4EE1FB7: virExpandN (viralloc.c:78) +==325982== by 0x4EE219A: virInsertElementInternal (viralloc.c:183) +==325982== by 0x4EE23B2: virAppendElement (viralloc.c:288) +==325982== by 0x4F65D85: virPCIGetVirtualFunctionsFull (virpci.c:2389) +==325982== by 0x4F65753: virPCIGetVirtualFunctions (virpci.c:2256) +==325982== by 0x505CB75: virNodeDeviceGetPCISRIOVCaps (node_device_conf.c:2969) +==325982== by 0x505D181: virNodeDeviceGetPCIDynamicCaps (node_device_conf.c:3099) +==325982== by 0x505BC4E: virNodeDeviceUpdateCaps (node_device_conf.c:2677) +==325982== by 0x260FCBB2: nodeDeviceGetXMLDesc (node_device_driver.c:355) + +Signed-off-by: Tim Shearer +Reviewed-by: Ján Tomko + +CVE: CVE-2023-2700 +Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/6425a311b8ad19d6f9c0b315bf1d722551ea3585#874a1e768ade6ceb4538931cbc06248e73223306] +Signed-off-by: Changqing Li +--- + src/util/virpci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/util/virpci.c b/src/util/virpci.c +index 7800966..a44f70f 100644 +--- a/src/util/virpci.c ++++ b/src/util/virpci.c +@@ -2253,6 +2253,7 @@ virPCIVirtualFunctionListFree(virPCIVirtualFunctionList *list) + g_free(list->functions[i].ifname); + } + ++ g_free(list->functions); + g_free(list); + } + +-- +2.25.1 + diff --git a/recipes-extended/libvirt/libvirt/CVE-2023-3750.patch b/recipes-extended/libvirt/libvirt/CVE-2023-3750.patch new file mode 100644 index 00000000..13ead87b --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2023-3750.patch @@ -0,0 +1,59 @@ +From 3fe8b15323a4666564c519f32fd4ab072c472051 Mon Sep 17 00:00:00 2001 +From: Peter Krempa +Date: Thu, 13 Jul 2023 16:16:37 +0200 +Subject: [PATCH] storage: Fix returning of locked objects from + 'virStoragePoolObjListSearch' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2023-3750 + +'virStoragePoolObjListSearch' explicitly documents that it's returning +a pointer to a locked and ref'd pool that maches the lookup function. + +This was not the case as in commit 0c4b391e2a9 (released in +libvirt-8.3.0) the code was accidentally converted to use 'VIR_LOCK_GUARD' +which auto-unlocked it when leaving the scope, even when the code was +originally "leaking" the lock. + +Revert the corresponding conversion and add a comment that this function +is intentionally leaking a locked object. + +Fixes: 0c4b391e2a9 +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2221851 +Signed-off-by: Peter Krempa +Reviewed-by: Ján Tomko + +CVE: CVE-2023-3750 +Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/9a47442366fcf8a7b6d7422016d7bbb6764a1098] +Signed-off-by: Changqing Li +--- + src/conf/virstorageobj.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/conf/virstorageobj.c b/src/conf/virstorageobj.c +index 7010e97..59fa5da 100644 +--- a/src/conf/virstorageobj.c ++++ b/src/conf/virstorageobj.c +@@ -454,11 +454,16 @@ virStoragePoolObjListSearchCb(const void *payload, + virStoragePoolObj *obj = (virStoragePoolObj *) payload; + struct _virStoragePoolObjListSearchData *data = + (struct _virStoragePoolObjListSearchData *)opaque; +- VIR_LOCK_GUARD lock = virObjectLockGuard(obj); + ++ virObjectLock(obj); ++ ++ /* If we find the matching pool object we must return while the object is ++ * locked as the caller wants to return a locked object. */ + if (data->searcher(obj, data->opaque)) + return 1; + ++ virObjectUnlock(obj); ++ + return 0; + } + +-- +2.25.1 + diff --git a/recipes-extended/libvirt/libvirt_9.2.0.bb b/recipes-extended/libvirt/libvirt_9.2.0.bb index 5e704704..9f97aa11 100644 --- a/recipes-extended/libvirt/libvirt_9.2.0.bb +++ b/recipes-extended/libvirt/libvirt_9.2.0.bb @@ -30,6 +30,8 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \ file://gnutls-helper.py \ file://0001-prevent-gendispatch.pl-generating-build-path-in-code.patch \ file://0001-messon.build-remove-build-path-information-to-avoid-.patch \ + file://CVE-2023-3750.patch \ + file://CVE-2023-2700.patch \ " SRC_URI[libvirt.sha256sum] = "a07f501e99093ac1374888312be32182e799de17407ed7547d0e469fae8188c5" -- cgit v1.2.3-54-g00ecf