libvirt: Backport fix for CVE-2024-2494

Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/8a3f8d957507c1f8223fdcf25a3ff885b15557f2] Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
author: Ashish Sharma <asharma@mvista.com> 2024-05-22 07:28:33 +0530
committer: Bruce Ashfield <bruce.ashfield@gmail.com> 2024-05-28 19:10:32 +0000
commit: 69f5a594ce90c601121fb640dbb2a9603ee1aadd (patch)
tree: 62b2a18d1090567e07d2d22c51d21dc61ac48dc7
parent: 8f0eb65edaf6d280294c33446a9bb073a50b8c14 (diff)
download: meta-virtualization-69f5a594ce90c601121fb640dbb2a9603ee1aadd.tar.gz
2 files changed, 221 insertions, 0 deletions
diff --git a/recipes-extended/libvirt/libvirt/CVE-2024-2494.patch b/recipes-extended/libvirt/libvirt/CVE-2024-2494.patch
new file mode 100644
index 00000000..99c5eec9
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2024-2494.patch
@@ -0,0 +1,220 @@
+From 8a3f8d957507c1f8223fdcf25a3ff885b15557f2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Fri, 15 Mar 2024 10:47:50 +0000
+Subject: [PATCH] remote: check for negative array lengths before allocation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+While the C API entry points will validate non-negative lengths
+for various parameters, the RPC server de-serialization code
+will need to allocate memory for arrays before entering the C
+API. These allocations will thus happen before the non-negative
+length check is performed.
+Passing a negative length to the g_new0 function will usually
+result in a crash due to the negative length being treated as
+a huge positive number.
+This was found and diagnosed by ALT Linux Team with AFLplusplus.
+CVE-2024-2494
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+Found-by: Alexandr Shashkin <dutyrok@altlinux.org>
+Co-developed-by: Alexander Kuznetsov <kuznetsovam@altlinux.org>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+CVE: CVE-2024-2494
+Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/8a3f8d957507c1f8223fdcf25a3ff885b15557f2]
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+ src/remote/remote_daemon_dispatch.c | 65 +++++++++++++++++++++++++++++
+ src/rpc/gendispatch.pl              |  5 +++
+ 2 files changed, 70 insertions(+)
+diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c
+index aaabd1e56c..01dcac4b12 100644
+--- a/src/remote/remote_daemon_dispatch.c
+++ b/src/remote/remote_daemon_dispatch.c
+@@ -2291,6 +2291,10 @@ remoteDispatchDomainGetSchedulerParameters(virNetServer *server G_GNUC_UNUSED,
+     if (!conn)
+         goto cleanup;
+ 
+    if (args->nparams < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+        goto cleanup;
+    }
+     if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+@@ -2339,6 +2343,10 @@ remoteDispatchDomainGetSchedulerParametersFlags(virNetServer *server G_GNUC_UNUS
+     if (!conn)
+         goto cleanup;
+ 
+    if (args->nparams < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+        goto cleanup;
+    }
+     if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+@@ -2497,6 +2505,10 @@ remoteDispatchDomainBlockStatsFlags(virNetServer *server G_GNUC_UNUSED,
+         goto cleanup;
+     flags = args->flags;
+ 
+    if (args->nparams < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+        goto cleanup;
+    }
+     if (args->nparams > REMOTE_DOMAIN_BLOCK_STATS_PARAMETERS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+@@ -2717,6 +2729,14 @@ remoteDispatchDomainGetVcpuPinInfo(virNetServer *server G_GNUC_UNUSED,
+     if (!(dom = get_nonnull_domain(conn, args->dom)))
+         goto cleanup;
+ 
+    if (args->ncpumaps < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps must be non-negative"));
+        goto cleanup;
+    }
+    if (args->maplen < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative"));
+        goto cleanup;
+    }
+     if (args->ncpumaps > REMOTE_VCPUINFO_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps > REMOTE_VCPUINFO_MAX"));
+         goto cleanup;
+@@ -2811,6 +2831,11 @@ remoteDispatchDomainGetEmulatorPinInfo(virNetServer *server G_GNUC_UNUSED,
+     if (!(dom = get_nonnull_domain(conn, args->dom)))
+         goto cleanup;
+ 
+    if (args->maplen < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative"));
+        goto cleanup;
+    }
+
+     /* Allocate buffers to take the results */
+     if (args->maplen > 0)
+         cpumaps = g_new0(unsigned char, args->maplen);
+@@ -2858,6 +2883,14 @@ remoteDispatchDomainGetVcpus(virNetServer *server G_GNUC_UNUSED,
+     if (!(dom = get_nonnull_domain(conn, args->dom)))
+         goto cleanup;
+ 
+    if (args->maxinfo < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be non-negative"));
+        goto cleanup;
+    }
+    if (args->maplen < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be non-negative"));
+        goto cleanup;
+    }
+     if (args->maxinfo > REMOTE_VCPUINFO_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo > REMOTE_VCPUINFO_MAX"));
+         goto cleanup;
+@@ -3096,6 +3129,10 @@ remoteDispatchDomainGetMemoryParameters(virNetServer *server G_GNUC_UNUSED,
+ 
+     flags = args->flags;
+ 
+    if (args->nparams < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+        goto cleanup;
+    }
+     if (args->nparams > REMOTE_DOMAIN_MEMORY_PARAMETERS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+@@ -3156,6 +3193,10 @@ remoteDispatchDomainGetNumaParameters(virNetServer *server G_GNUC_UNUSED,
+ 
+     flags = args->flags;
+ 
+    if (args->nparams < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+        goto cleanup;
+    }
+     if (args->nparams > REMOTE_DOMAIN_NUMA_PARAMETERS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+@@ -3216,6 +3257,10 @@ remoteDispatchDomainGetBlkioParameters(virNetServer *server G_GNUC_UNUSED,
+ 
+     flags = args->flags;
+ 
+    if (args->nparams < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+        goto cleanup;
+    }
+     if (args->nparams > REMOTE_DOMAIN_BLKIO_PARAMETERS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+@@ -3277,6 +3322,10 @@ remoteDispatchNodeGetCPUStats(virNetServer *server G_GNUC_UNUSED,
+ 
+     flags = args->flags;
+ 
+    if (args->nparams < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+        goto cleanup;
+    }
+     if (args->nparams > REMOTE_NODE_CPU_STATS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+@@ -3339,6 +3388,10 @@ remoteDispatchNodeGetMemoryStats(virNetServer *server G_GNUC_UNUSED,
+ 
+     flags = args->flags;
+ 
+    if (args->nparams < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+        goto cleanup;
+    }
+     if (args->nparams > REMOTE_NODE_MEMORY_STATS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+@@ -3514,6 +3567,10 @@ remoteDispatchDomainGetBlockIoTune(virNetServer *server G_GNUC_UNUSED,
+     if (!conn)
+         goto cleanup;
+ 
+    if (args->nparams < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+        goto cleanup;
+    }
+     if (args->nparams > REMOTE_DOMAIN_BLOCK_IO_TUNE_PARAMETERS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+@@ -5081,6 +5138,10 @@ remoteDispatchDomainGetInterfaceParameters(virNetServer *server G_GNUC_UNUSED,
+ 
+     flags = args->flags;
+ 
+    if (args->nparams < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+        goto cleanup;
+    }
+     if (args->nparams > REMOTE_DOMAIN_INTERFACE_PARAMETERS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+@@ -5301,6 +5362,10 @@ remoteDispatchNodeGetMemoryParameters(virNetServer *server G_GNUC_UNUSED,
+ 
+     flags = args->flags;
+ 
+    if (args->nparams < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+        goto cleanup;
+    }
+     if (args->nparams > REMOTE_NODE_MEMORY_PARAMETERS_MAX) {
+         virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+         goto cleanup;
+diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl
+index 5ce988c5ae..c5842dc796 100755
+--- a/src/rpc/gendispatch.pl
+++ b/src/rpc/gendispatch.pl
+@@ -1070,6 +1070,11 @@ elsif ($mode eq "server") {
+         print "\n";
+ 
+         if ($single_ret_as_list) {
+            print "    if (args->$single_ret_list_max_var < 0) {\n";
+            print "        virReportError(VIR_ERR_RPC,\n";
+            print "                       \"%s\", _(\"max$single_ret_list_name must be non-negative\"));\n";
+            print "        goto cleanup;\n";
+            print "    }\n";
+             print "    if (args->$single_ret_list_max_var > $single_ret_list_max_define) {\n";
+             print "        virReportError(VIR_ERR_RPC,\n";
+             print "                       \"%s\", _(\"max$single_ret_list_name > $single_ret_list_max_define\"));\n";
+-- 
+GitLab
diff --git a/recipes-extended/libvirt/libvirt_8.1.0.bb b/recipes-extended/libvirt/libvirt_8.1.0.bb
index 63cf4914..a88e0ee3 100644
--- a/recipes-extended/libvirt/libvirt_8.1.0.bb
+++ b/recipes-extended/libvirt/libvirt_8.1.0.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
           file://gnutls-helper.py \
           file://0001-qemu-segmentation-fault-in-virtqemud-executing-qemuD.patch \
           file://CVE-2023-2700.patch \
+           file://CVE-2024-2494.patch \
          "
 SRC_URI[libvirt.sha256sum] = "3c6c43becffeb34a3f397c616206aa69a893ff8bf5e8208393c84e8e75352934"
author	Ashish Sharma <asharma@mvista.com>	2024-05-22 07:28:33 +0530
committer	Bruce Ashfield <bruce.ashfield@gmail.com>	2024-05-28 19:10:32 +0000
commit	69f5a594ce90c601121fb640dbb2a9603ee1aadd (patch)
tree	62b2a18d1090567e07d2d22c51d21dc61ac48dc7
parent	8f0eb65edaf6d280294c33446a9bb073a50b8c14 (diff)
download	meta-virtualization-69f5a594ce90c601121fb640dbb2a9603ee1aadd.tar.gz

diff --git a/recipes-extended/libvirt/libvirt/CVE-2024-2494.patch b/recipes-extended/libvirt/libvirt/CVE-2024-2494.patch new file mode 100644 index 00000000..99c5eec9 --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2024-2494.patch
@@ -0,0 +1,220 @@
		1	From 8a3f8d957507c1f8223fdcf25a3ff885b15557f2 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
		3	Date: Fri, 15 Mar 2024 10:47:50 +0000
		4	Subject: [PATCH] remote: check for negative array lengths before allocation
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	While the C API entry points will validate non-negative lengths
		10	for various parameters, the RPC server de-serialization code
		11	will need to allocate memory for arrays before entering the C
		12	API. These allocations will thus happen before the non-negative
		13	length check is performed.
		14
		15	Passing a negative length to the g_new0 function will usually
		16	result in a crash due to the negative length being treated as
		17	a huge positive number.
		18
		19	This was found and diagnosed by ALT Linux Team with AFLplusplus.
		20
		21	CVE-2024-2494
		22	Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
		23	Found-by: Alexandr Shashkin <dutyrok@altlinux.org>
		24	Co-developed-by: Alexander Kuznetsov <kuznetsovam@altlinux.org>
		25	Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
		26
		27	CVE: CVE-2024-2494
		28	Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/8a3f8d957507c1f8223fdcf25a3ff885b15557f2]
		29	Signed-off-by: Ashish Sharma <asharma@mvista.com>
		30
		31	src/remote/remote_daemon_dispatch.c \| 65 +++++++++++++++++++++++++++++
		32	src/rpc/gendispatch.pl \| 5 +++
		33	2 files changed, 70 insertions(+)
		34
		35	diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c
		36	index aaabd1e56c..01dcac4b12 100644
		37	--- a/src/remote/remote_daemon_dispatch.c
		38	+++ b/src/remote/remote_daemon_dispatch.c
		39	@@ -2291,6 +2291,10 @@ remoteDispatchDomainGetSchedulerParameters(virNetServer *server G_GNUC_UNUSED,
		40	if (!conn)
		41	goto cleanup;
		42
		43	+ if (args->nparams < 0) {
		44	+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
		45	+ goto cleanup;
		46	+ }
		47	if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) {
		48	virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
		49	goto cleanup;
		50	@@ -2339,6 +2343,10 @@ remoteDispatchDomainGetSchedulerParametersFlags(virNetServer *server G_GNUC_UNUS
		51	if (!conn)
		52	goto cleanup;
		53
		54	+ if (args->nparams < 0) {
		55	+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
		56	+ goto cleanup;
		57	+ }
		58	if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) {
		59	virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
		60	goto cleanup;
		61	@@ -2497,6 +2505,10 @@ remoteDispatchDomainBlockStatsFlags(virNetServer *server G_GNUC_UNUSED,
		62	goto cleanup;
		63	flags = args->flags;
		64
		65	+ if (args->nparams < 0) {
		66	+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
		67	+ goto cleanup;
		68	+ }
		69	if (args->nparams > REMOTE_DOMAIN_BLOCK_STATS_PARAMETERS_MAX) {
		70	virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
		71	goto cleanup;
		72	@@ -2717,6 +2729,14 @@ remoteDispatchDomainGetVcpuPinInfo(virNetServer *server G_GNUC_UNUSED,
		73	if (!(dom = get_nonnull_domain(conn, args->dom)))
		74	goto cleanup;
		75
		76	+ if (args->ncpumaps < 0) {
		77	+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps must be non-negative"));
		78	+ goto cleanup;
		79	+ }
		80	+ if (args->maplen < 0) {
		81	+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative"));
		82	+ goto cleanup;
		83	+ }
		84	if (args->ncpumaps > REMOTE_VCPUINFO_MAX) {
		85	virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps > REMOTE_VCPUINFO_MAX"));
		86	goto cleanup;
		87	@@ -2811,6 +2831,11 @@ remoteDispatchDomainGetEmulatorPinInfo(virNetServer *server G_GNUC_UNUSED,
		88	if (!(dom = get_nonnull_domain(conn, args->dom)))
		89	goto cleanup;
		90
		91	+ if (args->maplen < 0) {
		92	+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative"));
		93	+ goto cleanup;
		94	+ }
		95	+
		96	/* Allocate buffers to take the results */
		97	if (args->maplen > 0)
		98	cpumaps = g_new0(unsigned char, args->maplen);
		99	@@ -2858,6 +2883,14 @@ remoteDispatchDomainGetVcpus(virNetServer *server G_GNUC_UNUSED,
		100	if (!(dom = get_nonnull_domain(conn, args->dom)))
		101	goto cleanup;
		102
		103	+ if (args->maxinfo < 0) {
		104	+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be non-negative"));
		105	+ goto cleanup;
		106	+ }
		107	+ if (args->maplen < 0) {
		108	+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be non-negative"));
		109	+ goto cleanup;
		110	+ }
		111	if (args->maxinfo > REMOTE_VCPUINFO_MAX) {
		112	virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo > REMOTE_VCPUINFO_MAX"));
		113	goto cleanup;
		114	@@ -3096,6 +3129,10 @@ remoteDispatchDomainGetMemoryParameters(virNetServer *server G_GNUC_UNUSED,
		115
		116	flags = args->flags;
		117
		118	+ if (args->nparams < 0) {
		119	+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
		120	+ goto cleanup;
		121	+ }
		122	if (args->nparams > REMOTE_DOMAIN_MEMORY_PARAMETERS_MAX) {
		123	virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
		124	goto cleanup;
		125	@@ -3156,6 +3193,10 @@ remoteDispatchDomainGetNumaParameters(virNetServer *server G_GNUC_UNUSED,
		126
		127	flags = args->flags;
		128
		129	+ if (args->nparams < 0) {
		130	+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
		131	+ goto cleanup;
		132	+ }
		133	if (args->nparams > REMOTE_DOMAIN_NUMA_PARAMETERS_MAX) {
		134	virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
		135	goto cleanup;
		136	@@ -3216,6 +3257,10 @@ remoteDispatchDomainGetBlkioParameters(virNetServer *server G_GNUC_UNUSED,
		137
		138	flags = args->flags;
		139
		140	+ if (args->nparams < 0) {
		141	+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
		142	+ goto cleanup;
		143	+ }
		144	if (args->nparams > REMOTE_DOMAIN_BLKIO_PARAMETERS_MAX) {
		145	virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
		146	goto cleanup;
		147	@@ -3277,6 +3322,10 @@ remoteDispatchNodeGetCPUStats(virNetServer *server G_GNUC_UNUSED,
		148
		149	flags = args->flags;
		150
		151	+ if (args->nparams < 0) {
		152	+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
		153	+ goto cleanup;
		154	+ }
		155	if (args->nparams > REMOTE_NODE_CPU_STATS_MAX) {
		156	virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
		157	goto cleanup;
		158	@@ -3339,6 +3388,10 @@ remoteDispatchNodeGetMemoryStats(virNetServer *server G_GNUC_UNUSED,
		159
		160	flags = args->flags;
		161
		162	+ if (args->nparams < 0) {
		163	+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
		164	+ goto cleanup;
		165	+ }
		166	if (args->nparams > REMOTE_NODE_MEMORY_STATS_MAX) {
		167	virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
		168	goto cleanup;
		169	@@ -3514,6 +3567,10 @@ remoteDispatchDomainGetBlockIoTune(virNetServer *server G_GNUC_UNUSED,
		170	if (!conn)
		171	goto cleanup;
		172
		173	+ if (args->nparams < 0) {
		174	+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
		175	+ goto cleanup;
		176	+ }
		177	if (args->nparams > REMOTE_DOMAIN_BLOCK_IO_TUNE_PARAMETERS_MAX) {
		178	virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
		179	goto cleanup;
		180	@@ -5081,6 +5138,10 @@ remoteDispatchDomainGetInterfaceParameters(virNetServer *server G_GNUC_UNUSED,
		181
		182	flags = args->flags;
		183
		184	+ if (args->nparams < 0) {
		185	+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
		186	+ goto cleanup;
		187	+ }
		188	if (args->nparams > REMOTE_DOMAIN_INTERFACE_PARAMETERS_MAX) {
		189	virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
		190	goto cleanup;
		191	@@ -5301,6 +5362,10 @@ remoteDispatchNodeGetMemoryParameters(virNetServer *server G_GNUC_UNUSED,
		192
		193	flags = args->flags;
		194
		195	+ if (args->nparams < 0) {
		196	+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
		197	+ goto cleanup;
		198	+ }
		199	if (args->nparams > REMOTE_NODE_MEMORY_PARAMETERS_MAX) {
		200	virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
		201	goto cleanup;
		202	diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl
		203	index 5ce988c5ae..c5842dc796 100755
		204	--- a/src/rpc/gendispatch.pl
		205	+++ b/src/rpc/gendispatch.pl
		206	@@ -1070,6 +1070,11 @@ elsif ($mode eq "server") {
		207	print "\n";
		208
		209	if ($single_ret_as_list) {
		210	+ print " if (args->$single_ret_list_max_var < 0) {\n";
		211	+ print " virReportError(VIR_ERR_RPC,\n";
		212	+ print " \"%s\", _(\"max$single_ret_list_name must be non-negative\"));\n";
		213	+ print " goto cleanup;\n";
		214	+ print " }\n";
		215	print " if (args->$single_ret_list_max_var > $single_ret_list_max_define) {\n";
		216	print " virReportError(VIR_ERR_RPC,\n";
		217	print " \"%s\", _(\"max$single_ret_list_name > $single_ret_list_max_define\"));\n";
		218	--
		219	GitLab
		220


diff --git a/recipes-extended/libvirt/libvirt_8.1.0.bb b/recipes-extended/libvirt/libvirt_8.1.0.bb index 63cf4914..a88e0ee3 100644 --- a/recipes-extended/libvirt/libvirt_8.1.0.bb +++ b/recipes-extended/libvirt/libvirt_8.1.0.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
30	file://gnutls-helper.py \	30	file://gnutls-helper.py \
31	file://0001-qemu-segmentation-fault-in-virtqemud-executing-qemuD.patch \	31	file://0001-qemu-segmentation-fault-in-virtqemud-executing-qemuD.patch \
32	file://CVE-2023-2700.patch \	32	file://CVE-2023-2700.patch \
		33	file://CVE-2024-2494.patch \
33	"	34	"
34		35
35	SRC_URI[libvirt.sha256sum] = "3c6c43becffeb34a3f397c616206aa69a893ff8bf5e8208393c84e8e75352934"	36	SRC_URI[libvirt.sha256sum] = "3c6c43becffeb34a3f397c616206aa69a893ff8bf5e8208393c84e8e75352934"