libvirt: Fix CVE-2024-1441 and CVE-2024-2496

Upstream-Status: Backport from [https://launchpad.net/ubuntu/+source/libvirt/8.0.0-1ubuntu7.10] import Ubuntu patches to fix CVE-2024-1441 CVE-2024-2496 Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
author: Ashish Sharma <asharma@mvista.com> 2024-06-26 11:51:53 +0530
committer: Bruce Ashfield <bruce.ashfield@gmail.com> 2024-07-10 03:53:08 +0000
commit: c8d800054fca0e537f5afb44eec6ad767f36741b (patch)
tree: 49e3f1f055e1c24294b5f450dfaaa08033fa6a73
parent: 8b356b91ed0d4bcab72350a2ddcef880f4fa5c26 (diff)
download: meta-virtualization-c8d800054fca0e537f5afb44eec6ad767f36741b.tar.gz
3 files changed, 157 insertions, 0 deletions
diff --git a/recipes-extended/libvirt/libvirt/CVE-2024-1441.patch b/recipes-extended/libvirt/libvirt/CVE-2024-1441.patch
new file mode 100644
index 00000000..5a17e9c5
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2024-1441.patch
@@ -0,0 +1,64 @@
+From c664015fe3a7bf59db26686e9ed69af011c6ebb8 Mon Sep 17 00:00:00 2001
+From: Martin Kletzander <mkletzan@redhat.com>
+Date: Tue, 27 Feb 2024 16:20:12 +0100
+Subject: [PATCH] Fix off-by-one error in udevListInterfacesByStatus
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Ever since this function was introduced in 2012 it could've tried
+filling in an extra interface name.  That was made worse in 2019 when
+the caller functions started accepting NULL arrays of size 0.
+This is assigned CVE-2024-1441.
+Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
+Reported-by: Alexander Kuznetsov <kuznetsovam@altlinux.org>
+Fixes: 5a33366f5c0b18c93d161bd144f9f079de4ac8ca
+Fixes: d6064e2759a24e0802f363e3a810dc5a7d7ebb15
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Upstream-Status: Backport from [https://launchpad.net/ubuntu/+source/libvirt/8.0.0-1ubuntu7.10]
+CVE: CVE-2024-1441
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+ NEWS.rst                               | 15 +++++++++++++++
+ src/interface/interface_backend_udev.c |  2 +-
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+#--- a/NEWS.rst
+#+++ b/NEWS.rst
+#@@ -312,6 +312,21 @@ v9.2.0 (2023-04-01)
+# v9.1.0 (2023-03-01)
+# ===================
+# 
+#+  * ``CVE-2024-1441``: Fix off-by-one error leading to a crash
+#+
+#+    In **libvirt-1.0.0** there were couple of interface listing APIs
+#+    introduced which had an off-by-one error.  That error could lead to a
+#+    very rare crash if an array was passed to those functions which did
+#+    not fit all the interfaces.
+#+
+#+    In **libvirt-5.10** a check for non-NULL arrays has been adjusted to
+#+    allow for NULL arrays with size 0 instead of rejecting all NULL
+#+    arrays.  However that made the above issue significantly worse since
+#+    that off-by-one error now did not write beyond an array, but
+#+    dereferenced said NULL pointer making the crash certain in a
+#+    specific scenario in which a NULL array of size 0 was passed to the
+#+    aforementioned functions.
+#+
+# * **Removed features**
+# 
+#   * vbox: removed support for version 5.2 and 6.0 APIs
+--- a/src/interface/interface_backend_udev.c
+++ b/src/interface/interface_backend_udev.c
+@@ -220,7 +220,7 @@ udevListInterfacesByStatus(virConnectPtr
+         g_autoptr(virInterfaceDef) def = NULL;
+ 
+         /* Ensure we won't exceed the size of our array */
+-        if (count > names_len)
+        if (count >= names_len)
+             break;
+ 
+         path = udev_list_entry_get_name(dev_entry);
diff --git a/recipes-extended/libvirt/libvirt/CVE-2024-2496.patch b/recipes-extended/libvirt/libvirt/CVE-2024-2496.patch
new file mode 100644
index 00000000..ec477b05
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2024-2496.patch
@@ -0,0 +1,91 @@
+Backport of:
+From 2ca94317ac642a70921947150ced8acc674ccdc8 Mon Sep 17 00:00:00 2001
+From: Dmitry Frolov <frolov@swemel.ru>
+Date: Tue, 12 Sep 2023 15:56:47 +0300
+Subject: [PATCH] interface: fix udev_device_get_sysattr_value return value
+ check
+Reviewing the code I found that return value of function
+udev_device_get_sysattr_value() is dereferenced without a check.
+udev_device_get_sysattr_value() may return NULL by number of reasons.
+v2: VIR_DEBUG added, replaced STREQ(NULLSTR()) with STREQ_NULLABLE()
+v3: More checks added, to skip earlier. More verbose VIR_DEBUG.
+Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
+Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
+Upstream-Status: Backport from [https://launchpad.net/ubuntu/+source/libvirt/8.0.0-1ubuntu7.10]
+CVE: CVE-2024-2496
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+ src/interface/interface_backend_udev.c | 26 +++++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
+--- a/src/interface/interface_backend_udev.c
+++ b/src/interface/interface_backend_udev.c
+@@ -23,6 +23,7 @@
+ #include <dirent.h>
+ #include <libudev.h>
+ 
+#include "virlog.h"
+ #include "virerror.h"
+ #include "virfile.h"
+ #include "datatypes.h"
+@@ -41,6 +42,8 @@
+ 
+ #define VIR_FROM_THIS VIR_FROM_INTERFACE
+ 
+VIR_LOG_INIT("interface.interface_backend_udev");
+
+ struct udev_iface_driver {
+     struct udev *udev;
+     /* pid file FD, ensures two copies of the driver can't use the same root */
+@@ -355,11 +358,20 @@ udevConnectListAllInterfaces(virConnectP
+         const char *macaddr;
+         g_autoptr(virInterfaceDef) def = NULL;
+ 
+-        path = udev_list_entry_get_name(dev_entry);
+-        dev = udev_device_new_from_syspath(udev, path);
+-        name = udev_device_get_sysname(dev);
+        if (!(path = udev_list_entry_get_name(dev_entry))) {
+            VIR_DEBUG("Skipping interface, path == NULL");
+            continue;
+        }
+        if (!(dev = udev_device_new_from_syspath(udev, path))) {
+            VIR_DEBUG("Skipping interface '%s', dev == NULL", path);
+            continue;
+        }
+        if (!(name = udev_device_get_sysname(dev))) {
+            VIR_DEBUG("Skipping interface '%s', name == NULL", path);
+            continue;
+        }
+         macaddr = udev_device_get_sysattr_value(dev, "address");
+-        status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up");
+        status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up");
+ 
+         def = udevGetMinimalDefForDevice(dev);
+         if (!virConnectListAllInterfacesCheckACL(conn, def)) {
+@@ -969,9 +981,9 @@ udevGetIfaceDef(struct udev *udev, const
+ 
+     /* MTU */
+     mtu_str = udev_device_get_sysattr_value(dev, "mtu");
+-    if (virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) {
+    if (!mtu_str || virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) {
+         virReportError(VIR_ERR_INTERNAL_ERROR,
+-                _("Could not parse MTU value '%s'"), mtu_str);
+                _("Could not parse MTU value '%1$s'"), NULLSTR(mtu_str));
+         goto error;
+     }
+     ifacedef->mtu = mtu;
+@@ -1094,7 +1106,7 @@ udevInterfaceIsActive(virInterfacePtr if
+        goto cleanup;
+ 
+     /* Check if it's active or not */
+-    status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up");
+    status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up");
+ 
+     udev_device_unref(dev);
+ 
diff --git a/recipes-extended/libvirt/libvirt_8.1.0.bb b/recipes-extended/libvirt/libvirt_8.1.0.bb
index a88e0ee3..ef9c1c6e 100644
--- a/recipes-extended/libvirt/libvirt_8.1.0.bb
+++ b/recipes-extended/libvirt/libvirt_8.1.0.bb
@@ -31,6 +31,8 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
           file://0001-qemu-segmentation-fault-in-virtqemud-executing-qemuD.patch \
           file://CVE-2023-2700.patch \
           file://CVE-2024-2494.patch \
+           file://CVE-2024-1441.patch \
+           file://CVE-2024-2496.patch \
          "
 SRC_URI[libvirt.sha256sum] = "3c6c43becffeb34a3f397c616206aa69a893ff8bf5e8208393c84e8e75352934"
author	Ashish Sharma <asharma@mvista.com>	2024-06-26 11:51:53 +0530
committer	Bruce Ashfield <bruce.ashfield@gmail.com>	2024-07-10 03:53:08 +0000
commit	c8d800054fca0e537f5afb44eec6ad767f36741b (patch)
tree	49e3f1f055e1c24294b5f450dfaaa08033fa6a73
parent	8b356b91ed0d4bcab72350a2ddcef880f4fa5c26 (diff)
download	meta-virtualization-c8d800054fca0e537f5afb44eec6ad767f36741b.tar.gz

diff --git a/recipes-extended/libvirt/libvirt/CVE-2024-1441.patch b/recipes-extended/libvirt/libvirt/CVE-2024-1441.patch new file mode 100644 index 00000000..5a17e9c5 --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2024-1441.patch
@@ -0,0 +1,64 @@
		1	From c664015fe3a7bf59db26686e9ed69af011c6ebb8 Mon Sep 17 00:00:00 2001
		2	From: Martin Kletzander <mkletzan@redhat.com>
		3	Date: Tue, 27 Feb 2024 16:20:12 +0100
		4	Subject: [PATCH] Fix off-by-one error in udevListInterfacesByStatus
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Ever since this function was introduced in 2012 it could've tried
		10	filling in an extra interface name. That was made worse in 2019 when
		11	the caller functions started accepting NULL arrays of size 0.
		12
		13	This is assigned CVE-2024-1441.
		14
		15	Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
		16	Reported-by: Alexander Kuznetsov <kuznetsovam@altlinux.org>
		17	Fixes: 5a33366f5c0b18c93d161bd144f9f079de4ac8ca
		18	Fixes: d6064e2759a24e0802f363e3a810dc5a7d7ebb15
		19	Reviewed-by: Ján Tomko <jtomko@redhat.com>
		20
		21	Upstream-Status: Backport from [https://launchpad.net/ubuntu/+source/libvirt/8.0.0-1ubuntu7.10]
		22	CVE: CVE-2024-1441
		23	Signed-off-by: Ashish Sharma <asharma@mvista.com>
		24
		25
		26	NEWS.rst \| 15 +++++++++++++++
		27	src/interface/interface_backend_udev.c \| 2 +-
		28	2 files changed, 16 insertions(+), 1 deletion(-)
		29
		30	#--- a/NEWS.rst
		31	#+++ b/NEWS.rst
		32	#@@ -312,6 +312,21 @@ v9.2.0 (2023-04-01)
		33	# v9.1.0 (2023-03-01)
		34	# ===================
		35	#
		36	#+ * ``CVE-2024-1441``: Fix off-by-one error leading to a crash
		37	#+
		38	#+ In libvirt-1.0.0 there were couple of interface listing APIs
		39	#+ introduced which had an off-by-one error. That error could lead to a
		40	#+ very rare crash if an array was passed to those functions which did
		41	#+ not fit all the interfaces.
		42	#+
		43	#+ In libvirt-5.10 a check for non-NULL arrays has been adjusted to
		44	#+ allow for NULL arrays with size 0 instead of rejecting all NULL
		45	#+ arrays. However that made the above issue significantly worse since
		46	#+ that off-by-one error now did not write beyond an array, but
		47	#+ dereferenced said NULL pointer making the crash certain in a
		48	#+ specific scenario in which a NULL array of size 0 was passed to the
		49	#+ aforementioned functions.
		50	#+
		51	# * Removed features
		52	#
		53	# * vbox: removed support for version 5.2 and 6.0 APIs
		54	--- a/src/interface/interface_backend_udev.c
		55	+++ b/src/interface/interface_backend_udev.c
		56	@@ -220,7 +220,7 @@ udevListInterfacesByStatus(virConnectPtr
		57	g_autoptr(virInterfaceDef) def = NULL;
		58
		59	/* Ensure we won't exceed the size of our array */
		60	- if (count > names_len)
		61	+ if (count >= names_len)
		62	break;
		63
		64	path = udev_list_entry_get_name(dev_entry);


diff --git a/recipes-extended/libvirt/libvirt/CVE-2024-2496.patch b/recipes-extended/libvirt/libvirt/CVE-2024-2496.patch new file mode 100644 index 00000000..ec477b05 --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2024-2496.patch
@@ -0,0 +1,91 @@
		1	Backport of:
		2
		3	From 2ca94317ac642a70921947150ced8acc674ccdc8 Mon Sep 17 00:00:00 2001
		4	From: Dmitry Frolov <frolov@swemel.ru>
		5	Date: Tue, 12 Sep 2023 15:56:47 +0300
		6	Subject: [PATCH] interface: fix udev_device_get_sysattr_value return value
		7	check
		8
		9	Reviewing the code I found that return value of function
		10	udev_device_get_sysattr_value() is dereferenced without a check.
		11	udev_device_get_sysattr_value() may return NULL by number of reasons.
		12
		13	v2: VIR_DEBUG added, replaced STREQ(NULLSTR()) with STREQ_NULLABLE()
		14	v3: More checks added, to skip earlier. More verbose VIR_DEBUG.
		15
		16	Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
		17	Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
		18
		19	Upstream-Status: Backport from [https://launchpad.net/ubuntu/+source/libvirt/8.0.0-1ubuntu7.10]
		20	CVE: CVE-2024-2496
		21	Signed-off-by: Ashish Sharma <asharma@mvista.com>
		22
		23
		24	src/interface/interface_backend_udev.c \| 26 +++++++++++++++++++-------
		25	1 file changed, 19 insertions(+), 7 deletions(-)
		26
		27	--- a/src/interface/interface_backend_udev.c
		28	+++ b/src/interface/interface_backend_udev.c
		29	@@ -23,6 +23,7 @@
		30	#include <dirent.h>
		31	#include <libudev.h>
		32
		33	+#include "virlog.h"
		34	#include "virerror.h"
		35	#include "virfile.h"
		36	#include "datatypes.h"
		37	@@ -41,6 +42,8 @@
		38
		39	#define VIR_FROM_THIS VIR_FROM_INTERFACE
		40
		41	+VIR_LOG_INIT("interface.interface_backend_udev");
		42	+
		43	struct udev_iface_driver {
		44	struct udev *udev;
		45	/* pid file FD, ensures two copies of the driver can't use the same root */
		46	@@ -355,11 +358,20 @@ udevConnectListAllInterfaces(virConnectP
		47	const char *macaddr;
		48	g_autoptr(virInterfaceDef) def = NULL;
		49
		50	- path = udev_list_entry_get_name(dev_entry);
		51	- dev = udev_device_new_from_syspath(udev, path);
		52	- name = udev_device_get_sysname(dev);
		53	+ if (!(path = udev_list_entry_get_name(dev_entry))) {
		54	+ VIR_DEBUG("Skipping interface, path == NULL");
		55	+ continue;
		56	+ }
		57	+ if (!(dev = udev_device_new_from_syspath(udev, path))) {
		58	+ VIR_DEBUG("Skipping interface '%s', dev == NULL", path);
		59	+ continue;
		60	+ }
		61	+ if (!(name = udev_device_get_sysname(dev))) {
		62	+ VIR_DEBUG("Skipping interface '%s', name == NULL", path);
		63	+ continue;
		64	+ }
		65	macaddr = udev_device_get_sysattr_value(dev, "address");
		66	- status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up");
		67	+ status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up");
		68
		69	def = udevGetMinimalDefForDevice(dev);
		70	if (!virConnectListAllInterfacesCheckACL(conn, def)) {
		71	@@ -969,9 +981,9 @@ udevGetIfaceDef(struct udev *udev, const
		72
		73	/* MTU */
		74	mtu_str = udev_device_get_sysattr_value(dev, "mtu");
		75	- if (virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) {
		76	+ if (!mtu_str \|\| virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) {
		77	virReportError(VIR_ERR_INTERNAL_ERROR,
		78	- _("Could not parse MTU value '%s'"), mtu_str);
		79	+ _("Could not parse MTU value '%1$s'"), NULLSTR(mtu_str));
		80	goto error;
		81	}
		82	ifacedef->mtu = mtu;
		83	@@ -1094,7 +1106,7 @@ udevInterfaceIsActive(virInterfacePtr if
		84	goto cleanup;
		85
		86	/* Check if it's active or not */
		87	- status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up");
		88	+ status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up");
		89
		90	udev_device_unref(dev);
		91


diff --git a/recipes-extended/libvirt/libvirt_8.1.0.bb b/recipes-extended/libvirt/libvirt_8.1.0.bb index a88e0ee3..ef9c1c6e 100644 --- a/recipes-extended/libvirt/libvirt_8.1.0.bb +++ b/recipes-extended/libvirt/libvirt_8.1.0.bb
@@ -31,6 +31,8 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
31	file://0001-qemu-segmentation-fault-in-virtqemud-executing-qemuD.patch \	31	file://0001-qemu-segmentation-fault-in-virtqemud-executing-qemuD.patch \
32	file://CVE-2023-2700.patch \	32	file://CVE-2023-2700.patch \
33	file://CVE-2024-2494.patch \	33	file://CVE-2024-2494.patch \
		34	file://CVE-2024-1441.patch \
		35	file://CVE-2024-2496.patch \
34	"	36	"
35		37
36	SRC_URI[libvirt.sha256sum] = "3c6c43becffeb34a3f397c616206aa69a893ff8bf5e8208393c84e8e75352934"	38	SRC_URI[libvirt.sha256sum] = "3c6c43becffeb34a3f397c616206aa69a893ff8bf5e8208393c84e8e75352934"