From: Martin Kletzander
To: devel@lists.libvirt.org
Subject: [PATCH PUSHED] Fix off-by-one error in udevListInterfacesByStatus
Date: Fri, 1 Mar 2024 13:34:59 +0100

Ever since this function was introduced in 2012 it could've tried
filling in an extra interface name.  That was made worse in 2019 when
the caller functions started accepting NULL arrays of size 0.

This is assigned CVE-2024-1441.

Signed-off-by: Martin Kletzander
Reported-by: Alexander Kuznetsov
Fixes: 5a33366f5c0b18c93d161bd144f9f079de4ac8ca
Fixes: d6064e2759a24e0802f363e3a810dc5a7d7ebb15
Reviewed-by: Ján Tomko
---
Pushed after review in libvirt-security since this has a CVE.  Unfortunately I
forgot to split the NEWS update and the actual fix, so sorry to all
back-porters.

 NEWS.rst                               | 15 +++++++++++++++
 src/interface/interface_backend_udev.c |  2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/NEWS.rst b/NEWS.rst index ac64cf697435..69258880d2d3 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -13,6 +13,21 @@ v10.1.0 (unreleased) =20 * **Security** =20 + * ``CVE-2024-1441``: Fix off-by-one error leading to a crash + + In **libvirt-1.0.0** there were couple of interface listing APIs + introduced which had an off-by-one error. That error could lead to a + very rare crash if an array was passed to those functions which did + not fit all the interfaces. + + In **libvirt-5.10** a check for non-NULL arrays has been adjusted to + allow for NULL arrays with size 0 instead of rejecting all NULL + arrays. However that made the above issue significantly worse since + that off-by-one error now did not write beyond an array, but + dereferenced said NULL pointer making the crash certain in a + specific scenario in which a NULL array of size 0 was passed to the + aforementioned functions. + * **Removed features** =20 * **New features** diff --git a/src/interface/interface_backend_udev.c b/src/interface/interfa= ce_backend_udev.c index fb6799ed9406..40914830604e 100644 --- a/src/interface/interface_backend_udev.c +++ b/src/interface/interface_backend_udev.c @@ -222,7 +222,7 @@ udevListInterfacesByStatus(virConnectPtr conn, g_autoptr(virInterfaceDef) def =3D NULL; =20 /* Ensure we won't exceed the size of our array */ - if (count > names_len) + if (count >=3D names_len) break; =20 path =3D udev_list_entry_get_name(dev_entry); --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org
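Review bot: The NEWS.rst entry never names the affected APIs. It refers only to "couple of interface listing APIs", "those functions" and "the aforementioned functions", so a reader of the release notes cannot tell which calls to audit. Name the functions in the first paragraph. "there were couple of" should also read "there were a couple of". Since this hunk shares a commit with the fix, a backport to a branch whose NEWS.rst differs will conflict here; a separate NEWS commit would avoid that.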
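Review bot: No test accompanies the changed guard in udevListInterfacesByStatus; the diffstat lists only NEWS.rst and interface_backend_udev.c. The new condition "if (count >= names_len)" is the correct bound, but a regression test that drives the listing path with a NULL array of size 0, and with an array smaller than the number of interfaces, would pin both cases the NEWS entry describes. The comment "Ensure we won't exceed the size of our array" could also state the invariant directly: a name is filled in only while count < names_len.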