[PATCH 0/7] Fixes for CVE-2025-12748

Martin Kletzander via Devel posted 7 patches 1 week, 6 days ago
git fetch https://github.com/patchew-project/libvirt tags/patchew/cover.1762514681.git.mkletzan@redhat.com
Posted by Martin Kletzander via Devel 1 week, 6 days ago
ACL checks were performed after parsing a user-provided XML in its entirety,
which could be written in a way that would make libvirt allocate too much memory
and crash.

Instead, parse just the identifiers, out of which only the name and UUID are needed
for ACL checks, perform those and then parse the whole definition.  In order not
to pass a bogus UUID to the ACL functions, rewrite any generated UUID in the first
step with a nil UUID, since the ACLs cannot be written to expect a particular
generated UUID as that would not make sense.

If squashing the patches is preferred, let me know.

Fixes: CVE-2025-12748
Reported-by: Святослав Терешин <s.tereshin@fobos-nt.ru>

Martin Kletzander (7):
  conf: Add virDomainDefIDsParseString
  bhyve: Check ACLs before parsing the whole domain XML
  libxl: Check ACLs before parsing the whole domain XML
  lxc: Check ACLs before parsing the whole domain XML
  vz: Check ACLs before parsing the whole domain XML
  ch: Check ACLs before parsing the whole domain XML
  qemu: Check ACLs before parsing the whole domain XML

 src/bhyve/bhyve_driver.c  | 24 ++++++++---
 src/ch/ch_driver.c        | 76 +++++++++++++++++++++++----------
 src/conf/domain_conf.c    | 29 +++++++++++++
 src/conf/domain_conf.h    |  3 ++
 src/libvirt_private.syms  |  1 +
 src/libxl/libxl_driver.c  | 20 ++++++---
 src/lxc/lxc_driver.c      | 22 +++++++---
 src/qemu/qemu_driver.c    | 90 ++++++++++++++++++++-------------------
 src/qemu/qemu_migration.c | 21 ++++++++-
 src/qemu/qemu_migration.h |  4 +-
 src/qemu/qemu_saveimage.c | 25 +++++++++--
 src/qemu/qemu_saveimage.h |  4 +-
 src/qemu/qemu_snapshot.c  |  4 +-
 src/vz/vz_driver.c        | 18 +++++---
 14 files changed, 243 insertions(+), 98 deletions(-)

-- 
2.51.2
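
The ordering the cover letter describes (identifiers first, then the ACL check, and only then the full definition, with a missing UUID reported as nil rather than generated) as an added Python sketch; this is not libvirt's code (the real fix is in C), and `make_domain_xml`, `acl_check` and the `DEVICES_BUILT` counter are constructed for the demonstration. Stage 1 still parses the document, as libxml2 does in libvirt; what is deferred is building the per-device definition, which is the part a crafted document inflates.

```python
import uuid
import xml.etree.ElementTree as ET

NIL_UUID = "00000000-0000-0000-0000-000000000000"
DEVICES_BUILT = {"count": 0}  # instrumentation: device objects built by the full parse

def make_domain_xml(name, dom_uuid=None, ndevices=1):
    """Constructed sample input; ndevices controls how bulky <devices> is."""
    uuid_xml = f"<uuid>{dom_uuid}</uuid>" if dom_uuid else ""
    devs = "".join(f'<disk type="file"><target dev="vd{i}"/></disk>' for i in range(ndevices))
    return f"<domain type='kvm'><name>{name}</name>{uuid_xml}<devices>{devs}</devices></domain>"

def parse_domain_ids(xml_text):
    """Stage 1: only what the ACL check needs, the domain name and UUID. A missing UUID
    is reported as the nil UUID, so no ACL rule can depend on a value the caller never sent."""
    root = ET.fromstring(xml_text)
    if root.tag != "domain":
        raise ValueError("root element must be <domain>")
    name_el = root.find("name")
    if name_el is None or not (name_el.text or "").strip():
        raise ValueError("missing <name>")
    uuid_el = root.find("uuid")
    if uuid_el is None or not (uuid_el.text or "").strip():
        return name_el.text.strip(), NIL_UUID
    return name_el.text.strip(), str(uuid.UUID(uuid_el.text.strip()))

def acl_check(caller, name, dom_uuid, acl):
    """Stage 2: toy ACL, a set of (caller, domain name) pairs allowed to define."""
    return (caller, name) in acl

def parse_domain_def(xml_text):
    """Stage 3: the full definition. One object per device is the part a
    crafted document can inflate, so this runs only after the ACL check."""
    name, dom_uuid = parse_domain_ids(xml_text)
    if dom_uuid == NIL_UUID:
        dom_uuid = str(uuid.uuid4())  # generated only now, after the ACL check
    devs_el = ET.fromstring(xml_text).find("devices")
    devices = []
    for dev in (list(devs_el) if devs_el is not None else []):
        devices.append({"type": dev.tag, **dev.attrib})
        DEVICES_BUILT["count"] += 1
    return {"name": name, "uuid": dom_uuid, "devices": devices}

def define_domain(caller, xml_text, acl):
    """Fixed ordering: identifiers -> ACL check -> full parse."""
    name, dom_uuid = parse_domain_ids(xml_text)
    if not acl_check(caller, name, dom_uuid, acl):
        return "denied", None
    return "defined", parse_domain_def(xml_text)
```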

Re: [PATCH 0/7] Fixes for CVE-2025-12748
Posted by Michal Prívozník via Devel 1 week, 3 days ago
On 11/7/25 12:26, Martin Kletzander via Devel wrote:
> ACL checks were performed after parsing a user provided XML in its entirety
> which could be written in a way that would make libvirt allocate too much memory
> and crash.
> 
> Instead parse just the identifiers out of which only name and UUID are needed
> for ACL checks, perform those and then parse the whole definition.  In order not
> to pass bogus UUID to the ACL functions, rewrite any generated UUID in the first
> step with a nil UUID since the ACLs cannot be written to expect a particular
> generated UUID as that would not make sense.
> 
> If squashing the patches is preferred, let me know.
> 
> Fixes: CVE-2025-12748
> Reported-by: Святослав Терешин <s.tereshin@fobos-nt.ru>
> 
> Martin Kletzander (7):
>   conf: Add virDomainDefIDsParseString
>   bhyve: Check ACLs before parsing the whole domain XML
>   libxl: Check ACLs before parsing the whole domain XML
>   lxc: Check ACLs before parsing the whole domain XML
>   vz: Check ACLs before parsing the whole domain XML
>   ch: Check ACLs before parsing the whole domain XML
>   qemu: Check ACLs before parsing the whole domain XML
> 
>  src/bhyve/bhyve_driver.c  | 24 ++++++++---
>  src/ch/ch_driver.c        | 76 +++++++++++++++++++++++----------
>  src/conf/domain_conf.c    | 29 +++++++++++++
>  src/conf/domain_conf.h    |  3 ++
>  src/libvirt_private.syms  |  1 +
>  src/libxl/libxl_driver.c  | 20 ++++++---
>  src/lxc/lxc_driver.c      | 22 +++++++---
>  src/qemu/qemu_driver.c    | 90 ++++++++++++++++++++-------------------
>  src/qemu/qemu_migration.c | 21 ++++++++-
>  src/qemu/qemu_migration.h |  4 +-
>  src/qemu/qemu_saveimage.c | 25 +++++++++--
>  src/qemu/qemu_saveimage.h |  4 +-
>  src/qemu/qemu_snapshot.c  |  4 +-
>  src/vz/vz_driver.c        | 18 +++++---
>  14 files changed, 243 insertions(+), 98 deletions(-)
> 

You get bonus points for fixing save image code in CH driver, but that's
sooo broken anyways that basically we're unable to restore from a saved
image anyway. But hey, at least we don't deplete memory :-D

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Michal