Ever since this function was introduced in 2012 it could've tried filling in an extra interface name. That was made worse in 2019 when the caller functions started accepting NULL arrays of size 0. This is assigned CVE-2024-1441. Signed-off-by: Martin Kletzander <mkletzan@xxxxxxxxxx> Reported-by: Alexander Kuznetsov <kuznetsovam@xxxxxxxxxxxx> Fixes: 5a33366f5c0b18c93d161bd144f9f079de4ac8ca Fixes: d6064e2759a24e0802f363e3a810dc5a7d7ebb15 Reviewed-by: Ján Tomko <jtomko@xxxxxxxxxx> --- Pushed after review in libvirt-security since this has a CVE. Unfortunately I forgot to split the NEWS update and the actual fix, so sorry to all back-porters. NEWS.rst | 15 +++++++++++++++ src/interface/interface_backend_udev.c | 2 +- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/NEWS.rst b/NEWS.rst index ac64cf697435..69258880d2d3 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -13,6 +13,21 @@ v10.1.0 (unreleased) * **Security** + * ``CVE-2024-1441``: Fix off-by-one error leading to a crash + + In **libvirt-1.0.0** there were couple of interface listing APIs + introduced which had an off-by-one error. That error could lead to a + very rare crash if an array was passed to those functions which did + not fit all the interfaces. + + In **libvirt-5.10** a check for non-NULL arrays has been adjusted to + allow for NULL arrays with size 0 instead of rejecting all NULL + arrays. However that made the above issue significantly worse since + that off-by-one error now did not write beyond an array, but + dereferenced said NULL pointer making the crash certain in a + specific scenario in which a NULL array of size 0 was passed to the + aforementioned functions. + * **Removed features** * **New features** diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c index fb6799ed9406..40914830604e 100644 --- a/src/interface/interface_backend_udev.c +++ b/src/interface/interface_backend_udev.c 
@@ -222,7 +222,7 @@ udevListInterfacesByStatus(virConnectPtr conn, g_autoptr(virInterfaceDef) def = NULL; /* Ensure we won't exceed the size of our array */ - if (count > names_len) + if (count >= names_len) break; path = udev_list_entry_get_name(dev_entry); -- 2.44.0 _______________________________________________ Devel mailing list -- devel@xxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxx
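Review bot: The NEWS entry's second paragraph drops an article ("there were couple of interface listing APIs introduced" should read "a couple of"), and "has been adjusted" in the third paragraph reads better as "was adjusted", since it describes a change that landed in libvirt-5.10. The entry also names neither the function nor the file that was patched; naming udevListInterfacesByStatus() in src/interface/interface_backend_udev.c would let readers map the CVE text to the two-character fix below. As the cover note already admits, the NEWS hunk sits in the same commit as the code change, so back-porters will need to drop it by hand.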
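Review bot: A regression test is missing for the `count >= names_len` change: one call with names == NULL and names_len == 0, and one with an array one element shorter than the number of interfaces, would lock in a fix that is easy to regress in a future refactor. The new guard itself is right: count is the number of names already stored, so the next store goes to names[count], which is in bounds only while count < names_len; the old `count > names_len` let one store through at names[names_len], which with a too-small array is a one-element overflow and with NULL and size 0 is a NULL dereference. The existing comment "Ensure we won't exceed the size of our array" now matches what the code does.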