On 3/21/24 01:53, Daniel P. Berrangé wrote:
> While the C API entry points will validate non-negative lengths
> for various parameters, the RPC server de-serialization code
> will need to allocate memory for arrays before entering the C
> API. These allocations will thus happen before the non-negative
> length check is performed.
>
> Passing a negative length to the g_new0 function will usually
> result in a crash due to the negative length being treated as
> a huge positive number.
>
> This was found and diagnosed by ALT Linux Team with AFLplusplus.
>
> CVE-2024-2494
> Found-by: Alexandr Shashkin <dutyrok@xxxxxxxxxxxx>
> Co-developed-by: Alexander Kuznetsov <kuznetsovam@xxxxxxxxxxxx>
> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> ---
>  src/remote/remote_daemon_dispatch.c | 65 +++++++++++++++++++++++++++++
>  src/rpc/gendispatch.pl              |  5 +++
>  2 files changed, 70 insertions(+)

Reviewed-by: Michal Privoznik <mprivozn@xxxxxxxxxx>

Michal

_______________________________________________
Devel mailing list -- devel@xxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxx
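The allocate-before-validate pattern described in the quoted commit message, as an added example in C that is not part of the libvirt patch or of this thread. The struct, function and error names (rpc_args, dispatch_unchecked, dispatch_checked, RPC_ERR_*) are hypothetical, and calloc stands in for g_new0 so the failure is observable as a NULL return: the real g_new0 expands to g_malloc0_n with an unsigned gsize count, and GLib aborts the process when that allocation cannot be satisfied, which is the crash the commit message refers to. The wire length is modelled as an XDR int, i.e. a signed 32-bit value.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed example, not libvirt's generated dispatcher.  An XDR "int"
 * is a signed 32-bit value, so a length field deserialized from the wire
 * can be negative even though the C API only accepts non-negative
 * lengths. */
struct rpc_args {
    int32_t len;        /* hypothetical array length taken from the wire */
    const char **vals;  /* hypothetical array payload (len entries) */
};

enum { RPC_OK = 0, RPC_ERR_NEGATIVE_LEN = -1, RPC_ERR_NOMEM = -2 };

/* g_new0(type, n) expands to g_malloc0_n(n, sizeof(type)) with an
 * unsigned (gsize) count, so a negative int32 arrives at the allocator
 * as a huge count.  This helper shows exactly that conversion. */
size_t count_as_seen_by_allocator(int32_t len)
{
    return (size_t)len;   /* e.g. -1 -> SIZE_MAX on a 64-bit build */
}

/* Vulnerable shape: allocate before the sign check.  calloc stands in
 * for g_new0 and returns NULL on an overflowing request instead of
 * aborting, so the test can observe the failure; GLib would abort. */
int dispatch_unchecked(const struct rpc_args *args, const char ***out)
{
    size_t n = (size_t)args->len;                 /* negative -> huge */
    const char **arr = calloc(n ? n : 1, sizeof(*arr));
    if (!arr)
        return RPC_ERR_NOMEM;
    /* The API-level check comes too late: memory was already requested
     * with the unchecked count. */
    if (args->len < 0) {
        free(arr);
        return RPC_ERR_NEGATIVE_LEN;
    }
    for (size_t i = 0; i < n; i++)
        arr[i] = args->vals[i];
    *out = arr;
    return RPC_OK;
}

/* Hardened shape: reject a negative length in the dispatcher itself,
 * before any allocation happens and before the C API is entered. */
int dispatch_checked(const struct rpc_args *args, const char ***out)
{
    if (args->len < 0)
        return RPC_ERR_NEGATIVE_LEN;
    size_t n = (size_t)args->len;                 /* now known non-negative */
    const char **arr = calloc(n ? n : 1, sizeof(*arr));
    if (!arr)
        return RPC_ERR_NOMEM;
    for (size_t i = 0; i < n; i++)
        arr[i] = args->vals[i];
    *out = arr;
    return RPC_OK;
}
```

The check in dispatch_checked is the same one the C API already performs; the point of repeating it in the deserialization path is that the allocation size is derived from attacker-controlled wire data before the API ever sees it, so the validation has to move to wherever the count is first used.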