On 07/30/2012 12:03 PM, Jiri Denemark wrote: > On Mon, Jul 30, 2012 at 22:52:23 +0800, Osier Yang wrote: >>>> On 2012年07月30日 19:55, Jiri Denemark wrote: >>>>> Daemon uses the following pattern when dispatching APIs with typed >>>>> parameters: >>>>> >>>>> VIR_ALLOC_N(params, nparams); >>>>> virDomain*(dom, params,&nparams, flags); >>>>> virTypedParameterArrayClear(params, nparams); >>>>> >>>>> In case nparams was originally set to 0, virDomain* API would fill it >>>>> with the number of typed parameters it can provide and we would use this >>>>> number (rather than zero) to clear params. Because VIR_ALLOC* returns >>>>> non-NULL pointer even if size is 0, the code would end up walking >>>>> through random memory. If we were lucky enough and the memory contained >>>>> 7 (VIR_TYPED_PARAM_STRING) at the right place, we would try to free a >>>>> random pointer and crash. >>>>> >>>>> Let's make sure params stays NULL when nparams is 0. >>>>> >> Makes sense, ACK. > > Pushed, thanks. Per https://bugzilla.redhat.com/show_bug.cgi?id=844745, this has been assigned CVE-2012-3445. I'm therefore pushing backports of this patch to v0.9.6-maint and v0.9.11-maint, and we will be releasing new minor releases on the stable branches in the near future. -- Eric Blake eblake@xxxxxxxxxx +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list