Re: [PATCH] daemon: Fix crash in virTypedParameterArrayClear

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 07/30/2012 12:03 PM, Jiri Denemark wrote:
> On Mon, Jul 30, 2012 at 22:52:23 +0800, Osier Yang wrote:
>>>> On 2012年07月30日 19:55, Jiri Denemark wrote:
>>>>> Daemon uses the following pattern when dispatching APIs with typed
>>>>> parameters:
>>>>>
>>>>>       VIR_ALLOC_N(params, nparams);
>>>>>       virDomain*(dom, params,&nparams, flags);
>>>>>       virTypedParameterArrayClear(params, nparams);
>>>>>
>>>>> In case nparams was originally set to 0, virDomain* API would fill it
>>>>> with the number of typed parameters it can provide and we would use this
>>>>> number (rather than zero) to clear params. Because VIR_ALLOC* returns
>>>>> non-NULL pointer even if size is 0, the code would end up walking
>>>>> through random memory. If we were lucky enough and the memory contained
>>>>> 7 (VIR_TYPED_PARAM_STRING) at the right place, we would try to free a
>>>>> random pointer and crash.
>>>>>
>>>>> Let's make sure params stays NULL when nparams is 0.
>>>>>
>> Makes sense, ACK.
> 
> Pushed, thanks.

Per https://bugzilla.redhat.com/show_bug.cgi?id=844745, this has been
assigned CVE-2012-3445.  I'm therefore pushing backports of this patch
to v0.9.6-maint and v0.9.11-maint, and we will be releasing new minor
releases on the stable branches in the near future.

-- 
Eric Blake   eblake@xxxxxxxxxx    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]