On 08/16/2013 01:47 AM, Alex Jia wrote:
> This issue is introduced by commit 0fc8909, the virBitmapIsSet() needs the caller
> to ensure 'b < bitmap->max_bit', but it's lost in the virBitmapParse() caller;
> this will cause a crash of libvirtd. With the patch, libvirtd does not crash and can
> get an expected error "Failed to parse nodeset".
>
> ---
> The caller virBitmapGetBit() can make sure 'b < bitmap->max_bit', so we don't
> need to worry about higher callers for the virBitmapGetBit(), but the
> virBitmapParse() is called by many XML parser functions, not sure which one
> can crash libvirtd with a read-only client and then probably require a CVE. I haven't
> a good way to check them now and only manually check them one by one.

If you are worried that a bug might be a CVE, it is best to practice
responsible disclosure, and NOT post the patch upstream, but instead post
to libvirt-security@xxxxxxxxxx. That way, the problem can be discussed
without public disclosure, rather than calling attention to the fact and
making it easier to design a 0-day exploit.

But now that this is already publicly disclosed, we have to hurry up both
the fix, and our analysis of whether it is exploitable.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
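The class of bug the thread describes, a bit-test helper whose contract is "caller guarantees b < max_bit" being reached from a parser that never enforced it, is easy to illustrate in isolation. The following is an added example written for this post; it is not libvirt's code, and every name in it (ToyBitmap, toy_bitmap_parse, toy_bitmap_get_bit, and the others) is hypothetical. It models a bitmap with an unchecked inner test, a checked accessor, and a nodeset parser that rejects any index at or beyond max_bit before touching the backing array, so malformed input yields a parse error instead of an out-of-bounds read.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical bitmap: bits 0..max_bit-1 live in map[0..map_len-1]. */
typedef struct {
    size_t max_bit;
    size_t map_len;   /* number of 64-bit words backing the bitmap */
    uint64_t *map;
} ToyBitmap;

ToyBitmap *toy_bitmap_new(size_t max_bit)
{
    ToyBitmap *bm = calloc(1, sizeof *bm);
    if (!bm)
        return NULL;
    bm->max_bit = max_bit;
    bm->map_len = (max_bit + 63) / 64;
    bm->map = calloc(bm->map_len ? bm->map_len : 1, sizeof *bm->map);
    if (!bm->map) {
        free(bm);
        return NULL;
    }
    return bm;
}

void toy_bitmap_free(ToyBitmap *bm)
{
    if (bm) {
        free(bm->map);
        free(bm);
    }
}

/* Contract as in the thread: the CALLER must guarantee b < bm->max_bit.
 * Nothing here stops an out-of-range b from indexing past map[]. */
static int toy_bitmap_is_set_unchecked(const ToyBitmap *bm, size_t b)
{
    return (int)((bm->map[b / 64] >> (b % 64)) & 1u);
}

/* Checked accessor: reports an error instead of reading past the array. */
int toy_bitmap_get_bit(const ToyBitmap *bm, size_t b, int *result)
{
    if (b >= bm->max_bit)
        return -1;
    *result = toy_bitmap_is_set_unchecked(bm, b);
    return 0;
}

static void toy_bitmap_write_bit(ToyBitmap *bm, size_t b, int value)
{
    /* Only reached after the parser has validated b < max_bit. */
    uint64_t mask = (uint64_t)1 << (b % 64);
    if (value)
        bm->map[b / 64] |= mask;
    else
        bm->map[b / 64] &= ~mask;
}

/* Parse a nodeset such as "0-3,^2,7" into a fresh bitmap of max_bit bits.
 * Returns 0 and stores the bitmap in *out on success, -1 on any error
 * (bad syntax, reversed range, or an index >= max_bit). */
int toy_bitmap_parse(const char *str, size_t max_bit, ToyBitmap **out)
{
    ToyBitmap *bm = toy_bitmap_new(max_bit);
    const char *p = str;

    *out = NULL;
    if (!bm)
        return -1;

    while (*p) {
        int negate = 0;
        char *end;
        unsigned long lo, hi;

        while (isspace((unsigned char)*p))
            p++;
        if (*p == '^') {
            negate = 1;
            p++;
        }
        if (!isdigit((unsigned char)*p))
            goto error;
        errno = 0;
        lo = strtoul(p, &end, 10);
        if (errno || end == p)
            goto error;
        hi = lo;
        p = end;
        if (*p == '-') {
            p++;
            if (!isdigit((unsigned char)*p))
                goto error;
            errno = 0;
            hi = strtoul(p, &end, 10);
            if (errno || end == p || hi < lo)
                goto error;
            p = end;
        }
        /* The check the thread says was missing: refuse the whole range
         * before any bit in it is written, so map[] is never overrun. */
        if (hi >= max_bit)
            goto error;
        for (unsigned long b = lo; b <= hi; b++)
            toy_bitmap_write_bit(bm, (size_t)b, !negate);

        while (isspace((unsigned char)*p))
            p++;
        if (*p == ',') {
            p++;
            continue;
        }
        if (*p == '\0')
            break;
        goto error;
    }
    *out = bm;
    return 0;

error:
    toy_bitmap_free(bm);
    return -1;
}
```

With max_bit set to 8, "0-3,^2,7" yields bits 0, 1, 3 and 7; "0-3,9" is rejected with -1 at the parser rather than reaching the unchecked test, and toy_bitmap_get_bit() on index 8 likewise returns -1. Rejecting at parse time is the cheaper fix for a helper used by many XML parsing paths, since every caller inherits the check.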
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list