Bug 2270115 (CVE-2024-2494)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2024-2494 libvirt: negative g_new0 length can lead to unbounded memory allocation | | |
| Product | [Other] Security Response | Reporter | Mauro Matteo Cascella <mcascell> |
| Component | vulnerability | Assignee | Product Security <prodsec-ir-bot> |
| Status | ASSIGNED --- | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | ailan, berrange, ddepaula, dunnsimsham, eblake, jdenemar, jferlan, jmaloy, jsuchane, knoel, pkrempa, security-response-team, ymankad |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in the RPC library APIs of libvirt. The RPC server deserialization code allocates memory for arrays before the non-negative length check is performed by the C API entry points. Passing a negative length to the g_new0 function results in a crash due to the negative length being treated as a huge positive number. This flaw allows a local, unprivileged user to perform a denial of service attack by causing the libvirt daemon to crash. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2270649 | | |
| Bug Blocks | 2270120 | | |
Description
Mauro Matteo Cascella
2024-03-18 13:44:17 UTC
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 2270649]

Upstream patch: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/BKRQXPLPC6B7FLHJXSBQYW7HNDEBW6RJ/

Upstream merged fix is commit 8a3f8d957507c1f8223fdcf25a3ff885b15557f2

Author: Daniel P. Berrangé <berrange>
Date: Fri Mar 15 10:47:50 2024 +0000

remote: check for negative array lengths before allocation

While the C API entry points will validate non-negative lengths for various parameters, the RPC server de-serialization code will need to allocate memory for arrays before entering the C API. These allocations will thus happen before the non-negative length check is performed.

Passing a negative length to the g_new0 function will usually result in a crash due to the negative length being treated as a huge positive number.

This was found and diagnosed by ALT Linux Team with AFLplusplus.

CVE-2024-2494

Reviewed-by: Michal Privoznik <mprivozn>
Found-by: Alexandr Shashkin <dutyrok>
Co-developed-by: Alexander Kuznetsov <kuznetsovam>
Signed-off-by: Daniel P. Berrangé <berrange>

(In reply to Mauro Matteo Cascella from comment #3)
> Upstream patch:
> https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/BKRQXPLPC6B7FLHJXSBQYW7HNDEBW6RJ/

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2024:2560 https://access.redhat.com/errata/RHSA-2024:2560

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2024:3253 https://access.redhat.com/errata/RHSA-2024:3253
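The allocation-before-validation pattern that the commit message describes, shown as an added C illustration that is not libvirt's code: a hypothetical XDR-style signed length is decoded from a message, then either fed straight into an allocation (the vulnerable shape) or rejected when negative before any allocation happens (the fixed shape). All demo_* names, the DEMO_MAX_ITEMS bound and the sample byte strings are constructed assumptions.

```c
/* Added illustration (not libvirt code) of the CVE-2024-2494 pattern: an
 * RPC deserializer sizes an array from a wire-supplied signed length before
 * the C API's non-negative check runs. All demo_* names are hypothetical. */
#include <stdint.h>
#include <stdlib.h>

#define DEMO_MAX_ITEMS 1024   /* hypothetical per-message array limit */

enum { DEMO_OK = 0, DEMO_ERR_LEN = -1, DEMO_ERR_ALLOC = -2 };

/* Decode a big-endian 32-bit signed integer, the XDR encoding of "int". */
static int32_t demo_read_be32(const unsigned char *buf)
{
    return (int32_t)(((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                     ((uint32_t)buf[2] << 8) | (uint32_t)buf[3]);
}

/* Vulnerable shape: the element count comes straight from the wire. A
 * negative int32 cast to size_t becomes a huge value, and an allocator that
 * aborts on failure (as g_new0 does) takes the whole daemon down with it. */
static int demo_alloc_unchecked(const unsigned char *buf, int32_t **out, int32_t *n)
{
    *n = demo_read_be32(buf);
    *out = calloc((size_t)*n, sizeof(int32_t));
    return *out ? DEMO_OK : DEMO_ERR_ALLOC;
}

/* Fixed shape, as the commit message describes: validate the length before
 * any allocation. The upper bound is an extra defensive limit in this demo. */
static int demo_alloc_checked(const unsigned char *buf, int32_t **out, int32_t *n)
{
    *n = demo_read_be32(buf);
    *out = NULL;
    if (*n < 0 || *n > DEMO_MAX_ITEMS)
        return DEMO_ERR_LEN;
    *out = calloc((size_t)*n, sizeof(int32_t));
    return *out ? DEMO_OK : DEMO_ERR_ALLOC;
}

/* Constructed wire samples: a benign length of 3 and a negative length (-2). */
static const unsigned char demo_len_ok[4]  = { 0x00, 0x00, 0x00, 0x03 };
static const unsigned char demo_len_neg[4] = { 0xFF, 0xFF, 0xFF, 0xFE };

int main(void)
{
    int32_t *items = NULL, n = 0;
    int rc = demo_alloc_checked(demo_len_neg, &items, &n);  /* DEMO_ERR_LEN */
    free(items);
    return rc == DEMO_ERR_LEN ? 0 : 1;
}
```

The unchecked variant is kept only for side-by-side comparison; on glibc a negative count makes calloc report overflow and return NULL, whereas an aborting allocator such as g_new0 would crash the process at that point.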