Bug 504774

Summary: off-by-1 buffer overflow in get_uuid_string() methods
Product: Red Hat Enterprise Linux 5 Reporter: Daniel Berrangé <berrange>
Component: perl-Sys-VirtAssignee: Daniel Berrangé <berrange>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: low    
Version: 5.4CC: gren, llim, mjenner, sghosh
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-02 09:49:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Daniel Berrangé 2009-06-09 10:43:16 UTC 
Description of problem:
The C/XS implementation of the get_uuid_string() methods uses a fixed size buffer for the printable UUID that is one byte too small. This means the trailing NULL terminator overflows the buffer. If you are unlucky this can cause the Perl process to crash.

The fix is trivial and upstream

  http://libvirt.org/hg/libvirt-perl/rev/e0e8feb3350d

Version-Release number of selected component (if applicable):
0.2.0

How reproducible:
Sometimes

Steps to Reproduce:
1. Run a Perl programm calling get_uuid_string() in the Sys::Virt API
2.
3.
  
Actual results:
Sometimes it may crash

Expected results:
Never crashes

Additional info:
Comment 5 Daniel Berrangé 2009-07-15 16:19:22 UTC 
Built in perl-Sys-Virt-0.2.0-4.el5
Comment 8 Gunannan Ren 2009-07-28 08:57:11 UTC 
I wrote a script to verify the bug, no error occurred based on the perl-Sys-Virt-0.2.0-4.el5 version

the scripts is follow:

#!/usr/bin/perl

use strict;
use warnings;
use Sys::Virt;

my $addr = "xen:///";
my $con = Sys::Virt->new(address => $addr, readonly => 1);

print "VMM type: ", $con->get_type(), "\n";

foreach ($con->list_domains) {
    print "Domain name :", $_->get_name(), "\n";
    my $count = 1000;
    my $num = 1;
    while ($count) {
        print "Get UUID count $num:", $_->get_uuid_string(), "\n";
        $count = $count - 1;
        $num = $num + 1;
    }
}
Comment 9 Daniel Berrangé 2009-07-28 09:04:17 UTC 
Since this is only a off-by-1 buffer overflow you have to be very unlucky for it to actually cause trouble. If there's even 1 byte of padding, or harmless data on the stack next to the uuid array it wouldn't cause a crash. I've never reproduced a crash myself, but it does crash on SUSE. By inspection the existing code is clearly wrong, so whether we can reproduce the problem or not is pretty irrelevant. The fix is neccessary.
Comment 10 Lawrence Lim 2009-07-30 06:55:06 UTC 
llim->berrange: are we good to move the bug to verified based on comment #8, since its hard to reproduce?
Comment 11 Daniel Berrangé 2009-07-30 09:42:58 UTC 
Yeah, i think its fine to move it to verified.
Comment 14 errata-xmlrpc 2009-09-02 09:49:59 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1302.html