Bug 997367
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2013-5651 Running numatune with invalid nodeset parameter crash libvirtd [rhel-6.5] | | |
| Product | Red Hat Enterprise Linux 6 | Reporter | Hao Liu <hliu> |
| Component | libvirt | Assignee | Peter Krempa <pkrempa> |
| Status | CLOSED ERRATA | QA Contact | Virtualization Bugs <virt-bugs> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 6.5 | CC | acathrow, ajia, cwei, dyuan, eblake, hliu, jdenemar, lsu, mzhan, pkrempa, pmatouse, tlavigne, zsong |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Fixed In Version | libvirt-0.10.2-23.el6 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 997906 | Environment | |
| Last Closed | 2013-11-21 09:08:13 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Bug Depends On | | | |
| Bug Blocks | 997906, 1006493 | | |
Description
Hao Liu
2013-08-15 09:54:53 UTC
(In reply to Hao Liu from comment #0)
> Steps to Reproduce:
> 1. make sure a domain 'foo' is shut off.

It's not necessary.

> libvirtd backtrace:
> Thread 1 (Thread 0x7f52461ae700 (LWP 10401)):
> #0  0x00007f525126e316 in virBitmapIsSet (str=<value optimized out>, sep=0 '\000', bitmap=0x7f52461ad9c8, bitmapSize=<value optimized out>) at util/bitmap.c:153
> #1  virBitmapParse (str=<value optimized out>, sep=0 '\000', bitmap=0x7f52461ad9c8, bitmapSize=<value optimized out>) at util/bitmap.c:335
> #2  0x0000000000466d95 in qemuDomainSetNumaParameters (dom=<value optimized out>, params=<value optimized out>, nparams=1, flags=2) at qemu/qemu_driver.c:8190
> #3  0x00007f525132c3fd in virDomainSetNumaParameters (domain=0x7f52300025a0, params=0x7f5230002de0, nparams=1, flags=0) at libvirt.c:3975
> #4  0x000000000042ad7e in remoteDispatchDomainSetNumaParameters (server=<value optimized out>, client=<value optimized out>, msg=<value optimized out>, rerr=0x7f52461adb80, args=<value optimized out>, ret=<value optimized out>) at remote_dispatch.h:5505
> #5  remoteDispatchDomainSetNumaParametersHelper (server=<value optimized out>, client=<value optimized out>, msg=<value optimized out>, rerr=0x7f52461adb80, args=<value optimized out>, ret=<value optimized out>) at remote_dispatch.h:5475
> #6  0x00007f5251368a42 in virNetServerProgramDispatchCall (prog=0x1968a70, server=0x1960180, client=0x1965700, msg=0x195cc10) at rpc/virnetserverprogram.c:431
> #7  virNetServerProgramDispatch (prog=0x1968a70, server=0x1960180, client=0x1965700, msg=0x195cc10) at rpc/virnetserverprogram.c:304
> #8  0x00007f525136728e in virNetServerProcessMsg (srv=<value optimized out>, client=0x1965700, prog=<value optimized out>, msg=0x195cc10) at rpc/virnetserver.c:170
> #9  0x00007f525136792c in virNetServerHandleJob (jobOpaque=<value optimized out>, opaque=0x1960180) at rpc/virnetserver.c:191
> #10 0x00007f525128c07c in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:144
> #11 0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
> #12 0x00007f524fdb69d1 in start_thread (arg=0x7f52461ae700) at pthread_create.c:301
> #13 0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

This should be enough to debug.

(In reply to Alex Jia from comment #1)
> > libvirtd backtrace:
> > Thread 1 (Thread 0x7f52461ae700 (LWP 10401)):
> > #0  0x00007f525126e316 in virBitmapIsSet (str=<value optimized out>, sep=0 '\000', bitmap=0x7f52461ad9c8, bitmapSize=<value optimized out>) at util/bitmap.c:153

Eric, do we need to fix this in the gnulib library, or in the caller? Thanks.

Patch on upstream:
https://www.redhat.com/archives/libvir-list/2013-August/msg00723.html

A more thorough version posted for review:
https://www.redhat.com/archives/libvir-list/2013-August/msg00735.html

Fixed upstream:

commit 7efd5fd1b0225436cbbae1181ab41c2d3eca43f9
Author: Peter Krempa <pkrempa>
Date:   Fri Aug 16 12:13:27 2013 +0200

    virbitmaptest: Add test for out of bounds condition

    Previous patch fixed an issue where, when parsing a bitmap from the
    string, the bounds of the bitmap weren't checked. That flaw resulted in
    crashes. This test tests that case to avoid it in the future.

commit 536d38128e749fa5b149b9e168224280c3ad348c
Author: Peter Krempa <pkrempa>
Date:   Fri Aug 16 12:12:55 2013 +0200

    virbitmaptest: Fix function header formatting

commit 47b9127e883677a0d60d767030a147450e919a25
Author: Peter Krempa <pkrempa>
Date:   Fri Aug 16 12:22:32 2013 +0200

    virbitmap: Refactor virBitmapParse to avoid access beyond bounds of array

    The virBitmapParse function was calling virBitmapIsSet() function that
    requires the caller to check the bounds of the bitmap without checking
    them. This resulted in crashes when parsing a bitmap string that was
    exceeding the bounds used as argument.

    This patch refactors the function to use virBitmapSetBit without
    checking if the bit is set (this function does the checks internally)
    and then counts the bits in the bitmap afterwards (instead of keeping
    track while parsing the string).

    This patch also changes the "parse_error" label to a more common
    "error".

    The refactor should also get rid of the need to call sa_assert on the
    returned variable as the callpath should allow coverity to infer the
    possible return values.

    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=997367
    Thanks to Alex Jia for tracking down the issue.

This issue was introduced by commit 0fc8909.

This bug is already public knowledge, but it is now being discussed on the closed libvirt-security list for its potential as a CVE. Please do not discuss the CVE specifics in public comments.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1581.html
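The bounds problem the commit messages describe, as an added C example that is not libvirt's code: a minimal nodeset-style list parser in which the bit setter checks every index against the bitmap size (the role virBitmapSetBit plays in the fix) and the set bits are counted after parsing, so a bit beyond the bitmap is reported as an error instead of reaching memory past the array. Bitmap, bitmap_set_bit, bitmap_count and bitmap_parse are hypothetical names.

```c
#include <limits.h>
#include <stdlib.h>
/* Hypothetical minimal bitmap modelled on the pattern the bug describes;
 * illustrative code, not libvirt's own. */
#define WORD_BITS (sizeof(unsigned long) * CHAR_BIT)
typedef struct { size_t nbits; unsigned long map[]; } Bitmap;

/* Bounds-checked setter (like virBitmapSetBit): rejects an index at or past nbits. */
static int bitmap_set_bit(Bitmap *b, unsigned long bit) {
    if (bit >= b->nbits) return -1;
    b->map[bit / WORD_BITS] |= 1UL << (bit % WORD_BITS);
    return 0;
}
/* Count set bits once parsing is done (the approach the upstream fix took). */
static long bitmap_count(const Bitmap *b) {
    long n = 0;
    for (size_t i = 0; i <= b->nbits / WORD_BITS; i++)
        n += __builtin_popcountl(b->map[i]);        /* GCC/Clang builtin */
    return n;
}
/* Parse a "0-3,5" style list into a bitmap of nbits bits. Returns the number
 * of set bits, or -1 on a syntax error or an out-of-range bit (the input that
 * crashed the unchecked parser). *out gets the bitmap; NULL out means free it. */
static long bitmap_parse(const char *str, size_t nbits, Bitmap **out) {
    Bitmap *b = calloc(1, sizeof(*b) + (nbits / WORD_BITS + 1) * sizeof(unsigned long));
    const char *p = str;
    if (!b) return -1;
    b->nbits = nbits;
    while (*p) {
        char *end;
        unsigned long lo = strtoul(p, &end, 10), hi = lo;
        if (end == p) goto error;                       /* not a number */
        if (*end == '-') {                              /* range "lo-hi" */
            hi = strtoul(p = end + 1, &end, 10);
            if (end == p || hi < lo) goto error;
        }
        for (unsigned long i = lo; i <= hi; i++)
            if (bitmap_set_bit(b, i) < 0) goto error;   /* out of range */
        if (*end == ',') end++;
        else if (*end) goto error;                      /* trailing junk */
        p = end;
    }
    if (out) { *out = b; return bitmap_count(b); }
    { long n = bitmap_count(b); free(b); return n; }
error:
    free(b);
    return -1;
}
```

With the page's scenario, a nodeset naming a node beyond the bitmap size now fails the parse with -1 rather than touching memory outside the array.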