A flaw was found in the RPC library APIs of libvirt. The RPC server de-serialization code allocates memory for arrays before the non-negative length check is performed by the C API entry points. Passing a negative length to the g_new0 function results in a crash due to the negative length being treated as a huge positive number. A local unprivileged user could use this flaw to perform a denial of service attack by causing the libvirt daemon to crash.
Created libvirt tracking bugs for this issue: Affects: fedora-all [bug 2270649]
Upstream patch: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/BKRQXPLPC6B7FLHJXSBQYW7HNDEBW6RJ/
Upstream merged fix is commit 8a3f8d957507c1f8223fdcf25a3ff885b15557f2
Author: Daniel P. Berrangé <berrange>
Date: Fri Mar 15 10:47:50 2024 +0000

    remote: check for negative array lengths before allocation

    While the C API entry points will validate non-negative lengths for various parameters, the RPC server de-serialization code will need to allocate memory for arrays before entering the C API. These allocations will thus happen before the non-negative length check is performed.

    Passing a negative length to the g_new0 function will usually result in a crash due to the negative length being treated as a huge positive number.

    This was found and diagnosed by ALT Linux Team with AFLplusplus.

    CVE-2024-2494

    Reviewed-by: Michal Privoznik <mprivozn>
    Found-by: Alexandr Shashkin <dutyrok>
    Co-developed-by: Alexander Kuznetsov <kuznetsovam>
    Signed-off-by: Daniel P. Berrangé <berrange>
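As an added illustration (not libvirt's code and not the upstream patch itself), the C below models the ordering the commit message describes: an XDR-style signed length is decoded from a constructed message and rejected when negative or oversized before any array is allocated, and `length_as_alloc_count` shows why an unchecked negative length turns into a huge unsigned element count when handed to an allocator such as g_new0. The message layout, the `max_params` limit and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
/* Constructed wire messages (XDR-style: 4-byte big-endian signed length,
 * then that many 4-byte big-endian signed values). Not libvirt's real
 * protocol; this layout is an assumption made for illustration. */
static const unsigned char GOOD_MSG[] = {0,0,0,2, 0,0,0,7, 0,0,0,9}; /* len 2 */
static const unsigned char BAD_MSG[]  = {0xff,0xff,0xff,0xff};         /* len -1 */

static int32_t xdr_get_int(const unsigned char *p) {
    uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return (int32_t)v;
}

/* What a signed length becomes once handed to an allocator that takes an
 * unsigned element count, as g_new0's gsize count does: -1 turns into SIZE_MAX. */
size_t length_as_alloc_count(int32_t n) {
    return (size_t)n;
}

/* Decode a parameter array into a freshly allocated buffer.
 * Returns the element count, or -1 for malformed input (then *out is NULL).
 * The negative/oversized length check runs BEFORE any allocation, which is
 * the ordering the upstream fix establishes in the RPC deserialiser. */
int decode_params(const unsigned char *msg, size_t msglen,
                  int32_t max_params, int32_t **out) {
    *out = NULL;
    if (msglen < 4)
        return -1;
    int32_t n = xdr_get_int(msg);
    if (n < 0 || n > max_params)          /* reject before allocating */
        return -1;
    if (msglen - 4 < (size_t)n * 4)       /* body must carry n values */
        return -1;
    int32_t *arr = calloc((size_t)n, sizeof(*arr));
    if (n > 0 && !arr)
        return -1;
    for (int32_t i = 0; i < n; i++)
        arr[i] = xdr_get_int(msg + 4 + (size_t)i * 4);
    *out = arr;
    return n;
}

/* Decode one message with a limit of 16 params, free the array, return n. */
int decode_sample(const unsigned char *msg, size_t msglen) {
    int32_t *arr = NULL;
    int n = decode_params(msg, msglen, 16, &arr);
    free(arr);
    return n;
}
```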
(In reply to Mauro Matteo Cascella from comment #3)
> Upstream patch:
> https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/BKRQXPLPC6B7FLHJXSBQYW7HNDEBW6RJ/

What was the nature and impact of the fix implemented in commit 8a3f8d957507c1f8223fdcf25a3ff885b15557f2, authored by Daniel P. Berrangé, regarding remote allocation and negative array lengths in the codebase?