Bug 437086
| Summary: | xen: buffer overflow detected: qcow-create terminated | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | xen | Assignee: | Daniel Berrangé <berrange> |
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 5.2 | CC: | berrange, clalance, gozen, james.brown, jplans, kreilly, sputhenp, tao, xen-maint, yunfeng.zhao |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-01-20 21:11:34 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 437087, 437088 | | |
| Bug Blocks: | 391501, 448899, 449772, 454651 | | |
| Attachments: | | | |

Description
Jan Lieskovsky
2008-03-12 11:03:19 UTC
Closing this one -- when the local, unprivileged user does not even have a chance to create a malicious virt machine image (improper input file detected by "glibc"), and provide it to the root to run it in order to force the whole kernel-xen crash, it seems there is no way this one could be misused. (But the clones are still worth fixing in the particular rhel-5 xen packages).

Have closed the clones, reopened this one (this is the proper handling of such cases).

*** Bug 251330 has been marked as a duplicate of this bug. ***

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.

Ok, I finally understand why this is happening and why the upstream patch fixes it. The 'realpath()' method specification mandates that the second argument be exactly PATH_MAX in size. The qcow code was only giving it a 1024 byte array, and even though the path in question would fit in this, the GLibC FORTIFY_SOURCE checks were flagging the fact that the 2nd arg was not large enough to comply with spec and thus aborting. So, approve for 5.3 and 5.2.x z-stream if desired.

Created attachment 311361
Fix buflens for args to realpath()

Built into xen-3.0.3-67.el5

Correction, xen-3.0.3-68.el5

Good news! I'll set the resolution code on the IT ticket to RHEL 5.3.
Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 5.3'
This event sent from IssueTracker by gcase
issue 170675

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0118.html
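
The buffer-size rule from the analysis above, as an added example that is not part of this bug report or of the attached xen patch: the undersized call appears only as a comment, next to two forms that pass the glibc FORTIFY_SOURCE check. The helper names `resolve_fixed` and `resolve_alloc` are hypothetical, and the default input path is constructed.

```c
/* Added illustration; helper names are hypothetical, not from the xen tree. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Pattern described in the report, kept as a comment so this file never aborts:
 *     char resolved[1024];
 *     realpath(path, resolved);
 * Built with _FORTIFY_SOURCE, glibc sees a destination smaller than PATH_MAX
 * and aborts with "buffer overflow detected", even if the result would fit.
 */

/* Form 1: resolve into a PATH_MAX-sized buffer, then copy out with a check. */
int resolve_fixed(const char *path, char *out, size_t outlen)
{
    char resolved[PATH_MAX];
    size_t n;

    if (realpath(path, resolved) == NULL)
        return -errno;              /* e.g. -ENOENT for a missing component */
    n = strlen(resolved);
    if (n >= outlen)
        return -ENAMETOOLONG;       /* caller's buffer cannot hold result + NUL */
    memcpy(out, resolved, n + 1);
    return 0;
}

/* Form 2: POSIX.1-2008 lets realpath() allocate the result; caller frees it. */
char *resolve_alloc(const char *path)
{
    return realpath(path, NULL);
}

int main(int argc, char **argv)
{
    char out[PATH_MAX];
    const char *path = argc > 1 ? argv[1] : "/";   /* constructed default input */
    int rc = resolve_fixed(path, out, sizeof out);

    if (rc != 0) {
        fprintf(stderr, "realpath(%s): %s\n", path, strerror(-rc));
        return 1;
    }
    printf("%s\n", out);
    return 0;
}
```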