Description of problem:
The following bug has been reported to the upstream Xen bug tracker: qcow-create fails, printing '*** buffer overflow detected ***' with a backtrace.

Version applicable:
Successfully reproduced on latest rhel-5 xen (xen-3.0.3-41.el5).

How reproducible:
Always

Steps to reproduce:
1. dd if=/dev/zero of=backing.store.img bs=1M count=10
2. mke2fs -j backing.store.img
3. qcow-create 10 qcow.img backing.store.img

Actual results:
Buffer overflow experienced and qcow-create terminated.

Expected results:
Successful qcow image creation, or an error message: "Improper format of input file".

Link to Xen upstream bug tracker: http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1077
Link to proposed patch: http://bugzilla.xensource.com/bugzilla/attachment.cgi?id=679
Closing this one -- when the local, unprivileged user has no chance even to create a malicious virtual machine image (improper input file detected by "glibc") and provide it to root to run in order to force the whole kernel-xen to crash, there seems to be no way this one could be misused. (But the clones are still worth fixing in the particular rhel-5 xen packages.)
Have closed the clones, reopened this one (this is the proper handling of such cases).
*** Bug 251330 has been marked as a duplicate of this bug. ***
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Ok, I finally understand why this is happening and why the upstream patch fixes it. The 'realpath()' method specification mandates that the second argument be exactly PATH_MAX in size. The qcow code was only giving it a 1024 byte array, and even though the path in question would fit in this, the GLibC FORTIFY_SOURCE checks were flagging the fact that the 2nd arg was not large enough to comply with spec and thus aborting. So, approve for 5.3 and 5.2.x z-stream if desired.
Created attachment 311361 [details] Fix buflens for args to realpath()
Built into xen-3.0.3-67.el5
Correction, xen-3.0.3-68.el5
Good news! I'll set the resolution code on the IT ticket to RHEL 5.3.
Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 5.3'
This event sent from IssueTracker by gcase, issue 170675
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-0118.html