Bug 504774 - off-by-1 buffer overflow in get_uuid_string() methods
off-by-1 buffer overflow in get_uuid_string() methods
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: perl-Sys-Virt (Show other bugs)
5.4
All Linux
low Severity medium
: rc
: ---
Assigned To: Daniel Berrange
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-06-09 06:43 EDT by Daniel Berrange
Modified: 2009-09-02 05:49 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-02 05:49:59 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Daniel Berrange 2009-06-09 06:43:16 EDT
Description of problem:
The C/XS implementation of the get_uuid_string() methods uses a fixed size buffer for the printable UUID that is one byte too small. This means the trailing NULL terminator overflows the buffer. If you are unlucky this can cause the Perl process to crash.

The fix is trivial and upstream

  http://libvirt.org/hg/libvirt-perl/rev/e0e8feb3350d

Version-Release number of selected component (if applicable):
0.2.0

How reproducible:
Sometimes

Steps to Reproduce:
1. Run a Perl programm calling get_uuid_string() in the Sys::Virt API
2.
3.
  
Actual results:
Sometimes it may crash

Expected results:
Never crashes

Additional info:
Comment 5 Daniel Berrange 2009-07-15 12:19:22 EDT
Built in perl-Sys-Virt-0.2.0-4.el5
Comment 8 Gunannan Ren 2009-07-28 04:57:11 EDT
I wrote a script to verify the bug, no error occurred based on the perl-Sys-Virt-0.2.0-4.el5 version

the scripts is follow:

#!/usr/bin/perl

use strict;
use warnings;
use Sys::Virt;

my $addr = "xen:///";
my $con = Sys::Virt->new(address => $addr, readonly => 1);

print "VMM type: ", $con->get_type(), "\n";

foreach ($con->list_domains) {
    print "Domain name :", $_->get_name(), "\n";
    my $count = 1000;
    my $num = 1;
    while ($count) {
        print "Get UUID count $num:", $_->get_uuid_string(), "\n";
        $count = $count - 1;
        $num = $num + 1;
    }
}
Comment 9 Daniel Berrange 2009-07-28 05:04:17 EDT
Since this is only a off-by-1 buffer overflow you have to be very unlucky for it to actually cause trouble. If there's even 1 byte of padding, or harmless data on the stack next to the uuid array it wouldn't cause a crash. I've never reproduced a crash myself, but it does crash on SUSE. By inspection the existing code is clearly wrong, so whether we can reproduce the problem or not is pretty irrelevant. The fix is neccessary.
Comment 10 Lawrence Lim 2009-07-30 02:55:06 EDT
llim->berrange: are we good to move the bug to verified based on comment #8, since its hard to reproduce?
Comment 11 Daniel Berrange 2009-07-30 05:42:58 EDT
Yeah, i think its fine to move it to verified.
Comment 14 errata-xmlrpc 2009-09-02 05:49:59 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1302.html

Note You need to log in before you can comment on or make changes to this bug.