Description of problem: The C/XS implementation of the get_uuid_string() methods uses a fixed size buffer for the printable UUID that is one byte too small. This means the trailing NULL terminator overflows the buffer. If you are unlucky this can cause the Perl process to crash. The fix is trivial and upstream http://libvirt.org/hg/libvirt-perl/rev/e0e8feb3350d Version-Release number of selected component (if applicable): 0.2.0 How reproducible: Sometimes Steps to Reproduce: 1. Run a Perl programm calling get_uuid_string() in the Sys::Virt API 2. 3. Actual results: Sometimes it may crash Expected results: Never crashes Additional info:
Built in perl-Sys-Virt-0.2.0-4.el5
I wrote a script to verify the bug, no error occurred based on the perl-Sys-Virt-0.2.0-4.el5 version the scripts is follow: #!/usr/bin/perl use strict; use warnings; use Sys::Virt; my $addr = "xen:///"; my $con = Sys::Virt->new(address => $addr, readonly => 1); print "VMM type: ", $con->get_type(), "\n"; foreach ($con->list_domains) { print "Domain name :", $_->get_name(), "\n"; my $count = 1000; my $num = 1; while ($count) { print "Get UUID count $num:", $_->get_uuid_string(), "\n"; $count = $count - 1; $num = $num + 1; } }
Since this is only a off-by-1 buffer overflow you have to be very unlucky for it to actually cause trouble. If there's even 1 byte of padding, or harmless data on the stack next to the uuid array it wouldn't cause a crash. I've never reproduced a crash myself, but it does crash on SUSE. By inspection the existing code is clearly wrong, so whether we can reproduce the problem or not is pretty irrelevant. The fix is neccessary.
llim->berrange: are we good to move the bug to verified based on comment #8, since its hard to reproduce?
Yeah, i think its fine to move it to verified.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-1302.html