Fix off-by-one error in udevListInterfacesByStatus

Ever since this function was introduced in 2012 it could've tried
filling in an extra interface name.  That was made worse in 2019 when
the caller functions started accepting NULL arrays of size 0.

This is assigned CVE-2024-1441.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reported-by: Alexander Kuznetsov <kuznetsovam@altlinux.org>
Fixes: 5a33366f5c
Fixes: d6064e2759
Reviewed-by: Ján Tomko <jtomko@redhat.com>
This commit is contained in:
Martin Kletzander 2024-02-27 16:20:12 +01:00 committed by Jiri Denemark
parent 3584ed4c21
commit c664015fe3
2 changed files with 16 additions and 1 deletions

View File

@ -13,6 +13,21 @@ v10.1.0 (unreleased)
* **Security** * **Security**
* ``CVE-2024-1441``: Fix off-by-one error leading to a crash
In **libvirt-1.0.0** there were couple of interface listing APIs
introduced which had an off-by-one error. That error could lead to a
very rare crash if an array was passed to those functions which did
not fit all the interfaces.
In **libvirt-5.10** a check for non-NULL arrays has been adjusted to
allow for NULL arrays with size 0 instead of rejecting all NULL
arrays. However that made the above issue significantly worse since
that off-by-one error now did not write beyond an array, but
dereferenced said NULL pointer making the crash certain in a
specific scenario in which a NULL array of size 0 was passed to the
aforementioned functions.
* **Removed features** * **Removed features**
* **New features** * **New features**

View File

@ -222,7 +222,7 @@ udevListInterfacesByStatus(virConnectPtr conn,
g_autoptr(virInterfaceDef) def = NULL; g_autoptr(virInterfaceDef) def = NULL;
/* Ensure we won't exceed the size of our array */ /* Ensure we won't exceed the size of our array */
if (count > names_len) if (count >= names_len)
break; break;
path = udev_list_entry_get_name(dev_entry); path = udev_list_entry_get_name(dev_entry);