External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-01-09 14:35:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add bounds checking on virDomainMigrate*Params RPC calls (CVE-2013-4292)

Browse Source 
The parameters for the virDomainMigrate*Params RPC calls were
not bounds checks, meaning a malicious client can cause libvirtd
to consume arbitrary memory

This issue was introduced in the 1.1.0 release of libvirt

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit fd6f6a4861)
This commit is contained in:
Daniel P. Berrange 2013-08-19 14:55:21 +01:00
parent 02340c7f67
commit dfae2d6208
3 changed files with 93 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
daemon/remote.c
View File

@ -4620,6 +4620,13 @@ remoteDispatchDomainMigrateBegin3Params(
goto cleanup; goto cleanup;
} }
if (args->params.params_len > REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX) {
virReportError(VIR_ERR_RPC,
_("Too many migration parameters '%d' for limit '%d'"),
args->params.params_len, REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX);
goto cleanup;
}
if (!(dom = get_nonnull_domain(priv->conn, args->dom))) if (!(dom = get_nonnull_domain(priv->conn, args->dom)))
goto cleanup; goto cleanup;
@ -4671,6 +4678,13 @@ remoteDispatchDomainMigratePrepare3Params(
goto cleanup; goto cleanup;
} }
if (args->params.params_len > REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX) {
virReportError(VIR_ERR_RPC,
_("Too many migration parameters '%d' for limit '%d'"),
args->params.params_len, REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX);
goto cleanup;
}
if (!(params = remoteDeserializeTypedParameters(args->params.params_val, if (!(params = remoteDeserializeTypedParameters(args->params.params_val,
args->params.params_len, args->params.params_len,
0, &nparams))) 0, &nparams)))
@ -4726,6 +4740,13 @@ remoteDispatchDomainMigratePrepareTunnel3Params(
goto cleanup; goto cleanup;
} }
if (args->params.params_len > REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX) {
virReportError(VIR_ERR_RPC,
_("Too many migration parameters '%d' for limit '%d'"),
args->params.params_len, REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX);
goto cleanup;
}
if (!(params = remoteDeserializeTypedParameters(args->params.params_val, if (!(params = remoteDeserializeTypedParameters(args->params.params_val,
args->params.params_len, args->params.params_len,
0, &nparams))) 0, &nparams)))
@ -4790,6 +4811,13 @@ remoteDispatchDomainMigratePerform3Params(
goto cleanup; goto cleanup;
} }
if (args->params.params_len > REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX) {
virReportError(VIR_ERR_RPC,
_("Too many migration parameters '%d' for limit '%d'"),
args->params.params_len, REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX);
goto cleanup;
}
if (!(dom = get_nonnull_domain(priv->conn, args->dom))) if (!(dom = get_nonnull_domain(priv->conn, args->dom)))
goto cleanup; goto cleanup;
@ -4845,6 +4873,13 @@ remoteDispatchDomainMigrateFinish3Params(
goto cleanup; goto cleanup;
} }
if (args->params.params_len > REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX) {
virReportError(VIR_ERR_RPC,
_("Too many migration parameters '%d' for limit '%d'"),
args->params.params_len, REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX);
goto cleanup;
}
if (!(params = remoteDeserializeTypedParameters(args->params.params_val, if (!(params = remoteDeserializeTypedParameters(args->params.params_val,
args->params.params_len, args->params.params_len,
0, &nparams))) 0, &nparams)))
@ -4897,6 +4932,13 @@ remoteDispatchDomainMigrateConfirm3Params(
goto cleanup; goto cleanup;
} }
if (args->params.params_len > REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX) {
virReportError(VIR_ERR_RPC,
_("Too many migration parameters '%d' for limit '%d'"),
args->params.params_len, REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX);
goto cleanup;
}
if (!(dom = get_nonnull_domain(priv->conn, args->dom))) if (!(dom = get_nonnull_domain(priv->conn, args->dom)))
goto cleanup; goto cleanup;

42
src/remote/remote_driver.c
View File

@ -6037,6 +6037,13 @@ remoteDomainMigrateBegin3Params(virDomainPtr domain,
make_nonnull_domain(&args.dom, domain); make_nonnull_domain(&args.dom, domain);
args.flags = flags; args.flags = flags;
if (nparams > REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX) {
virReportError(VIR_ERR_RPC,
_("Too many migration parameters '%d' for limit '%d'"),
nparams, REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX);
goto cleanup;
}
if (remoteSerializeTypedParameters(params, nparams, if (remoteSerializeTypedParameters(params, nparams,
&args.params.params_val, &args.params.params_val,
&args.params.params_len) < 0) { &args.params.params_len) < 0) {
@ -6096,6 +6103,13 @@ remoteDomainMigratePrepare3Params(virConnectPtr dconn,
memset(&args, 0, sizeof(args)); memset(&args, 0, sizeof(args));
memset(&ret, 0, sizeof(ret)); memset(&ret, 0, sizeof(ret));
if (nparams > REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX) {
virReportError(VIR_ERR_RPC,
_("Too many migration parameters '%d' for limit '%d'"),
nparams, REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX);
goto cleanup;
}
if (remoteSerializeTypedParameters(params, nparams, if (remoteSerializeTypedParameters(params, nparams,
&args.params.params_val, &args.params.params_val,
&args.params.params_len) < 0) { &args.params.params_len) < 0) {
@ -6171,6 +6185,13 @@ remoteDomainMigratePrepareTunnel3Params(virConnectPtr dconn,
memset(&args, 0, sizeof(args)); memset(&args, 0, sizeof(args));
memset(&ret, 0, sizeof(ret)); memset(&ret, 0, sizeof(ret));
if (nparams > REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX) {
virReportError(VIR_ERR_RPC,
_("Too many migration parameters '%d' for limit '%d'"),
nparams, REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX);
goto cleanup;
}
args.cookie_in.cookie_in_val = (char *)cookiein; args.cookie_in.cookie_in_val = (char *)cookiein;
args.cookie_in.cookie_in_len = cookieinlen; args.cookie_in.cookie_in_len = cookieinlen;
args.flags = flags; args.flags = flags;
@ -6250,6 +6271,13 @@ remoteDomainMigratePerform3Params(virDomainPtr dom,
memset(&args, 0, sizeof(args)); memset(&args, 0, sizeof(args));
memset(&ret, 0, sizeof(ret)); memset(&ret, 0, sizeof(ret));
if (nparams > REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX) {
virReportError(VIR_ERR_RPC,
_("Too many migration parameters '%d' for limit '%d'"),
nparams, REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX);
goto cleanup;
}
make_nonnull_domain(&args.dom, dom); make_nonnull_domain(&args.dom, dom);
args.dconnuri = dconnuri == NULL ? NULL : (char **) &dconnuri; args.dconnuri = dconnuri == NULL ? NULL : (char **) &dconnuri;
args.cookie_in.cookie_in_val = (char *)cookiein; args.cookie_in.cookie_in_val = (char *)cookiein;
@ -6315,6 +6343,13 @@ remoteDomainMigrateFinish3Params(virConnectPtr dconn,
memset(&args, 0, sizeof(args)); memset(&args, 0, sizeof(args));
memset(&ret, 0, sizeof(ret)); memset(&ret, 0, sizeof(ret));
if (nparams > REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX) {
virReportError(VIR_ERR_RPC,
_("Too many migration parameters '%d' for limit '%d'"),
nparams, REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX);
goto cleanup;
}
args.cookie_in.cookie_in_val = (char *)cookiein; args.cookie_in.cookie_in_val = (char *)cookiein;
args.cookie_in.cookie_in_len = cookieinlen; args.cookie_in.cookie_in_len = cookieinlen;
args.flags = flags; args.flags = flags;
@ -6380,6 +6415,13 @@ remoteDomainMigrateConfirm3Params(virDomainPtr domain,
memset(&args, 0, sizeof(args)); memset(&args, 0, sizeof(args));
if (nparams > REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX) {
virReportError(VIR_ERR_RPC,
_("Too many migration parameters '%d' for limit '%d'"),
nparams, REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX);
goto cleanup;
}
make_nonnull_domain(&args.dom, domain); make_nonnull_domain(&args.dom, domain);
args.cookie_in.cookie_in_len = cookieinlen; args.cookie_in.cookie_in_len = cookieinlen;
args.cookie_in.cookie_in_val = (char *) cookiein; args.cookie_in.cookie_in_val = (char *) cookiein;

15
src/remote/remote_protocol.x
View File

@ -234,6 +234,9 @@ const REMOTE_DOMAIN_DISK_ERRORS_MAX = 256;
*/ */
const REMOTE_NODE_MEMORY_PARAMETERS_MAX = 64; const REMOTE_NODE_MEMORY_PARAMETERS_MAX = 64;
/* Upper limit on migrate parameters */
const REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX = 64;
/* UUID. VIR_UUID_BUFLEN definition comes from libvirt.h */ /* UUID. VIR_UUID_BUFLEN definition comes from libvirt.h */
typedef opaque remote_uuid[VIR_UUID_BUFLEN]; typedef opaque remote_uuid[VIR_UUID_BUFLEN];
@ -2770,7 +2773,7 @@ struct remote_domain_fstrim_args {
struct remote_domain_migrate_begin3_params_args { struct remote_domain_migrate_begin3_params_args {
remote_nonnull_domain dom; remote_nonnull_domain dom;
remote_typed_param params<>; remote_typed_param params<REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX>;
unsigned int flags; unsigned int flags;
}; };
@ -2780,7 +2783,7 @@ struct remote_domain_migrate_begin3_params_ret {
}; };
struct remote_domain_migrate_prepare3_params_args { struct remote_domain_migrate_prepare3_params_args {
remote_typed_param params<>; remote_typed_param params<REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX>;
opaque cookie_in<REMOTE_MIGRATE_COOKIE_MAX>; opaque cookie_in<REMOTE_MIGRATE_COOKIE_MAX>;
unsigned int flags; unsigned int flags;
}; };
@ -2791,7 +2794,7 @@ struct remote_domain_migrate_prepare3_params_ret {
}; };
struct remote_domain_migrate_prepare_tunnel3_params_args { struct remote_domain_migrate_prepare_tunnel3_params_args {
remote_typed_param params<>; remote_typed_param params<REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX>;
opaque cookie_in<REMOTE_MIGRATE_COOKIE_MAX>; opaque cookie_in<REMOTE_MIGRATE_COOKIE_MAX>;
unsigned int flags; unsigned int flags;
}; };
@ -2803,7 +2806,7 @@ struct remote_domain_migrate_prepare_tunnel3_params_ret {
struct remote_domain_migrate_perform3_params_args { struct remote_domain_migrate_perform3_params_args {
remote_nonnull_domain dom; remote_nonnull_domain dom;
remote_string dconnuri; remote_string dconnuri;
remote_typed_param params<>; remote_typed_param params<REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX>;
opaque cookie_in<REMOTE_MIGRATE_COOKIE_MAX>; opaque cookie_in<REMOTE_MIGRATE_COOKIE_MAX>;
unsigned int flags; unsigned int flags;
}; };
@ -2813,7 +2816,7 @@ struct remote_domain_migrate_perform3_params_ret {
}; };
struct remote_domain_migrate_finish3_params_args { struct remote_domain_migrate_finish3_params_args {
remote_typed_param params<>; remote_typed_param params<REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX>;
opaque cookie_in<REMOTE_MIGRATE_COOKIE_MAX>; opaque cookie_in<REMOTE_MIGRATE_COOKIE_MAX>;
unsigned int flags; unsigned int flags;
int cancelled; int cancelled;
@ -2826,7 +2829,7 @@ struct remote_domain_migrate_finish3_params_ret {
struct remote_domain_migrate_confirm3_params_args { struct remote_domain_migrate_confirm3_params_args {
remote_nonnull_domain dom; remote_nonnull_domain dom;
remote_typed_param params<>; remote_typed_param params<REMOTE_DOMAIN_MIGRATE_PARAM_LIST_MAX>;
opaque cookie_in<REMOTE_MIGRATE_COOKIE_MAX>; opaque cookie_in<REMOTE_MIGRATE_COOKIE_MAX>;
unsigned int flags; unsigned int flags;
int cancelled; int cancelled;