Re: [Libguestfs] [libguestfs PATCH 1/3] docs/guestfs-security: document CVE-2022-2211

On Tue, Jun 28, 2022 at 01:54:16PM +0200, Laszlo Ersek wrote: > Short log for the common submodule, commit range > f8de5508fe75..35b49ce142fb: > > Laszlo Ersek (2): > mlcustomize: factor out pkg install/update/uninstall from guestfs-tools > options: fix buffer overflow in get_keys() [CVE-2022-2211] > > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453 > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2100862 > Signed-off-by: Laszlo Ersek <lersek(a)redhat.com&gt; > --- > > Notes: > "Commit 35b49ce142fb" needs to updated here, in both the submodule > checkout and the commit message, once the libguestfs-common series is > merged. > > common | 2 +- > docs/guestfs-security.pod | 28 ++++++++++++++++++++ > 2 files changed, 29 insertions(+), 1 deletion(-) > > diff --git a/common b/common > index f8de5508fe75..35b49ce142fb 160000 > --- a/common > +++ b/common > @@ -1 +1 @@ > -Subproject commit f8de5508fe755acca99c9ab40c501d6c3e2bcb1e > +Subproject commit 35b49ce142fb906bcf91edc6a6718d28c8fca9e3 > diff --git a/docs/guestfs-security.pod b/docs/guestfs-security.pod > index 9ceef5623370..efa35b29d301 100644 > --- a/docs/guestfs-security.pod > +++ b/docs/guestfs-security.pod > @@ -404,10 +404,38 @@ S<C<guestfs_set_network (g, 1)>> (which is not the default). > The libvirt backend is not affected. > > The solution is to update qemu to a version containing the fix (see > L<https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html>). > > +=head2 CVE-2022-2211 > + > +L<https://bugzilla.redhat.com/CVE-2022-2211> > + > +The C<get_keys> function in F<libguestfs-common/options/keys.c> collects > +those I<--key> options from the command line into a new array that match > +a particular block device that's being decrypted for inspection. The > +function intends to size the result array such that potentially all > +I<--key> options, plus a terminating C<NULL> element, fit into it. The > +code mistakenly uses the C<MIN> macro instead of C<MAX>, and therefore > +only one element is allocated before the C<NULL> terminator. > + > +Passing precisely two I<--key ID:...> options on the command line for > +the encrypted block device C<ID> causes C<get_keys> to overwrite the > +terminating C<NULL>, leading to an out-of-bounds read in > +C<decrypt_mountables>, file F<libguestfs-common/options/decrypt.c>. > + > +Passing more than two I<--key ID:...> options on the command line for > +the encrypted block device C<ID> causes C<get_keys> itself to perform > +out-of-bounds writes. The most common symptom is a crash with C<SIGSEGV> > +later on. > + > +This issue affects -- broadly speaking -- all libguestfs-based utilities > +that accept I<--key>, namely: C<guestfish>, C<guestmount>, C<virt-cat>, > +C<virt-customize>, C<virt-diff>, C<virt-edit>, C<virt-get-kernel>, > +C<virt-inspector>, C<virt-log>, C<virt-ls>, C<virt-sparsify>, > +C<virt-sysprep>, C<virt-tail>, C<virt-v2v>. > + > =head1 SEE ALSO Reviewed-by: Richard W.M. Jones <rjones(a)redhat.com&gt;