11:06 a.m.
There's a denial of service attack possible from guests on any program
that does inspection (eg. virt-inspector, many other virt-* tools,
virt-v2v, OpenStack).
The attack causes the host process to crash because of a double free.
It's probably not exploitable (definitely not on Fedora because of the
default memory hardening settings).
This patch contains the fix and a reproducer:
https://github.com/libguestfs/libguestfs/commit/fa6a76050d82894365dfe3291...
This affects libguestfs >= 1.21.6 and libguestfs 1.22.0 and 1.23.0.
I will include the fix in libguestfs >= 1.22.1 and >= 1.23.1.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
11:27 a.m.
On Tue, May 28, 2013 at 05:06:45PM +0100, Richard W.M. Jones wrote:
There's a denial of service attack possible from guests on any program
that does inspection (eg. virt-inspector, many other virt-* tools,
virt-v2v, OpenStack).
The attack causes the host process to crash because of a double free.
It's probably not exploitable (definitely not on Fedora because of the
default memory hardening settings).
This patch contains the fix and a reproducer:
https://github.com/libguestfs/libguestfs/commit/fa6a76050d82894365dfe3291...
This affects libguestfs >= 1.21.6 and libguestfs 1.22.0 and 1.23.0.
I will include the fix in libguestfs >= 1.22.1 and >= 1.23.1.
Actually this also affects the libguestfs 1.20 branch because
I managed to backport the original bug there. Go me.
I will fix this in libguestfs >= 1.20.7.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org
1:04 p.m.
New subject: CVE-2013-2124 (was: Re: ATTN: Denial of service attack possible on libguestfs)
This issue has been assigned CVE-2013-2124.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming blog: http://rwmj.wordpress.com
Fedora now supports 80 OCaml packages (the OPEN alternative to F#)
5:54 a.m.
New subject: CVE-2013-2124 (was: Re: ATTN: Denial of service attack possible on libguestfs)
The complete fix for CVE-2013-2124 requires:
https://github.com/libguestfs/libguestfs/commit/fa6a76050d82894365dfe3291...
https://github.com/libguestfs/libguestfs/commit/ae8bb84ecd46d7b6ef557a877...
https://github.com/libguestfs/libguestfs/commit/1c9dfd079aa6d7893f72c5fd1...
It will be fixed upstream in:
= 1.20.8
= 1.22.2
= 1.23.2
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
6:03 p.m.
On Tue, May 28, Richard W.M. Jones wrote:
There's a denial of service attack possible from guests on any program
that does inspection (eg. virt-inspector, many other virt-* tools,
virt-v2v, OpenStack).
The attack causes the host process to crash because of a double free.
It's probably not exploitable (definitely not on Fedora because of the
default memory hardening settings).
This patch contains the fix and a reproducer:
https://github.com/libguestfs/libguestfs/commit/fa6a76050d82894365dfe3291...
This is appearently incomplete, bt from a 1.20.4:
head -n 10
libguestfs: recv_from_daemon: 44 bytes: 20 00 f5 f5 | 00 00 00 04 | 00 00 00 7a | 00 00 00
01 | 00 12 34 24 | ...
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff69deae2 in __strlen_sse2 () from /lib64/libc.so.6
(gdb) bt
#0 0x00007ffff69deae2 in __strlen_sse2 () from /lib64/libc.so.6
#1 0x00007ffff69de7e6 in strdup () from /lib64/libc.so.6
#2 0x00007ffff7b7936c in guestfs___safe_strdup (g=0x65da50, str=0x0) at alloc.c:96
#3 0x00007ffff7b8b65e in parse_suse_release (filename=<optimized out>,
fs=<optimized out>, g=<optimized out>) at inspect-fs-unix.c:343
#4 guestfs___check_linux_root (g=0x65da50, fs=0x6665b0) at inspect-fs-unix.c:560
#5 0x00007ffff7b88522 in check_filesystem (is_partnum=<optimized out>,
is_block=<optimized out>, device=<optimized out>, g=<optimized out>) at
inspect-fs.c:238
#6 guestfs___check_for_filesystem_on (g=0x65da50, device=0x617930 "/dev/sda2",
is_block=0, is_partnum=2) at inspect-fs.c:152
#7 0x00007ffff7b86980 in guestfs__inspect_os (g=0x65da50) at inspect.c:86
#8 0x00007ffff7b1c91b in guestfs_inspect_os (g=0x65da50) at actions-1.c:397
#9 0x0000000000406ba9 in main (argc=3, argv=<optimized out>) at
virt-inspector.c:273
Looks like parse_lsb_release and parse_suse_release needs a similar
change. I will test a patch.
Olaf
2:35 a.m.
On Fri, May 31, 2013 at 01:03:24AM +0200, Olaf Hering wrote:
#2 0x00007ffff7b7936c in guestfs___safe_strdup (g=0x65da50, str=0x0)
at alloc.c:96
#3 0x00007ffff7b8b65e in parse_suse_release (filename=<optimized out>,
fs=<optimized out>, g=<optimized out>) at inspect-fs-unix.c:343
This is a different problem:
lines = guestfs_head_n (g, 10, filename);
if (lines == NULL)
return -1;
/* First line is dist release name */
fs->product_name = safe_strdup (g, lines[0]); <<<---
if (fs->product_name == NULL)
goto out;
The code doesn't check that lines[0] != NULL.
I don't see a problem in parse_lsb_release however. Do you have a
stack trace from that?
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
2:39 a.m.
This should fix it I think.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
8:11 a.m.
On Fri, May 31, 2013 at 08:39:08AM +0100, Richard W.M. Jones wrote:
+ if (lines[0] != NULL)
+ goto out;
+
This actually managed to introduce (another) bug because the
test is the wrong way around :-(
Fixed upstream.
On the up side, I've started to perform fuzz testing of the inspection
code, and it was in fact this fuzz testing which found this new bug,
and would have found the old bug as well.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
4189
days inactive
4195
days old
8 comments
2 participants
participants (2)
-
Olaf Hering -
Richard W.M. Jones