From 5e5d757a039a60cba5ac89fe1998673c49a2d0b6 Mon Sep 17 00:00:00 2001
Message-Id: <5e5d757a039a60cba5ac89fe1998673c49a2d0b6@dist-git>
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Tue, 16 Jan 2018 17:00:11 +0000
Subject: [PATCH] qemu: avoid denial of service reading from QEMU monitor
 (CVE-2018-5748)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We read from QEMU until seeing a \r\n pair to indicate a completed reply
or event. To avoid memory denial-of-service though, we must have a size
limit on amount of data we buffer. 10 MB is large enough that it ought
to cope with normal QEMU replies, and small enough that we're not
consuming unreasonable mem.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit bc251ea91bcfddd2622fce6bce701a438b2e7276)
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
---
 src/qemu/qemu_monitor.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
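diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
index b6af209a83..d999f2d10c 100644
--- a/src/qemu/qemu_monitor.c
+++ b/src/qemu/qemu_monitor.c
@@ -55,6 +55,15 @@ VIR_LOG_INIT("qemu.qemu_monitor");
 #define DEBUG_IO 0
 #define DEBUG_RAW_IO 0
 
+/* We read from QEMU until seeing a \r\n pair to indicate a
+ * completed reply or event. To avoid memory denial-of-service
+ * though, we must have a size limit on amount of data we
+ * buffer. 10 MB is large enough that it ought to cope with
+ * normal QEMU replies, and small enough that we're not
+ * consuming unreasonable mem.
+ */
+#define QEMU_MONITOR_MAX_RESPONSE (10 * 1024 * 1024)
+
 struct _qemuMonitor {
     virObjectLockable parent;
 
@@ -574,6 +583,12 @@ qemuMonitorIORead(qemuMonitorPtr mon)
     int ret = 0;
 
     if (avail < 1024) {
+        if (mon->bufferLength >= QEMU_MONITOR_MAX_RESPONSE) {
+            virReportSystemError(ERANGE,
+                                 _("No complete monitor response found in %d bytes"),
+                                 QEMU_MONITOR_MAX_RESPONSE);
+            return -1;
+        }
         if (VIR_REALLOC_N(mon->buffer,
                           mon->bufferLength + 1024) < 0)
             return -1;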
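Review bot: The new cap check at the top of the `avail < 1024` branch in qemuMonitorIORead compares `mon->bufferLength` (which, judging by the `VIR_REALLOC_N(mon->buffer, mon->bufferLength + 1024)` right below it, is the allocated size rather than the bytes actually held) against `QEMU_MONITOR_MAX_RESPONSE`, so a reply is refused only at the moment the buffer would have to grow beyond the limit, and nothing at the check site says why it is tied to the grow path. I would add `/* Never grow past the cap: an unterminated reply is reported as an error rather than buffered indefinitely */` above the `if` so the guard is not later hoisted or moved. Because the check passes whenever `bufferLength` is below the cap and the buffer then grows by a full 1024, the allocation can still end up to 1023 bytes above `QEMU_MONITOR_MAX_RESPONSE`, which the "%d bytes" in the error message does not reflect; if the cap is meant to be exact, clamp the growth with `MIN(mon->bufferLength + 1024, QEMU_MONITOR_MAX_RESPONSE)` instead. qemuMonitorIORead starts outside the hunk, where `avail` is computed, so the offset/length relationship is inferred rather than visible here.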
-- 
2.17.0