render / rpms / libvirt

Forked from rpms/libvirt 9 months ago
Clone
Source Code
GIT

Blame SOURCES/libvirt-qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CVE-2018-5748.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-rhel c8-sig-altarch-stream-rhel c8-stream-rhel c8s-sig-hyperscale c8s-stream-rhel c9 c9-beta c9s-sig-hyperscale libvirt-hyperscale-10.4.0 upgrade-hyperscale-libvirt
  1.   e6dfe8de0c79c6e33f32d28ad693090959172fa6
  2.   SOURCES
  3.   libvirt-qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CVE-2018-5748.patch
Blob History Raw
e6dfe8 
From 5e5d757a039a60cba5ac89fe1998673c49a2d0b6 Mon Sep 17 00:00:00 2001
e6dfe8 
Message-Id: <5e5d757a039a60cba5ac89fe1998673c49a2d0b6@dist-git>
e6dfe8 
From: "Daniel P. Berrange" <berrange@redhat.com>
e6dfe8 
Date: Tue, 16 Jan 2018 17:00:11 +0000
e6dfe8 
Subject: [PATCH] qemu: avoid denial of service reading from QEMU monitor
e6dfe8 
 (CVE-2018-5748)
e6dfe8 
MIME-Version: 1.0
e6dfe8 
Content-Type: text/plain; charset=UTF-8
e6dfe8 
Content-Transfer-Encoding: 8bit
e6dfe8
e6dfe8 
We read from QEMU until seeing a \r\n pair to indicate a completed reply
e6dfe8 
or event. To avoid memory denial-of-service though, we must have a size
e6dfe8 
limit on amount of data we buffer. 10 MB is large enough that it ought
e6dfe8 
to cope with normal QEMU replies, and small enough that we're not
e6dfe8 
consuming unreasonable mem.
e6dfe8
e6dfe8 
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
e6dfe8 
(cherry picked from commit bc251ea91bcfddd2622fce6bce701a438b2e7276)
e6dfe8 
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
e6dfe8 
Reviewed-by: Ján Tomko <jtomko@redhat.com>
e6dfe8 
---
e6dfe8 
 src/qemu/qemu_monitor.c | 15 +++++++++++++++
e6dfe8 
 1 file changed, 15 insertions(+)
e6dfe8
e6dfe8 
diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
e6dfe8 
index b6af209a83..d999f2d10c 100644
e6dfe8 
--- a/src/qemu/qemu_monitor.c
e6dfe8 
+++ b/src/qemu/qemu_monitor.c
e6dfe8 
@@ -55,6 +55,15 @@ VIR_LOG_INIT("qemu.qemu_monitor");
e6dfe8 
 #define DEBUG_IO 0
e6dfe8 
 #define DEBUG_RAW_IO 0
e6dfe8
e6dfe8 
+/* We read from QEMU until seeing a \r\n pair to indicate a
e6dfe8 
+ * completed reply or event. To avoid memory denial-of-service
e6dfe8 
+ * though, we must have a size limit on amount of data we
e6dfe8 
+ * buffer. 10 MB is large enough that it ought to cope with
e6dfe8 
+ * normal QEMU replies, and small enough that we're not
e6dfe8 
+ * consuming unreasonable mem.
e6dfe8 
+ */
e6dfe8 
+#define QEMU_MONITOR_MAX_RESPONSE (10 * 1024 * 1024)
e6dfe8 
+
e6dfe8 
 struct _qemuMonitor {
e6dfe8 
     virObjectLockable parent;
e6dfe8
e6dfe8 
@@ -574,6 +583,12 @@ qemuMonitorIORead(qemuMonitorPtr mon)
e6dfe8 
     int ret = 0;
e6dfe8
e6dfe8 
     if (avail < 1024) {
e6dfe8 
+        if (mon->bufferLength >= QEMU_MONITOR_MAX_RESPONSE) {
e6dfe8 
+            virReportSystemError(ERANGE,
e6dfe8 
+                                 _("No complete monitor response found in %d bytes"),
e6dfe8 
+                                 QEMU_MONITOR_MAX_RESPONSE);
e6dfe8 
+            return -1;
e6dfe8 
+        }
e6dfe8 
         if (VIR_REALLOC_N(mon->buffer,
e6dfe8 
                           mon->bufferLength + 1024) < 0)
e6dfe8 
             return -1;
e6dfe8 
--
e6dfe8 
2.17.0
e6dfe8

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation