Blame SOURCES/0023-docs-guestfs-security-document-CVE-2022-2211.patch

196f39
From 22d779d5982dc82d629710d41973ed6545707bd9 Mon Sep 17 00:00:00 2001
196f39
From: Laszlo Ersek <lersek@redhat.com>
196f39
Date: Tue, 28 Jun 2022 13:54:16 +0200
196f39
Subject: [PATCH] docs/guestfs-security: document CVE-2022-2211
196f39
196f39
Short log for the common submodule, commit range
196f39
f8de5508fe75..35467027f657:
196f39
196f39
Laszlo Ersek (2):
196f39
      mlcustomize: factor out pkg install/update/uninstall from guestfs-tools
196f39
      options: fix buffer overflow in get_keys() [CVE-2022-2211]
196f39
196f39
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
196f39
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2100862
196f39
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
196f39
Message-Id: <20220628115418.5376-2-lersek@redhat.com>
196f39
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
196f39
196f39
Cherry picked from commit 99844660b48ed809e37378262c65d63df6ce4a53.
196f39
For the cherry pick I only added one submodule commit:
196f39
196f39
options: fix buffer overflow in get_keys() [CVE-2022-2211]
196f39
---
196f39
 common                    |  2 +-
196f39
 docs/guestfs-security.pod | 28 ++++++++++++++++++++++++++++
196f39
 2 files changed, 29 insertions(+), 1 deletion(-)
196f39
196f39
Submodule common be09523d6..1174b443a:
196f39
diff --git a/common/options/keys.c b/common/options/keys.c
196f39
index 798315c..d27a712 100644
196f39
--- a/common/options/keys.c
196f39
+++ b/common/options/keys.c
196f39
@@ -128,17 +128,23 @@ read_first_line_from_file (const char *filename)
196f39
 char **
196f39
 get_keys (struct key_store *ks, const char *device, const char *uuid)
196f39
 {
196f39
-  size_t i, j, len;
196f39
+  size_t i, j, nmemb;
196f39
   char **r;
196f39
   char *s;
196f39
 
196f39
   /* We know the returned list must have at least one element and not
196f39
    * more than ks->nr_keys.
196f39
    */
196f39
-  len = 1;
196f39
-  if (ks)
196f39
-    len = MIN (1, ks->nr_keys);
196f39
-  r = calloc (len+1, sizeof (char *));
196f39
+  nmemb = 1;
196f39
+  if (ks && ks->nr_keys > nmemb)
196f39
+    nmemb = ks->nr_keys;
196f39
+
196f39
+  /* make room for the terminating NULL */
196f39
+  if (nmemb == (size_t)-1)
196f39
+    error (EXIT_FAILURE, 0, _("size_t overflow"));
196f39
+  nmemb++;
196f39
+
196f39
+  r = calloc (nmemb, sizeof (char *));
196f39
   if (r == NULL)
196f39
     error (EXIT_FAILURE, errno, "calloc");
196f39
 
196f39
diff --git a/docs/guestfs-security.pod b/docs/guestfs-security.pod
196f39
index 9ceef5623..efa35b29d 100644
196f39
--- a/docs/guestfs-security.pod
196f39
+++ b/docs/guestfs-security.pod
196f39
@@ -406,6 +406,34 @@ The libvirt backend is not affected.
196f39
 The solution is to update qemu to a version containing the fix (see
196f39
 L<https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html>).
196f39
 
196f39
+=head2 CVE-2022-2211
196f39
+
196f39
+L<https://bugzilla.redhat.com/CVE-2022-2211>
196f39
+
196f39
+The C<get_keys> function in F<libguestfs-common/options/keys.c> collects
196f39
+those I<--key> options from the command line into a new array that match
196f39
+a particular block device that's being decrypted for inspection. The
196f39
+function intends to size the result array such that potentially all
196f39
+I<--key> options, plus a terminating C<NULL> element, fit into it. The
196f39
+code mistakenly uses the C<MIN> macro instead of C<MAX>, and therefore
196f39
+only one element is allocated before the C<NULL> terminator.
196f39
+
196f39
+Passing precisely two I<--key ID:...> options on the command line for
196f39
+the encrypted block device C<ID> causes C<get_keys> to overwrite the
196f39
+terminating C<NULL>, leading to an out-of-bounds read in
196f39
+C<decrypt_mountables>, file F<libguestfs-common/options/decrypt.c>.
196f39
+
196f39
+Passing more than two I<--key ID:...> options on the command line for
196f39
+the encrypted block device C<ID> causes C<get_keys> itself to perform
196f39
+out-of-bounds writes. The most common symptom is a crash with C<SIGSEGV>
196f39
+later on.
196f39
+
196f39
+This issue affects -- broadly speaking -- all libguestfs-based utilities
196f39
+that accept I<--key>, namely: C<guestfish>, C<guestmount>, C<virt-cat>,
196f39
+C<virt-customize>, C<virt-diff>, C<virt-edit>, C<virt-get-kernel>,
196f39
+C<virt-inspector>, C<virt-log>, C<virt-ls>, C<virt-sparsify>,
196f39
+C<virt-sysprep>, C<virt-tail>, C<virt-v2v>.
196f39
+
196f39
 =head1 SEE ALSO
196f39
 
196f39
 L<guestfs(3)>,
196f39
-- 
196f39
2.31.1
196f39