From: Daniel P. Berrangé Date: Fri, 15 Mar 2024 10:47:50 +0000 Subject: remote: check for negative array lengths before allocation While the C API entry points will validate non-negative lengths for various parameters, the RPC server de-serialization code will need to allocate memory for arrays before entering the C API. These allocations will thus happen before the non-negative length check is performed. Passing a negative length to the g_new0 function will usually result in a crash due to the negative length being treated as a huge positive number. This was found and diagnosed by ALT Linux Team with AFLplusplus. Reviewed-by: Michal Privoznik Found-by: Alexandr Shashkin Co-developed-by: Alexander Kuznetsov Signed-off-by: Daniel P. Berrangé Origin: https://gitlab.com/libvirt/libvirt/-/commit/8a3f8d957507c1f8223fdcf25a3ff885b15557f2 Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2270115 Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-2494 Bug-Debian: https://bugs.debian.org/1067461 --- src/remote/remote_daemon_dispatch.c | 65 +++++++++++++++++++++++++++++++++++++ src/rpc/gendispatch.pl | 5 +++ 2 files changed, 70 insertions(+) diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c index 46683aa..4def952 100644 --- a/src/remote/remote_daemon_dispatch.c +++ b/src/remote/remote_daemon_dispatch.c @@ -2330,6 +2330,10 @@ remoteDispatchDomainGetSchedulerParameters(virNetServerPtr server G_GNUC_UNUSED, if (!conn) goto cleanup; + if (args->nparams < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); + goto cleanup; + } if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); goto cleanup; @@ -2378,6 +2382,10 @@ remoteDispatchDomainGetSchedulerParametersFlags(virNetServerPtr server G_GNUC_UN if (!conn) goto cleanup; + if (args->nparams < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); + goto cleanup; + } if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); goto cleanup; @@ -2536,6 +2544,10 @@ remoteDispatchDomainBlockStatsFlags(virNetServerPtr server G_GNUC_UNUSED, goto cleanup; flags = args->flags; + if (args->nparams < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); + goto cleanup; + } if (args->nparams > REMOTE_DOMAIN_BLOCK_STATS_PARAMETERS_MAX) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); goto cleanup; @@ -2764,6 +2776,14 @@ remoteDispatchDomainGetVcpuPinInfo(virNetServerPtr server G_GNUC_UNUSED, if (!(dom = get_nonnull_domain(conn, args->dom))) goto cleanup; + if (args->ncpumaps < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps must be non-negative")); + goto cleanup; + } + if (args->maplen < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative")); + goto cleanup; + } if (args->ncpumaps > REMOTE_VCPUINFO_MAX) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps > REMOTE_VCPUINFO_MAX")); goto cleanup; @@ -2858,6 +2878,11 @@ remoteDispatchDomainGetEmulatorPinInfo(virNetServerPtr server G_GNUC_UNUSED, if (!(dom = get_nonnull_domain(conn, args->dom))) goto cleanup; + if (args->maplen < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative")); + goto cleanup; + } + /* Allocate buffers to take the results */ if (args->maplen > 0) cpumaps = g_new0(unsigned char, args->maplen); @@ -2905,6 +2930,14 @@ remoteDispatchDomainGetVcpus(virNetServerPtr server G_GNUC_UNUSED, if (!(dom = get_nonnull_domain(conn, args->dom))) goto cleanup; + if (args->maxinfo < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be non-negative")); + goto cleanup; + } + if (args->maplen < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative")); + goto cleanup; + } if (args->maxinfo > REMOTE_VCPUINFO_MAX) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo > REMOTE_VCPUINFO_MAX")); goto cleanup; @@ -3145,6 +3178,10 @@ remoteDispatchDomainGetMemoryParameters(virNetServerPtr server G_GNUC_UNUSED, flags = args->flags; + if (args->nparams < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); + goto cleanup; + } if (args->nparams > REMOTE_DOMAIN_MEMORY_PARAMETERS_MAX) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); goto cleanup; @@ -3205,6 +3242,10 @@ remoteDispatchDomainGetNumaParameters(virNetServerPtr server G_GNUC_UNUSED, flags = args->flags; + if (args->nparams < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); + goto cleanup; + } if (args->nparams > REMOTE_DOMAIN_NUMA_PARAMETERS_MAX) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); goto cleanup; @@ -3265,6 +3306,10 @@ remoteDispatchDomainGetBlkioParameters(virNetServerPtr server G_GNUC_UNUSED, flags = args->flags; + if (args->nparams < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); + goto cleanup; + } if (args->nparams > REMOTE_DOMAIN_BLKIO_PARAMETERS_MAX) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); goto cleanup; @@ -3326,6 +3371,10 @@ remoteDispatchNodeGetCPUStats(virNetServerPtr server G_GNUC_UNUSED, flags = args->flags; + if (args->nparams < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); + goto cleanup; + } if (args->nparams > REMOTE_NODE_CPU_STATS_MAX) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); goto cleanup; @@ -3393,6 +3442,10 @@ remoteDispatchNodeGetMemoryStats(virNetServerPtr server G_GNUC_UNUSED, flags = args->flags; + if (args->nparams < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); + goto cleanup; + } if (args->nparams > REMOTE_NODE_MEMORY_STATS_MAX) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); goto cleanup; @@ -3573,6 +3626,10 @@ remoteDispatchDomainGetBlockIoTune(virNetServerPtr server G_GNUC_UNUSED, if (!conn) goto cleanup; + if (args->nparams < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); + goto cleanup; + } if (args->nparams > REMOTE_DOMAIN_BLOCK_IO_TUNE_PARAMETERS_MAX) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); goto cleanup; @@ -5117,6 +5174,10 @@ remoteDispatchDomainGetInterfaceParameters(virNetServerPtr server G_GNUC_UNUSED, flags = args->flags; + if (args->nparams < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); + goto cleanup; + } if (args->nparams > REMOTE_DOMAIN_INTERFACE_PARAMETERS_MAX) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); goto cleanup; @@ -5337,6 +5398,10 @@ remoteDispatchNodeGetMemoryParameters(virNetServerPtr server G_GNUC_UNUSED, flags = args->flags; + if (args->nparams < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); + goto cleanup; + } if (args->nparams > REMOTE_NODE_MEMORY_PARAMETERS_MAX) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); goto cleanup; diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl index 0020273..84b239c 100755 --- a/src/rpc/gendispatch.pl +++ b/src/rpc/gendispatch.pl @@ -1073,6 +1073,11 @@ elsif ($mode eq "server") { print "\n"; if ($single_ret_as_list) { + print " if (args->$single_ret_list_max_var < 0) {\n"; + print " virReportError(VIR_ERR_RPC,\n"; + print " \"%s\", _(\"max$single_ret_list_name must be non-negative\"));\n"; + print " goto cleanup;\n"; + print " }\n"; print " if (args->$single_ret_list_max_var > $single_ret_list_max_define) {\n"; print " virReportError(VIR_ERR_RPC,\n"; print " \"%s\", _(\"max$single_ret_list_name > $single_ret_list_max_define\"));\n";