From: <changqing.li@windriver.com>
To: <meta-virtualization@lists.yoctoproject.org>
Subject: [mickledore][PATCH] libvirt: fix CVE-2023-3750/CVE-2023-2700
Date: Mon, 7 Aug 2023 14:42:32 +0800 [thread overview]
Message-ID: <20230807064232.2816765-1-changqing.li@windriver.com> (raw)
From: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
.../libvirt/libvirt/CVE-2023-2700.patch | 54 +++++++++++++++++
.../libvirt/libvirt/CVE-2023-3750.patch | 59 +++++++++++++++++++
recipes-extended/libvirt/libvirt_9.2.0.bb | 2 +
3 files changed, 115 insertions(+)
create mode 100644 recipes-extended/libvirt/libvirt/CVE-2023-2700.patch
create mode 100644 recipes-extended/libvirt/libvirt/CVE-2023-3750.patch
diff --git a/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch b/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch
new file mode 100644
index 00000000..4711b1be
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch
@@ -0,0 +1,54 @@
+From 1fc978bc032f53b61d00271d620d7fe1a134efe3 Mon Sep 17 00:00:00 2001
+From: Tim Shearer <TShearer@adva.com>
+Date: Mon, 1 May 2023 13:15:48 +0000
+Subject: [PATCH] virpci: Resolve leak in virPCIVirtualFunctionList cleanup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Repeatedly querying an SR-IOV PCI device's capabilities exposes a
+memory leak caused by a failure to free the virPCIVirtualFunction
+array within the parent struct's g_autoptr cleanup.
+
+Valgrind output after getting a single interface's XML description
+1000 times:
+
+==325982== 256,000 bytes in 1,000 blocks are definitely lost in loss record 2,634 of 2,635
+==325982== at 0x4C3C096: realloc (vg_replace_malloc.c:1437)
+==325982== by 0x59D952D: g_realloc (in /usr/lib64/libglib-2.0.so.0.5600.4)
+==325982== by 0x4EE1F52: virReallocN (viralloc.c:52)
+==325982== by 0x4EE1FB7: virExpandN (viralloc.c:78)
+==325982== by 0x4EE219A: virInsertElementInternal (viralloc.c:183)
+==325982== by 0x4EE23B2: virAppendElement (viralloc.c:288)
+==325982== by 0x4F65D85: virPCIGetVirtualFunctionsFull (virpci.c:2389)
+==325982== by 0x4F65753: virPCIGetVirtualFunctions (virpci.c:2256)
+==325982== by 0x505CB75: virNodeDeviceGetPCISRIOVCaps (node_device_conf.c:2969)
+==325982== by 0x505D181: virNodeDeviceGetPCIDynamicCaps (node_device_conf.c:3099)
+==325982== by 0x505BC4E: virNodeDeviceUpdateCaps (node_device_conf.c:2677)
+==325982== by 0x260FCBB2: nodeDeviceGetXMLDesc (node_device_driver.c:355)
+
+Signed-off-by: Tim Shearer <tshearer@adva.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+
+CVE: CVE-2023-2700
+Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/6425a311b8ad19d6f9c0b315bf1d722551ea3585#874a1e768ade6ceb4538931cbc06248e73223306]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/util/virpci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/util/virpci.c b/src/util/virpci.c
+index 7800966..a44f70f 100644
+--- a/src/util/virpci.c
++++ b/src/util/virpci.c
+@@ -2253,6 +2253,7 @@ virPCIVirtualFunctionListFree(virPCIVirtualFunctionList *list)
+ g_free(list->functions[i].ifname);
+ }
+
++ g_free(list->functions);
+ g_free(list);
+ }
+
+--
+2.25.1
+
diff --git a/recipes-extended/libvirt/libvirt/CVE-2023-3750.patch b/recipes-extended/libvirt/libvirt/CVE-2023-3750.patch
new file mode 100644
index 00000000..13ead87b
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2023-3750.patch
@@ -0,0 +1,59 @@
+From 3fe8b15323a4666564c519f32fd4ab072c472051 Mon Sep 17 00:00:00 2001
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Thu, 13 Jul 2023 16:16:37 +0200
+Subject: [PATCH] storage: Fix returning of locked objects from
+ 'virStoragePoolObjListSearch'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2023-3750
+
+'virStoragePoolObjListSearch' explicitly documents that it's returning
+a pointer to a locked and ref'd pool that maches the lookup function.
+
+This was not the case as in commit 0c4b391e2a9 (released in
+libvirt-8.3.0) the code was accidentally converted to use 'VIR_LOCK_GUARD'
+which auto-unlocked it when leaving the scope, even when the code was
+originally "leaking" the lock.
+
+Revert the corresponding conversion and add a comment that this function
+is intentionally leaking a locked object.
+
+Fixes: 0c4b391e2a9
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2221851
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+
+CVE: CVE-2023-3750
+Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/9a47442366fcf8a7b6d7422016d7bbb6764a1098]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/conf/virstorageobj.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/conf/virstorageobj.c b/src/conf/virstorageobj.c
+index 7010e97..59fa5da 100644
+--- a/src/conf/virstorageobj.c
++++ b/src/conf/virstorageobj.c
+@@ -454,11 +454,16 @@ virStoragePoolObjListSearchCb(const void *payload,
+ virStoragePoolObj *obj = (virStoragePoolObj *) payload;
+ struct _virStoragePoolObjListSearchData *data =
+ (struct _virStoragePoolObjListSearchData *)opaque;
+- VIR_LOCK_GUARD lock = virObjectLockGuard(obj);
+
++ virObjectLock(obj);
++
++ /* If we find the matching pool object we must return while the object is
++ * locked as the caller wants to return a locked object. */
+ if (data->searcher(obj, data->opaque))
+ return 1;
+
++ virObjectUnlock(obj);
++
+ return 0;
+ }
+
+--
+2.25.1
+
diff --git a/recipes-extended/libvirt/libvirt_9.2.0.bb b/recipes-extended/libvirt/libvirt_9.2.0.bb
index 5e704704..9f97aa11 100644
--- a/recipes-extended/libvirt/libvirt_9.2.0.bb
+++ b/recipes-extended/libvirt/libvirt_9.2.0.bb
@@ -30,6 +30,8 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
file://gnutls-helper.py \
file://0001-prevent-gendispatch.pl-generating-build-path-in-code.patch \
file://0001-messon.build-remove-build-path-information-to-avoid-.patch \
+ file://CVE-2023-3750.patch \
+ file://CVE-2023-2700.patch \
"
SRC_URI[libvirt.sha256sum] = "a07f501e99093ac1374888312be32182e799de17407ed7547d0e469fae8188c5"
--
2.25.1
next reply other threads:[~2023-08-07 6:42 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-07 6:42 changqing.li [this message]
2023-08-12 3:28 ` [meta-virtualization] [mickledore][PATCH] libvirt: fix CVE-2023-3750/CVE-2023-2700 Bruce Ashfield
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230807064232.2816765-1-changqing.li@windriver.com \
--to=changqing.li@windriver.com \
--cc=meta-virtualization@lists.yoctoproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).