Skip to content

Commit

Permalink
docs/guestfs-security: document CVE-2022-2211
Browse files Browse the repository at this point in the history 
Short log for the common submodule, commit range
f8de5508fe75..35467027f657:

Laszlo Ersek (2):
      mlcustomize: factor out pkg install/update/uninstall from guestfs-tools
      options: fix buffer overflow in get_keys() [CVE-2022-2211]

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2100862
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20220628115418.5376-2-lersek@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
  • Loading branch information
@lersek
lersek committed Jun 29, 2022
1 parent 4159f72 commit 9984466
Show file tree
Hide file tree
Showing 2 changed files with 29 additions and 1 deletion.
2 changes: 1 addition & 1 deletion common
Submodule common updated 4 files
+2 −0 mlcustomize/Makefile.am
+132 −0 mlcustomize/guest_packages.ml
+44 −0 mlcustomize/guest_packages.mli
+11 −5 options/keys.c
28 changes: 28 additions & 0 deletions docs/guestfs-security.pod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -406,6 +406,34 @@ The libvirt backend is not affected.
The solution is to update qemu to a version containing the fix (see
L<https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html>).

=head2 CVE-2022-2211

L<https://bugzilla.redhat.com/CVE-2022-2211>

The C<get_keys> function in F<libguestfs-common/options/keys.c> collects
those I<--key> options from the command line into a new array that match
a particular block device that's being decrypted for inspection. The
function intends to size the result array such that potentially all
I<--key> options, plus a terminating C<NULL> element, fit into it. The
code mistakenly uses the C<MIN> macro instead of C<MAX>, and therefore
only one element is allocated before the C<NULL> terminator.

Passing precisely two I<--key ID:...> options on the command line for
the encrypted block device C<ID> causes C<get_keys> to overwrite the
terminating C<NULL>, leading to an out-of-bounds read in
C<decrypt_mountables>, file F<libguestfs-common/options/decrypt.c>.

Passing more than two I<--key ID:...> options on the command line for
the encrypted block device C<ID> causes C<get_keys> itself to perform
out-of-bounds writes. The most common symptom is a crash with C<SIGSEGV>
later on.

This issue affects -- broadly speaking -- all libguestfs-based utilities
that accept I<--key>, namely: C<guestfish>, C<guestmount>, C<virt-cat>,
C<virt-customize>, C<virt-diff>, C<virt-edit>, C<virt-get-kernel>,
C<virt-inspector>, C<virt-log>, C<virt-ls>, C<virt-sparsify>,
C<virt-sysprep>, C<virt-tail>, C<virt-v2v>.

=head1 SEE ALSO

L<guestfs(3)>,
Expand Down

0 comments on commit 9984466

Please sign in to comment.