Skip to content

Commit

Permalink
remote: check for negative array lengths before allocation
Browse files Browse the repository at this point in the history 
While the C API entry points will validate non-negative lengths
for various parameters, the RPC server de-serialization code
will need to allocate memory for arrays before entering the C
API. These allocations will thus happen before the non-negative
length check is performed.

Passing a negative length to the g_new0 function will usually
result in a crash due to the negative length being treated as
a huge positive number.

This was found and diagnosed by ALT Linux Team with AFLplusplus.

CVE-2024-2494
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Found-by: Alexandr Shashkin <dutyrok@altlinux.org>
Co-developed-by: Alexander Kuznetsov <kuznetsovam@altlinux.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
  • Loading branch information
@berrange
berrange committed Mar 21, 2024
1 parent 5fb47c5 commit 8a3f8d9
Show file tree
Hide file tree
Showing 2 changed files with 70 additions and 0 deletions.
65 changes: 65 additions & 0 deletions src/remote/remote_daemon_dispatch.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2291,6 +2291,10 @@ remoteDispatchDomainGetSchedulerParameters(virNetServer *server G_GNUC_UNUSED,
if (!conn)
goto cleanup;

if (args->nparams < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
goto cleanup;
}
if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
Expand Down Expand Up @@ -2339,6 +2343,10 @@ remoteDispatchDomainGetSchedulerParametersFlags(virNetServer *server G_GNUC_UNUS
if (!conn)
goto cleanup;

if (args->nparams < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
goto cleanup;
}
if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
Expand Down Expand Up @@ -2497,6 +2505,10 @@ remoteDispatchDomainBlockStatsFlags(virNetServer *server G_GNUC_UNUSED,
goto cleanup;
flags = args->flags;

if (args->nparams < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
goto cleanup;
}
if (args->nparams > REMOTE_DOMAIN_BLOCK_STATS_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
Expand Down Expand Up @@ -2717,6 +2729,14 @@ remoteDispatchDomainGetVcpuPinInfo(virNetServer *server G_GNUC_UNUSED,
if (!(dom = get_nonnull_domain(conn, args->dom)))
goto cleanup;

if (args->ncpumaps < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps must be non-negative"));
goto cleanup;
}
if (args->maplen < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative"));
goto cleanup;
}
if (args->ncpumaps > REMOTE_VCPUINFO_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps > REMOTE_VCPUINFO_MAX"));
goto cleanup;
Expand Down Expand Up @@ -2811,6 +2831,11 @@ remoteDispatchDomainGetEmulatorPinInfo(virNetServer *server G_GNUC_UNUSED,
if (!(dom = get_nonnull_domain(conn, args->dom)))
goto cleanup;

if (args->maplen < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative"));
goto cleanup;
}

/* Allocate buffers to take the results */
if (args->maplen > 0)
cpumaps = g_new0(unsigned char, args->maplen);
Expand Down Expand Up @@ -2858,6 +2883,14 @@ remoteDispatchDomainGetVcpus(virNetServer *server G_GNUC_UNUSED,
if (!(dom = get_nonnull_domain(conn, args->dom)))
goto cleanup;

if (args->maxinfo < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be non-negative"));
goto cleanup;
}
if (args->maplen < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be non-negative"));
goto cleanup;
}
if (args->maxinfo > REMOTE_VCPUINFO_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo > REMOTE_VCPUINFO_MAX"));
goto cleanup;
Expand Down Expand Up @@ -3096,6 +3129,10 @@ remoteDispatchDomainGetMemoryParameters(virNetServer *server G_GNUC_UNUSED,

flags = args->flags;

if (args->nparams < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
goto cleanup;
}
if (args->nparams > REMOTE_DOMAIN_MEMORY_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
Expand Down Expand Up @@ -3156,6 +3193,10 @@ remoteDispatchDomainGetNumaParameters(virNetServer *server G_GNUC_UNUSED,

flags = args->flags;

if (args->nparams < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
goto cleanup;
}
if (args->nparams > REMOTE_DOMAIN_NUMA_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
Expand Down Expand Up @@ -3216,6 +3257,10 @@ remoteDispatchDomainGetBlkioParameters(virNetServer *server G_GNUC_UNUSED,

flags = args->flags;

if (args->nparams < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
goto cleanup;
}
if (args->nparams > REMOTE_DOMAIN_BLKIO_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
Expand Down Expand Up @@ -3277,6 +3322,10 @@ remoteDispatchNodeGetCPUStats(virNetServer *server G_GNUC_UNUSED,

flags = args->flags;

if (args->nparams < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
goto cleanup;
}
if (args->nparams > REMOTE_NODE_CPU_STATS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
Expand Down Expand Up @@ -3339,6 +3388,10 @@ remoteDispatchNodeGetMemoryStats(virNetServer *server G_GNUC_UNUSED,

flags = args->flags;

if (args->nparams < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
goto cleanup;
}
if (args->nparams > REMOTE_NODE_MEMORY_STATS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
Expand Down Expand Up @@ -3514,6 +3567,10 @@ remoteDispatchDomainGetBlockIoTune(virNetServer *server G_GNUC_UNUSED,
if (!conn)
goto cleanup;

if (args->nparams < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
goto cleanup;
}
if (args->nparams > REMOTE_DOMAIN_BLOCK_IO_TUNE_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
Expand Down Expand Up @@ -5081,6 +5138,10 @@ remoteDispatchDomainGetInterfaceParameters(virNetServer *server G_GNUC_UNUSED,

flags = args->flags;

if (args->nparams < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
goto cleanup;
}
if (args->nparams > REMOTE_DOMAIN_INTERFACE_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
Expand Down Expand Up @@ -5301,6 +5362,10 @@ remoteDispatchNodeGetMemoryParameters(virNetServer *server G_GNUC_UNUSED,

flags = args->flags;

if (args->nparams < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
goto cleanup;
}
if (args->nparams > REMOTE_NODE_MEMORY_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
Expand Down
5 changes: 5 additions & 0 deletions src/rpc/gendispatch.pl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1070,6 +1070,11 @@ sub hyper_to_long
print "\n";

if ($single_ret_as_list) {
print " if (args->$single_ret_list_max_var < 0) {\n";
print " virReportError(VIR_ERR_RPC,\n";
print " \"%s\", _(\"max$single_ret_list_name must be non-negative\"));\n";
print " goto cleanup;\n";
print " }\n";
print " if (args->$single_ret_list_max_var > $single_ret_list_max_define) {\n";
print " virReportError(VIR_ERR_RPC,\n";
print " \"%s\", _(\"max$single_ret_list_name > $single_ret_list_max_define\"));\n";
Expand Down

0 comments on commit 8a3f8d9

Please sign in to comment.