Skip to content

libvirt: Address Medium CVE-2024-2496 #8567

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
aditjha-msft merged 3 commits into from
Mar 28, 2024
Merged

libvirt: Address Medium CVE-2024-2496 #8567

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
96e2d48
Adding upstream patch file for CVE-2024-2496
aditjha-msft Mar 27, 2024
5cab39e
Adding patch file
aditjha-msft Mar 27, 2024
c20794a
fixing patch issue
aditjha-msft Mar 28, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
88 changes: 88 additions & 0 deletions SPECS/libvirt/CVE-2024-2496.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
From 2ca94317ac642a70921947150ced8acc674ccdc8 Mon Sep 17 00:00:00 2001
From: Dmitry Frolov <frolov@swemel.ru>
Date: Tue, 12 Sep 2023 15:56:47 +0300
Subject: [PATCH] interface: fix udev_device_get_sysattr_value return value
check

Reviewing the code I found that return value of function
udev_device_get_sysattr_value() is dereferenced without a check.
udev_device_get_sysattr_value() may return NULL by number of reasons.

v2: VIR_DEBUG added, replaced STREQ(NULLSTR()) with STREQ_NULLABLE()
v3: More checks added, to skip earlier. More verbose VIR_DEBUG.

Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
---
src/interface/interface_backend_udev.c | 26 +++++++++++++++++++-------
1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c
index a0485ddd21..fb6799ed94 100644
--- a/src/interface/interface_backend_udev.c
+++ b/src/interface/interface_backend_udev.c
@@ -23,6 +23,7 @@
#include <dirent.h>
#include <libudev.h>

+#include "virlog.h"
#include "virerror.h"
#include "virfile.h"
#include "datatypes.h"
@@ -40,6 +41,8 @@

#define VIR_FROM_THIS VIR_FROM_INTERFACE

+VIR_LOG_INIT("interface.interface_backend_udev");
+
struct udev_iface_driver {
struct udev *udev;
/* pid file FD, ensures two copies of the driver can't use the same root */
@@ -354,11 +357,20 @@ udevConnectListAllInterfaces(virConnectPtr conn,
const char *macaddr;
g_autoptr(virInterfaceDef) def = NULL;

- path = udev_list_entry_get_name(dev_entry);
- dev = udev_device_new_from_syspath(udev, path);
- name = udev_device_get_sysname(dev);
+ if (!(path = udev_list_entry_get_name(dev_entry))) {
+ VIR_DEBUG("Skipping interface, path == NULL");
+ continue;
+ }
+ if (!(dev = udev_device_new_from_syspath(udev, path))) {
+ VIR_DEBUG("Skipping interface '%s', dev == NULL", path);
+ continue;
+ }
+ if (!(name = udev_device_get_sysname(dev))) {
+ VIR_DEBUG("Skipping interface '%s', name == NULL", path);
+ continue;
+ }
macaddr = udev_device_get_sysattr_value(dev, "address");
- status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up");
+ status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up");

def = udevGetMinimalDefForDevice(dev);
if (!virConnectListAllInterfacesCheckACL(conn, def)) {
@@ -964,9 +976,9 @@ udevGetIfaceDef(struct udev *udev, const char *name)

/* MTU */
mtu_str = udev_device_get_sysattr_value(dev, "mtu");
- if (virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) {
+ if (!mtu_str || virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR,
- _("Could not parse MTU value '%s'"), mtu_str);
+ _("Could not parse MTU value '%s'"), NULLSTR(mtu_str));
goto error;
}
ifacedef->mtu = mtu;
@@ -1089,7 +1101,7 @@ udevInterfaceIsActive(virInterfacePtr ifinfo)
goto cleanup;

/* Check if it's active or not */
- status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up");
+ status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up");

udev_device_unref(dev);

--
GitLab
6 changes: 5 additions & 1 deletion SPECS/libvirt/libvirt.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
Summary: Virtualization API library that supports KVM, QEMU, Xen, ESX etc
Name: libvirt
Version: 7.10.0
Release: 7%{?dist}
Release: 8%{?dist}
License: LGPLv2+
Vendor: Microsoft Corporation
Distribution: Mariner
Expand All @@ -19,6 +19,7 @@ Source0: https://libvirt.org/sources/%{name}-%{version}.tar.xz
# CVE-2023-2700 is fixed by https://gitlab.com/libvirt/libvirt/-/commit/6425a311b8ad19d6f9c0b315bf1d722551ea3585
Patch1: CVE-2023-2700.patch
Patch2: CVE-2024-1441.patch
Patch3: CVE-2024-2496.patch

BuildRequires: audit-libs-devel
BuildRequires: augeas
Expand Down Expand Up @@ -1056,6 +1057,9 @@ exit 0
%{_libdir}/libnss_libvirt_guest.so.2

%changelog
* Tue Mar 26 2024 Adit Jha <aditjha@microsoft.com> - 7.10.0-8
- Introduce patch to address CVE-2024-2496

* Tue Mar 19 2024 Muhammad Falak <mwani@microsoft.com> - 7.10.0-7
- Introduce patch to address CVE-2024-1441

Expand Down