Your git and mail client are misconfigured: remote: ############################################## remote: Invalid author Ashish Sharma via lists.yoctoproject.org remote: ############################################## To ssh://push.yoctoproject.org/meta-virtualization ! [remote rejected] kirkstone -> kirkstone (pre-receive hook declined)
Information on how to fix it is here: https://docs.yoctoproject.org/dev/contributor-guide/submit-changes.html#troubleshooting-email-issues Send a v2 with a fixed up author and I'll get it merged. Bruce On Tue, Mar 26, 2024 at 4:35 AM Ashish Sharma via lists.yoctoproject.org <asharma=mvista....@lists.yoctoproject.org> wrote: > Upstream-Status: Backport [ > https://gitlab.com/libvirt/libvirt/-/commit/8a3f8d957507c1f8223fdcf25a3ff885b15557f2 > ] > Signed-off-by: Ashish Sharma <asha...@mvista.com> > --- > .../libvirt/libvirt/CVE-2024-2494.patch | 220 ++++++++++++++++++ > recipes-extended/libvirt/libvirt_8.1.0.bb | 1 + > 2 files changed, 221 insertions(+) > create mode 100644 recipes-extended/libvirt/libvirt/CVE-2024-2494.patch > > diff --git a/recipes-extended/libvirt/libvirt/CVE-2024-2494.patch > b/recipes-extended/libvirt/libvirt/CVE-2024-2494.patch > new file mode 100644 > index 000000000..99c5eec98 > --- /dev/null > +++ b/recipes-extended/libvirt/libvirt/CVE-2024-2494.patch > @@ -0,0 +1,220 @@ > +From 8a3f8d957507c1f8223fdcf25a3ff885b15557f2 Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berra...@redhat.com> > +Date: Fri, 15 Mar 2024 10:47:50 +0000 > +Subject: [PATCH] remote: check for negative array lengths before > allocation > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +While the C API entry points will validate non-negative lengths > +for various parameters, the RPC server de-serialization code > +will need to allocate memory for arrays before entering the C > +API. These allocations will thus happen before the non-negative > +length check is performed. > + > +Passing a negative length to the g_new0 function will usually > +result in a crash due to the negative length being treated as > +a huge positive number. > + > +This was found and diagnosed by ALT Linux Team with AFLplusplus. > + > +CVE-2024-2494 > +Reviewed-by: Michal Privoznik <mpriv...@redhat.com> > +Found-by: Alexandr Shashkin <duty...@altlinux.org> > +Co-developed-by: Alexander Kuznetsov <kuznetso...@altlinux.org> > +Signed-off-by: Daniel P. Berrangé <berra...@redhat.com> > + > +CVE: CVE-2024-2494 > +Upstream-Status: Backport [ > https://gitlab.com/libvirt/libvirt/-/commit/8a3f8d957507c1f8223fdcf25a3ff885b15557f2 > ] > +Signed-off-by: Ashish Sharma <asha...@mvista.com> > + > + src/remote/remote_daemon_dispatch.c | 65 +++++++++++++++++++++++++++++ > + src/rpc/gendispatch.pl | 5 +++ > + 2 files changed, 70 insertions(+) > + > +diff --git a/src/remote/remote_daemon_dispatch.c > b/src/remote/remote_daemon_dispatch.c > +index aaabd1e56c..01dcac4b12 100644 > +--- a/src/remote/remote_daemon_dispatch.c > ++++ b/src/remote/remote_daemon_dispatch.c > +@@ -2291,6 +2291,10 @@ > remoteDispatchDomainGetSchedulerParameters(virNetServer *server > G_GNUC_UNUSED, > + if (!conn) > + goto cleanup; > + > ++ if (args->nparams < 0) { > ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be > non-negative")); > ++ goto cleanup; > ++ } > + if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) { > + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too > large")); > + goto cleanup; > +@@ -2339,6 +2343,10 @@ > remoteDispatchDomainGetSchedulerParametersFlags(virNetServer *server > G_GNUC_UNUS > + if (!conn) > + goto cleanup; > + > ++ if (args->nparams < 0) { > ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be > non-negative")); > ++ goto cleanup; > ++ } > + if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) { > + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too > large")); > + goto cleanup; > +@@ -2497,6 +2505,10 @@ remoteDispatchDomainBlockStatsFlags(virNetServer > *server G_GNUC_UNUSED, > + goto cleanup; > + flags = args->flags; > + > ++ if (args->nparams < 0) { > ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be > non-negative")); > ++ goto cleanup; > ++ } > + if (args->nparams > REMOTE_DOMAIN_BLOCK_STATS_PARAMETERS_MAX) { > + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too > large")); > + goto cleanup; > +@@ -2717,6 +2729,14 @@ remoteDispatchDomainGetVcpuPinInfo(virNetServer > *server G_GNUC_UNUSED, > + if (!(dom = get_nonnull_domain(conn, args->dom))) > + goto cleanup; > + > ++ if (args->ncpumaps < 0) { > ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps must be > non-negative")); > ++ goto cleanup; > ++ } > ++ if (args->maplen < 0) { > ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be > non-negative")); > ++ goto cleanup; > ++ } > + if (args->ncpumaps > REMOTE_VCPUINFO_MAX) { > + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps > > REMOTE_VCPUINFO_MAX")); > + goto cleanup; > +@@ -2811,6 +2831,11 @@ > remoteDispatchDomainGetEmulatorPinInfo(virNetServer *server G_GNUC_UNUSED, > + if (!(dom = get_nonnull_domain(conn, args->dom))) > + goto cleanup; > + > ++ if (args->maplen < 0) { > ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be > non-negative")); > ++ goto cleanup; > ++ } > ++ > + /* Allocate buffers to take the results */ > + if (args->maplen > 0) > + cpumaps = g_new0(unsigned char, args->maplen); > +@@ -2858,6 +2883,14 @@ remoteDispatchDomainGetVcpus(virNetServer *server > G_GNUC_UNUSED, > + if (!(dom = get_nonnull_domain(conn, args->dom))) > + goto cleanup; > + > ++ if (args->maxinfo < 0) { > ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be > non-negative")); > ++ goto cleanup; > ++ } > ++ if (args->maplen < 0) { > ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be > non-negative")); > ++ goto cleanup; > ++ } > + if (args->maxinfo > REMOTE_VCPUINFO_MAX) { > + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo > > REMOTE_VCPUINFO_MAX")); > + goto cleanup; > +@@ -3096,6 +3129,10 @@ > remoteDispatchDomainGetMemoryParameters(virNetServer *server G_GNUC_UNUSED, > + > + flags = args->flags; > + > ++ if (args->nparams < 0) { > ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be > non-negative")); > ++ goto cleanup; > ++ } > + if (args->nparams > REMOTE_DOMAIN_MEMORY_PARAMETERS_MAX) { > + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too > large")); > + goto cleanup; > +@@ -3156,6 +3193,10 @@ remoteDispatchDomainGetNumaParameters(virNetServer > *server G_GNUC_UNUSED, > + > + flags = args->flags; > + > ++ if (args->nparams < 0) { > ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be > non-negative")); > ++ goto cleanup; > ++ } > + if (args->nparams > REMOTE_DOMAIN_NUMA_PARAMETERS_MAX) { > + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too > large")); > + goto cleanup; > +@@ -3216,6 +3257,10 @@ > remoteDispatchDomainGetBlkioParameters(virNetServer *server G_GNUC_UNUSED, > + > + flags = args->flags; > + > ++ if (args->nparams < 0) { > ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be > non-negative")); > ++ goto cleanup; > ++ } > + if (args->nparams > REMOTE_DOMAIN_BLKIO_PARAMETERS_MAX) { > + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too > large")); > + goto cleanup; > +@@ -3277,6 +3322,10 @@ remoteDispatchNodeGetCPUStats(virNetServer *server > G_GNUC_UNUSED, > + > + flags = args->flags; > + > ++ if (args->nparams < 0) { > ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be > non-negative")); > ++ goto cleanup; > ++ } > + if (args->nparams > REMOTE_NODE_CPU_STATS_MAX) { > + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too > large")); > + goto cleanup; > +@@ -3339,6 +3388,10 @@ remoteDispatchNodeGetMemoryStats(virNetServer > *server G_GNUC_UNUSED, > + > + flags = args->flags; > + > ++ if (args->nparams < 0) { > ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be > non-negative")); > ++ goto cleanup; > ++ } > + if (args->nparams > REMOTE_NODE_MEMORY_STATS_MAX) { > + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too > large")); > + goto cleanup; > +@@ -3514,6 +3567,10 @@ remoteDispatchDomainGetBlockIoTune(virNetServer > *server G_GNUC_UNUSED, > + if (!conn) > + goto cleanup; > + > ++ if (args->nparams < 0) { > ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be > non-negative")); > ++ goto cleanup; > ++ } > + if (args->nparams > REMOTE_DOMAIN_BLOCK_IO_TUNE_PARAMETERS_MAX) { > + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too > large")); > + goto cleanup; > +@@ -5081,6 +5138,10 @@ > remoteDispatchDomainGetInterfaceParameters(virNetServer *server > G_GNUC_UNUSED, > + > + flags = args->flags; > + > ++ if (args->nparams < 0) { > ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be > non-negative")); > ++ goto cleanup; > ++ } > + if (args->nparams > REMOTE_DOMAIN_INTERFACE_PARAMETERS_MAX) { > + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too > large")); > + goto cleanup; > +@@ -5301,6 +5362,10 @@ remoteDispatchNodeGetMemoryParameters(virNetServer > *server G_GNUC_UNUSED, > + > + flags = args->flags; > + > ++ if (args->nparams < 0) { > ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be > non-negative")); > ++ goto cleanup; > ++ } > + if (args->nparams > REMOTE_NODE_MEMORY_PARAMETERS_MAX) { > + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too > large")); > + goto cleanup; > +diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl > +index 5ce988c5ae..c5842dc796 100755 > +--- a/src/rpc/gendispatch.pl > ++++ b/src/rpc/gendispatch.pl > +@@ -1070,6 +1070,11 @@ elsif ($mode eq "server") { > + print "\n"; > + > + if ($single_ret_as_list) { > ++ print " if (args->$single_ret_list_max_var < 0) {\n"; > ++ print " virReportError(VIR_ERR_RPC,\n"; > ++ print " \"%s\", > _(\"max$single_ret_list_name must be non-negative\"));\n"; > ++ print " goto cleanup;\n"; > ++ print " }\n"; > + print " if (args->$single_ret_list_max_var > > $single_ret_list_max_define) {\n"; > + print " virReportError(VIR_ERR_RPC,\n"; > + print " \"%s\", > _(\"max$single_ret_list_name > $single_ret_list_max_define\"));\n"; > +-- > +GitLab > + > diff --git a/recipes-extended/libvirt/libvirt_8.1.0.bb > b/recipes-extended/libvirt/libvirt_8.1.0.bb > index 63cf49146..a88e0ee31 100644 > --- a/recipes-extended/libvirt/libvirt_8.1.0.bb > +++ b/recipes-extended/libvirt/libvirt_8.1.0.bb > @@ -30,6 +30,7 @@ SRC_URI = " > http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \ > file://gnutls-helper.py \ > > file://0001-qemu-segmentation-fault-in-virtqemud-executing-qemuD.patch \ > file://CVE-2023-2700.patch \ > + file://CVE-2024-2494.patch \ > " > > SRC_URI[libvirt.sha256sum] = > "3c6c43becffeb34a3f397c616206aa69a893ff8bf5e8208393c84e8e75352934" > -- > 2.35.7 > > > > > -- - Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end - "Use the force Harry" - Gandalf, Star Trek II
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#8666): https://lists.yoctoproject.org/g/meta-virtualization/message/8666 Mute This Topic: https://lists.yoctoproject.org/mt/105154754/21656 Group Owner: meta-virtualization+ow...@lists.yoctoproject.org Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-