Re: [meta-virtualization] [mickledore][PATCH] libvirt: fix CVE-2023-3750/CVE-2023-2700

[Bruce Ashfield <bruce.ashfield@gmail.com>]

merged.

Bruce

In message: [meta-virtualization] [mickledore][PATCH] libvirt: fix CVE-2023-3750/CVE-2023-2700
on 07/08/2023 Changqing Li wrote:

> From: Changqing Li <changqing.li@windriver.com>
> 
> Signed-off-by: Changqing Li <changqing.li@windriver.com>
> ---
>  .../libvirt/libvirt/CVE-2023-2700.patch       | 54 +++++++++++++++++
>  .../libvirt/libvirt/CVE-2023-3750.patch       | 59 +++++++++++++++++++
>  recipes-extended/libvirt/libvirt_9.2.0.bb     |  2 +
>  3 files changed, 115 insertions(+)
>  create mode 100644 recipes-extended/libvirt/libvirt/CVE-2023-2700.patch
>  create mode 100644 recipes-extended/libvirt/libvirt/CVE-2023-3750.patch
> 
> diff --git a/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch b/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch
> new file mode 100644
> index 00000000..4711b1be
> --- /dev/null
> +++ b/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch
> @@ -0,0 +1,54 @@
> +From 1fc978bc032f53b61d00271d620d7fe1a134efe3 Mon Sep 17 00:00:00 2001
> +From: Tim Shearer <TShearer@adva.com>
> +Date: Mon, 1 May 2023 13:15:48 +0000
> +Subject: [PATCH] virpci: Resolve leak in virPCIVirtualFunctionList cleanup
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Repeatedly querying an SR-IOV PCI device's capabilities exposes a
> +memory leak caused by a failure to free the virPCIVirtualFunction
> +array within the parent struct's g_autoptr cleanup.
> +
> +Valgrind output after getting a single interface's XML description
> +1000 times:
> +
> +==325982== 256,000 bytes in 1,000 blocks are definitely lost in loss record 2,634 of 2,635
> +==325982==    at 0x4C3C096: realloc (vg_replace_malloc.c:1437)
> +==325982==    by 0x59D952D: g_realloc (in /usr/lib64/libglib-2.0.so.0.5600.4)
> +==325982==    by 0x4EE1F52: virReallocN (viralloc.c:52)
> +==325982==    by 0x4EE1FB7: virExpandN (viralloc.c:78)
> +==325982==    by 0x4EE219A: virInsertElementInternal (viralloc.c:183)
> +==325982==    by 0x4EE23B2: virAppendElement (viralloc.c:288)
> +==325982==    by 0x4F65D85: virPCIGetVirtualFunctionsFull (virpci.c:2389)
> +==325982==    by 0x4F65753: virPCIGetVirtualFunctions (virpci.c:2256)
> +==325982==    by 0x505CB75: virNodeDeviceGetPCISRIOVCaps (node_device_conf.c:2969)
> +==325982==    by 0x505D181: virNodeDeviceGetPCIDynamicCaps (node_device_conf.c:3099)
> +==325982==    by 0x505BC4E: virNodeDeviceUpdateCaps (node_device_conf.c:2677)
> +==325982==    by 0x260FCBB2: nodeDeviceGetXMLDesc (node_device_driver.c:355)
> +
> +Signed-off-by: Tim Shearer <tshearer@adva.com>
> +Reviewed-by: J�n Tomko <jtomko@redhat.com>
> +
> +CVE: CVE-2023-2700
> +Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/6425a311b8ad19d6f9c0b315bf1d722551ea3585#874a1e768ade6ceb4538931cbc06248e73223306]
> +Signed-off-by: Changqing Li <changqing.li@windriver.com>
> +---
> + src/util/virpci.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/src/util/virpci.c b/src/util/virpci.c
> +index 7800966..a44f70f 100644
> +--- a/src/util/virpci.c
> ++++ b/src/util/virpci.c
> +@@ -2253,6 +2253,7 @@ virPCIVirtualFunctionListFree(virPCIVirtualFunctionList *list)
> +         g_free(list->functions[i].ifname);
> +     }
> + 
> ++    g_free(list->functions);
> +     g_free(list);
> + }
> + 
> +-- 
> +2.25.1
> +
> diff --git a/recipes-extended/libvirt/libvirt/CVE-2023-3750.patch b/recipes-extended/libvirt/libvirt/CVE-2023-3750.patch
> new file mode 100644
> index 00000000..13ead87b
> --- /dev/null
> +++ b/recipes-extended/libvirt/libvirt/CVE-2023-3750.patch
> @@ -0,0 +1,59 @@
> +From 3fe8b15323a4666564c519f32fd4ab072c472051 Mon Sep 17 00:00:00 2001
> +From: Peter Krempa <pkrempa@redhat.com>
> +Date: Thu, 13 Jul 2023 16:16:37 +0200
> +Subject: [PATCH] storage: Fix returning of locked objects from
> + 'virStoragePoolObjListSearch'
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +CVE-2023-3750
> +
> +'virStoragePoolObjListSearch' explicitly documents that it's returning
> +a pointer to a locked and ref'd pool that maches the lookup function.
> +
> +This was not the case as in commit 0c4b391e2a9 (released in
> +libvirt-8.3.0) the code was accidentally converted to use 'VIR_LOCK_GUARD'
> +which auto-unlocked it when leaving the scope, even when the code was
> +originally "leaking" the lock.
> +
> +Revert the corresponding conversion and add a comment that this function
> +is intentionally leaking a locked object.
> +
> +Fixes: 0c4b391e2a9
> +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2221851
> +Signed-off-by: Peter Krempa <pkrempa@redhat.com>
> +Reviewed-by: J�n Tomko <jtomko@redhat.com>
> +
> +CVE: CVE-2023-3750
> +Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/9a47442366fcf8a7b6d7422016d7bbb6764a1098]
> +Signed-off-by: Changqing Li <changqing.li@windriver.com>
> +---
> + src/conf/virstorageobj.c | 7 ++++++-
> + 1 file changed, 6 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/conf/virstorageobj.c b/src/conf/virstorageobj.c
> +index 7010e97..59fa5da 100644
> +--- a/src/conf/virstorageobj.c
> ++++ b/src/conf/virstorageobj.c
> +@@ -454,11 +454,16 @@ virStoragePoolObjListSearchCb(const void *payload,
> +     virStoragePoolObj *obj = (virStoragePoolObj *) payload;
> +     struct _virStoragePoolObjListSearchData *data =
> +         (struct _virStoragePoolObjListSearchData *)opaque;
> +-    VIR_LOCK_GUARD lock = virObjectLockGuard(obj);
> + 
> ++    virObjectLock(obj);
> ++
> ++    /* If we find the matching pool object we must return while the object is
> ++     * locked as the caller wants to return a locked object. */
> +     if (data->searcher(obj, data->opaque))
> +         return 1;
> + 
> ++    virObjectUnlock(obj);
> ++
> +     return 0;
> + }
> + 
> +-- 
> +2.25.1
> +
> diff --git a/recipes-extended/libvirt/libvirt_9.2.0.bb b/recipes-extended/libvirt/libvirt_9.2.0.bb
> index 5e704704..9f97aa11 100644
> --- a/recipes-extended/libvirt/libvirt_9.2.0.bb
> +++ b/recipes-extended/libvirt/libvirt_9.2.0.bb
> @@ -30,6 +30,8 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
>             file://gnutls-helper.py \
>             file://0001-prevent-gendispatch.pl-generating-build-path-in-code.patch \
>             file://0001-messon.build-remove-build-path-information-to-avoid-.patch \
> +           file://CVE-2023-3750.patch \
> +           file://CVE-2023-2700.patch \
>            "
>  
>  SRC_URI[libvirt.sha256sum] = "a07f501e99093ac1374888312be32182e799de17407ed7547d0e469fae8188c5"
> -- 
> 2.25.1
> 

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#8166): https://lists.yoctoproject.org/g/meta-virtualization/message/8166
> Mute This Topic: https://lists.yoctoproject.org/mt/100595000/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>