fix CVE-2024-2496
interface: fix udev_device_get_sysattr_value return value check (CVE-2024-2496)
This commit is contained in:
caozhongwang
parent
696f9590b9
commit
d246bc1314
89
interface-fix-udev_device_get_sysattr_value-return-v.patch
Normal file
89
interface-fix-udev_device_get_sysattr_value-return-v.patch
Normal file
@ -0,0 +1,89 @@
|
||||
From 0d5c04534f0e041e9923da1cb37a431ae0d463a8 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Frolov <frolov@swemel.ru>
|
||||
Date: Tue, 12 Sep 2023 15:56:47 +0300
|
||||
Subject: [PATCH 8/8] interface: fix udev_device_get_sysattr_value return value
|
||||
check
|
||||
|
||||
Reviewing the code I found that return value of function
|
||||
udev_device_get_sysattr_value() is dereferenced without a check.
|
||||
udev_device_get_sysattr_value() may return NULL by number of reasons.
|
||||
|
||||
v2: VIR_DEBUG added, replaced STREQ(NULLSTR()) with STREQ_NULLABLE()
|
||||
v3: More checks added, to skip earlier. More verbose VIR_DEBUG.
|
||||
|
||||
Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
|
||||
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
|
||||
---
|
||||
src/interface/interface_backend_udev.c | 26 +++++++++++++++++++-------
|
||||
1 file changed, 19 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c
|
||||
index dde88860d3..00eeee6cc4 100644
|
||||
--- a/src/interface/interface_backend_udev.c
|
||||
+++ b/src/interface/interface_backend_udev.c
|
||||
@@ -23,6 +23,7 @@
|
||||
#include <dirent.h>
|
||||
#include <libudev.h>
|
||||
|
||||
+#include "virlog.h"
|
||||
#include "virerror.h"
|
||||
#include "virfile.h"
|
||||
#include "datatypes.h"
|
||||
@@ -41,6 +42,8 @@
|
||||
|
||||
#define VIR_FROM_THIS VIR_FROM_INTERFACE
|
||||
|
||||
+VIR_LOG_INIT("interface.interface_backend_udev");
|
||||
+
|
||||
struct udev_iface_driver {
|
||||
struct udev *udev;
|
||||
/* pid file FD, ensures two copies of the driver can't use the same root */
|
||||
@@ -371,11 +374,20 @@ udevConnectListAllInterfaces(virConnectPtr conn,
|
||||
const char *macaddr;
|
||||
virInterfaceDefPtr def;
|
||||
|
||||
- path = udev_list_entry_get_name(dev_entry);
|
||||
- dev = udev_device_new_from_syspath(udev, path);
|
||||
- name = udev_device_get_sysname(dev);
|
||||
+ if (!(path = udev_list_entry_get_name(dev_entry))) {
|
||||
+ VIR_DEBUG("Skipping interface, path == NULL");
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (!(dev = udev_device_new_from_syspath(udev, path))) {
|
||||
+ VIR_DEBUG("Skipping interface '%s', dev == NULL", path);
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (!(name = udev_device_get_sysname(dev))) {
|
||||
+ VIR_DEBUG("Skipping interface '%s', name == NULL", path);
|
||||
+ continue;
|
||||
+ }
|
||||
macaddr = udev_device_get_sysattr_value(dev, "address");
|
||||
- status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up");
|
||||
+ status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up");
|
||||
|
||||
def = udevGetMinimalDefForDevice(dev);
|
||||
if (!virConnectListAllInterfacesCheckACL(conn, def)) {
|
||||
@@ -1000,9 +1012,9 @@ udevGetIfaceDef(struct udev *udev, const char *name)
|
||||
|
||||
/* MTU */
|
||||
mtu_str = udev_device_get_sysattr_value(dev, "mtu");
|
||||
- if (virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) {
|
||||
+ if (!mtu_str || virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) {
|
||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||
- _("Could not parse MTU value '%s'"), mtu_str);
|
||||
+ _("Could not parse MTU value '%s'"), NULLSTR(mtu_str));
|
||||
goto error;
|
||||
}
|
||||
ifacedef->mtu = mtu;
|
||||
@@ -1129,7 +1141,7 @@ udevInterfaceIsActive(virInterfacePtr ifinfo)
|
||||
goto cleanup;
|
||||
|
||||
/* Check if it's active or not */
|
||||
- status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up");
|
||||
+ status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up");
|
||||
|
||||
udev_device_unref(dev);
|
||||
|
||||
--
|
||||
2.27.0
|
||||
|
||||
@ -101,7 +101,7 @@
|
||||
Summary: Library providing a simple virtualization API
|
||||
Name: libvirt
|
||||
Version: 6.2.0
|
||||
Release: 23
|
||||
Release: 24
|
||||
License: LGPLv2+
|
||||
URL: https://libvirt.org/
|
||||
|
||||
@ -158,6 +158,7 @@ Patch0045: qemu-Add-missing-lock-in-qemuProcessHandleMonitorEOF.patch
|
||||
Patch0046: update-the-Chinese-translation-of-nwfilter.patch
|
||||
Patch0047: virsh-Fix-off-by-one-error-in-udevListInterfacesBySt.patch
|
||||
Patch0048: remote-check-for-negative-array-lengths-before-alloc.patch
|
||||
Patch0049: interface-fix-udev_device_get_sysattr_value-return-v.patch
|
||||
|
||||
Requires: libvirt-daemon = %{version}-%{release}
|
||||
Requires: libvirt-daemon-config-network = %{version}-%{release}
|
||||
@ -1892,6 +1893,9 @@ exit 0
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Apr 10 2024 caozhongwang <caozhongwang1@huawei.com>
|
||||
- interface: fix udev_device_get_sysattr_value return value check (CVE-2024-2496)
|
||||
|
||||
* Wed Apr 10 2024 caozhongwang <caozhongwang1@huawei.com>
|
||||
- remote: check for negative array lengths before allocation (CVE-2024-2494)
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user