Libvirt Security Notice: LSN-2012-0002

Fix crash in libvirt clearing API parameters

Lifecycle

Reported on: 20120730
Published on: 20120730
Fixed on: 20120730

Credits

Reported by: Jiri Denemark
Patched by: Jiri Denemark

Description

The libvirtd daemon code that dispatches APIs with variable parameters may walk off the end of an array that is only one element long when a client passes an nparams value of 0. If a byte with value 7 happens to sit in an unfortunate place in the heap, this may cause an attempt to free non-allocated memory, resulting in a crash.
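
A simplified C model of the bug class described above, added here as an illustration and not taken from libvirt's source. It assumes a getter that, when called with a count of 0, writes back the number of supported parameters, and shows a dispatcher that bounds cleanup by the allocated size; all names (param_t, get_params, clear_params, dispatch_get_params) and the constants SUPPORTED and MAX_PARAMS are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model, not libvirt source. All names are hypothetical. */
enum { PARAM_INT = 1, PARAM_STRING = 7 };   /* 7 = string tag, per the advisory */
enum { SUPPORTED = 3, MAX_PARAMS = 16 };    /* constructed values */

typedef struct { int type; union { int i; char *s; } value; } param_t;

/* Assumed getter convention: *nparams == 0 is a count query that only writes
 * back SUPPORTED; otherwise at most *nparams entries are filled. */
static int get_params(param_t *params, int *nparams)
{
    if (*nparams == 0) { *nparams = SUPPORTED; return 0; }
    if (*nparams > SUPPORTED) *nparams = SUPPORTED;
    for (int i = 0; i < *nparams; i++) {
        params[i].type = i ? PARAM_INT : PARAM_STRING;
        if (i) { params[i].value.i = i; continue; }
        if (!(params[i].value.s = malloc(12))) return -1;
        strcpy(params[i].value.s, "constructed");
    }
    return 0;
}

/* Frees string values in params[0..n); returns how many entries it visited. */
static int clear_params(param_t *params, int n)
{
    for (int i = 0; i < n; i++)
        if (params[i].type == PARAM_STRING) {
            free(params[i].value.s);
            params[i].value.s = NULL;
        }
    return n > 0 ? n : 0;
}

/* Hardened dispatch: cleanup is bounded by the allocation, not by the count
 * the getter wrote back. Returns entries cleared, or -1; *reported gets the
 * getter's count, which is what the vulnerable form passed to clear_params. */
int dispatch_get_params(int client_nparams, int *reported)
{
    if (client_nparams < 0 || client_nparams > MAX_PARAMS) return -1;
    /* Mirror the advisory: nparams == 0 still yields a one-element array. */
    param_t *params = calloc((size_t)(client_nparams ? client_nparams : 1), sizeof(*params));
    if (!params) return -1;
    int n = client_nparams;
    int rc = get_params(params, &n);
    *reported = n;
    int bound = n < client_nparams ? n : client_nparams;
    int cleared = clear_params(params, bound);
    free(params);
    return rc < 0 ? -1 : cleared;
}
```

With a client count of 0 the getter reports 3 while only one slot exists, so a cleanup loop driven by the reported count would inspect two entries past the allocation and free whatever pointer follows a type tag of 7.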

Impact

A malicious client can cause access beyond the end of an array and potentially trigger heap corruption by freeing non-allocated memory.

Workaround

None possible

Affected product: libvirt

Branch master
Broken in: v0.9.8
Broken in: v0.9.9
Broken in: v0.9.10
Broken in: v0.9.11
Broken in: v0.9.12
Broken in: v0.9.13
Fixed in: v0.10.0
Broken by: 40624d32fb54920e4aa434fbb2b8999d17e02931
Fixed by: 6039a2cb49c8af4c68460d2faf365a7e1c686c7b

Branch v0.9.11-maint
Broken in: v0.9.11.1
Broken in: v0.9.11.2
Broken in: v0.9.11.3
Broken in: v0.9.11.4
Fixed in: v0.9.11.5
Broken by: 40624d32fb54920e4aa434fbb2b8999d17e02931
Fixed by: 45d6729f98e9842b139b809078d43f1f7a8c779b

Branch v0.9.12-maint
Fixed in: v0.9.12.1
Broken by: 40624d32fb54920e4aa434fbb2b8999d17e02931
Fixed by: 11568ec854413629ca28c4d64dbcda29337ae3e9
