Hello community,
here is the log from the commit of package libvirt for openSUSE:11.4
checked in at Wed Jul 6 18:33:02 CEST 2011.
--------
--- old-versions/11.4/UPDATES/all/libvirt/libvirt.changes 2011-06-06 19:28:47.000000000 +0200
+++ 11.4/libvirt/libvirt.changes 2011-07-01 20:32:18.000000000 +0200
@@ -1,0 +2,8 @@
+Thu Jun 30 14:48:51 MDT 2011 - jfehlig@suse.de
+
+- VUL-0: libvirt: integer overflow in VirDomainGetVcpus
+ add-intprops-supp.patch
+ 774b21c1-CVE-2011-2511.patch
+ bnc#703084
+
+-------------------------------------------------------------------
calling whatdependson for 11.4-i586
New:
----
774b21c1-CVE-2011-2511.patch
add-intprops-supp.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libvirt.spec ++++++
--- /var/tmp/diff_new_pack.JQWdKY/_old 2011-07-06 18:32:46.000000000 +0200
+++ /var/tmp/diff_new_pack.JQWdKY/_new 2011-07-06 18:32:46.000000000 +0200
@@ -145,7 +145,7 @@
Group: Development/Libraries/C and C++
AutoReqProv: yes
Version: 0.8.8
-Release: 0.<RELEASE10>
+Release: 0.<RELEASE12>
Summary: A C toolkit to interract with the virtualization capabilities of Linux
# The client side, i.e. shared libs and virsh are in a subpackage
Requires: %{name}-client = %{version}-%{release}
@@ -173,6 +173,8 @@
Patch1: 71753cb7-CVE-2011-1146.patch
Patch2: f44bfb7f-CVE-2011-1486.patch
Patch3: b598ac55-CVE-2011-2178.patch
+Patch4: add-intprops-supp.patch
+Patch5: 774b21c1-CVE-2011-2511.patch
# Need to go upstream
Patch100: xen-name-for-devid.patch
Patch102: clone.patch
@@ -291,6 +293,8 @@
%patch1 -p1
%patch2 -p1
%patch3 -p1
+%patch4 -p1
+%patch5 -p1
%patch100 -p1
%patch102
%patch103 -p1
@@ -381,7 +385,6 @@
%{?_without_yajl} \
%{?_without_macvtap} \
%{?_without_virtualport} \
- --without-xen-proxy \
--libexecdir=%{_libdir}/%{name} \
--with-init-script=none \
--with-remote-pid-file=%{_localstatedir}/run/libvirtd.pid \
++++++ 774b21c1-CVE-2011-2511.patch ++++++
commit 774b21c163845170c9ffa873f5720d318812eaf6
Author: Eric Blake
Date: Fri Jun 24 12:16:05 2011 -0600
remote: protect against integer overflow
Integer overflow and remote code are never a nice mix.
This has existed since commit 56cd414.
* src/libvirt.c (virDomainGetVcpus): Reject overflow up front.
* src/remote/remote_driver.c (remoteDomainGetVcpus): Avoid overflow
on sending rpc.
* daemon/remote.c (remoteDispatchDomainGetVcpus): Avoid overflow on
receiving rpc.
Index: libvirt-0.8.8/daemon/remote.c
===================================================================
--- libvirt-0.8.8.orig/daemon/remote.c
+++ libvirt-0.8.8/daemon/remote.c
@@ -60,6 +60,7 @@
#include "uuid.h"
#include "network.h"
#include "libvirt/libvirt-qemu.h"
+#include "intprops-supp.h"
#define VIR_FROM_THIS VIR_FROM_REMOTE
#define REMOTE_DEBUG(fmt, ...) DEBUG(fmt, __VA_ARGS__)
@@ -1722,7 +1723,8 @@ remoteDispatchDomainGetVcpus (struct qem
return -1;
}
- if (args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) {
+ if (INT_MULTIPLY_OVERFLOW(args->maxinfo, args->maplen) ||
+ args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) {
virDomainFree(dom);
remoteDispatchFormatError (rerr, "%s", _("maxinfo * maplen > REMOTE_CPUMAPS_MAX"));
return -1;
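Review bot: The rewritten condition in remoteDispatchDomainGetVcpus still lets a negative `args->maxinfo` or `args->maplen` through, because a negative product neither overflows nor exceeds REMOTE_CPUMAPS_MAX. The field types are not visible here, but the `%d` formatting and the `maplen <= 0` test in the other two files suggest they are signed, and these values arrive from an RPC client. An explicit lower bound in front of the overflow test would make the daemon's validation self-contained: `if (args->maxinfo < 0 || args->maplen < 0 ||`. The function starts and ends outside the hunk, so an earlier check or the allocation that follows may already reject such values; that is worth confirming rather than relying on.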
Index: libvirt-0.8.8/src/libvirt.c
===================================================================
--- libvirt-0.8.8.orig/src/libvirt.c
+++ libvirt-0.8.8/src/libvirt.c
@@ -40,6 +40,7 @@
#include "util.h"
#include "memory.h"
#include "configmake.h"
+#include "intprops-supp.h"
#ifndef WITH_DRIVER_MODULES
# ifdef WITH_TEST
@@ -5363,8 +5364,8 @@ virDomainGetVcpus(virDomainPtr domain, v
/* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not
try to memcpy anything into a NULL pointer. */
- if ((cpumaps == NULL && maplen != 0)
- || (cpumaps && maplen <= 0)) {
+ if (!cpumaps ? maplen != 0
+ : (maplen <= 0 || INT_MULTIPLY_OVERFLOW(maxinfo, maplen))) {
virLibDomainError(VIR_ERR_INVALID_ARG, __FUNCTION__);
goto error;
}
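Review bot: The comment above the check in virDomainGetVcpus still describes only the NULL-pointer memcpy guard, while the new condition also rejects a `maxinfo * maplen` product that would overflow. I would extend it, e.g. `/* Also reject maxinfo * maplen overflow up front, before any driver sizes a buffer from the product. */`. The nested conditional `!cpumaps ? maplen != 0 : (...)` is also hard to read at a glance; two separate `if` tests would make the intent clearer. The function body continues outside the hunk.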
Index: libvirt-0.8.8/src/remote/remote_driver.c
===================================================================
--- libvirt-0.8.8.orig/src/remote/remote_driver.c
+++ libvirt-0.8.8/src/remote/remote_driver.c
@@ -83,6 +83,7 @@
#include "event.h"
#include "ignore-value.h"
#include "files.h"
+#include "intprops-supp.h"
#define VIR_FROM_THIS VIR_FROM_REMOTE
@@ -2850,7 +2851,8 @@ remoteDomainGetVcpus (virDomainPtr domai
maxinfo, REMOTE_VCPUINFO_MAX);
goto done;
}
- if (maxinfo * maplen > REMOTE_CPUMAPS_MAX) {
+ if (INT_MULTIPLY_OVERFLOW(maxinfo, maplen) ||
+ maxinfo * maplen > REMOTE_CPUMAPS_MAX) {
remoteError(VIR_ERR_RPC,
_("vCPU map buffer length exceeds maximum: %d > %d"),
maxinfo * maplen, REMOTE_CPUMAPS_MAX);
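Review bot: When INT_MULTIPLY_OVERFLOW is what triggers this branch in remoteDomainGetVcpus, the remoteError call still evaluates `maxinfo * maplen` for the message. The overflowing multiplication the check was added to avoid is therefore performed anyway (undefined behaviour if both are int, as the `%d` suggests), and the logged value is meaningless. Printing the operands avoids that: `_("vCPU map buffer length exceeds maximum: %d * %d > %d"),` with `maxinfo, maplen, REMOTE_CPUMAPS_MAX);`. The rest of the function is outside the hunk.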
++++++ add-intprops-supp.patch ++++++
Index: libvirt-0.8.8/src/intprops-supp.h
===================================================================
--- /dev/null
+++ libvirt-0.8.8/src/intprops-supp.h
@@ -0,0 +1,92 @@
+/* -*- buffer-read-only: t -*- vi: set ro: */
+/* DO NOT EDIT! GENERATED AUTOMATICALLY! */
+/* intprops.h -- properties of integer types
+
+ Copyright (C) 2001-2005, 2009-2011 Free Software Foundation, Inc.
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see http://www.gnu.org/licenses/. */
+
+/* Written by Paul Eggert. */
+
+/* NB: Adds some macros from newer gnulib intprops.h */
+
+#ifndef _GL_INTPROPS_SUPP_H
+#define _GL_INTPROPS_SUPP_H
+
+#include
+
+/* Return a integer value, converted to the same type as the integer
+ expression E after integer type promotion. V is the unconverted value.
+ E should not have side effects. */
+#define _GL_INT_CONVERT(e, v) (0 * (e) + (v))
+
+/* Act like _GL_INT_CONVERT (E, -V) but work around a bug in IRIX 6.5 cc; see
+ http://lists.gnu.org/archive/html/bug-gnulib/2011-05/msg00406.html. */
+#define _GL_INT_NEGATE_CONVERT(e, v) (0 * (e) - (v))
+
+/* Return 1 if the integer expression E, after integer promotion, has
+ a signed type. E should not have side effects. */
+#define _GL_INT_SIGNED(e) (_GL_INT_NEGATE_CONVERT (e, 1) < 0)
+
+/* True if the signed integer expression E uses two's complement. */
+#define _GL_INT_TWOS_COMPLEMENT(e) (~ _GL_INT_CONVERT (e, 0) == -1)
+
+/* The maximum and minimum values for the type of the expression E,
+ after integer promotion. E should not have side effects. */
+#define _GL_INT_MINIMUM(e) \
+ (_GL_INT_SIGNED (e) \
+ ? - _GL_INT_TWOS_COMPLEMENT (e) - _GL_SIGNED_INT_MAXIMUM (e) \
+ : _GL_INT_CONVERT (e, 0))
+#define _GL_INT_MAXIMUM(e) \
+ (_GL_INT_SIGNED (e) \
+ ? _GL_SIGNED_INT_MAXIMUM (e) \
+ : _GL_INT_NEGATE_CONVERT (e, 1))
+#define _GL_SIGNED_INT_MAXIMUM(e) \
+ (((_GL_INT_CONVERT (e, 1) << (sizeof ((e) + 0) * CHAR_BIT - 2)) - 1) * 2 + 1)
+
+/* Return 1 if A * B would overflow in [MIN,MAX] arithmetic.
+ See above for restrictions. Avoid && and || as they tickle
+ bugs in Sun C 5.11 2010/08/13 and other compilers; see
+ http://lists.gnu.org/archive/html/bug-gnulib/2011-05/msg00401.html. */
+#define INT_MULTIPLY_RANGE_OVERFLOW(a, b, min, max) \
+ ((b) < 0 \
+ ? ((a) < 0 \
+ ? (a) < (max) / (b) \
+ : (b) == -1 \
+ ? 0 \
+ : (min) / (b) < (a)) \
+ : (b) == 0 \
+ ? 0 \
+ : ((a) < 0 \
+ ? (a) < (min) / (b) \
+ : (max) / (b) < (a)))
+
+#define _GL_MULTIPLY_OVERFLOW(a, b, min, max) \
+ (((min) == 0 && (((a) < 0 && 0 < (b)) || ((b) < 0 && 0 < (a)))) \
+ || INT_MULTIPLY_RANGE_OVERFLOW (a, b, min, max))
+
+
+#define INT_MULTIPLY_OVERFLOW(a, b) \
+ _GL_BINARY_OP_OVERFLOW (a, b, _GL_MULTIPLY_OVERFLOW)
+
+/* Return 1 if the expression A <op> B would overflow,
+ where OP_RESULT_OVERFLOW (A, B, MIN, MAX) does the actual test,
+ assuming MIN and MAX are the minimum and maximum for the result type.
+ Arguments should be free of side effects. */
+#define _GL_BINARY_OP_OVERFLOW(a, b, op_result_overflow) \
+ op_result_overflow (a, b, \
+ _GL_INT_MINIMUM (0 * (b) + (a)), \
+ _GL_INT_MAXIMUM (0 * (b) + (a)))
+
+#endif /* _GL_INTPROPS_SUPP_H */
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++