libvirt: CVE-2023-2700 Memory leak in virPCIVirtualFunctionList cleanup

Upstream-Status: Backport from https://gitlab.com/libvirt/libvirt/-/commit/6425a311b8ad19d6f9c0b315bf1d722551ea3585 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-05-31 12:29:23 +0530
committer: Bruce Ashfield <bruce.ashfield@gmail.com> 2023-06-07 16:41:39 -0400
commit: b3b3dbc67504e8cd498d6db202ddcf5a9dd26a9d (patch)
tree: ed59c465b0e6d8c9476b158aa119777b0be79802 /recipes-extended/libvirt
parent: 9d056f957b42e31f1c2c5bad0af1ab6c84b53ee6 (diff)
download: meta-virtualization-b3b3dbc67504e8cd498d6db202ddcf5a9dd26a9d.tar.gz
2 files changed, 55 insertions, 0 deletions
diff --git a/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch b/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch
new file mode 100644
index 00000000..b6907b04
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch
@@ -0,0 +1,54 @@
+From 6425a311b8ad19d6f9c0b315bf1d722551ea3585 Mon Sep 17 00:00:00 2001
+From: Tim Shearer <TShearer@adva.com>
+Date: Mon, 1 May 2023 13:15:48 +0000
+Subject: [PATCH] virpci: Resolve leak in virPCIVirtualFunctionList cleanup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Repeatedly querying an SR-IOV PCI device's capabilities exposes a
+memory leak caused by a failure to free the virPCIVirtualFunction
+array within the parent struct's g_autoptr cleanup.
+Valgrind output after getting a single interface's XML description
+1000 times:
+==325982== 256,000 bytes in 1,000 blocks are definitely lost in loss record 2,634 of 2,635
+==325982==    at 0x4C3C096: realloc (vg_replace_malloc.c:1437)
+==325982==    by 0x59D952D: g_realloc (in /usr/lib64/libglib-2.0.so.0.5600.4)
+==325982==    by 0x4EE1F52: virReallocN (viralloc.c:52)
+==325982==    by 0x4EE1FB7: virExpandN (viralloc.c:78)
+==325982==    by 0x4EE219A: virInsertElementInternal (viralloc.c:183)
+==325982==    by 0x4EE23B2: virAppendElement (viralloc.c:288)
+==325982==    by 0x4F65D85: virPCIGetVirtualFunctionsFull (virpci.c:2389)
+==325982==    by 0x4F65753: virPCIGetVirtualFunctions (virpci.c:2256)
+==325982==    by 0x505CB75: virNodeDeviceGetPCISRIOVCaps (node_device_conf.c:2969)
+==325982==    by 0x505D181: virNodeDeviceGetPCIDynamicCaps (node_device_conf.c:3099)
+==325982==    by 0x505BC4E: virNodeDeviceUpdateCaps (node_device_conf.c:2677)
+==325982==    by 0x260FCBB2: nodeDeviceGetXMLDesc (node_device_driver.c:355)
+Signed-off-by: Tim Shearer <tshearer@adva.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/6425a311b8ad19d6f9c0b315bf1d722551ea3585]
+CVE: CVE-2023-2700
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/util/virpci.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/src/util/virpci.c b/src/util/virpci.c
+index d141fde..1516682 100644
+--- a/src/util/virpci.c
+++ b/src/util/virpci.c
+@@ -2254,6 +2254,7 @@ virPCIVirtualFunctionListFree(virPCIVirtualFunctionList *list)
+         g_free(list->functions[i].ifname);
+     }
+ 
+    g_free(list->functions);
+     g_free(list);
+ }
+ 
+-- 
+2.25.1
diff --git a/recipes-extended/libvirt/libvirt_8.1.0.bb b/recipes-extended/libvirt/libvirt_8.1.0.bb
index 89f82bf8..63cf4914 100644
--- a/recipes-extended/libvirt/libvirt_8.1.0.bb
+++ b/recipes-extended/libvirt/libvirt_8.1.0.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
           file://hook_support.py \
           file://gnutls-helper.py \
           file://0001-qemu-segmentation-fault-in-virtqemud-executing-qemuD.patch \
+           file://CVE-2023-2700.patch \
          "
 SRC_URI[libvirt.sha256sum] = "3c6c43becffeb34a3f397c616206aa69a893ff8bf5e8208393c84e8e75352934"
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-05-31 12:29:23 +0530
committer	Bruce Ashfield <bruce.ashfield@gmail.com>	2023-06-07 16:41:39 -0400
commit	b3b3dbc67504e8cd498d6db202ddcf5a9dd26a9d (patch)
tree	ed59c465b0e6d8c9476b158aa119777b0be79802 /recipes-extended/libvirt
parent	9d056f957b42e31f1c2c5bad0af1ab6c84b53ee6 (diff)
download	meta-virtualization-b3b3dbc67504e8cd498d6db202ddcf5a9dd26a9d.tar.gz

diff --git a/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch b/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch new file mode 100644 index 00000000..b6907b04 --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch
@@ -0,0 +1,54 @@
		1	From 6425a311b8ad19d6f9c0b315bf1d722551ea3585 Mon Sep 17 00:00:00 2001
		2	From: Tim Shearer <TShearer@adva.com>
		3	Date: Mon, 1 May 2023 13:15:48 +0000
		4	Subject: [PATCH] virpci: Resolve leak in virPCIVirtualFunctionList cleanup
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Repeatedly querying an SR-IOV PCI device's capabilities exposes a
		10	memory leak caused by a failure to free the virPCIVirtualFunction
		11	array within the parent struct's g_autoptr cleanup.
		12
		13	Valgrind output after getting a single interface's XML description
		14	1000 times:
		15
		16	==325982== 256,000 bytes in 1,000 blocks are definitely lost in loss record 2,634 of 2,635
		17	==325982== at 0x4C3C096: realloc (vg_replace_malloc.c:1437)
		18	==325982== by 0x59D952D: g_realloc (in /usr/lib64/libglib-2.0.so.0.5600.4)
		19	==325982== by 0x4EE1F52: virReallocN (viralloc.c:52)
		20	==325982== by 0x4EE1FB7: virExpandN (viralloc.c:78)
		21	==325982== by 0x4EE219A: virInsertElementInternal (viralloc.c:183)
		22	==325982== by 0x4EE23B2: virAppendElement (viralloc.c:288)
		23	==325982== by 0x4F65D85: virPCIGetVirtualFunctionsFull (virpci.c:2389)
		24	==325982== by 0x4F65753: virPCIGetVirtualFunctions (virpci.c:2256)
		25	==325982== by 0x505CB75: virNodeDeviceGetPCISRIOVCaps (node_device_conf.c:2969)
		26	==325982== by 0x505D181: virNodeDeviceGetPCIDynamicCaps (node_device_conf.c:3099)
		27	==325982== by 0x505BC4E: virNodeDeviceUpdateCaps (node_device_conf.c:2677)
		28	==325982== by 0x260FCBB2: nodeDeviceGetXMLDesc (node_device_driver.c:355)
		29
		30	Signed-off-by: Tim Shearer <tshearer@adva.com>
		31	Reviewed-by: Ján Tomko <jtomko@redhat.com>
		32
		33	Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/6425a311b8ad19d6f9c0b315bf1d722551ea3585]
		34	CVE: CVE-2023-2700
		35	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		36	---
		37	src/util/virpci.c \| 1 +
		38	1 file changed, 1 insertion(+)
		39
		40	diff --git a/src/util/virpci.c b/src/util/virpci.c
		41	index d141fde..1516682 100644
		42	--- a/src/util/virpci.c
		43	+++ b/src/util/virpci.c
		44	@@ -2254,6 +2254,7 @@ virPCIVirtualFunctionListFree(virPCIVirtualFunctionList *list)
		45	g_free(list->functions[i].ifname);
		46	}
		47
		48	+ g_free(list->functions);
		49	g_free(list);
		50	}
		51
		52	--
		53	2.25.1
		54


diff --git a/recipes-extended/libvirt/libvirt_8.1.0.bb b/recipes-extended/libvirt/libvirt_8.1.0.bb index 89f82bf8..63cf4914 100644 --- a/recipes-extended/libvirt/libvirt_8.1.0.bb +++ b/recipes-extended/libvirt/libvirt_8.1.0.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
29	file://hook_support.py \	29	file://hook_support.py \
30	file://gnutls-helper.py \	30	file://gnutls-helper.py \
31	file://0001-qemu-segmentation-fault-in-virtqemud-executing-qemuD.patch \	31	file://0001-qemu-segmentation-fault-in-virtqemud-executing-qemuD.patch \
		32	file://CVE-2023-2700.patch \
32	"	33	"
33		34
34	SRC_URI[libvirt.sha256sum] = "3c6c43becffeb34a3f397c616206aa69a893ff8bf5e8208393c84e8e75352934"	35	SRC_URI[libvirt.sha256sum] = "3c6c43becffeb34a3f397c616206aa69a893ff8bf5e8208393c84e8e75352934"