From b3b3dbc67504e8cd498d6db202ddcf5a9dd26a9d Mon Sep 17 00:00:00 2001 From: Hitendra Prajapati Date: Wed, 31 May 2023 12:29:23 +0530 Subject: libvirt: CVE-2023-2700 Memory leak in virPCIVirtualFunctionList cleanup Upstream-Status: Backport from https://gitlab.com/libvirt/libvirt/-/commit/6425a311b8ad19d6f9c0b315bf1d722551ea3585 Signed-off-by: Hitendra Prajapati Signed-off-by: Bruce Ashfield --- .../libvirt/libvirt/CVE-2023-2700.patch | 54 ++++++++++++++++++++++ recipes-extended/libvirt/libvirt_8.1.0.bb | 1 + 2 files changed, 55 insertions(+) create mode 100644 recipes-extended/libvirt/libvirt/CVE-2023-2700.patch (limited to 'recipes-extended/libvirt') diff --git a/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch b/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch new file mode 100644 index 00000000..b6907b04 --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch @@ -0,0 +1,54 @@ +From 6425a311b8ad19d6f9c0b315bf1d722551ea3585 Mon Sep 17 00:00:00 2001 +From: Tim Shearer +Date: Mon, 1 May 2023 13:15:48 +0000 +Subject: [PATCH] virpci: Resolve leak in virPCIVirtualFunctionList cleanup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Repeatedly querying an SR-IOV PCI device's capabilities exposes a +memory leak caused by a failure to free the virPCIVirtualFunction +array within the parent struct's g_autoptr cleanup. + +Valgrind output after getting a single interface's XML description +1000 times: + +==325982== 256,000 bytes in 1,000 blocks are definitely lost in loss record 2,634 of 2,635 +==325982== at 0x4C3C096: realloc (vg_replace_malloc.c:1437) +==325982== by 0x59D952D: g_realloc (in /usr/lib64/libglib-2.0.so.0.5600.4) +==325982== by 0x4EE1F52: virReallocN (viralloc.c:52) +==325982== by 0x4EE1FB7: virExpandN (viralloc.c:78) +==325982== by 0x4EE219A: virInsertElementInternal (viralloc.c:183) +==325982== by 0x4EE23B2: virAppendElement (viralloc.c:288) +==325982== by 0x4F65D85: virPCIGetVirtualFunctionsFull (virpci.c:2389) +==325982== by 0x4F65753: virPCIGetVirtualFunctions (virpci.c:2256) +==325982== by 0x505CB75: virNodeDeviceGetPCISRIOVCaps (node_device_conf.c:2969) +==325982== by 0x505D181: virNodeDeviceGetPCIDynamicCaps (node_device_conf.c:3099) +==325982== by 0x505BC4E: virNodeDeviceUpdateCaps (node_device_conf.c:2677) +==325982== by 0x260FCBB2: nodeDeviceGetXMLDesc (node_device_driver.c:355) + +Signed-off-by: Tim Shearer +Reviewed-by: Ján Tomko + +Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/6425a311b8ad19d6f9c0b315bf1d722551ea3585] +CVE: CVE-2023-2700 +Signed-off-by: Hitendra Prajapati +--- + src/util/virpci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/util/virpci.c b/src/util/virpci.c +index d141fde..1516682 100644 +--- a/src/util/virpci.c ++++ b/src/util/virpci.c +@@ -2254,6 +2254,7 @@ virPCIVirtualFunctionListFree(virPCIVirtualFunctionList *list) + g_free(list->functions[i].ifname); + } + ++ g_free(list->functions); + g_free(list); + } + +-- +2.25.1 + diff --git a/recipes-extended/libvirt/libvirt_8.1.0.bb b/recipes-extended/libvirt/libvirt_8.1.0.bb index 89f82bf8..63cf4914 100644 --- a/recipes-extended/libvirt/libvirt_8.1.0.bb +++ b/recipes-extended/libvirt/libvirt_8.1.0.bb @@ -29,6 +29,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \ file://hook_support.py \ file://gnutls-helper.py \ file://0001-qemu-segmentation-fault-in-virtqemud-executing-qemuD.patch \ + file://CVE-2023-2700.patch \ " SRC_URI[libvirt.sha256sum] = "3c6c43becffeb34a3f397c616206aa69a893ff8bf5e8208393c84e8e75352934" -- cgit v1.2.3-54-g00ecf