From 196f53da0aa4d777764c906da76bef9c2abb86e7 Mon Sep 17 00:00:00 2001 From: zhangxingrong Date: Thu, 28 Mar 2024 17:21:02 +0800 Subject: [PATCH 1/2] Fix-CVE-2024-2494 --- 0001-Fix-CVE-2024-2494.patch | 208 +++++++++++++++++++++++++++++++++++ libvirt.spec | 9 +- 2 files changed, 215 insertions(+), 2 deletions(-) create mode 100644 0001-Fix-CVE-2024-2494.patch diff --git a/0001-Fix-CVE-2024-2494.patch b/0001-Fix-CVE-2024-2494.patch new file mode 100644 index 0000000..e6e5b52 --- /dev/null +++ b/0001-Fix-CVE-2024-2494.patch @@ -0,0 +1,208 @@ +From ce5c9eaeaeacf9a10f598abd9001b683f5b6f496 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Thu, 28 Mar 2024 17:02:41 +0800 +Subject: [PATCH] Fix-CVE-2024-2494 + +--- + src/remote/remote_daemon_dispatch.c | 77 ++++++++++++++++++++++++++++- + src/rpc/gendispatch.pl | 5 ++ + 2 files changed, 81 insertions(+), 1 deletion(-) + +diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c +index 7daf503..52de2fb 100644 +--- a/src/remote/remote_daemon_dispatch.c ++++ b/src/remote/remote_daemon_dispatch.c +@@ -2287,7 +2287,11 @@ remoteDispatchDomainGetSchedulerParameters(virNetServer *server G_GNUC_UNUSED, + int nparams = 0; + int rv = -1; + virConnectPtr conn = remoteGetHypervisorConn(client); +- ++ ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (!conn) + goto cleanup; + +@@ -2339,6 +2343,10 @@ remoteDispatchDomainGetSchedulerParametersFlags(virNetServer *server G_GNUC_UNUS + if (!conn) + goto cleanup; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -2497,6 +2505,11 @@ remoteDispatchDomainBlockStatsFlags(virNetServer *server G_GNUC_UNUSED, + goto cleanup; + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } ++ + if (args->nparams > REMOTE_DOMAIN_BLOCK_STATS_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -2717,6 +2730,16 @@ remoteDispatchDomainGetVcpuPinInfo(virNetServer *server G_GNUC_UNUSED, + if (!(dom = get_nonnull_domain(conn, args->dom))) + goto cleanup; + ++ if (args->ncpumaps < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps must be ++non-negative")); ++ goto cleanup; ++ } ++ if (args->maplen < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative")); ++ goto cleanup; ++ } ++ + if (args->ncpumaps > REMOTE_VCPUINFO_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps > REMOTE_VCPUINFO_MAX")); + goto cleanup; +@@ -2811,6 +2834,11 @@ remoteDispatchDomainGetEmulatorPinInfo(virNetServer *server G_GNUC_UNUSED, + if (!(dom = get_nonnull_domain(conn, args->dom))) + goto cleanup; + ++ if (args->maplen < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative")); ++ goto cleanup; ++ } ++ + /* Allocate buffers to take the results */ + if (args->maplen > 0) + cpumaps = g_new0(unsigned char, args->maplen); +@@ -2858,6 +2886,15 @@ remoteDispatchDomainGetVcpus(virNetServer *server G_GNUC_UNUSED, + if (!(dom = get_nonnull_domain(conn, args->dom))) + goto cleanup; + ++ if (args->maxinfo < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be non-negative")); ++ goto cleanup; ++ } ++ if (args->maplen < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be non-negative")); ++ goto cleanup; ++ } ++ + if (args->maxinfo > REMOTE_VCPUINFO_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo > REMOTE_VCPUINFO_MAX")); + goto cleanup; +@@ -3096,6 +3133,11 @@ remoteDispatchDomainGetMemoryParameters(virNetServer *server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } ++ + if (args->nparams > REMOTE_DOMAIN_MEMORY_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -3156,6 +3198,11 @@ remoteDispatchDomainGetNumaParameters(virNetServer *server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } ++ + if (args->nparams > REMOTE_DOMAIN_NUMA_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -3216,6 +3263,11 @@ remoteDispatchDomainGetBlkioParameters(virNetServer *server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } ++ + if (args->nparams > REMOTE_DOMAIN_BLKIO_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -3277,6 +3329,10 @@ remoteDispatchNodeGetCPUStats(virNetServer *server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_NODE_CPU_STATS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -3339,6 +3395,11 @@ remoteDispatchNodeGetMemoryStats(virNetServer *server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } ++ + if (args->nparams > REMOTE_NODE_MEMORY_STATS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -3514,6 +3575,11 @@ remoteDispatchDomainGetBlockIoTune(virNetServer *server G_GNUC_UNUSED, + if (!conn) + goto cleanup; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } ++ + if (args->nparams > REMOTE_DOMAIN_BLOCK_IO_TUNE_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -5079,6 +5145,10 @@ remoteDispatchDomainGetInterfaceParameters(virNetServer *server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_INTERFACE_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -5299,6 +5369,11 @@ remoteDispatchNodeGetMemoryParameters(virNetServer *server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } ++ + if (args->nparams > REMOTE_NODE_MEMORY_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl +index 5ce988c..db3274c 100755 +--- a/src/rpc/gendispatch.pl ++++ b/src/rpc/gendispatch.pl +@@ -1070,6 +1070,11 @@ elsif ($mode eq "server") { + print "\n"; + + if ($single_ret_as_list) { ++ print " if (args->$single_ret_list_max_var < 0) {\n"; ++ print " virReportError(VIR_ERR_RPC,\n"; ++ print " \"%s\",_(\"max$single_ret_list_name must be non-negative\"));\n"; ++ print " goto cleanup;\n"; ++ print " }\n"; + print " if (args->$single_ret_list_max_var > $single_ret_list_max_define) {\n"; + print " virReportError(VIR_ERR_RPC,\n"; + print " \"%s\", _(\"max$single_ret_list_name > $single_ret_list_max_define\"));\n"; +-- +2.43.0 + diff --git a/libvirt.spec b/libvirt.spec index 6c20c87..2971575 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -270,7 +270,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 9.10.0 -Release: 1%{?dist} +Release: 2%{?dist} License: GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND OFL-1.1 URL: https://libvirt.org/ @@ -279,6 +279,8 @@ URL: https://libvirt.org/ %endif Source: https://download.libvirt.org/%{?mainturl}libvirt-%{version}.tar.xz +Patch0001: 0001-Fix-CVE-2024-2494.patch + Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon-config-network = %{version}-%{release} Requires: libvirt-daemon-config-nwfilter = %{version}-%{release} @@ -1117,7 +1119,7 @@ MinGW Windows libvirt virtualization library. %endif %prep -%autosetup -S git_am +%autosetup -S git_am -p1 -n %{name}-%{version} %build %if 0%{?fedora} >= %{min_fedora} || 0%{?rhel} >= %{min_rhel} @@ -2559,5 +2561,8 @@ exit 0 %endif %changelog +* Thu Mar 28 2024 zhangxingrong - 9.10.0-2 +- Fix CVE-2024-2494 + * Thu Feb 29 2024 mayunlong - 9.10.0-1 - Update to 9.10.0 release, Initial package for openEuler. -- Gitee From aeba84ea6d52f2c164f8c6e5310b8baa8b80214c Mon Sep 17 00:00:00 2001 From: zhangxingrong Date: Thu, 28 Mar 2024 09:54:12 +0000 Subject: [PATCH 2/2] =?UTF-8?q?update=200001-Fix-CVE-2024-2494.patch.=20?= =?UTF-8?q?=E4=BF=AE=E6=94=B9PR=E4=B8=AD=E7=9A=84=E9=94=99=E8=AF=AF?= =?UTF-8?q?=E5=86=85=E5=AE=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: zhangxingrong --- 0001-Fix-CVE-2024-2494.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/0001-Fix-CVE-2024-2494.patch b/0001-Fix-CVE-2024-2494.patch index e6e5b52..0278ef3 100644 --- a/0001-Fix-CVE-2024-2494.patch +++ b/0001-Fix-CVE-2024-2494.patch @@ -53,8 +53,8 @@ index 7daf503..52de2fb 100644 goto cleanup; + if (args->ncpumaps < 0) { -+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps must be -+non-negative")); ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps must be non-negative")); ++ + goto cleanup; + } + if (args->maplen < 0) { -- Gitee