Libguestfs - May 2013 - CVE-2013-2124 (was: Re: ATTN: Denial of service attack possible on libguestfs)

There's a denial of service attack possible from guests on any program
that does inspection (eg. virt-inspector, many other virt-* tools,
virt-v2v, OpenStack).

The attack causes the host process to crash because of a double free.
It's probably not exploitable (definitely not on Fedora because of the
default memory hardening settings).

This patch contains the fix and a reproducer:

https://github.com/libguestfs/libguestfs/commit/fa6a76050d82894365dfe32916903ef7fee3ffcd

This affects libguestfs >= 1.21.6 and libguestfs 1.22.0 and 1.23.0.

I will include the fix in libguestfs >= 1.22.1 and >= 1.23.1.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v

On Tue, May 28, 2013 at 05:06:45PM +0100, Richard W.M. Jones
wrote:
> 
> There's a denial of service attack possible from guests on any program
> that does inspection (eg. virt-inspector, many other virt-* tools,
> virt-v2v, OpenStack).
> 
> The attack causes the host process to crash because of a double free.
> It's probably not exploitable (definitely not on Fedora because of the
> default memory hardening settings).
> 
> This patch contains the fix and a reproducer:
> 
>
https://github.com/libguestfs/libguestfs/commit/fa6a76050d82894365dfe32916903ef7fee3ffcd
> 
> This affects libguestfs >= 1.21.6 and libguestfs 1.22.0 and 1.23.0.
> 
> I will include the fix in libguestfs >= 1.22.1 and >= 1.23.1.
Actually this also affects the libguestfs 1.20 branch because
I managed to backport the original bug there.  Go me.

I will fix this in libguestfs >= 1.20.7.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org

This issue has been assigned CVE-2013-2124.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming blog: http://rwmj.wordpress.com
Fedora now supports 80 OCaml packages (the OPEN alternative to F#)

On Tue, May 28, Richard W.M. Jones wrote:
> 
> There's a denial of service attack possible from guests on any program
> that does inspection (eg. virt-inspector, many other virt-* tools,
> virt-v2v, OpenStack).
> 
> The attack causes the host process to crash because of a double free.
> It's probably not exploitable (definitely not on Fedora because of the
> default memory hardening settings).
> 
> This patch contains the fix and a reproducer:
> 
>
https://github.com/libguestfs/libguestfs/commit/fa6a76050d82894365dfe32916903ef7fee3ffcd
This is appearently incomplete, bt from a 1.20.4:


head -n 10
libguestfs: recv_from_daemon: 44 bytes: 20 00 f5 f5 | 00 00 00 04 | 00 00 00 7a
| 00 00 00 01 | 00 12 34 24 | ...

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff69deae2 in __strlen_sse2 () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff69deae2 in __strlen_sse2 () from /lib64/libc.so.6
#1  0x00007ffff69de7e6 in strdup () from /lib64/libc.so.6
#2  0x00007ffff7b7936c in guestfs___safe_strdup (g=0x65da50, str=0x0) at
alloc.c:96
#3  0x00007ffff7b8b65e in parse_suse_release (filename=<optimized out>,
fs=<optimized out>, g=<optimized out>) at inspect-fs-unix.c:343
#4  guestfs___check_linux_root (g=0x65da50, fs=0x6665b0) at
inspect-fs-unix.c:560
#5  0x00007ffff7b88522 in check_filesystem (is_partnum=<optimized out>,
is_block=<optimized out>, device=<optimized out>, g=<optimized
out>) at inspect-fs.c:238
#6  guestfs___check_for_filesystem_on (g=0x65da50, device=0x617930
"/dev/sda2", is_block=0, is_partnum=2) at inspect-fs.c:152
#7  0x00007ffff7b86980 in guestfs__inspect_os (g=0x65da50) at inspect.c:86
#8  0x00007ffff7b1c91b in guestfs_inspect_os (g=0x65da50) at actions-1.c:397
#9  0x0000000000406ba9 in main (argc=3, argv=<optimized out>) at
virt-inspector.c:273

Looks like parse_lsb_release and parse_suse_release needs a similar
change. I will test a patch.

Olaf

On Fri, May 31, 2013 at 01:03:24AM +0200, Olaf Hering
wrote:
> #2  0x00007ffff7b7936c in guestfs___safe_strdup (g=0x65da50, str=0x0) at
alloc.c:96
> #3  0x00007ffff7b8b65e in parse_suse_release (filename=<optimized
out>, fs=<optimized out>, g=<optimized out>) at
inspect-fs-unix.c:343
This is a different problem:

  lines = guestfs_head_n (g, 10, filename);
  if (lines == NULL)
    return -1;

  /* First line is dist release name */
  fs->product_name = safe_strdup (g, lines[0]);   <<<---
  if (fs->product_name == NULL)
    goto out;

The code doesn't check that lines[0] != NULL.

I don't see a problem in parse_lsb_release however.  Do you have a
stack trace from that?

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/

This should fix it I think.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/

The complete fix for CVE-2013-2124 requires:

https://github.com/libguestfs/libguestfs/commit/fa6a76050d82894365dfe32916903ef7fee3ffcd
https://github.com/libguestfs/libguestfs/commit/ae8bb84ecd46d7b6ef557a87725923ac8d09dce0
https://github.com/libguestfs/libguestfs/commit/1c9dfd079aa6d7893f72c5fd17656c847f72c8d6

It will be fixed upstream in:
  >= 1.20.8
  >= 1.22.2
  >= 1.23.2

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW