thr3ads.net - Libguestfs - [Libguestfs] [libguestfs PATCH 1/3] docs/guestfs-security: document CVE-2022-2211 [Jun 2022]

If this information is useful, please help other people find it:
Share via:

Laszlo Ersek

2022-Jun-28 11:54 UTC

[Libguestfs] [libguestfs PATCH 1/3] docs/guestfs-security: document CVE-2022-2211

Short log for the common submodule, commit range
f8de5508fe75..35b49ce142fb:

Laszlo Ersek (2):
      mlcustomize: factor out pkg install/update/uninstall from guestfs-tools
      options: fix buffer overflow in get_keys() [CVE-2022-2211]

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2100862
Signed-off-by: Laszlo Ersek <lersek at redhat.com>
---

Notes:
    "Commit 35b49ce142fb" needs to updated here, in both the submodule
    checkout and the commit message, once the libguestfs-common series is
    merged.

 common                    |  2 +-
 docs/guestfs-security.pod | 28 ++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/common b/common
index f8de5508fe75..35b49ce142fb 160000
--- a/common
+++ b/common
@@ -1 +1 @@
-Subproject commit f8de5508fe755acca99c9ab40c501d6c3e2bcb1e
+Subproject commit 35b49ce142fb906bcf91edc6a6718d28c8fca9e3
diff --git a/docs/guestfs-security.pod b/docs/guestfs-security.pod
index 9ceef5623370..efa35b29d301 100644
--- a/docs/guestfs-security.pod
+++ b/docs/guestfs-security.pod
@@ -404,10 +404,38 @@ S<C<guestfs_set_network (g, 1)>> (which is not
the default).
 The libvirt backend is not affected.
 
 The solution is to update qemu to a version containing the fix (see
 L<https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html>).
 
+=head2 CVE-2022-2211
+
+L<https://bugzilla.redhat.com/CVE-2022-2211>
+
+The C<get_keys> function in F<libguestfs-common/options/keys.c>
collects
+those I<--key> options from the command line into a new array that match
+a particular block device that's being decrypted for inspection. The
+function intends to size the result array such that potentially all
+I<--key> options, plus a terminating C<NULL> element, fit into it.
The
+code mistakenly uses the C<MIN> macro instead of C<MAX>, and
therefore
+only one element is allocated before the C<NULL> terminator.
+
+Passing precisely two I<--key ID:...> options on the command line for
+the encrypted block device C<ID> causes C<get_keys> to overwrite
the
+terminating C<NULL>, leading to an out-of-bounds read in
+C<decrypt_mountables>, file F<libguestfs-common/options/decrypt.c>.
+
+Passing more than two I<--key ID:...> options on the command line for
+the encrypted block device C<ID> causes C<get_keys> itself to
perform
+out-of-bounds writes. The most common symptom is a crash with C<SIGSEGV>
+later on.
+
+This issue affects -- broadly speaking -- all libguestfs-based utilities
+that accept I<--key>, namely: C<guestfish>, C<guestmount>,
C<virt-cat>,
+C<virt-customize>, C<virt-diff>, C<virt-edit>,
C<virt-get-kernel>,
+C<virt-inspector>, C<virt-log>, C<virt-ls>,
C<virt-sparsify>,
+C<virt-sysprep>, C<virt-tail>, C<virt-v2v>.
+
 =head1 SEE ALSO
 
 L<guestfs(3)>,
 L<guestfs-internals(1)>,
 L<guestfs-release-notes(1)>,
-- 
2.19.1.3.g30247aa5d201

Richard W.M. Jones

2022-Jun-28 14:51 UTC

head link

[Libguestfs] [libguestfs PATCH 1/3] docs/guestfs-security: document CVE-2022-2211

On Tue, Jun 28, 2022 at 01:54:16PM +0200, Laszlo Ersek
wrote:> Short log for the common submodule, commit range
> f8de5508fe75..35b49ce142fb:
> 
> Laszlo Ersek (2):
>       mlcustomize: factor out pkg install/update/uninstall from
guestfs-tools
>       options: fix buffer overflow in get_keys() [CVE-2022-2211]
> 
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2100862
> Signed-off-by: Laszlo Ersek <lersek at redhat.com>
> ---
> 
> Notes:
>     "Commit 35b49ce142fb" needs to updated here, in both the
submodule
>     checkout and the commit message, once the libguestfs-common series is
>     merged.
> 
>  common                    |  2 +-
>  docs/guestfs-security.pod | 28 ++++++++++++++++++++
>  2 files changed, 29 insertions(+), 1 deletion(-)
> 
> diff --git a/common b/common
> index f8de5508fe75..35b49ce142fb 160000
> --- a/common
> +++ b/common
> @@ -1 +1 @@
> -Subproject commit f8de5508fe755acca99c9ab40c501d6c3e2bcb1e
> +Subproject commit 35b49ce142fb906bcf91edc6a6718d28c8fca9e3
> diff --git a/docs/guestfs-security.pod b/docs/guestfs-security.pod
> index 9ceef5623370..efa35b29d301 100644
> --- a/docs/guestfs-security.pod
> +++ b/docs/guestfs-security.pod
> @@ -404,10 +404,38 @@ S<C<guestfs_set_network (g, 1)>> (which
is not the default).
>  The libvirt backend is not affected.
>  
>  The solution is to update qemu to a version containing the fix (see
> 
L<https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html>).
>  
> +=head2 CVE-2022-2211
> +
> +L<https://bugzilla.redhat.com/CVE-2022-2211>
> +
> +The C<get_keys> function in
F<libguestfs-common/options/keys.c> collects
> +those I<--key> options from the command line into a new array that
match
> +a particular block device that's being decrypted for inspection. The
> +function intends to size the result array such that potentially all
> +I<--key> options, plus a terminating C<NULL> element, fit into
it. The
> +code mistakenly uses the C<MIN> macro instead of C<MAX>, and
therefore
> +only one element is allocated before the C<NULL> terminator.
> +
> +Passing precisely two I<--key ID:...> options on the command line
for
> +the encrypted block device C<ID> causes C<get_keys> to
overwrite the
> +terminating C<NULL>, leading to an out-of-bounds read in
> +C<decrypt_mountables>, file
F<libguestfs-common/options/decrypt.c>.
> +
> +Passing more than two I<--key ID:...> options on the command line
for
> +the encrypted block device C<ID> causes C<get_keys> itself to
perform
> +out-of-bounds writes. The most common symptom is a crash with
C<SIGSEGV>
> +later on.
> +
> +This issue affects -- broadly speaking -- all libguestfs-based utilities
> +that accept I<--key>, namely: C<guestfish>,
C<guestmount>, C<virt-cat>,
> +C<virt-customize>, C<virt-diff>, C<virt-edit>,
C<virt-get-kernel>,
> +C<virt-inspector>, C<virt-log>, C<virt-ls>,
C<virt-sparsify>,
> +C<virt-sysprep>, C<virt-tail>, C<virt-v2v>.
> +
>  =head1 SEE ALSO
Reviewed-by: Richard W.M. Jones <rjones at redhat.com>

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
nbdkit - Flexible, fast NBD server with plugins
https://gitlab.com/nbdkit/nbdkit

Libguestfs - Jun 2022 - [libguestfs PATCH 1/3] docs/guestfs-security: document CVE-2022-2211

[Libguestfs] [libguestfs PATCH 1/3] docs/guestfs-security: document CVE-2022-2211

[Libguestfs] [libguestfs PATCH 1/3] docs/guestfs-security: document CVE-2022-2211