search for: 0x65da50

.... Program received signal SIGSEGV, Segmentation fault. 0x00007ffff69deae2 in __strlen_sse2 () from /lib64/libc.so.6 (gdb) bt #0 0x00007ffff69deae2 in __strlen_sse2 () from /lib64/libc.so.6 #1 0x00007ffff69de7e6 in strdup () from /lib64/libc.so.6 #2 0x00007ffff7b7936c in guestfs___safe_strdup (g=0x65da50, str=0x0) at alloc.c:96 #3 0x00007ffff7b8b65e in parse_suse_release (filename=<optimized out>, fs=<optimized out>, g=<optimized out>) at inspect-fs-unix.c:343 #4 guestfs___check_linux_root (g=0x65da50, fs=0x6665b0) at inspect-fs-unix.c:560 #5 0x00007ffff7b88522 in check_filesys...

There's a denial of service attack possible from guests on any program that does inspection (eg. virt-inspector, many other virt-* tools, virt-v2v, OpenStack). The attack causes the host process to crash because of a double free. It's probably not exploitable (definitely not on Fedora because of the default memory hardening settings). This patch contains the fix and a reproducer:

On Fri, May 31, 2013 at 01:03:24AM +0200, Olaf Hering wrote: > #2 0x00007ffff7b7936c in guestfs___safe_strdup (g=0x65da50, str=0x0) at alloc.c:96 > #3 0x00007ffff7b8b65e in parse_suse_release (filename=<optimized out>, fs=<optimized out>, g=<optimized out>) at inspect-fs-unix.c:343 This is a different problem: lines = guestfs_head_n (g, 10, filename); if (lines == NULL) return -1; /*...