libvirt: CVE-2023-2700 Memory leak in virPCIVirtualFunctionList cleanup

Upstream-Status: Backport from 6425a311b8 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2025-07-19 20:59:41 +02:00 · 2023-05-31 12:29:23 +05:30 · 2023-05-31 12:29:23 +05:30 · b3b3dbc675
commit b3b3dbc675
parent 9d056f957b
2 changed files with 55 additions and 0 deletions
--- a/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch
+++ b/recipes-extended/libvirt/libvirt/CVE-2023-2700.patch
@ -0,0 +1,54 @@
+From 6425a311b8ad19d6f9c0b315bf1d722551ea3585 Mon Sep 17 00:00:00 2001
+From: Tim Shearer <TShearer@adva.com>
+Date: Mon, 1 May 2023 13:15:48 +0000
+Subject: [PATCH] virpci: Resolve leak in virPCIVirtualFunctionList cleanup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Repeatedly querying an SR-IOV PCI device's capabilities exposes a
+memory leak caused by a failure to free the virPCIVirtualFunction
+array within the parent struct's g_autoptr cleanup.
+
+Valgrind output after getting a single interface's XML description
+1000 times:
+
+==325982== 256,000 bytes in 1,000 blocks are definitely lost in loss record 2,634 of 2,635
+==325982==    at 0x4C3C096: realloc (vg_replace_malloc.c:1437)
+==325982==    by 0x59D952D: g_realloc (in /usr/lib64/libglib-2.0.so.0.5600.4)
+==325982==    by 0x4EE1F52: virReallocN (viralloc.c:52)
+==325982==    by 0x4EE1FB7: virExpandN (viralloc.c:78)
+==325982==    by 0x4EE219A: virInsertElementInternal (viralloc.c:183)
+==325982==    by 0x4EE23B2: virAppendElement (viralloc.c:288)
+==325982==    by 0x4F65D85: virPCIGetVirtualFunctionsFull (virpci.c:2389)
+==325982==    by 0x4F65753: virPCIGetVirtualFunctions (virpci.c:2256)
+==325982==    by 0x505CB75: virNodeDeviceGetPCISRIOVCaps (node_device_conf.c:2969)
+==325982==    by 0x505D181: virNodeDeviceGetPCIDynamicCaps (node_device_conf.c:3099)
+==325982==    by 0x505BC4E: virNodeDeviceUpdateCaps (node_device_conf.c:2677)
+==325982==    by 0x260FCBB2: nodeDeviceGetXMLDesc (node_device_driver.c:355)
+
+Signed-off-by: Tim Shearer <tshearer@adva.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/6425a311b8ad19d6f9c0b315bf1d722551ea3585]
+CVE: CVE-2023-2700
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/util/virpci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/util/virpci.c b/src/util/virpci.c
+index d141fde..1516682 100644
+--- a/src/util/virpci.c
+++ b/src/util/virpci.c
+@@ -2254,6 +2254,7 @@ virPCIVirtualFunctionListFree(virPCIVirtualFunctionList *list)
+         g_free(list->functions[i].ifname);
+     }
+ 
+    g_free(list->functions);
+     g_free(list);
+ }
+ 
+-- 
+2.25.1
+
--- a/recipes-extended/libvirt/libvirt_8.1.0.bb
+++ b/recipes-extended/libvirt/libvirt_8.1.0.bb
@ -29,6 +29,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
           file://hook_support.py \
           file://gnutls-helper.py \
           file://0001-qemu-segmentation-fault-in-virtqemud-executing-qemuD.patch \
+           file://CVE-2023-2700.patch \
          "

 SRC_URI[libvirt.sha256sum] = "3c6c43becffeb34a3f397c616206aa69a893ff8bf5e8208393c84e8e75352934"