ACL checks were performed after parsing a user provided XML in its entirety which could be written in a way that would make libvirt allocate too much memory and crash.
Instead parse just the identifiers, out of which only name and UUID are needed for ACL checks, perform those and then parse the whole definition. In order not to pass a bogus UUID to the ACL functions, rewrite any generated UUID in the first step with a nil UUID, since the ACLs cannot be written to expect a particular generated UUID as that would not make sense.

If squashing the patches is preferred, let me know.

Fixes: CVE-2025-12748
Reported-by: Святослав Терешин <[email protected]>

Martin Kletzander (7):
  conf: Add virDomainDefIDsParseString
  bhyve: Check ACLs before parsing the whole domain XML
  libxl: Check ACLs before parsing the whole domain XML
  lxc: Check ACLs before parsing the whole domain XML
  vz: Check ACLs before parsing the whole domain XML
  ch: Check ACLs before parsing the whole domain XML
  qemu: Check ACLs before parsing the whole domain XML

 src/bhyve/bhyve_driver.c  | 24 ++++++++---
 src/ch/ch_driver.c        | 76 +++++++++++++++++++++++----------
 src/conf/domain_conf.c    | 29 +++++++++++++
 src/conf/domain_conf.h    |  3 ++
 src/libvirt_private.syms  |  1 +
 src/libxl/libxl_driver.c  | 20 ++++++---
 src/lxc/lxc_driver.c      | 22 +++++++---
 src/qemu/qemu_driver.c    | 90 ++++++++++++++++++++-------------------
 src/qemu/qemu_migration.c | 21 ++++++++-
 src/qemu/qemu_migration.h |  4 +-
 src/qemu/qemu_saveimage.c | 25 +++++++++--
 src/qemu/qemu_saveimage.h |  4 +-
 src/qemu/qemu_snapshot.c  |  4 +-
 src/vz/vz_driver.c        | 18 +++++--
 14 files changed, 243 insertions(+), 98 deletions(-)

-- 
2.51.2
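The two-step approach described in the cover letter, as an added Python illustration that is not libvirt's code (it does not use virDomainDefIDsParseString or libvirt's ACL functions): a streaming first pass pulls out only name and UUID, substituting the nil UUID when none is given, the ACL decision is made on those, and only then does the full parse run. The ACL table, the sample XML and the helpers parse_ids, parse_definition and define_domain are hypothetical, constructed for this example.

```python
import io
import uuid
import xml.etree.ElementTree as ET

NIL_UUID = str(uuid.UUID(int=0))  # 00000000-0000-0000-0000-000000000000

# Constructed ACL (hypothetical): caller -> (name, uuid) pairs it may define.
# A rule for a domain without <uuid> must name the nil UUID: a generated one is unpredictable.
ACL = {"alice": {("web", "2f6c2b1e-4d7a-4f3e-9a1c-7b1a2c3d4e5f"),
                 ("scratch", NIL_UUID)}}

class AccessDenied(Exception):
    pass

def parse_ids(xml_text):
    """First pass: stream the XML, keep only <name> and <uuid> that are direct
    children of <domain>, clear every finished element, and stop as soon as
    both are known, so memory stays flat however large the rest of the XML is."""
    name, dom_uuid, depth = None, None, 0
    events = ET.iterparse(io.StringIO(xml_text), events=("start", "end"))
    for event, elem in events:
        if event == "start":
            depth += 1
            continue
        if depth == 2 and elem.tag == "name":
            name = (elem.text or "").strip()
        elif depth == 2 and elem.tag == "uuid":
            dom_uuid = (elem.text or "").strip().lower() or None
        depth -= 1
        elem.clear()
        if name and dom_uuid:
            break
    if not name:
        raise ValueError("domain has no <name>")
    return name, dom_uuid or NIL_UUID  # missing UUID -> nil UUID, nothing generated yet

def parse_definition(xml_text):
    """Second pass: the full, potentially expensive parse. Run only after the
    ACL check passed; this is where a missing UUID gets generated."""
    root = ET.fromstring(xml_text)
    dom_uuid = (root.findtext("uuid") or "").strip().lower() or str(uuid.uuid4())
    return {"name": root.findtext("name"), "uuid": dom_uuid,
            "devices": len(root.findall("./devices/*"))}

def define_domain(caller, xml_text):
    # ACL decision on the cheap identifiers first, then the full parse.
    name, dom_uuid = parse_ids(xml_text)
    if (name, dom_uuid) not in ACL.get(caller, set()):
        raise AccessDenied(f"{caller} may not define {name} ({dom_uuid})")
    return parse_definition(xml_text)
```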
