On 11/7/25 12:26, Martin Kletzander via Devel wrote:
> ACL checks were performed after parsing a user-provided XML in its entirety
> which could be written in a way that would make libvirt allocate too much
> memory and crash.
>
> Instead parse just the identifiers out of which only name and UUID are needed
> for ACL checks, perform those and then parse the whole definition. In order not
> to pass a bogus UUID to the ACL functions, rewrite any generated UUID in the first
> step with a nil UUID since the ACLs cannot be written to expect a particular
> generated UUID as that would not make sense.
>
> If squashing the patches is preferred, let me know.
>
> Fixes: CVE-2025-12748
> Reported-by: Святослав Терешин <[email protected]>
>
> Martin Kletzander (7):
>   conf: Add virDomainDefIDsParseString
>   bhyve: Check ACLs before parsing the whole domain XML
>   libxl: Check ACLs before parsing the whole domain XML
>   lxc: Check ACLs before parsing the whole domain XML
>   vz: Check ACLs before parsing the whole domain XML
>   ch: Check ACLs before parsing the whole domain XML
>   qemu: Check ACLs before parsing the whole domain XML
>
>  src/bhyve/bhyve_driver.c  | 24 ++++++++---
>  src/ch/ch_driver.c        | 76 +++++++++++++++++++++++----------
>  src/conf/domain_conf.c    | 29 +++++++++++++
>  src/conf/domain_conf.h    |  3 ++
>  src/libvirt_private.syms  |  1 +
>  src/libxl/libxl_driver.c  | 20 ++++++---
>  src/lxc/lxc_driver.c      | 22 +++++++---
>  src/qemu/qemu_driver.c    | 90 ++++++++++++++++++++-------------------
>  src/qemu/qemu_migration.c | 21 ++++++++-
>  src/qemu/qemu_migration.h |  4 +-
>  src/qemu/qemu_saveimage.c | 25 +++++++++--
>  src/qemu/qemu_saveimage.h |  4 +-
>  src/qemu/qemu_snapshot.c  |  4 +-
>  src/vz/vz_driver.c        | 18 +++++--
>  14 files changed, 243 insertions(+), 98 deletions(-)
>
You get bonus points for fixing save image code in the CH driver, but that's sooo broken anyways that basically we're unable to restore from a saved image anyway. But hey, at least we don't deplete memory :-D

Reviewed-by: Michal Privoznik <[email protected]>

Michal
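The two-step scheme the cover letter describes, as a constructed illustration that is not libvirt's code: a bounded scan pulls only `<name>` and `<uuid>` out of the caller's XML, a missing UUID is replaced by the nil UUID before the ACL sees it, and the full parse is reachable only once the ACL check has passed. The string scanner, the `DomainIDs` struct, the `tenant-a-` policy and all function names are assumptions made for the example; libvirt itself parses with libxml2 and consults its real ACL driver.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NIL_UUID "00000000-0000-0000-0000-000000000000"
typedef struct { char name[64]; char uuid[64]; } DomainIDs;

/* Copy the text between <tag> and </tag> into out; false if absent or too long.
 * Deliberately simplified scanner (constructed example); libvirt uses libxml2. */
static bool extract_element(const char *xml, const char *tag, char *out, size_t outlen) {
    char open[32], close[32];
    snprintf(open, sizeof(open), "<%s>", tag);
    snprintf(close, sizeof(close), "</%s>", tag);
    const char *s = strstr(xml, open);
    if (!s) return false;
    s += strlen(open);
    const char *e = strstr(s, close);
    if (!e || (size_t)(e - s) >= outlen) return false;
    snprintf(out, outlen, "%.*s", (int)(e - s), s);
    return true;
}

/* Step 1: identifiers only. A UUID the caller omitted would be generated by the
 * full parser; no ACL can depend on that value, so pass the nil UUID instead. */
bool parse_domain_ids(const char *xml, DomainIDs *ids) {
    if (!extract_element(xml, "name", ids->name, sizeof(ids->name))) return false;
    if (!extract_element(xml, "uuid", ids->uuid, sizeof(ids->uuid)))
        strcpy(ids->uuid, NIL_UUID);
    return true;
}

/* Constructed policy standing in for the ACL driver: names prefixed "tenant-a-". */
bool acl_allows_define(const DomainIDs *ids) {
    return strncmp(ids->name, "tenant-a-", 9) == 0;
}

/* Step 2 gate: the expensive full parse would start only after the ACL passed,
 * so a hostile document is rejected before any large allocation. */
bool define_domain_checked(const char *xml) {
    DomainIDs ids;
    return parse_domain_ids(xml, &ids) && acl_allows_define(&ids);
}

/* Exposes the nil-UUID normalisation so callers can verify it. */
bool domain_uuid_is_nil(const char *xml) {
    DomainIDs ids;
    return parse_domain_ids(xml, &ids) && strcmp(ids.uuid, NIL_UUID) == 0;
}
```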
