From 99c4157556204ff11a89e7078658a851490a1f0a Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 28 Jun 2022 13:54:16 +0200
Subject: [PATCH] docs/guestfs-security: document CVE-2022-2211

Short log for the common submodule, commit range
f8de5508fe75..35467027f657:

Laszlo Ersek (2):
      mlcustomize: factor out pkg install/update/uninstall from guestfs-tools
      options: fix buffer overflow in get_keys() [CVE-2022-2211]

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2100862
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20220628115418.5376-2-lersek@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>

Cherry picked from commit 99844660b48ed809e37378262c65d63df6ce4a53.
RWMJ: For the cherry pick, I updated the common submodule to
the latest master commit (201632e4a7).
---
 common                    |  2 +-
 docs/guestfs-security.pod | 28 ++++++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/common b/common
index 0a231b3e6..201632e4a 160000
--- a/common
+++ b/common
@@ -1 +1 @@
-Subproject commit 0a231b3e68bbf229cef706e86bef37b81debacb9
+Subproject commit 201632e4a78c1f591ea2d9038bd22f738642cf5c
diff --git a/docs/guestfs-security.pod b/docs/guestfs-security.pod
index 9ceef5623..efa35b29d 100644
--- a/docs/guestfs-security.pod
+++ b/docs/guestfs-security.pod
@@ -406,6 +406,34 @@ The libvirt backend is not affected.
 The solution is to update qemu to a version containing the fix (see
 L<https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html>).
 
+=head2 CVE-2022-2211
+
+L<https://bugzilla.redhat.com/CVE-2022-2211>
+
+The C<get_keys> function in F<libguestfs-common/options/keys.c> collects
+those I<--key> options from the command line into a new array that match
+a particular block device that's being decrypted for inspection. The
+function intends to size the result array such that potentially all
+I<--key> options, plus a terminating C<NULL> element, fit into it. The
+code mistakenly uses the C<MIN> macro instead of C<MAX>, and therefore
+only one element is allocated before the C<NULL> terminator.
+
+Passing precisely two I<--key ID:...> options on the command line for
+the encrypted block device C<ID> causes C<get_keys> to overwrite the
+terminating C<NULL>, leading to an out-of-bounds read in
+C<decrypt_mountables>, file F<libguestfs-common/options/decrypt.c>.
+
+Passing more than two I<--key ID:...> options on the command line for
+the encrypted block device C<ID> causes C<get_keys> itself to perform
+out-of-bounds writes. The most common symptom is a crash with C<SIGSEGV>
+later on.
+
+This issue affects -- broadly speaking -- all libguestfs-based utilities
+that accept I<--key>, namely: C<guestfish>, C<guestmount>, C<virt-cat>,
+C<virt-customize>, C<virt-diff>, C<virt-edit>, C<virt-get-kernel>,
+C<virt-inspector>, C<virt-log>, C<virt-ls>, C<virt-sparsify>,
+C<virt-sysprep>, C<virt-tail>, C<virt-v2v>.
+
 =head1 SEE ALSO
 
 L<guestfs(3)>,