| author | Guido Günther <agx@sigxcpu.org> | |
| Mon, 14 Mar 2011 19:05:16 +0000 (20:05 +0100) | ||
| committer | Guido Günther <agx@sigxcpu.org> | |
| Mon, 14 Mar 2011 19:06:11 +0000 (20:06 +0100) |
As pointed out in CVE-2011-1146, some APIs forgot to check the read-only
status of the connection for entry points which modify the state
of the system or may lead to remote execution using user data.
The entry points concerned are:
- virConnectDomainXMLToNative
- virNodeDeviceDettach
- virNodeDeviceReAttach
- virNodeDeviceReset
- virDomainRevertToSnapshot
- virDomainSnapshotDelete
* src/libvirt.c: fix the above set of entry points to error on read-only
connections
Closes: #617773
| debian/patches/series | patch | blob | history | |
| debian/patches/upstream/Add-missing-checks-for-read-only-connections.patch | [new file with mode: 0644] | patch | blob |
diff --git a/debian/patches/series b/debian/patches/series
--- a/debian/patches/series
+++ b/debian/patches/series
Don-t-pass-empty-arguments-to-dnsmasq.patch
Do-not-add-drive-boot-on-param-when-a-kernel-is-spec.patch
Make-sure-the-rundir-is-accessible-by-the-user.patch
+upstream/Add-missing-checks-for-read-only-connections.patch
diff --git a/debian/patches/upstream/Add-missing-checks-for-read-only-connections.patch b/debian/patches/upstream/Add-missing-checks-for-read-only-connections.patch
--- /dev/null
@@ -0,0 +1,97 @@
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Mon, 14 Mar 2011 10:56:28 +0800
+Subject: Add missing checks for read only connections
+
+As pointed on CVE-2011-1146, some API forgot to check the read-only
+status of the connection for entry point which modify the state
+of the system or may lead to a remote execution using user data.
+The entry points concerned are:
+ - virConnectDomainXMLToNative
+ - virNodeDeviceDettach
+ - virNodeDeviceReAttach
+ - virNodeDeviceReset
+ - virDomainRevertToSnapshot
+ - virDomainSnapshotDelete
+
+* src/libvirt.c: fix the above set of entry points to error on read-only
+ connections
+
+Closes: #617773
+---
+ src/libvirt.c | 27 +++++++++++++++++++++++++++
+ 1 files changed, 27 insertions(+), 0 deletions(-)
+
+diff --git a/src/libvirt.c b/src/libvirt.c
+index f65cc24..8c70a1f 100644
+--- a/src/libvirt.c
++++ b/src/libvirt.c
+@@ -3152,6 +3152,10 @@ char *virConnectDomainXMLToNative(virConnectPtr conn,
+ virDispatchError(NULL);
+ return NULL;
+ }
++ if (conn->flags & VIR_CONNECT_RO) {
++ virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ goto error;
++ }
+
+ if (nativeFormat == NULL || domainXml == NULL) {
+ virLibConnError(VIR_ERR_INVALID_ARG, __FUNCTION__);
+@@ -9579,6 +9583,11 @@ virNodeDeviceDettach(virNodeDevicePtr dev)
+ return -1;
+ }
+
++ if (dev->conn->flags & VIR_CONNECT_RO) {
++ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ goto error;
++ }
++
+ if (dev->conn->driver->nodeDeviceDettach) {
+ int ret;
+ ret = dev->conn->driver->nodeDeviceDettach (dev);
+@@ -9622,6 +9631,11 @@ virNodeDeviceReAttach(virNodeDevicePtr dev)
+ return -1;
+ }
+
++ if (dev->conn->flags & VIR_CONNECT_RO) {
++ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ goto error;
++ }
++
+ if (dev->conn->driver->nodeDeviceReAttach) {
+ int ret;
+ ret = dev->conn->driver->nodeDeviceReAttach (dev);
+@@ -9667,6 +9681,11 @@ virNodeDeviceReset(virNodeDevicePtr dev)
+ return -1;
+ }
+
++ if (dev->conn->flags & VIR_CONNECT_RO) {
++ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ goto error;
++ }
++
+ if (dev->conn->driver->nodeDeviceReset) {
+ int ret;
+ ret = dev->conn->driver->nodeDeviceReset (dev);
+@@ -12962,6 +12981,10 @@ virDomainRevertToSnapshot(virDomainSnapshotPtr snapshot,
+ }
+
+ conn = snapshot->domain->conn;
++ if (conn->flags & VIR_CONNECT_RO) {
++ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ goto error;
++ }
+
+ if (conn->driver->domainRevertToSnapshot) {
+ int ret = conn->driver->domainRevertToSnapshot(snapshot, flags);
+@@ -13008,6 +13031,10 @@ virDomainSnapshotDelete(virDomainSnapshotPtr snapshot,
+ }
+
+ conn = snapshot->domain->conn;
++ if (conn->flags & VIR_CONNECT_RO) {
++ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ goto error;
++ }
+
+ if (conn->driver->domainSnapshotDelete) {
+ int ret = conn->driver->domainSnapshotDelete(snapshot, flags);
+--
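Review bot: In the nested `src/libvirt.c` hunk for `virConnectDomainXMLToNative`, the new read-only check reports the denial through `virLibDomainError`, although the function takes a `virConnectPtr`, the argument check directly below it uses `virLibConnError`, and the other five added checks use `virLibConnError` as well. Unless the domain-scoped error is intentional, I would write `virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);` there so that a denied call is attributed consistently. All six checks jump to an `error` label that lies outside the visible context of each hunk, so it should be confirmed against the packaged source that every one of these functions has that label and that it returns the failure value. Since the guard has to be added by hand to each entry point, a brief comment above each check, for example `/* changes host/domain state: refuse on VIR_CONNECT_RO */`, would make the requirement visible to whoever adds the next state-changing API.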
