qemu: Avoid using stale data in virDomainGetBlockInfo

CVE-2013-6458 Generally, every API that is going to begin a job should do that before fetching data from vm->def. However, qemuDomainGetBlockInfo does not know whether it will have to start a job or not before checking vm->def. To avoid using disk alias that might have been freed while we were waiting for a job, we use its copy. In case the disk was removed in the meantime, we will fail with "cannot find statistics for device '...'" error message.
2013-12-20 14:50:02 +01:00 · 2013-12-20 14:50:02 +01:00 · b799259583
parent db86da5ca2
commit b799259583
1 changed files with 12 additions and 5 deletions
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@ -9788,10 +9788,12 @@ cleanup:
 }


-static int qemuDomainGetBlockInfo(virDomainPtr dom,
-                                  const char *path,
-                                  virDomainBlockInfoPtr info,
-                                  unsigned int flags) {
+static int
+qemuDomainGetBlockInfo(virDomainPtr dom,
+                       const char *path,
+                       virDomainBlockInfoPtr info,
+                       unsigned int flags)
+{
    virQEMUDriverPtr driver = dom->conn->privateData;
    virDomainObjPtr vm;
    int ret = -1;
@ -9803,6 +9805,7 @@ static int qemuDomainGetBlockInfo(virDomainPtr dom,
    int idx;
    int format;
    virQEMUDriverConfigPtr cfg = NULL;
+    char *alias = NULL;

    virCheckFlags(0, -1);

@ -9909,13 +9912,16 @@ static int qemuDomainGetBlockInfo(virDomainPtr dom,
        virDomainObjIsActive(vm)) {
        qemuDomainObjPrivatePtr priv = vm->privateData;

+        if (VIR_STRDUP(alias, disk->info.alias) < 0)
+            goto cleanup;
+
        if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_QUERY) < 0)
            goto cleanup;

        if (virDomainObjIsActive(vm)) {
            qemuDomainObjEnterMonitor(driver, vm);
            ret = qemuMonitorGetBlockExtent(priv->mon,
-                                            disk->info.alias,
+                                            alias,
                                            &info->allocation);
            qemuDomainObjExitMonitor(driver, vm);
        } else {
@ -9929,6 +9935,7 @@ static int qemuDomainGetBlockInfo(virDomainPtr dom,
    }

 cleanup:
+    VIR_FREE(alias);
    virStorageFileFreeMetadata(meta);
    VIR_FORCE_CLOSE(fd);
    if (vm)