提交 54cb7f05 编写于 作者: J Jiri Denemark 提交者: Eric Blake

qemu: Avoid using stale data in virDomainGetBlockInfo

CVE-2013-6458

Generally, every API that is going to begin a job should do that before
fetching data from vm->def. However, qemuDomainGetBlockInfo does not
know whether it will have to start a job or not before checking vm->def.
To avoid using disk alias that might have been freed while we were
waiting for a job, we use its copy. In case the disk was removed in the
meantime, we will fail with "cannot find statistics for device '...'"
error message.

(cherry picked from commit b7992595)
上级 17db7e28
......@@ -9706,10 +9706,12 @@ cleanup:
}
static int qemuDomainGetBlockInfo(virDomainPtr dom,
static int
qemuDomainGetBlockInfo(virDomainPtr dom,
const char *path,
virDomainBlockInfoPtr info,
unsigned int flags) {
unsigned int flags)
{
virQEMUDriverPtr driver = dom->conn->privateData;
virDomainObjPtr vm;
int ret = -1;
......@@ -9721,6 +9723,7 @@ static int qemuDomainGetBlockInfo(virDomainPtr dom,
int idx;
int format;
virQEMUDriverConfigPtr cfg = NULL;
char *alias = NULL;
virCheckFlags(0, -1);
......@@ -9827,13 +9830,16 @@ static int qemuDomainGetBlockInfo(virDomainPtr dom,
virDomainObjIsActive(vm)) {
qemuDomainObjPrivatePtr priv = vm->privateData;
if (VIR_STRDUP(alias, disk->info.alias) < 0)
goto cleanup;
if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_QUERY) < 0)
goto cleanup;
if (virDomainObjIsActive(vm)) {
qemuDomainObjEnterMonitor(driver, vm);
ret = qemuMonitorGetBlockExtent(priv->mon,
disk->info.alias,
alias,
&info->allocation);
qemuDomainObjExitMonitor(driver, vm);
} else {
......@@ -9847,6 +9853,7 @@ static int qemuDomainGetBlockInfo(virDomainPtr dom,
}
cleanup:
VIR_FREE(alias);
virStorageFileFreeMetadata(meta);
VIR_FORCE_CLOSE(fd);
if (vm)
......
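Review bot: The reason for the copy is recorded only in the commit message, so nothing at the `VIR_STRDUP(alias, disk->info.alias)` call warns a later editor that `disk` must not be dereferenced once `qemuDomainObjBeginJob` has been called. I would add a comment directly above the copy, for example `/* disk may be freed while we wait for the job; use only the copied alias after qemuDomainObjBeginJob */`. The post-job lines shown here pass only `alias` to `qemuMonitorGetBlockExtent`, but the `else` branch and the rest of the function lie outside the visible hunks, so any remaining use of `disk` or other pointers taken from `vm->def` after the job should be checked separately. The `cleanup:` path frees `alias` on every exit, which is correct because it is initialised to `NULL`.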