提交 71753cb7 编写于 作者: G Guido Günther 提交者: Daniel Veillard

Add missing checks for read only connections

As pointed on CVE-2011-1146, some API forgot to check the read-only
status of the connection for entry point which modify the state
of the system or may lead to a remote execution using user data.
The entry points concerned are:
  - virConnectDomainXMLToNative
  - virNodeDeviceDettach
  - virNodeDeviceReAttach
  - virNodeDeviceReset
  - virDomainRevertToSnapshot
  - virDomainSnapshotDelete

* src/libvirt.c: fix the above set of entry points to error on read-only
                 connections
上级 13c00dde
...@@ -3321,6 +3321,10 @@ char *virConnectDomainXMLToNative(virConnectPtr conn, ...@@ -3321,6 +3321,10 @@ char *virConnectDomainXMLToNative(virConnectPtr conn,
virDispatchError(NULL); virDispatchError(NULL);
return NULL; return NULL;
} }
if (conn->flags & VIR_CONNECT_RO) {
virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
goto error;
}
if (nativeFormat == NULL || domainXml == NULL) { if (nativeFormat == NULL || domainXml == NULL) {
virLibConnError(VIR_ERR_INVALID_ARG, __FUNCTION__); virLibConnError(VIR_ERR_INVALID_ARG, __FUNCTION__);
...@@ -9748,6 +9752,11 @@ virNodeDeviceDettach(virNodeDevicePtr dev) ...@@ -9748,6 +9752,11 @@ virNodeDeviceDettach(virNodeDevicePtr dev)
return -1; return -1;
} }
if (dev->conn->flags & VIR_CONNECT_RO) {
virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
goto error;
}
if (dev->conn->driver->nodeDeviceDettach) { if (dev->conn->driver->nodeDeviceDettach) {
int ret; int ret;
ret = dev->conn->driver->nodeDeviceDettach (dev); ret = dev->conn->driver->nodeDeviceDettach (dev);
...@@ -9791,6 +9800,11 @@ virNodeDeviceReAttach(virNodeDevicePtr dev) ...@@ -9791,6 +9800,11 @@ virNodeDeviceReAttach(virNodeDevicePtr dev)
return -1; return -1;
} }
if (dev->conn->flags & VIR_CONNECT_RO) {
virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
goto error;
}
if (dev->conn->driver->nodeDeviceReAttach) { if (dev->conn->driver->nodeDeviceReAttach) {
int ret; int ret;
ret = dev->conn->driver->nodeDeviceReAttach (dev); ret = dev->conn->driver->nodeDeviceReAttach (dev);
...@@ -9836,6 +9850,11 @@ virNodeDeviceReset(virNodeDevicePtr dev) ...@@ -9836,6 +9850,11 @@ virNodeDeviceReset(virNodeDevicePtr dev)
return -1; return -1;
} }
if (dev->conn->flags & VIR_CONNECT_RO) {
virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
goto error;
}
if (dev->conn->driver->nodeDeviceReset) { if (dev->conn->driver->nodeDeviceReset) {
int ret; int ret;
ret = dev->conn->driver->nodeDeviceReset (dev); ret = dev->conn->driver->nodeDeviceReset (dev);
...@@ -13131,6 +13150,10 @@ virDomainRevertToSnapshot(virDomainSnapshotPtr snapshot, ...@@ -13131,6 +13150,10 @@ virDomainRevertToSnapshot(virDomainSnapshotPtr snapshot,
} }
conn = snapshot->domain->conn; conn = snapshot->domain->conn;
if (conn->flags & VIR_CONNECT_RO) {
virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
goto error;
}
if (conn->driver->domainRevertToSnapshot) { if (conn->driver->domainRevertToSnapshot) {
int ret = conn->driver->domainRevertToSnapshot(snapshot, flags); int ret = conn->driver->domainRevertToSnapshot(snapshot, flags);
...@@ -13177,6 +13200,10 @@ virDomainSnapshotDelete(virDomainSnapshotPtr snapshot, ...@@ -13177,6 +13200,10 @@ virDomainSnapshotDelete(virDomainSnapshotPtr snapshot,
} }
conn = snapshot->domain->conn; conn = snapshot->domain->conn;
if (conn->flags & VIR_CONNECT_RO) {
virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
goto error;
}
if (conn->driver->domainSnapshotDelete) { if (conn->driver->domainSnapshotDelete) {
int ret = conn->driver->domainSnapshotDelete(snapshot, flags); int ret = conn->driver->domainSnapshotDelete(snapshot, flags);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册