qemu: Avoid using stale data in virDomainGetBlockInfo

CVE-2013-6458 Generally, every API that is going to begin a job should do that before fetching data from vm->def. However, qemuDomainGetBlockInfo does not know whether it will have to start a job or not before checking vm->def. To avoid using disk alias that might have been freed while we were waiting for a job, we use its copy. In case the disk was removed in the meantime, we will fail with "cannot find statistics for device '...'" error message. (cherry picked from commit b7992595) Conflicts: src/qemu/qemu_driver.c - VIR_STRDUP not backported, context

qemu: Avoid using stale data in virDomainGetBlockInfo
CVE-2013-6458 Generally, every API that is going to begin a job should do that before fetching data from vm->def. However, qemuDomainGetBlockInfo does not know whether it will have to start a job or not before checking vm->def. To avoid using disk alias that might have been freed while we were waiting for a job, we use its copy. In case the disk was removed in the meantime, we will fail with "cannot find statistics for device '...'" error message. (cherry picked from commit b7992595) Conflicts: src/qemu/qemu_driver.c - VIR_STRDUP not backported, context
7a9bcfa1 · Jiri Denemark · Eric Blake · 5f5e9eb2 · 7a9bcfa1
隐藏空白更改
内联并排

Showing with 8 addition and 1 deletion

src/qemu/qemu_driver.c src/qemu/qemu_driver.c +8 -1

未找到文件。
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -9159,6 +9159,7 @@ static int qemuDomainGetBlockInfo(virDomainPtr dom,
    struct stat sb;
    int i;
    int format;
+    char *alias = NULL;

    virCheckFlags(0, -1);

@@ -9281,13 +9282,18 @@ static int qemuDomainGetBlockInfo(virDomainPtr dom,
        virDomainObjIsActive(vm)) {
        qemuDomainObjPrivatePtr priv = vm->privateData;

+        if (!(alias = strdup(disk->info.alias))) {
+            virReportOOMError();
+            goto cleanup;
+        }
+
        if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_QUERY) < 0)
            goto cleanup;

        if (virDomainObjIsActive(vm)) {
            qemuDomainObjEnterMonitor(driver, vm);
            ret = qemuMonitorGetBlockExtent(priv->mon,
-                                            disk->info.alias,
+                                            alias,
                                            &info->allocation);
            qemuDomainObjExitMonitor(driver, vm);
        } else {
@@ -9301,6 +9307,7 @@ static int qemuDomainGetBlockInfo(virDomainPtr dom,
    }

 cleanup:
+    VIR_FREE(alias);
    virStorageFileFreeMetadata(meta);
    VIR_FORCE_CLOSE(fd);
    if (vm)