Package: libvirt / 0.8.3-5+squeeze5

security/0013-Add-missing-checks-for-read-only-connections.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
Date: Mon, 14 Mar 2011 08:55:02 +0100
Subject: Add missing checks for read only connections

As pointed on CVE-2011-1146, some API forgot to check the read-only
status of the connection for entry point which modify the state
of the system or may lead to a remote execution using user data.
The entry points concerned are:
  - virConnectDomainXMLToNative
  - virNodeDeviceDettach
  - virNodeDeviceReAttach
  - virNodeDeviceReset
  - virDomainRevertToSnapshot
  - virDomainSnapshotDelete

* src/libvirt.c: fix the above set of entry points to error on read-only
                 connections

---
 src/libvirt.c |   27 +++++++++++++++++++++++++++
 1 files changed, 27 insertions(+), 0 deletions(-)

diff --git a/src/libvirt.c b/src/libvirt.c
index 3ec5724..5e5a758 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -3177,6 +3177,10 @@ char *virConnectDomainXMLToNative(virConnectPtr conn,
         virDispatchError(NULL);
         return (NULL);
     }
+    if (conn->flags & VIR_CONNECT_RO) {
+        virLibDomainError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+        goto error;
+    }
 
     if (nativeFormat == NULL || domainXml == NULL) {
         virLibConnError(conn, VIR_ERR_INVALID_ARG, __FUNCTION__);
@@ -9418,6 +9422,11 @@ virNodeDeviceDettach(virNodeDevicePtr dev)
         return (-1);
     }
 
+    if (dev->conn->flags & VIR_CONNECT_RO) {
+        virLibConnError(dev->conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+        goto error;
+    }
+
     if (dev->conn->driver->nodeDeviceDettach) {
         int ret;
         ret = dev->conn->driver->nodeDeviceDettach (dev);
@@ -9461,6 +9470,11 @@ virNodeDeviceReAttach(virNodeDevicePtr dev)
         return (-1);
     }
 
+    if (dev->conn->flags & VIR_CONNECT_RO) {
+        virLibConnError(dev->conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+        goto error;
+    }
+
     if (dev->conn->driver->nodeDeviceReAttach) {
         int ret;
         ret = dev->conn->driver->nodeDeviceReAttach (dev);
@@ -9506,6 +9520,11 @@ virNodeDeviceReset(virNodeDevicePtr dev)
         return (-1);
     }
 
+    if (dev->conn->flags & VIR_CONNECT_RO) {
+        virLibConnError(dev->conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+        goto error;
+    }
+
     if (dev->conn->driver->nodeDeviceReset) {
         int ret;
         ret = dev->conn->driver->nodeDeviceReset (dev);
@@ -12761,6 +12780,10 @@ virDomainRevertToSnapshot(virDomainSnapshotPtr snapshot,
     }
 
     conn = snapshot->domain->conn;
+    if (conn->flags & VIR_CONNECT_RO) {
+        virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+        goto error;
+    }
 
     if (conn->driver->domainRevertToSnapshot) {
         int ret = conn->driver->domainRevertToSnapshot(snapshot, flags);
@@ -12807,6 +12830,10 @@ virDomainSnapshotDelete(virDomainSnapshotPtr snapshot,
     }
 
     conn = snapshot->domain->conn;
+    if (conn->flags & VIR_CONNECT_RO) {
+        virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+        goto error;
+    }
 
     if (conn->driver->domainSnapshotDelete) {
         int ret = conn->driver->domainSnapshotDelete(snapshot, flags);
--