From 7f49eef97945667494ba0a8127ee2290ceb7fdb8 Mon Sep 17 00:00:00 2001

Message-Id: <7f49eef97945667494ba0a8127ee2290ceb7fdb8.1381871411.git.jdenemar@redhat.com>

From: "Daniel P. Berrange" <berrange@redhat.com>

Date: Mon, 7 Oct 2013 16:40:51 +0100

Subject: [PATCH] Fix crash in libvirtd when events are registered & ACLs

 active (CVE-2013-4399)

For

  https://bugzilla.redhat.com/show_bug.cgi?id=1011429

When a client disconnects from libvirtd, all event callbacks

must be removed. This involves running the public API

  virConnectDomainEventDeregisterAny

This code does not run in normal API dispatch context, so no

identity was set. The result was that the access control drivers

denied the attempt to deregister callbacks. The callbacks thus

continued to trigger after the client was free'd causing fairly

predictable use of free memory & a crash.

This can be triggered by any client with readonly access when

the ACL drivers are active.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

(cherry picked from commit 8294aa0c1750dcb49d6345cd9bd97bf421580d8b)

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>

---

 daemon/remote.c | 6 ++++++

 1 file changed, 6 insertions(+)

diff --git a/daemon/remote.c b/daemon/remote.c

index afd9fb5..1ba8ac2 100644

--- a/daemon/remote.c

+++ b/daemon/remote.c

@@ -666,8 +666,11 @@ void remoteClientFreeFunc(void *data)

     /* Deregister event delivery callback */

     if (priv->conn) {

+        virIdentityPtr sysident = virIdentityGetSystem();

         size_t i;

+        virIdentitySetCurrent(sysident);

+

         for (i = 0; i < VIR_DOMAIN_EVENT_ID_LAST; i++) {

             if (priv->domainEventCallbackID[i] != -1) {

                 VIR_DEBUG("Deregistering to relay remote events %zu", i);

@@ -678,6 +681,9 @@ void remoteClientFreeFunc(void *data)

         }

         virConnectClose(priv->conn);

+

+        virIdentitySetCurrent(NULL);

+        virObjectUnref(sysident);

     }

     VIR_FREE(priv);

-- 

1.8.3.2