Blame SOURCES/libvirt-CVE-2014-3633-qemu-blkiotune-Use-correct-definition-when-looking-up-disk.patch

6bf708
From a102eb9c707bb28506f2ff68716122e306c5be55 Mon Sep 17 00:00:00 2001
6bf708
Message-Id: <a102eb9c707bb28506f2ff68716122e306c5be55@dist-git>
6bf708
From: Peter Krempa <pkrempa@redhat.com>
6bf708
Date: Wed, 17 Sep 2014 23:17:23 +0200
6bf708
Subject: [PATCH] CVE-2014-3633: qemu: blkiotune: Use correct definition when
6bf708
 looking up disk
6bf708
6bf708
Live definition was used to look up the disk index while persistent one
6bf708
was indexed leading to a crash in qemuDomainGetBlockIoTune. Use the
6bf708
correct def and report a nice error.
6bf708
6bf708
Unfortunately it's accessible via read-only connection, though it can
6bf708
only crash libvirtd in the cases where the guest is hot-plugging disks
6bf708
without reflecting those changes to the persistent definition.  So
6bf708
avoiding hotplug, or doing hotplug where persistent is always modified
6bf708
alongside live definition, will avoid the out-of-bounds access.
6bf708
6bf708
Introduced in: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa (v0.9.8)
6bf708
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140724
6bf708
Reported-by: Luyao Huang <lhuang@redhat.com>
6bf708
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
6bf708
6bf708
(cherry picked from commit 3e745e8f775dfe6f64f18b5c2fe4791b35d3546b)
6bf708
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
6bf708
---
6bf708
 src/qemu/qemu_driver.c | 8 ++++++--
6bf708
 1 file changed, 6 insertions(+), 2 deletions(-)
6bf708
6bf708
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
6bf708
index 475b752..ebdbfd7 100644
6bf708
--- a/src/qemu/qemu_driver.c
6bf708
+++ b/src/qemu/qemu_driver.c
6bf708
@@ -15688,9 +15688,13 @@ qemuDomainGetBlockIoTune(virDomainPtr dom,
6bf708
     }
6bf708
 
6bf708
     if (flags & VIR_DOMAIN_AFFECT_CONFIG) {
6bf708
-        int idx = virDomainDiskIndexByName(vm->def, disk, true);
6bf708
-        if (idx < 0)
6bf708
+        int idx = virDomainDiskIndexByName(persistentDef, disk, true);
6bf708
+        if (idx < 0) {
6bf708
+            virReportError(VIR_ERR_INVALID_ARG,
6bf708
+                           _("disk '%s' was not found in the domain config"),
6bf708
+                           disk);
6bf708
             goto endjob;
6bf708
+        }
6bf708
         reply = persistentDef->disks[idx]->blkdeviotune;
6bf708
     }
6bf708
 
6bf708
-- 
6bf708
2.1.0
6bf708