From 7d621673b5e33c2dcd7e247f37b3d1bd298b66d8 Mon Sep 17 00:00:00 2001
Message-Id: <7d621673b5e33c2dcd7e247f37b3d1bd298b66d8@dist-git>
From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
Date: Thu, 10 Jan 2019 12:49:11 +0100
Subject: [PATCH] qemu: require reply from guest agent in
 qemuAgentGetInterfaces
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Since its introduction in commit 0977b8aa071 (released in v1.2.14)
qemuAgentGetInterfaces calls qemuAgentCommand with needReply=false,
which allows qemuAgentCommand to return 0 even when it did not get
any reply from the agent.
Set needReply to true, since we dereference it right after.
This can be hit if libvirt is waiting for an event from the agent
(e.g. shutdown) and the agent cannot reply in time (e.g. due to
the guest being shut down), as reported in:
https://bugzilla.redhat.com/show_bug.cgi?id=1663051
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
(cherry picked from commit 7cfd1fbb1332ae5df678b9f41a62156cb2e88c73)
Signed-off-by: Ján Tomko <jtomko@redhat.com>
8.0: https://bugzilla.redhat.com/show_bug.cgi?id=1665000
CVE-2019-3840
Message-Id: <714971c077bf26ec0d1a2b7283cafb7ab253ccd5.1547120910.git.jtomko@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
---
 src/qemu/qemu_agent.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/qemu/qemu_agent.c b/src/qemu/qemu_agent.c
index 986e37b07d..d6fd02a4b6 100644
--- a/src/qemu/qemu_agent.c
+++ b/src/qemu/qemu_agent.c
@@ -1987,7 +1987,7 @@ qemuAgentGetInterfaces(qemuAgentPtr mon,
     if (!(cmd = qemuAgentMakeCommand("guest-network-get-interfaces", NULL)))
         goto cleanup;
 
-    if (qemuAgentCommand(mon, cmd, &reply, false,
+    if (qemuAgentCommand(mon, cmd, &reply, true,
                          VIR_DOMAIN_QEMU_AGENT_COMMAND_BLOCK) < 0)
         goto cleanup;
 
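Review bot: Flipping the needReply argument from false to true in the qemuAgentCommand call is the correct fix for the NULL dereference the commit message describes: with needReply=false a timed-out or absent agent reply let qemuAgentCommand return 0 with reply still NULL, and the code following this hunk then dereferenced it; with needReply=true the missing reply becomes a < 0 return and the function takes the existing "goto cleanup" path instead. Since the hunk only shows this one call site, it would be worth a follow-up audit of the other qemuAgentCommand callers that still pass false and then use reply without a NULL check, so the same crash-on-shutdown pattern is not left behind elsewhere.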
-- 
2.21.0