[Pkg-libvirt-commits] [libvirt] 01/10: CVE-2014-8131: Fix possible deadlock and segfault in qemuConnectGetAllDomainStats()

Guido Guenther agx at moszumanska.debian.org
Wed Dec 24 10:14:42 UTC 2014


This is an automated email from the git hooks/post-receive script.

agx pushed a commit to annotated tag debian/1.2.9-7
in repository libvirt.

commit d7df883dd36520d706367f400fd0b6cb007f32c7
Author: Guido Günther <agx at sigxcpu.org>
Date:   Wed Dec 24 09:21:34 2014 +0100

    CVE-2014-8131: Fix possible deadlock and segfault in qemuConnectGetAllDomainStats()
    
    Closes: #773858
---
 ...31-Fix-possible-deadlock-and-segfault-in-.patch | 73 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 74 insertions(+)

diff --git a/debian/patches/security/CVE-2014-8131-Fix-possible-deadlock-and-segfault-in-.patch b/debian/patches/security/CVE-2014-8131-Fix-possible-deadlock-and-segfault-in-.patch
new file mode 100644
index 0000000..9ff9874
--- /dev/null
+++ b/debian/patches/security/CVE-2014-8131-Fix-possible-deadlock-and-segfault-in-.patch
@@ -0,0 +1,73 @@
+From: Martin Kletzander <mkletzan at redhat.com>
+Date: Thu, 27 Nov 2014 15:47:52 +0100
+Subject: CVE-2014-8131: Fix possible deadlock and segfault in
+ qemuConnectGetAllDomainStats()
+
+When user doesn't have read access on one of the domains he requested,
+the for loop could exit abruptly or continue and override pointer which
+pointed to locked object.
+
+This patch fixed two issues at once.  One is that domflags might have
+had QEMU_DOMAIN_STATS_HAVE_JOB even when there was no job started (this
+is fixed by doing domflags |= QEMU_DOMAIN_STATS_HAVE_JOB only when the
+job was acquired and cleaning domflags on every start of the loop.
+Second one is that the domain is kept locked when
+virConnectGetAllDomainStatsCheckACL() fails and continues the loop when
+it didn't end.  Adding a simple virObjectUnlock() and clearing the
+pointer ought to do.
+
+Signed-off-by: Martin Kletzander <mkletzan at redhat.com>
+(cherry picked from commit 57023c0a3af4af1c547189c1f6712ed5edeb0c0b)
+Signed-off-by: Martin Kletzander <mkletzan at redhat.com>
+---
+ src/qemu/qemu_driver.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index e873d45..14a1ae9 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -18139,20 +18139,23 @@ qemuConnectGetAllDomainStats(virConnectPtr conn,
+         privflags |= QEMU_DOMAIN_STATS_HAVE_JOB;
+ 
+     for (i = 0; i < ndoms; i++) {
+-        domflags = privflags;
+         virDomainStatsRecordPtr tmp = NULL;
++        domflags = 0;
+ 
+         if (!(dom = qemuDomObjFromDomain(doms[i])))
+             continue;
+ 
+         if (doms != domlist &&
+-            !virConnectGetAllDomainStatsCheckACL(conn, dom->def))
++            !virConnectGetAllDomainStatsCheckACL(conn, dom->def)) {
++            virObjectUnlock(dom);
++            dom = NULL;
+             continue;
++        }
+ 
+-        if (HAVE_JOB(domflags) &&
++        if (HAVE_JOB(privflags) &&
+             qemuDomainObjBeginJob(driver, dom, QEMU_JOB_QUERY) < 0)
+             /* As it was never requested. Gather as much as possible anyway. */
+-            domflags &= ~QEMU_DOMAIN_STATS_HAVE_JOB;
++            domflags |= QEMU_DOMAIN_STATS_HAVE_JOB;
+ 
+         if (qemuDomainGetStats(conn, dom, stats, &tmp, domflags) < 0)
+             goto endjob;
+@@ -18160,9 +18163,12 @@ qemuConnectGetAllDomainStats(virConnectPtr conn,
+         if (tmp)
+             tmpstats[nstats++] = tmp;
+ 
+-        if (HAVE_JOB(domflags) && !qemuDomainObjEndJob(driver, dom)) {
+-            dom = NULL;
+-            continue;
++        if (HAVE_JOB(domflags)) {
++            domflags = 0;
++            if (!qemuDomainObjEndJob(driver, dom)) {
++                dom = NULL;
++                continue;
++            }
+         }
+ 
+         virObjectUnlock(dom);
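Review bot: the job condition `if (HAVE_JOB(privflags) && qemuDomainObjBeginJob(driver, dom, QEMU_JOB_QUERY) < 0)` followed by `domflags |= QEMU_DOMAIN_STATS_HAVE_JOB;` sets the HAVE_JOB bit when qemuDomainObjBeginJob fails, which is the reverse of what the patch description says ("only when the job was acquired"). In the removed form the `< 0` branch cleared the bit, so failure semantics were consistent; after the change a successfully begun job leaves domflags without the bit, so the later `if (HAVE_JOB(domflags))` block that calls qemuDomainObjEndJob is skipped and the job is never ended, while a failed qemuDomainObjBeginJob results in qemuDomainObjEndJob being called for a job that was never begun. The retained comment "As it was never requested. Gather as much as possible anyway." also still describes the old `&= ~` behaviour. Suggest testing for success before setting the bit, e.g. `if (HAVE_JOB(privflags) && qemuDomainObjBeginJob(driver, dom, QEMU_JOB_QUERY) == 0) domflags |= QEMU_DOMAIN_STATS_HAVE_JOB;`, and rewording the comment to say that stats are still gathered as far as possible when no job could be started. The unlock-and-clear on the ACL failure path and the reset of domflags before qemuDomainObjEndJob look correct; the `goto endjob` target is outside the hunk, so whether it also keys on domflags cannot be checked from these lines.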
diff --git a/debian/patches/series b/debian/patches/series
index cfa566c..fb49ac7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -16,3 +16,4 @@ debian/Debianize-virtlockd.patch
 qemu-use-systemd-s-TerminateMachine-to-kill-all-proc.patch
 security/CVE-2014-7823-dumpxml-security-hole-with-migratable-.patch
 util-Prepare-URI-formatting-for-libxml2-2.9.2.patch
+security/CVE-2014-8131-Fix-possible-deadlock-and-segfault-in-.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-libvirt/libvirt.git


