[Pkg-libvirt-commits] [libvirt] 03/10: CVE-2014-8135: storage: fix crash caused by no check return before set close

Guido Guenther agx at moszumanska.debian.org
Wed Dec 24 10:14:42 UTC 2014


This is an automated email from the git hooks/post-receive script.

agx pushed a commit to annotated tag debian/1.2.9-7
in repository libvirt.

commit b5e081c89180a42285dbefb9f9709d44997e6d53
Author: Guido Günther <agx at sigxcpu.org>
Date:   Wed Dec 24 09:30:10 2014 +0100

    CVE-2014-8135: storage: fix crash caused by no check return before set close
    
    Closes: #773855
---
 ...35-storage-fix-crash-caused-by-no-check-r.patch | 44 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 45 insertions(+)

diff --git a/debian/patches/security/CVE-2014-8135-storage-fix-crash-caused-by-no-check-r.patch b/debian/patches/security/CVE-2014-8135-storage-fix-crash-caused-by-no-check-r.patch
new file mode 100644
index 0000000..70cf119
--- /dev/null
+++ b/debian/patches/security/CVE-2014-8135-storage-fix-crash-caused-by-no-check-r.patch
@@ -0,0 +1,44 @@
+From: Luyao Huang <lhuang at redhat.com>
+Date: Wed, 3 Dec 2014 23:01:32 +0800
+Subject: CVE-2014-8135: storage: fix crash caused by no check return before
+ set close
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1087104#c5
+
+When trying to use an invalid offset to virStorageVolUpload(), libvirt
+fails in virFDStreamOpenFileInternal(), although it seems libvirt does
+not check the return in storageVolUpload(), and calls
+virFDStreamSetInternalCloseCb() right after.  But stream doesn't have a
+privateData (is NULL) yet, and the daemon crashes then.
+
+0  0x00007f09429a9c10 in pthread_mutex_lock () from /lib64/libpthread.so.0
+1  0x00007f094514dbf5 in virMutexLock (m=<optimized out>) at util/virthread.c:88
+2  0x00007f09451cb211 in virFDStreamSetInternalCloseCb at fdstream.c:795
+3  0x00007f092ff2c9eb in storageVolUpload at storage/storage_driver.c:2098
+4  0x00007f09451f46e0 in virStorageVolUpload at libvirt.c:14000
+5  0x00007f0945c78fa1 in remoteDispatchStorageVolUpload at remote_dispatch.h:14339
+6  remoteDispatchStorageVolUploadHelper at remote_dispatch.h:14309
+7  0x00007f094524a192 in virNetServerProgramDispatchCall at rpc/virnetserverprogram.c:437
+
+Signed-off-by: Luyao Huang <lhuang at redhat.com>
+(cherry picked from commit 87b9437f8951f9d24f9a85c6bbfff0e54df8c984)
+---
+ src/storage/storage_driver.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
+index 7c518bf..7d4ae50 100644
+--- a/src/storage/storage_driver.c
++++ b/src/storage/storage_driver.c
+@@ -2088,8 +2088,9 @@ storageVolUpload(virStorageVolPtr obj,
+             goto cleanup;
+     }
+ 
+-    ret = backend->uploadVol(obj->conn, pool, vol, stream,
+-                             offset, length, flags);
++    if ((ret = backend->uploadVol(obj->conn, pool, vol, stream,
++                                  offset, length, flags)) < 0)
++        goto cleanup;
+ 
+     /* Add cleanup callback - call after uploadVol since the stream
+      * is then fully set up
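Review bot: the added `< 0` check in storageVolUpload() closes this one call site, but the callee stays unguarded. Per the description and backtrace frames 1-2, virFDStreamSetInternalCloseCb() takes the lock through the stream's privateData, which is NULL when stream setup failed, so any other caller that reaches it after a failed setup would crash the daemon the same way. Consider also having virFDStreamSetInternalCloseCb() return an error when privateData is NULL. For the Debian patch header, a Bug-Debian line for #773855 next to the Red Hat Bugzilla URL would make the patch file traceable on its own.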
diff --git a/debian/patches/series b/debian/patches/series
index 0b915d0..683c80c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -18,3 +18,4 @@ security/CVE-2014-7823-dumpxml-security-hole-with-migratable-.patch
 util-Prepare-URI-formatting-for-libxml2-2.9.2.patch
 security/CVE-2014-8131-Fix-possible-deadlock-and-segfault-in-.patch
 qemu-bulk-stats-Fix-logic-in-monitor-handling.patch
+security/CVE-2014-8135-storage-fix-crash-caused-by-no-check-r.patch
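Review bot: the new entry on the last line is appended after qemu-bulk-stats-Fix-logic-in-monitor-handling.patch, so it applies on top of every earlier patch in the series. The embedded hunk was cherry-picked from upstream and expects its context at line 2088 of src/storage/storage_driver.c, so confirm it applies without fuzz or offset at this position in the stack, and refresh the patch if it does not.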

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-libvirt/libvirt.git


