[Pkg-libvirt-commits] [libvirt] 16/18: CVE-2014-3633: qemu: blkiotune: Use correct definition when looking up disk

Guido Guenther agx at moszumanska.debian.org
Sun Sep 28 12:31:54 UTC 2014


This is an automated email from the git hooks/post-receive script.

agx pushed a commit to annotated tag debian/0.9.12.3-1+deb7u1
in repository libvirt.

commit 72a9d06428d32564b18a351259621aaeb440c5a8
Author: Guido Günther <agx at sigxcpu.org>
Date:   Fri Sep 26 10:30:41 2014 +0200

    CVE-2014-3633: qemu: blkiotune: Use correct definition when looking up disk
    
    Closes: #762203
---
 ...33-qemu-blkiotune-Use-correct-definition-.patch | 50 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 51 insertions(+)

diff --git a/debian/patches/security/CVE-2014-3633-qemu-blkiotune-Use-correct-definition-.patch b/debian/patches/security/CVE-2014-3633-qemu-blkiotune-Use-correct-definition-.patch
new file mode 100644
index 0000000..832183e
--- /dev/null
+++ b/debian/patches/security/CVE-2014-3633-qemu-blkiotune-Use-correct-definition-.patch
@@ -0,0 +1,50 @@
+From: Peter Krempa <pkrempa at redhat.com>
+Date: Thu, 11 Sep 2014 16:35:53 +0200
+Subject: CVE-2014-3633: qemu: blkiotune: Use correct definition when looking
+ up disk
+
+Live definition was used to look up the disk index while persistent one
+was indexed leading to a crash in qemuDomainGetBlockIoTune. Use the
+correct def and report a nice error.
+
+Unfortunately it's accessible via read-only connection, though it can
+only crash libvirtd in the cases where the guest is hot-plugging disks
+without reflecting those changes to the persistent definition.  So
+avoiding hotplug, or doing hotplug where persistent is always modified
+alongside live definition, will avoid the out-of-bounds access.
+
+Introduced in: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa (v0.9.8)
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140724
+Reported-by: Luyao Huang <lhuang at redhat.com>
+Signed-off-by: Peter Krempa <pkrempa at redhat.com>
+
+(cherry picked from commit 3e745e8f775dfe6f64f18b5c2fe4791b35d3546b)
+
+Conflicts:
+	src/qemu/qemu_driver.c - context due to fewer functions
+
+Closes: #762203
+---
+ src/qemu/qemu_driver.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 30b703a..327638e 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -12179,9 +12179,13 @@ qemuDomainGetBlockIoTune(virDomainPtr dom,
+     }
+ 
+     if (flags & VIR_DOMAIN_AFFECT_CONFIG) {
+-        int idx = virDomainDiskIndexByName(vm->def, disk, true);
+-        if (idx < 0)
++        int idx = virDomainDiskIndexByName(persistentDef, disk, true);
++        if (idx < 0) {
++            virReportError(VIR_ERR_INVALID_ARG,
++                           _("disk '%s' was not found in the domain config"),
++                           disk);
+             goto endjob;
++        }
+         reply = persistentDef->disks[idx]->blkdeviotune;
+     }
+ 
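Review bot: confirm in the surrounding context (not shown in this hunk) that `persistentDef` cannot be NULL whenever `VIR_DOMAIN_AFFECT_CONFIG` is set, since the new `virDomainDiskIndexByName(persistentDef, disk, true)` call dereferences it unconditionally. With that established the change is sound: the old code computed the index from `vm->def` but used it to subscript `persistentDef->disks`, so any divergence between the live and persistent disk lists (a hot-plugged disk not saved to the config) produced an out-of-bounds read reachable, per the description, over a read-only connection; indexing the same definition that is subscripted, and returning `VIR_ERR_INVALID_ARG` with the disk name on a miss instead of silently jumping to `endjob`, closes that. Minor documentation point in the patch header: the `Introduced in:` value is 41 hex characters, one more than a SHA-1, so it will not resolve in `git show` as written.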
diff --git a/debian/patches/series b/debian/patches/series
index fc6e78f..c09c395 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,4 @@ Don-t-fail-if-we-can-t-setup-avahi.patch
 Only-check-for-cluster-fs-if-we-re-using-a-filesyste.patch
 Reduce-udevadm-settle-timeout-to-10-seconds.patch
 debian/Allow-xen-toolstack-to-find-it-s-binaries.patch
+security/CVE-2014-3633-qemu-blkiotune-Use-correct-definition-.patch
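Review bot: placing the entry last in the series is the right choice here, because the patch header above records a context conflict in `src/qemu/qemu_driver.c` when cherry-picking, so it must apply on top of whatever the earlier series entries already change; the path also matches the file created in the first diff (`debian/patches/security/CVE-2014-3633-qemu-blkiotune-Use-correct-definition-.patch`), so `quilt push -a` should find it.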

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-libvirt/libvirt.git
