From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
Date: Mon, 14 Mar 2011 10:56:28 +0800
Subject: Add missing checks for read only connections
As pointed out in CVE-2011-1146, some APIs failed to check the read-only
status of the connection for entry points which modify the state
of the system or may lead to remote execution using user data.
The entry points concerned are:
- virConnectDomainXMLToNative
- virNodeDeviceDettach
- virNodeDeviceReAttach
- virDomainRevertToSnapshot
- virDomainSnapshotDelete
* src/libvirt.c: fix the above set of entry points to error on read-only
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=683650
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=617773
22
Index: libvirt-0.8.8/src/libvirt.c
23
===================================================================
24
--- libvirt-0.8.8.orig/src/libvirt.c 2011-03-15 12:45:25.000000000 -0500
25
+++ libvirt-0.8.8/src/libvirt.c 2011-03-15 12:45:29.000000000 -0500
26
@@ -3152,6 +3152,10 @@
27
virDispatchError(NULL);
30
+ if (conn->flags & VIR_CONNECT_RO) {
31
+ virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
35
if (nativeFormat == NULL || domainXml == NULL) {
36
virLibConnError(VIR_ERR_INVALID_ARG, __FUNCTION__);
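Review bot: The read-only guard added here reports through `virLibDomainError`, while the argument check directly below it and the guards in every other hunk of this patch use `virLibConnError`. The object being tested is `conn`, so `virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);` would keep the denial in the same error domain as the rest of this entry point. That matters to callers and log filters that key on the domain to spot refused read-only operations. The body of the new `if` and the rest of the function are not fully visible in this hunk, so the exit path after the error call cannot be confirmed from here.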
37
@@ -9579,6 +9583,11 @@
41
+ if (dev->conn->flags & VIR_CONNECT_RO) {
42
+ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
46
if (dev->conn->driver->nodeDeviceDettach) {
48
ret = dev->conn->driver->nodeDeviceDettach (dev);
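Review bot: The same read-only guard is written out by hand in this hunk and again in the hunks at -9622, -9667, -12962 and -13008, which is the pattern that let these entry points go unchecked in the first place. A single file-local helper or macro that takes the connection and performs the `VIR_CONNECT_RO` test plus the `VIR_ERR_OPERATION_DENIED` report would make the check uniform and easier to audit. At minimum, each state-changing entry point could carry a one-line comment such as `/* modifies host state: must be refused on read-only connections */` above the guard. The enclosing functions start and end outside these hunks, so whether any other state-changing entry point in the file still lacks the guard cannot be judged from this page.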
49
@@ -9622,6 +9631,11 @@
53
+ if (dev->conn->flags & VIR_CONNECT_RO) {
54
+ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
58
if (dev->conn->driver->nodeDeviceReAttach) {
60
ret = dev->conn->driver->nodeDeviceReAttach (dev);
61
@@ -9667,6 +9681,11 @@
65
+ if (dev->conn->flags & VIR_CONNECT_RO) {
66
+ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
70
if (dev->conn->driver->nodeDeviceReset) {
72
ret = dev->conn->driver->nodeDeviceReset (dev);
73
@@ -12962,6 +12981,10 @@
76
conn = snapshot->domain->conn;
77
+ if (conn->flags & VIR_CONNECT_RO) {
78
+ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
82
if (conn->driver->domainRevertToSnapshot) {
83
int ret = conn->driver->domainRevertToSnapshot(snapshot, flags);
84
@@ -13008,6 +13031,10 @@
87
conn = snapshot->domain->conn;
88
+ if (conn->flags & VIR_CONNECT_RO) {
89
+ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
93
if (conn->driver->domainSnapshotDelete) {
94
int ret = conn->driver->domainSnapshotDelete(snapshot, flags);