[libvirt] Fix for CVE-2011-1146, missing checks on read-only connections
Daniel Veillard
veillard at fedoraproject.org
Mon Mar 14 13:49:28 UTC 2011
commit 47fcec5405b3d99222af90ed344031389ac7d158
Author: Daniel Veillard <veillard at redhat.com>
Date: Mon Mar 14 21:48:48 2011 +0800
Fix for CVE-2011-1146, missing checks on read-only connections
libvirt-read-only-checks.patch | 95 ++++++++++++++++++++++++++++++++++++++++
libvirt.spec | 8 +++-
2 files changed, 102 insertions(+), 1 deletions(-)
---
diff --git a/libvirt-read-only-checks.patch b/libvirt-read-only-checks.patch
new file mode 100644
index 0000000..3981764
--- /dev/null
+++ b/libvirt-read-only-checks.patch
@@ -0,0 +1,95 @@
+From: Guido Günther <agx at sigxcpu.org>
+Date: Mon, 14 Mar 2011 02:56:28 +0000 (+0800)
+Subject: Add missing checks for read only connections
+X-Git-Url: http://libvirt.org/git/?p=libvirt.git;a=commitdiff_plain;h=71753cb7f7a16ff800381c0b5ee4e99eea92fed3;hp=13c00dde3171b3a38d23cceb3f9151cb6cac3dad
+
+Add missing checks for read only connections
+
+As pointed on CVE-2011-1146, some API forgot to check the read-only
+status of the connection for entry point which modify the state
+of the system or may lead to a remote execution using user data.
+The entry points concerned are:
+ - virConnectDomainXMLToNative
+ - virNodeDeviceDettach
+ - virNodeDeviceReAttach
+ - virNodeDeviceReset
+ - virDomainRevertToSnapshot
+ - virDomainSnapshotDelete
+
+* src/libvirt.c: fix the above set of entry points to error on read-only
+ connections
+---
+
+diff --git a/src/libvirt.c b/src/libvirt.c
+index caa109d..713291f 100644
+--- a/src/libvirt.c
++++ b/src/libvirt.c
+@@ -3321,6 +3321,10 @@ char *virConnectDomainXMLToNative(virConnectPtr conn,
+ virDispatchError(NULL);
+ return NULL;
+ }
++ if (conn->flags & VIR_CONNECT_RO) {
++ virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ goto error;
++ }
+
+ if (nativeFormat == NULL || domainXml == NULL) {
+ virLibConnError(VIR_ERR_INVALID_ARG, __FUNCTION__);
+@@ -9748,6 +9752,11 @@ virNodeDeviceDettach(virNodeDevicePtr dev)
+ return -1;
+ }
+
++ if (dev->conn->flags & VIR_CONNECT_RO) {
++ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ goto error;
++ }
++
+ if (dev->conn->driver->nodeDeviceDettach) {
+ int ret;
+ ret = dev->conn->driver->nodeDeviceDettach (dev);
+@@ -9791,6 +9800,11 @@ virNodeDeviceReAttach(virNodeDevicePtr dev)
+ return -1;
+ }
+
++ if (dev->conn->flags & VIR_CONNECT_RO) {
++ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ goto error;
++ }
++
+ if (dev->conn->driver->nodeDeviceReAttach) {
+ int ret;
+ ret = dev->conn->driver->nodeDeviceReAttach (dev);
+@@ -9836,6 +9850,11 @@ virNodeDeviceReset(virNodeDevicePtr dev)
+ return -1;
+ }
+
++ if (dev->conn->flags & VIR_CONNECT_RO) {
++ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ goto error;
++ }
++
+ if (dev->conn->driver->nodeDeviceReset) {
+ int ret;
+ ret = dev->conn->driver->nodeDeviceReset (dev);
+@@ -13131,6 +13150,10 @@ virDomainRevertToSnapshot(virDomainSnapshotPtr snapshot,
+ }
+
+ conn = snapshot->domain->conn;
++ if (conn->flags & VIR_CONNECT_RO) {
++ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ goto error;
++ }
+
+ if (conn->driver->domainRevertToSnapshot) {
+ int ret = conn->driver->domainRevertToSnapshot(snapshot, flags);
+@@ -13177,6 +13200,10 @@ virDomainSnapshotDelete(virDomainSnapshotPtr snapshot,
+ }
+
+ conn = snapshot->domain->conn;
++ if (conn->flags & VIR_CONNECT_RO) {
++ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ goto error;
++ }
+
+ if (conn->driver->domainSnapshotDelete) {
+ int ret = conn->driver->domainSnapshotDelete(snapshot, flags);
diff --git a/libvirt.spec b/libvirt.spec
index 070af28..6a64c75 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -204,11 +204,12 @@
Summary: Library providing a simple virtualization API
Name: libvirt
Version: 0.8.8
-Release: 2%{?dist}%{?extra_release}
+Release: 3%{?dist}%{?extra_release}
License: LGPLv2+
Group: Development/Libraries
Source: http://libvirt.org/sources/libvirt-%{version}.tar.gz
Patch1: %{name}-%{version}-kernel-boot-index.patch
+Patch2: %{name}-read-only-checks.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
URL: http://libvirt.org/
BuildRequires: python-devel
@@ -456,6 +457,7 @@ of recent versions of Linux (and other OSes).
%prep
%setup -q
%patch1 -p1
+%patch2 -p1
%build
%if ! %{with_xen}
@@ -975,6 +977,10 @@ fi
%endif
%changelog
+* Mon Mar 14 2011 Daniel Veillard <veillard at redhat.com> - 0.8.8-3
+- fix a lack of API check on read-only connections
+- CVE-2011-1146
+
* Mon Feb 21 2011 Daniel P. Berrange <berrange at redhat.com> - 0.8.8-2
- Fix kernel boot with latest QEMU
More information about the scm-commits
mailing list