qemu: Avoid using stale data in virDomainGetBlockInfo

CVE-2013-6458 Generally, every API that is going to begin a job should do that before fetching data from vm->def. However, qemuDomainGetBlockInfo does not know whether it will have to start a job or not before checking vm->def. To avoid using disk alias that might have been freed while we were waiting for a job, we use its copy. In case the disk was removed in the meantime, we will fail with "cannot find statistics for device '...'" error message. Conflicts: src/qemu/qemu_driver.c (cherry picked from commit b799259583)
2025-01-08 22:15:21 +00:00 · 2013-12-20 14:50:02 +01:00 · 2013-12-20 14:50:02 +01:00 · 4dd29d3bdf
commit 4dd29d3bdf
parent c430c002dd
1 changed files with 13 additions and 5 deletions
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@ -92,6 +92,7 @@
 #include "virnodesuspend.h"
 #include "virtime.h"
 #include "virtypedparam.h"
+#include "virstring.h"

 #define VIR_FROM_THIS VIR_FROM_QEMU

@ -8409,10 +8410,12 @@ cleanup:
 }


-static int qemuDomainGetBlockInfo(virDomainPtr dom,
-                                  const char *path,
-                                  virDomainBlockInfoPtr info,
-                                  unsigned int flags) {
+static int
+qemuDomainGetBlockInfo(virDomainPtr dom,
+                       const char *path,
+                       virDomainBlockInfoPtr info,
+                       unsigned int flags)
+{
    struct qemud_driver *driver = dom->conn->privateData;
    virDomainObjPtr vm;
    int ret = -1;
@ -8423,6 +8426,7 @@ static int qemuDomainGetBlockInfo(virDomainPtr dom,
    struct stat sb;
    int i;
    int format;
+    char *alias = NULL;

    virCheckFlags(0, -1);

@ -8545,13 +8549,16 @@ static int qemuDomainGetBlockInfo(virDomainPtr dom,
        virDomainObjIsActive(vm)) {
        qemuDomainObjPrivatePtr priv = vm->privateData;

+        if (VIR_STRDUP(alias, disk->info.alias) < 0)
+            goto cleanup;
+
        if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_QUERY) < 0)
            goto cleanup;

        if (virDomainObjIsActive(vm)) {
            qemuDomainObjEnterMonitor(driver, vm);
            ret = qemuMonitorGetBlockExtent(priv->mon,
-                                            disk->info.alias,
+                                            alias,
                                            &info->allocation);
            qemuDomainObjExitMonitor(driver, vm);
        } else {
@ -8565,6 +8572,7 @@ static int qemuDomainGetBlockInfo(virDomainPtr dom,
    }

 cleanup:
+    VIR_FREE(alias);
    virStorageFileFreeMetadata(meta);
    VIR_FORCE_CLOSE(fd);
    if (vm)