External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-12-22 13:45:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

api: disallow virDomainSaveImageGetXMLDesc on read-only connections

Browse Source 
The virDomainSaveImageGetXMLDesc API is taking a path parameter,
which can point to any path on the system. This file will then be
read and parsed by libvirtd running with root privileges.

Forbid it on read-only connections.

Fixes: CVE-2019-10161
Reported-by: Matthias Gerstner <mgerstner@suse.de>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit aed6a032ce)
Signed-off-by: Ján Tomko <jtomko@redhat.com>

Conflicts:
  src/libvirt-domain.c
  src/remote/remote_protocol.x

Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
alias for VIR_DOMAIN_XML_SECURE is not backported.
Just skip the commit since we now disallow the whole API on read-only
connections, regardless of the flag.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
This commit is contained in:
Ján Tomko 2019-06-14 08:47:42 +02:00
parent cad11c98cd
commit b22baef312
3 changed files with 4 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/libvirt-domain.c
View File

@ -1077,9 +1077,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,
* previously by virDomainSave() or virDomainSaveFlags(). * previously by virDomainSave() or virDomainSaveFlags().
* *
* No security-sensitive data will be included unless @flags contains * No security-sensitive data will be included unless @flags contains
* VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only * VIR_DOMAIN_XML_SECURE.
* connections. For this API, @flags should not contain either
* VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
* *
* Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
* error. The caller must free() the returned value. * error. The caller must free() the returned value.
@ -1095,12 +1093,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,
virCheckConnectReturn(conn, NULL); virCheckConnectReturn(conn, NULL);
virCheckNonNullArgGoto(file, error); virCheckNonNullArgGoto(file, error);
virCheckReadOnlyGoto(conn->flags, error);
if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
virReportError(VIR_ERR_OPERATION_DENIED, "%s",
_("virDomainSaveImageGetXMLDesc with secure flag"));
goto error;
}
if (conn->driver->domainSaveImageGetXMLDesc) { if (conn->driver->domainSaveImageGetXMLDesc) {
char *ret; char *ret;

2
src/qemu/qemu_driver.c
View File

@ -6690,7 +6690,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,
if (fd < 0) if (fd < 0)
goto cleanup; goto cleanup;
if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0) if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
goto cleanup; goto cleanup;
ret = qemuDomainDefFormatXML(driver, def, flags); ret = qemuDomainDefFormatXML(driver, def, flags);

3
src/remote/remote_protocol.x
View File

@ -4928,8 +4928,7 @@ enum remote_procedure {
/** /**
* @generate: both * @generate: both
* @priority: high * @priority: high
* @acl: domain:read * @acl: domain:write
* @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
*/ */
REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235, REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,