commit 71753cb7f7a16ff800381c0b5ee4e99eea92fed3
Author: Guido Günther <agx@sigxcpu.org>
Date: Mon Mar 14 10:56:28 2011 +0800
Add missing checks for read only connections
As pointed out in CVE-2011-1146, some APIs forgot to check the read-only
status of the connection for entry points which modify the state
of the system or may lead to remote execution using user data.
The entry points concerned are:
- virConnectDomainXMLToNative
- virNodeDeviceDettach
- virNodeDeviceReAttach
- virNodeDeviceReset
- virDomainRevertToSnapshot
- virDomainSnapshotDelete
* src/libvirt.c: fix the above set of entry points to error on read-only
connections
Index: libvirt-0.8.8/src/libvirt.c
===================================================================
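--- libvirt-0.8.8.orig/src/libvirt.c
+++ libvirt-0.8.8/src/libvirt.c
@@ -3152,6 +3152,10 @@ char *virConnectDomainXMLToNative(virCon
 virDispatchError(NULL);
 return NULL;
 }
+ if (conn->flags & VIR_CONNECT_RO) {
+ virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+ goto error;
+ }
 
 if (nativeFormat == NULL || domainXml == NULL) {
 virLibConnError(VIR_ERR_INVALID_ARG, __FUNCTION__);
@@ -9579,6 +9583,11 @@ virNodeDeviceDettach(virNodeDevicePtr de
 return -1;
 }
 
+ if (dev->conn->flags & VIR_CONNECT_RO) {
+ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+ goto error;
+ }
+
 if (dev->conn->driver->nodeDeviceDettach) {
 int ret;
 ret = dev->conn->driver->nodeDeviceDettach (dev);
@@ -9622,6 +9631,11 @@ virNodeDeviceReAttach(virNodeDevicePtr d
 return -1;
 }
 
+ if (dev->conn->flags & VIR_CONNECT_RO) {
+ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+ goto error;
+ }
+
 if (dev->conn->driver->nodeDeviceReAttach) {
 int ret;
 ret = dev->conn->driver->nodeDeviceReAttach (dev);
@@ -9667,6 +9681,11 @@ virNodeDeviceReset(virNodeDevicePtr dev)
 return -1;
 }
 
+ if (dev->conn->flags & VIR_CONNECT_RO) {
+ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+ goto error;
+ }
+
 if (dev->conn->driver->nodeDeviceReset) {
 int ret;
 ret = dev->conn->driver->nodeDeviceReset (dev);
@@ -12962,6 +12981,10 @@ virDomainRevertToSnapshot(virDomainSnaps
 }
 
 conn = snapshot->domain->conn;
+ if (conn->flags & VIR_CONNECT_RO) {
+ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+ goto error;
+ }
 
 if (conn->driver->domainRevertToSnapshot) {
 int ret = conn->driver->domainRevertToSnapshot(snapshot, flags);
@@ -13008,6 +13031,10 @@ virDomainSnapshotDelete(virDomainSnapsho
 }
 
 conn = snapshot->domain->conn;
+ if (conn->flags & VIR_CONNECT_RO) {
+ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+ goto error;
+ }
 
 if (conn->driver->domainSnapshotDelete) {
 int ret = conn->driver->domainSnapshotDelete(snapshot, flags);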
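Review bot: In the virConnectDomainXMLToNative hunk the new read-only guard reports through `virLibDomainError`, while the argument check right after it in the same function and the other five guards in this patch use `virLibConnError`; since the object being rejected is the connection, `virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);` would keep the reporting consistent. The guard is also copied by hand into each entry point, which is presumably how these six were missed in the first place, so a regression test that calls each of them on a read-only connection and expects VIR_ERR_OPERATION_DENIED would pin the fix and make the next omission visible. The `error` labels targeted by the new `goto` statements lie outside every hunk, so their cleanup and dispatch path cannot be confirmed from this page.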