[CVE-2011-1146] Add missing checks for read only connections
Some API forgot to check the read-only status of the connection for
entry point which modify the state of the system or may lead to a remote
execution using user data.
The entry points concerned are:
- virConnectDomainXMLToNative
- virNodeDeviceDettach
- virNodeDeviceReAttach
- virNodeDeviceReset
- virDomainRevertToSnapshot
- virDomainSnapshotDelete
src/libvirt.c: fix the above set of entry points to error on read-only
Closes: #617773
Guido Günther
13 years ago
0 | From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org> | |
1 | Date: Mon, 14 Mar 2011 08:55:02 +0100 | |
2 | Subject: Add missing checks for read only connections | |
3 | ||
4 | As pointed on CVE-2011-1146, some API forgot to check the read-only | |
5 | status of the connection for entry point which modify the state | |
6 | of the system or may lead to a remote execution using user data. | |
7 | The entry points concerned are: | |
8 | - virConnectDomainXMLToNative | |
9 | - virNodeDeviceDettach | |
10 | - virNodeDeviceReAttach | |
11 | - virNodeDeviceReset | |
12 | - virDomainRevertToSnapshot | |
13 | - virDomainSnapshotDelete | |
14 | ||
15 | * src/libvirt.c: fix the above set of entry points to error on read-only | |
16 | connections | |
17 | ||
18 | --- | |
19 | src/libvirt.c | 27 +++++++++++++++++++++++++++ | |
20 | 1 files changed, 27 insertions(+), 0 deletions(-) | |
21 | ||
22 | diff --git a/src/libvirt.c b/src/libvirt.c | |
23 | index 3ec5724..5e5a758 100644 | |
24 | --- a/src/libvirt.c | |
25 | +++ b/src/libvirt.c | |
26 | @@ -3177,6 +3177,10 @@ char *virConnectDomainXMLToNative(virConnectPtr conn, | |
27 | virDispatchError(NULL); | |
28 | return (NULL); | |
29 | } | |
30 | + if (conn->flags & VIR_CONNECT_RO) { | |
31 | + virLibDomainError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__); | |
32 | + goto error; | |
33 | + } | |
34 | ||
35 | if (nativeFormat == NULL || domainXml == NULL) { | |
36 | virLibConnError(conn, VIR_ERR_INVALID_ARG, __FUNCTION__); | |
37 | @@ -9418,6 +9422,11 @@ virNodeDeviceDettach(virNodeDevicePtr dev) | |
38 | return (-1); | |
39 | } | |
40 | ||
41 | + if (dev->conn->flags & VIR_CONNECT_RO) { | |
42 | + virLibConnError(dev->conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__); | |
43 | + goto error; | |
44 | + } | |
45 | + | |
46 | if (dev->conn->driver->nodeDeviceDettach) { | |
47 | int ret; | |
48 | ret = dev->conn->driver->nodeDeviceDettach (dev); | |
49 | @@ -9461,6 +9470,11 @@ virNodeDeviceReAttach(virNodeDevicePtr dev) | |
50 | return (-1); | |
51 | } | |
52 | ||
53 | + if (dev->conn->flags & VIR_CONNECT_RO) { | |
54 | + virLibConnError(dev->conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__); | |
55 | + goto error; | |
56 | + } | |
57 | + | |
58 | if (dev->conn->driver->nodeDeviceReAttach) { | |
59 | int ret; | |
60 | ret = dev->conn->driver->nodeDeviceReAttach (dev); | |
61 | @@ -9506,6 +9520,11 @@ virNodeDeviceReset(virNodeDevicePtr dev) | |
62 | return (-1); | |
63 | } | |
64 | ||
65 | + if (dev->conn->flags & VIR_CONNECT_RO) { | |
66 | + virLibConnError(dev->conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__); | |
67 | + goto error; | |
68 | + } | |
69 | + | |
70 | if (dev->conn->driver->nodeDeviceReset) { | |
71 | int ret; | |
72 | ret = dev->conn->driver->nodeDeviceReset (dev); | |
73 | @@ -12761,6 +12780,10 @@ virDomainRevertToSnapshot(virDomainSnapshotPtr snapshot, | |
74 | } | |
75 | ||
76 | conn = snapshot->domain->conn; | |
77 | + if (conn->flags & VIR_CONNECT_RO) { | |
78 | + virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__); | |
79 | + goto error; | |
80 | + } | |
81 | ||
82 | if (conn->driver->domainRevertToSnapshot) { | |
83 | int ret = conn->driver->domainRevertToSnapshot(snapshot, flags); | |
84 | @@ -12807,6 +12830,10 @@ virDomainSnapshotDelete(virDomainSnapshotPtr snapshot, | |
85 | } | |
86 | ||
87 | conn = snapshot->domain->conn; | |
88 | + if (conn->flags & VIR_CONNECT_RO) { | |
89 | + virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__); | |
90 | + goto error; | |
91 | + } | |
92 | ||
93 | if (conn->driver->domainSnapshotDelete) { | |
94 | int ret = conn->driver->domainSnapshotDelete(snapshot, flags); | |
95 | -- |