CVE-2014-3633: qemu: blkiotune: Use correct definition when looking u…

…p disk Live definition was used to look up the disk index while persistent one was indexed leading to a crash in qemuDomainGetBlockIoTune. Use the correct def and report a nice error. Unfortunately it's accessible via read-only connection, though it can only crash libvirtd in the cases where the guest is hot-plugging disks without reflecting those changes to the persistent definition. So avoiding hotplug, or doing hotplug where persistent is always modified alongside live definition, will avoid the out-of-bounds access. Introduced in: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa (v0.9.8) Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140724 Reported-by: Luyao Huang <lhuang@redhat.com> Signed-off-by: Peter Krempa <pkrempa@redhat.com>
libvirt · Sep 17, 2014 · 3e745e8 · 3e745e8
1 parent 281f700
commit 3e745e8
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
@@ -16317,9 +16317,13 @@ qemuDomainGetBlockIoTune(virDomainPtr dom,
     }
 
     if (flags & VIR_DOMAIN_AFFECT_CONFIG) {
-        int idx = virDomainDiskIndexByName(vm->def, disk, true);
-        if (idx < 0)
+        int idx = virDomainDiskIndexByName(persistentDef, disk, true);
+        if (idx < 0) {
+            virReportError(VIR_ERR_INVALID_ARG,
+                           _("disk '%s' was not found in the domain config"),
+                           disk);
             goto endjob;
+        }
         reply = persistentDef->disks[idx]->blkdeviotune;
     }