From nobody Sat May  4 20:48:36 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 205.139.110.61 as permitted sender) client-ip=205.139.110.61;
 envelope-from=libvir-list-bounces@redhat.com;
 helo=us-smtp-delivery-1.mimecast.com;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 205.139.110.61 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass(p=none dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1583501331; cv=none;
	d=zohomail.com; s=zohoarc;
	b=NqbqhZeWDJL9/FOzUo4UX9I9+MnnYOWrysEhXDGrUcYc/w8mzEl/NyvT07sQJ3j/zkjl+9IjWzKjjN6mFDUbzRZxbMarJzij4iXxW50UzGHbiCNYMF88nc2v1xvgskLKtUhsjoXuyyK4PV9ltGnfgk0oa04CMOpdO2iIzQK0UJI=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1583501331;
 h=Content-Type:Content-Transfer-Encoding:Date:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:To;
	bh=M2MLrSONjlmdeZeweR3I7VEC0XJyff6wA+DpbNFeqtw=;
	b=oHOu/pyRmeca8nSf0/Qa+KkvIB8wVgQEyNhtk6W7IK+BU9HmOmv4YQwnBWuMNS6fliHYi7JF5P6AFEo2Dk1g5+JPnsiIwVsiAzbFy/7a1f2OYePwUNRInM1Vt3IFhJ/NbocMdt+JzPqK2J3l0/p0ymSKMGXA8ij30gSoFS6XBSs=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 205.139.110.61 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass header.from=<berrange@redhat.com> (p=none dis=none)
 header.from=<berrange@redhat.com>
Return-Path: <libvir-list-bounces@redhat.com>
Received: from us-smtp-delivery-1.mimecast.com (us-smtp-1.mimecast.com
 [205.139.110.61]) by mx.zohomail.com
	with SMTPS id 158350133115477.74932802375997;
 Fri, 6 Mar 2020 05:28:51 -0800 (PST)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-116-m1ts0-qlMnCxuJa_RlYKtA-1; Fri, 06 Mar 2020 08:28:47 -0500
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com
 [10.5.11.23])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id A37768017DF;
	Fri,  6 Mar 2020 13:28:41 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 0F0AD19C69;
	Fri,  6 Mar 2020 13:28:40 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id 4E46886A05;
	Fri,  6 Mar 2020 13:28:39 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com
	[10.5.11.15])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id 026DSbxs018854 for <libvir-list@listman.util.phx.redhat.com>;
	Fri, 6 Mar 2020 08:28:37 -0500
Received: by smtp.corp.redhat.com (Postfix)
	id A5DB773893; Fri,  6 Mar 2020 13:28:37 +0000 (UTC)
Received: from localhost.localdomain.com (ovpn-112-66.ams2.redhat.com
	[10.36.112.66])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 858BA7389A;
	Fri,  6 Mar 2020 13:28:33 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1583501329;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post;
	bh=M2MLrSONjlmdeZeweR3I7VEC0XJyff6wA+DpbNFeqtw=;
	b=Z3Tj8tJ7k8ABwaYEBzaObbouifrXDlRymVA+xCFSp/pUYhiFhZjY4zT5k8E5N/nbKmea5z
	h4RKDaxjZYbSdDo8aN/iGYMPj/vn24KXA+9jV9yQTQONZDM1aoPkFosW9eIGDcIoXX9B5x
	/iaFmemUcLd1RuGPyuPNAg3CqztYafA=
X-MC-Unique: m1ts0-qlMnCxuJa_RlYKtA-1
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
To: libvir-list@redhat.com
Subject: [libvirt PATCH v2] src: fix mixup of stack and heap allocated data in
	auth callback
Date: Fri,  6 Mar 2020 13:28:30 +0000
Message-Id: <20200306132830.2851631-1-berrange@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
X-loop: libvir-list@redhat.com
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @redhat.com)
Content-Type: text/plain; charset="utf-8"

In the following recent change:

  commit db72866310d1e520efa8ed2d4589bdb5e76a1c95
  Author: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
  Date:   Tue Jan 14 10:40:52 2020 +0000

    util: add API for reading password from the console

the fact that "bufptr" pointer may point to either heap or stack
allocated data was overlooked. As a result, when the strdup was
removed, we ended up returning a pointer to the local stack to
the caller. When the caller referenced this stack pointer they
got out garbage which fairly quickly resulted in a crash.

We need to copy the stack buffer into heap memory in the username
case.

Signed-off-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
---

Changed in v2:

 - Keep use of fgets for mingw portability, but strdup the
   static buffer

 src/libvirt.c        |  5 ++--
 tests/Makefile.am    |  2 ++
 tests/virsh-auth     | 57 ++++++++++++++++++++++++++++++++++++++++++++
 tests/virsh-auth.xml |  5 ++++
 4 files changed, 67 insertions(+), 2 deletions(-)
 create mode 100755 tests/virsh-auth
 create mode 100644 tests/virsh-auth.xml

diff --git a/src/libvirt.c b/src/libvirt.c
index a30eaa7590..76bf1fa677 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -111,7 +111,7 @@ virConnectAuthCallbackDefault(virConnectCredentialPtr c=
red,
=20
     for (i =3D 0; i < ncred; i++) {
         char buf[1024];
-        char *bufptr =3D buf;
+        char *bufptr =3D NULL;
         size_t len;
=20
         switch (cred[i].type) {
@@ -138,14 +138,15 @@ virConnectAuthCallbackDefault(virConnectCredentialPtr=
 cred,
=20
             if (!fgets(buf, sizeof(buf), stdin)) {
                 if (feof(stdin)) { /* Treat EOF as "" */
-                    buf[0] =3D '\0';
                     break;
                 }
                 return -1;
             }
+
             len =3D strlen(buf);
             if (len !=3D 0 && buf[len-1] =3D=3D '\n')
                 buf[len-1] =3D '\0';
+            bufptr =3D g_strdup(buf);
             break;
=20
         case VIR_CRED_PASSPHRASE:
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 83326dbaa9..3b5abcc12b 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -164,6 +164,7 @@ EXTRA_DIST =3D \
 	xlconfigdata \
 	xmconfigdata \
 	xml2vmxdata \
+	virsh-auth.xml \
 	virstorageutildata \
 	virfilecachedata \
 	virresctrldata \
@@ -406,6 +407,7 @@ test_scripts =3D
 libvirtd_test_scripts =3D \
 	libvirtd-fail \
 	libvirtd-pool \
+	virsh-auth \
 	virsh-cpuset \
 	virsh-define-dev-segfault \
 	virsh-int-overflow \
diff --git a/tests/virsh-auth b/tests/virsh-auth
new file mode 100755
index 0000000000..d548694190
--- /dev/null
+++ b/tests/virsh-auth
@@ -0,0 +1,57 @@
+#!/usr/bin/env python3
+# run virsh to validate interactive auth
+
+# Copyright (C) 2020 Red Hat, Inc.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see
+# <http://www.gnu.org/licenses/>.
+
+import os
+import os.path
+import sys
+import subprocess
+
+builddir =3D os.getenv("abs_top_builddir")
+if builddir is None:
+   builddir =3D os.path.join(os.getcwd(), "..")
+
+srcdir =3D os.getenv("abs_top_srcdir")
+if srcdir is None:
+   srcdir =3D os.path.abspath(os.path.join(os.path.dirname(__file__), ".."=
))
+
+uri =3D "test://" + os.path.join(srcdir, "tests", "virsh-auth.xml")
+
+virsh =3D os.path.join(builddir, "tools", "virsh")
+
+proc =3D subprocess.Popen([virsh, "-c", uri, "uri"],
+                        universal_newlines=3DTrue,
+                        start_new_session=3DTrue,
+                        stdin=3Dsubprocess.PIPE,
+                        stdout=3Dsubprocess.PIPE,
+                        stderr=3Dsubprocess.PIPE)
+out, err =3D proc.communicate("astrochicken")
+
+if proc.returncode !=3D 0:
+   print("virsh failed with code %d" % proc.returncode, file=3Dsys.stderr)
+   if out !=3D "":
+      print("stdout=3D%s" % out)
+   if err !=3D "":
+      print("stderr=3D%s" % err)
+   sys.exit(1)
+
+if uri not in out:
+   print("Expected '%s' in '%s'" % (uri, out), file=3Dsys.stderr)
+   sys.exit(1)
+
+sys.exit(0)
diff --git a/tests/virsh-auth.xml b/tests/virsh-auth.xml
new file mode 100644
index 0000000000..a045a0746e
--- /dev/null
+++ b/tests/virsh-auth.xml
@@ -0,0 +1,5 @@
+<node>
+  <auth>
+    <user>astrochicken</user>
+  </auth>
+</node>
--=20
2.24.1