[libvirt] [PATCH] qemu: domain: Fix potential NULL deref when parsing job private data

Peter Krempa posted 1 patch 4 years, 6 months ago
git fetch https://github.com/patchew-project/libvirt tags/patchew/b272d31eac3c3584d80559ef9dc5f1d4628f5aaf.1567433635.git.pkrempa@redhat.com
[libvirt] [PATCH] qemu: domain: Fix potential NULL deref when parsing job private data
Posted by Peter Krempa 4 years, 6 months ago
A specially crafted XML which would reference a non-existing disk but
request the mirror to be registered with the blockjob could potentially
make the parser dereference NULL. Fix it by moving the code slightly and
just treat it as a wrong job XML. Found by Coverity.

Reported-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 src/qemu/qemu_domain.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 657f3ecfe4..c7eb0b5e9a 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -3012,15 +3012,19 @@ qemuDomainObjPrivateXMLParseBlockjobData(virDomainObjPtr vm,
             invalidData = true;
     }

+    if (mirror) {
+        if (disk)
+            job->mirrorChain = virObjectRef(disk->mirror);
+        else
+            invalidData = true;
+    }
+
     job->state = state;
     job->newstate = newstate;
     job->errmsg = virXPathString("string(./errmsg)", ctxt);
     job->invalidData = invalidData;
     job->disk = disk;

-    if (mirror)
-        job->mirrorChain = virObjectRef(job->disk->mirror);
-
     qemuDomainObjPrivateXMLParseBlockjobDataSpecific(job, ctxt, xmlopt);

     if (qemuBlockJobRegister(job, vm, disk, false) < 0)
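Review bot: the moved block covers the missing-disk case but not a disk without a mirror: if `disk->mirror` can be NULL at this point, `job->mirrorChain = virObjectRef(disk->mirror);` leaves `mirrorChain` NULL while `invalidData` stays false (virObjectRef returns NULL for a NULL argument), so a consumer of the registered job cannot distinguish that state from a valid mirror chain. Consider `else if (!disk->mirror) invalidData = true;` alongside the new `if (disk)` check, or a comment stating that a NULL `mirrorChain` is acceptable here. Note also that `qemuBlockJobRegister(job, vm, disk, false)` is still reached with `disk == NULL` in the invalid case; that matches the pre-existing `invalidData = true` path in the context above, so it is fine as long as the register function is known to tolerate a NULL disk for invalid jobs.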
-- 
2.21.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] qemu: domain: Fix potential NULL deref when parsing job private data
Posted by John Ferlan 4 years, 6 months ago

On 9/2/19 10:13 AM, Peter Krempa wrote:
> A specially crafted XML which would reference a non-existing disk but
> request the mirror to be registered with the blockjob could potentially
> make the parser dereference NULL. Fix it by moving the code slightly and
> just treat it as a wrong job XML. Found by Coverity.
> 
> Reported-by: John Ferlan <jferlan@redhat.com>
> Signed-off-by: Peter Krempa <pkrempa@redhat.com>
> ---
>  src/qemu/qemu_domain.c | 10 +++++++---
>  1 file changed, 7 insertions(+), 3 deletions(-)
> 

Reviewed-by: John Ferlan <jferlan@redhat.com>

SFF

John

Re: [libvirt] [PATCH] qemu: domain: Fix potential NULL deref when parsing job private data
Posted by Erik Skultety 4 years, 6 months ago
On Mon, Sep 02, 2019 at 04:13:55PM +0200, Peter Krempa wrote:
> A specially crafted XML which would reference a non-existing disk but
> request the mirror to be registered with the blockjob could potentially
> make the parser dereference NULL. Fix it by moving the code slightly and
> just treat it as a wrong job XML. Found by Coverity.
>
> Reported-by: John Ferlan <jferlan@redhat.com>
> Signed-off-by: Peter Krempa <pkrempa@redhat.com>
> ---
Reviewed-by: Erik Skultety <eskultet@redhat.com>

safe for freeze
