From: Peter Krempa
To: libvir-list@redhat.com
Cc: Peter Krempa
Date: Mon, 2 Sep 2019 16:13:55 +0200
Subject: [libvirt] [PATCH] qemu: domain: Fix potential NULL deref when parsing job private data

A specially crafted XML which would reference a non-existing disk but
request the mirror to be registered with the blockjob could potentially
make the parser dereference NULL.

Fix it by moving the code slightly and just treat it as a wrong job XML.

Found by Coverity.

Reported-by: John Ferlan
Signed-off-by: Peter Krempa
Reviewed-by: Erik Skultety
Reviewed-by: John Ferlan
---
 src/qemu/qemu_domain.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 657f3ecfe4..c7eb0b5e9a 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -3012,15 +3012,19 @@ qemuDomainObjPrivateXMLParseBlockjobData(virDomainO= bjPtr vm, invalidData =3D true; } + if (mirror) { + if (disk) + job->mirrorChain =3D virObjectRef(disk->mirror); + else + invalidData =3D true; + } + job->state =3D state; job->newstate =3D newstate; job->errmsg =3D virXPathString("string(./errmsg)", ctxt); job->invalidData =3D invalidData; job->disk =3D disk; - if (mirror) - job->mirrorChain =3D virObjectRef(job->disk->mirror); - qemuDomainObjPrivateXMLParseBlockjobDataSpecific(job, ctxt, xmlopt); if (qemuBlockJobRegister(job, vm, disk, false) < 0) --=20 2.21.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
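
Review bot: In the added "if (mirror)" block only disk is checked before "job->mirrorChain = virObjectRef(disk->mirror);", so a job XML that requests the mirror for a disk which exists but has no mirror set is still accepted without invalidData being set. If that case is equally a wrong job XML, fold it into the same test, for example "if (disk && disk->mirror)", and let the else branch set invalidData = true. Separately, the unchanged context line "qemuBlockJobRegister(job, vm, disk, false)" is still reached with disk possibly NULL, so the commit message should say that the register path is safe for a job marked invalidData with no disk.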