From: Martin Kletzander via Devel
Reply-To: Martin Kletzander
To: devel@lists.libvirt.org
CC: Святослав Терешин
Subject: [PATCH 1/7] conf: Add virDomainDefIDsParseString
Date: Fri, 7 Nov 2025 12:26:29 +0100
Message-ID: <51e00d1ab20fcfd49d8e8701b218fa0d98360199.1762514681.git.mkletzan@redhat.com>

From: Martin Kletzander

This function performs only parsing with the underlying virDomainDefParseIDs() function to get needed metadata for any ACL checks, but nothing else to avoid extraneous allocations and any parser-induced DoS over ACL-forbidden connections.

Signed-off-by: Martin Kletzander
Reported-by: Святослав Терешин
Reviewed-by: Michal Privoznik
--- src/conf/domain_conf.c | 29 +++++++++++++++++++++++++++++ src/conf/domain_conf.h | 3 +++ src/libvirt_private.syms | 1 + 3 files changed, 33 insertions(+) diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 396cd1c0dbc2..d2dea6952efc 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -20446,6 +20446,35 @@ virDomainDefParse(const char *xmlStr, return virDomainDefParseNode(ctxt, xmlopt, parseOpaque, flags); } =20 +virDomainDef * +virDomainDefIDsParseString(const char *xmlStr, + virDomainXMLOption *xmlopt, + unsigned int flags) +{ + g_autoptr(virDomainDef) def =3D NULL; + g_autoptr(xmlDoc) xml =3D NULL; + g_autoptr(xmlXPathContext) ctxt =3D NULL; + bool uuid_generated =3D false; + + xml =3D virXMLParseWithIndent(NULL, xmlStr, _("(domain_definition)"), + "domain", &ctxt, "domain.rng", false); + + if (!xml) + return NULL; + + def =3D virDomainDefNew(xmlopt); + if (!def) + return NULL; + + if (virDomainDefParseIDs(def, ctxt, flags, &uuid_generated) < 0) + return NULL; + + if (uuid_generated) + memset(def->uuid, 0, VIR_UUID_BUFLEN); + + return g_steal_pointer(&def); +} + virDomainDef * virDomainDefParseString(const char *xmlStr, virDomainXMLOption *xmlopt, diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 81e735993d47..11eb46ae5385 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -3948,6 +3948,9 @@ virDomainDiskDef *virDomainDiskDefParse(const char *x= mlStr, virStorageSource *virDomainDiskDefParseSource(const char *xmlStr, virDomainXMLOption *xmlopt, unsigned int flags); +virDomainDef * virDomainDefIDsParseString(const char *xmlStr, + virDomainXMLOption *xmlopt, + unsigned int flags); virDomainDef *virDomainDefParseString(const char *xmlStr, virDomainXMLOption *xmlopt, void *parseOpaque, 
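Review bot: virDomainDefIDsParseString() in domain_conf.c has no doc comment saying that the returned virDomainDef holds only what virDomainDefParseIDs() fills in and is meant for ACL checks alone, and the `if (uuid_generated) memset(def->uuid, 0, VIR_UUID_BUFLEN);` step is unexplained. Please document both at the definition: a caller that hands this def to anything other than an EnsureACL function gets a mostly empty definition, and an access-control check on XML that carries no UUID sees an all-zero UUID rather than a generated one. In the domain_conf.h hunk, `virDomainDef * virDomainDefIDsParseString(` has a space after the `*` that the neighbouring `virDomainDef *virDomainDefParseString(` declaration does not.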
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 7269dd37862d..fb482fff40a5 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms 
@@ -352,6 +352,7 @@ virDomainDefHasTimer; virDomainDefHasUSB; virDomainDefHasVcpusOffline; virDomainDefHasVDPANet; +virDomainDefIDsParseString; virDomainDefLifecycleActionAllowed; virDomainDefMaybeAddController; virDomainDefMaybeAddInput; --=20 2.51.2

From: Martin Kletzander via Devel
Reply-To: Martin Kletzander
To: devel@lists.libvirt.org
CC: Святослав Терешин
Subject: [PATCH 2/7] bhyve: Check ACLs before parsing the whole domain XML
Date: Fri, 7 Nov 2025 12:26:30 +0100
Message-ID: <51ab6413009bd3def7dd06252c7fc9fd78a5930d.1762514681.git.mkletzan@redhat.com>

From: Martin Kletzander

Utilise the new virDomainDefIDsParseString() for that.

Fixes: CVE-2025-12748
Reported-by: Святослав Терешин
Signed-off-by: Martin Kletzander
Reviewed-by: Michal Privoznik
--- src/bhyve/bhyve_driver.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/src/bhyve/bhyve_driver.c b/src/bhyve/bhyve_driver.c index 00a484ae219c..72f1d7ace8e6 100644 --- a/src/bhyve/bhyve_driver.c +++ b/src/bhyve/bhyve_driver.c @@ -486,6 +486,15 @@ bhyveDomainDefineXMLFlags(virConnectPtr conn, const ch= ar *xml, unsigned int flag if (!caps) return NULL; =20 + /* Avoid parsing the whole domain definition for ACL checks */ + if (!(def =3D virDomainDefIDsParseString(xml, provconn->xmlopt, parse_= flags))) + return NULL; + + if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0) + return NULL; + + g_clear_pointer(&def, g_object_unref); + if ((def =3D virDomainDefParseString(xml, privconn->xmlopt, NULL, parse_flags)) =3D=3D NULL) goto cleanup; @@ -493,9 +502,6 @@ bhyveDomainDefineXMLFlags(virConnectPtr conn, const cha= r *xml, unsigned int flag if (virXMLCheckIllegalChars("name", def->name, "\n") < 0) goto cleanup; =20 - if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0) - goto cleanup; - if (bhyveDomainAssignAddresses(def, NULL) < 0) goto cleanup; =20 
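Review bot: the new virDomainDefIDsParseString() call in bhyveDomainDefineXMLFlags() passes `provconn->xmlopt`, but the virDomainDefParseString() call a few lines below uses `privconn->xmlopt` and no `provconn` appears anywhere else in the visible context, so this looks like a typo for `privconn` that would fail to build. Please change it to `privconn->xmlopt` and build-test the bhyve driver, since this is the path that decides whether an unauthorized caller ever reaches the full parser.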
@@ -889,11 +895,17 @@ bhyveDomainCreateXML(virConnectPtr conn, if (flags & VIR_DOMAIN_START_AUTODESTROY) start_flags |=3D VIR_BHYVE_PROCESS_START_AUTODESTROY; =20 - if ((def =3D virDomainDefParseString(xml, privconn->xmlopt, - NULL, parse_flags)) =3D=3D NULL) - goto cleanup; + /* Avoid parsing the whole domain definition for ACL checks */ + if (!(def =3D virDomainDefIDsParseString(xml, provconn->xmlopt, parse_= flags))) + return NULL; =20 if (virDomainCreateXMLEnsureACL(conn, def) < 0) + return NULL; + + g_clear_pointer(&def, g_object_unref); + + if ((def =3D virDomainDefParseString(xml, privconn->xmlopt, + NULL, parse_flags)) =3D=3D NULL) goto cleanup; =20 if (bhyveDomainAssignAddresses(def, NULL) < 0) --=20 2.51.2
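Review bot: the two new failure exits in bhyveDomainCreateXML() are `return NULL`, while the virDomainDefParseString() failure in the same hunk still does `goto cleanup`. If `def` is a plain pointer in this function, a denied virDomainCreateXMLEnsureACL() leaks the IDs-only definition on exactly the path an unauthorized client can trigger repeatedly; either use `goto cleanup` here as well or say in the commit message that `def` is auto-freed. The `provconn->xmlopt` argument has the same apparent typo as in bhyveDomainDefineXMLFlags(); the later call uses `privconn->xmlopt`.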

From: Martin Kletzander via Devel
Reply-To: Martin Kletzander
To: devel@lists.libvirt.org
CC: Святослав Терешин
Subject: [PATCH 3/7] libxl: Check ACLs before parsing the whole domain XML
Date: Fri, 7 Nov 2025 12:26:31 +0100
Message-ID: <46d09e1bdf5891beadbe30b7cc6763cbef4e2c6d.1762514681.git.mkletzan@redhat.com>

From: Martin Kletzander

Utilise the new virDomainDefIDsParseString() for that.

Fixes: CVE-2025-12748
Reported-by: Святослав Терешин
Signed-off-by: Martin Kletzander
Reviewed-by: Michal Privoznik
--- src/libxl/libxl_driver.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/src/libxl/libxl_driver.c b/src/libxl/libxl_driver.c index 107477250ab8..0cdeec08bedc 100644 --- a/src/libxl/libxl_driver.c +++ b/src/libxl/libxl_driver.c @@ -1027,13 +1027,18 @@ libxlDomainCreateXML(virConnectPtr conn, const char= *xml, if (flags & VIR_DOMAIN_START_VALIDATE) parse_flags |=3D VIR_DOMAIN_DEF_PARSE_VALIDATE_SCHEMA; =20 - if (!(def =3D virDomainDefParseString(xml, driver->xmlopt, - NULL, parse_flags))) + if (!(def =3D virDomainDefIDsParseString(xml, driver->xmlopt, parse_fl= ags))) goto cleanup; =20 if (virDomainCreateXMLEnsureACL(conn, def) < 0) goto cleanup; =20 + g_clear_pointer(&def, virObjectUnref); + + if (!(def =3D virDomainDefParseString(xml, driver->xmlopt, + NULL, parse_flags))) + goto cleanup; + if (!(vm =3D virDomainObjListAdd(driver->domains, &def, driver->xmlopt, VIR_DOMAIN_OBJ_LIST_ADD_LIVE | 
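Review bot: `g_clear_pointer(&def, virObjectUnref);` in libxlDomainCreateXML() releases the IDs-only definition with an object unref, while the bhyve patch in this series uses `g_object_unref` for the same type and patch 1/7 declares it as `g_autoptr(virDomainDef)`. virDomainDef is a plain struct released with virDomainDefFree(), so both drivers should use `g_clear_pointer(&def, virDomainDefFree);` here; as written, the permitted path passes a non-object pointer to an unref function right before the full parse.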
@@ -2813,6 +2818,14 @@ libxlDomainDefineXMLFlags(virConnectPtr conn, const = char *xml, unsigned int flag if (flags & VIR_DOMAIN_DEFINE_VALIDATE) parse_flags |=3D VIR_DOMAIN_DEF_PARSE_VALIDATE_SCHEMA; =20 + if (!(def =3D virDomainDefIDsParseString(xml, driver->xmlopt, parse_fl= ags))) + goto cleanup; + + if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0) + goto cleanup; + + g_clear_pointer(&def, virObjectUnref); + if (!(def =3D virDomainDefParseString(xml, driver->xmlopt, NULL, parse_flags))) goto cleanup; 
@@ -2820,9 +2833,6 @@ libxlDomainDefineXMLFlags(virConnectPtr conn, const c= har *xml, unsigned int flag if (virXMLCheckIllegalChars("name", def->name, "\n") < 0) goto cleanup; =20 - if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0) - goto cleanup; - if (!(vm =3D virDomainObjListAdd(driver->domains, &def, driver->xmlopt, 0, --=20 2.51.2 From nobody Fri Nov 21 10:00:05 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass(p=reject dis=none) header.from=lists.libvirt.org ARC-Seal: i=1; a=rsa-sha256; t=1762515431; cv=none; d=zohomail.com; s=zohoarc; b=L0KzdpQJKBRMhvFKlMCZI+7GaYxC09D8c9WRzUhpKDU9EgBg0I7VLiKbYyUPxK+0E7KyOG/+KGOCVxBYSw0wWw3nKesSFCTufuZTMN7WEn/+axZVKGfRHcPR45rWjjkhLHlnYjWUxIR44xvRUn6TGdaAh25ReZy9TROYKDqZgAQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1762515431; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id; bh=okRpREWgahxedqZr7wQo8tngEXNYqzaLkHiwIC8qg9w=; b=E4Ce//SMRODCfvIlKf9WXGpeptd07CRE6rAeC3E/UWZUBTITpP1Chzm/v6IqD/aakTwNm6TDmjaWQAcwTPcCRvf8SKmT9Bfpbb/t1Yuxd5BVjQ1K3gC4EitGPHTeLHvZhaJgJfajj3WnEMv3N0XKMLMiwlJJl5n5jesBb1iRlEw= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.libvirt.org 
To: devel@lists.libvirt.org
Subject: [PATCH 4/7] lxc: Check ACLs before parsing the whole domain XML
Date: Fri, 7 Nov 2025 12:26:32 +0100
Message-ID: <82ad9ab5942b4cc3ea252750063169a3159ada6b.1762514681.git.mkletzan@redhat.com>
CC: Святослав Терешин
From: Martin Kletzander

Utilise the new virDomainDefIDsParseString() for that.

Fixes: CVE-2025-12748
Reported-by: Святослав Терешин
Signed-off-by: Martin Kletzander
Reviewed-by: Michal Privoznik
---
 src/lxc/lxc_driver.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c index 80cf07d2e5ff..0564f3e5332e 100644 --- a/src/lxc/lxc_driver.c +++ b/src/lxc/lxc_driver.c @@ -409,6 +409,15 @@ lxcDomainDefineXMLFlags(virConnectPtr conn, const char= *xml, unsigned int flags) if (!(caps =3D virLXCDriverGetCapabilities(driver, false))) goto cleanup; =20 + /* Avoid parsing the whole domain definition for ACL checks */ + if (!(def =3D virDomainDefIDsParseString(xml, driver->xmlopt, parse_fl= ags))) + goto cleanup; + + if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0) + goto cleanup; + + g_clear_pointer(&def, virObjectUnref); + if (!(def =3D virDomainDefParseString(xml, driver->xmlopt, NULL, parse_flags))) goto cleanup; @@ -416,9 +425,6 @@ lxcDomainDefineXMLFlags(virConnectPtr conn, const char = *xml, unsigned int flags) if (virXMLCheckIllegalChars("name", def->name, "\n") < 0) goto cleanup; =20 - if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0) - goto cleanup; - if (virSecurityManagerVerify(driver->securityManager, def) < 0) goto cleanup; =20 
@@ -1066,13 +1072,19 @@ lxcDomainCreateXMLWithFiles(virConnectPtr conn, if (!(caps =3D virLXCDriverGetCapabilities(driver, false))) goto cleanup; =20 - if (!(def =3D virDomainDefParseString(xml, driver->xmlopt, - NULL, parse_flags))) + /* Avoid parsing the whole domain definition for ACL checks */ + if (!(def =3D virDomainDefIDsParseString(xml, driver->xmlopt, parse_fl= ags))) goto cleanup; =20 if (virDomainCreateXMLWithFilesEnsureACL(conn, def) < 0) goto cleanup; =20 + g_clear_pointer(&def, virObjectUnref); + + if (!(def =3D virDomainDefParseString(xml, driver->xmlopt, + NULL, parse_flags))) + goto cleanup; + if (virSecurityManagerVerify(driver->securityManager, def) < 0) goto cleanup; =20 --=20 2.51.2
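Review bot: g_clear_pointer(&def, virObjectUnref) in the lxcDomainDefineXMLFlags hunk (and again in lxcDomainCreateXMLWithFiles) releases the IDs-only definition with the virObject unref helper, but def is a virDomainDef, which the ch patch in this series frees through g_autoptr(virDomainDef). If virDomainDef is not a virObject, the unref does not free it and every request that passes the ACL check leaks the first parse result. Use g_clear_pointer(&def, virDomainDefFree) here, or parse the IDs into a separate g_autoptr(virDomainDef) variable as chDomainSaveImageRead does.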
To: devel@lists.libvirt.org
Subject: [PATCH 5/7] vz: Check ACLs before parsing the whole domain XML
Date: Fri, 7 Nov 2025 12:26:33 +0100
CC: Святослав Терешин
From: Martin Kletzander

Utilise the new virDomainDefIDsParseString() for that.

Fixes: CVE-2025-12748
Reported-by: Святослав Терешин
Signed-off-by: Martin Kletzander
Reviewed-by: Michal Privoznik
---
 src/vz/vz_driver.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/vz/vz_driver.c b/src/vz/vz_driver.c index 571735f94054..9fd9b199cd01 100644 --- a/src/vz/vz_driver.c +++ b/src/vz/vz_driver.c @@ -789,6 +789,15 @@ vzDomainDefineXMLFlags(virConnectPtr conn, const char = *xml, unsigned int flags) if (flags & VIR_DOMAIN_DEFINE_VALIDATE) parse_flags |=3D VIR_DOMAIN_DEF_PARSE_VALIDATE_SCHEMA; =20 + /* Avoid parsing the whole domain definition for ACL checks */ + if (!(def =3D virDomainDefIDsParseString(xml, driver->xmlopt, parse_fl= ags))) + return NULL; + + if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0) + return NULL; + + g_clear_pointer(&def, virObjectUnref); + if ((def =3D virDomainDefParseString(xml, driver->xmlopt, NULL, parse_flags)) =3D=3D NULL) goto cleanup; @@ -796,9 +805,6 @@ vzDomainDefineXMLFlags(virConnectPtr conn, const char *= xml, unsigned int flags) if (virXMLCheckIllegalChars("name", def->name, "\n") < 0) goto cleanup; =20 - if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0) - goto cleanup; - dom =3D virDomainObjListFindByUUID(driver->domains, def->uuid); if (dom =3D=3D NULL) { virResetLastError(); 
@@ -2966,9 +2972,9 @@ vzDomainMigratePrepare3Params(virConnectPtr conn, | VZ_MIGRATION_COOKIE_DOMAIN_NAME) < 0) return -1; =20 - if (!(def =3D virDomainDefParseString(dom_xml, driver->xmlopt, - NULL, - VIR_DOMAIN_DEF_PARSE_INACTIVE))) + /* Avoid parsing the whole domain definition for ACL checks */ + if (!(def =3D virDomainDefIDsParseString(dom_xml, driver->xmlopt, + VIR_DOMAIN_DEF_PARSE_INACTIVE))) return -1; =20 if (dname) { --=20 2.51.2
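Review bot: in the vzDomainDefineXMLFlags hunk both new failure paths use return NULL, while the full parse directly below still uses goto cleanup. When virDomainDefineXMLFlagsEnsureACL() denies the request, def already holds the IDs-only definition, so unless def is an auto-freed variable (its declaration is outside the visible context) the denied path leaks it. Use goto cleanup for both checks, as the lxc patch does, so an ACL denial releases def the same way as every other exit.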
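Review bot: in the vzDomainMigratePrepare3Params hunk the full virDomainDefParseString() call is replaced by the IDs-only parse and no full parse is added back, unlike the define path earlier in this patch. The comment says the short parse is for ACL checks, but the ACL call is not in the visible lines, and any later use of def beyond its IDs would now read fields the IDs parser never fills. Please confirm the rest of the function needs only the IDs and say so in the comment, or re-parse the full definition once the ACL check has passed.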
To: devel@lists.libvirt.org
Subject: [PATCH 6/7] ch: Check ACLs before parsing the whole domain XML
Date: Fri, 7 Nov 2025 12:26:34 +0100
CC: Святослав Терешин
From: Martin Kletzander

Utilise the new virDomainDefIDsParseString() for that.

This is one of the more complex ones since there is also a function that reads relevant metadata from a save image XML. In order not to extract the parsing out of the function (and make the function basically trivial and all callers more complex) add a callback to the function which will be used to check the ACLs. And since this function is called in APIs that perform ACL checks both with and without flags, add two of them for good measure.

Fixes: CVE-2025-12748
Reported-by: Святослав Терешин
Signed-off-by: Martin Kletzander
Reviewed-by: Michal Privoznik
---
 src/ch/ch_driver.c | 76 ++++++++++++++++++++++++++++++++--------------
 1 file changed, 53 insertions(+), 23 deletions(-)

diff --git a/src/ch/ch_driver.c b/src/ch/ch_driver.c index ad13306c4cfd..70653aeea7d3 100644 --- a/src/ch/ch_driver.c +++ b/src/ch/ch_driver.c @@ -216,14 +216,19 @@ chDomainCreateXML(virConnectPtr conn, if (flags & VIR_DOMAIN_START_VALIDATE) parse_flags |=3D VIR_DOMAIN_DEF_PARSE_VALIDATE_SCHEMA; =20 + /* Avoid parsing the whole domain definition for ACL checks */ + if (!(vmdef =3D virDomainDefIDsParseString(xml, driver->xmlopt, parse_= flags))) + return NULL; + + if (virDomainCreateXMLEnsureACL(conn, vmdef) < 0) + return NULL; + + g_clear_pointer(&vmdef, virObjectUnref); =20 if ((vmdef =3D virDomainDefParseString(xml, driver->xmlopt, NULL, parse_flags)) =3D=3D NULL) goto cleanup; =20 - if (virDomainCreateXMLEnsureACL(conn, vmdef) < 0) - goto cleanup; - if (!(vm =3D virDomainObjListAdd(driver->domains, &vmdef, driver->xmlopt, 
@@ -347,6 +352,15 @@ chDomainDefineXMLFlags(virConnectPtr conn, const char = *xml, unsigned int flags) if (flags & VIR_DOMAIN_START_VALIDATE) parse_flags |=3D VIR_DOMAIN_DEF_PARSE_VALIDATE_SCHEMA; =20 + /* Avoid parsing the whole domain definition for ACL checks */ + if (!(vmdef =3D virDomainDefIDsParseString(xml, driver->xmlopt, parse_= flags))) + return NULL; + + if (virDomainDefineXMLFlagsEnsureACL(conn, vmdef) < 0) + return NULL; + + g_clear_pointer(&vmdef, virObjectUnref); + if ((vmdef =3D virDomainDefParseString(xml, driver->xmlopt, NULL, parse_flags)) =3D=3D NULL) goto cleanup; @@ -354,9 +368,6 @@ chDomainDefineXMLFlags(virConnectPtr conn, const char *= xml, unsigned int flags) if (virXMLCheckIllegalChars("name", vmdef->name, "\n") < 0) goto cleanup; =20 - if (virDomainDefineXMLFlagsEnsureACL(conn, vmdef) < 0) - goto cleanup; - if (!(vm =3D virDomainObjListAdd(driver->domains, &vmdef, driver->xmlopt, 0, &oldDef))) @@ -920,16 +931,24 @@ chDomainSaveXMLRead(int fd) return g_steal_pointer(&xml); } =20 -static int chDomainSaveImageRead(virCHDriver *driver, +static int chDomainSaveImageRead(virConnectPtr conn, const char *path, - virDomainDef **ret_def) + virDomainDef **ret_def, + unsigned int flags, + int (*ensureACL)(virConnectPtr, virDomain= Def *), + int (*ensureACLWithFlags)(virConnectPtr, + virDomainDef *, + unsigned int)) { + virCHDriver *driver =3D conn->privateData; g_autoptr(virCHDriverConfig) cfg =3D virCHDriverGetConfig(driver); g_autoptr(virDomainDef) def =3D NULL; g_autofree char *from =3D NULL; g_autofree char *xml =3D NULL; VIR_AUTOCLOSE fd =3D -1; int ret =3D -1; + unsigned int parse_flags =3D VIR_DOMAIN_DEF_PARSE_INACTIVE | + VIR_DOMAIN_DEF_PARSE_SKIP_VALIDATE; =20 from =3D g_strdup_printf("%s/%s", path, CH_SAVE_XML); if ((fd =3D virFileOpenAs(from, O_RDONLY, 0, cfg->user, cfg->group, 0)= ) < 0) { 
@@ -942,9 +961,23 @@ static int chDomainSaveImageRead(virCHDriver *driver, if (!(xml =3D chDomainSaveXMLRead(fd))) goto end; =20 - if (!(def =3D virDomainDefParseString(xml, driver->xmlopt, NULL, - VIR_DOMAIN_DEF_PARSE_INACTIVE | - VIR_DOMAIN_DEF_PARSE_SKIP_VALIDATE= ))) + if (ensureACL || ensureACLWithFlags) { + /* Parse only the IDs for ACL checks */ + g_autoptr(virDomainDef) aclDef =3D virDomainDefIDsParseString(xml, + driver= ->xmlopt, + parse_= flags); + + if (!aclDef) + goto end; + + if (ensureACL && ensureACL(conn, aclDef) < 0) + goto end; + + if (ensureACLWithFlags && ensureACLWithFlags(conn, aclDef, flags) = < 0) + goto end; + } + + if (!(def =3D virDomainDefParseString(xml, driver->xmlopt, NULL, parse= _flags))) goto end; =20 *ret_def =3D g_steal_pointer(&def); @@ -965,10 +998,9 @@ chDomainSaveImageGetXMLDesc(virConnectPtr conn, =20 virCheckFlags(VIR_DOMAIN_SAVE_IMAGE_XML_SECURE, NULL); =20 - if (chDomainSaveImageRead(driver, path, &def) < 0) - goto cleanup; - - if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0) + if (chDomainSaveImageRead(conn, path, &def, flags, + virDomainSaveImageGetXMLDescEnsureACL, + NULL) < 0) goto cleanup; =20 ret =3D virDomainDefFormat(def, driver->xmlopt, @@ -1068,10 +1100,9 @@ chDomainManagedSaveGetXMLDesc(virDomainPtr dom, unsi= gned int flags) goto cleanup; =20 path =3D chDomainManagedSavePath(driver, vm); - if (chDomainSaveImageRead(driver, path, &def) < 0) - goto cleanup; - - if (virDomainManagedSaveGetXMLDescEnsureACL(dom->conn, def, flags) < 0) + if (chDomainSaveImageRead(dom->conn, path, &def, flags, + NULL, + virDomainManagedSaveGetXMLDescEnsureACL) < 0) goto cleanup; =20 ret =3D virDomainDefFormat(def, driver->xmlopt, 
@@ -1123,10 +1154,9 @@ chDomainRestoreFlags(virConnectPtr conn, return -1; } =20 - if (chDomainSaveImageRead(driver, from, &def) < 0) - goto cleanup; - - if (virDomainRestoreFlagsEnsureACL(conn, def) < 0) + if (chDomainSaveImageRead(conn, from, &def, flags, + virDomainRestoreFlagsEnsureACL, + NULL) < 0) goto cleanup; =20 if (chDomainSaveRestoreAdditionalValidation(driver, def) < 0) --=20 2.51.2
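Review bot: the new chDomainSaveImageRead() prototype in the @@ -920 hunk takes conn, flags and two optional callbacks but carries no comment stating the contract: which of the two callbacks a caller should pass, that flags is only forwarded to ensureACLWithFlags, and that the check runs on an IDs-only definition before the full parse. A short doc comment above the function would keep later callers from passing the wrong pair, and typedefs for the two callback types would make the prototype easier to read.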
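Review bot: in the @@ -942 hunk the ACL step is guarded by if (ensureACL || ensureACLWithFlags), so a caller that passes NULL for both callbacks gets the full parse with no authorization check at all. All three callers changed in this patch pass exactly one callback, so nothing depends on the unchecked path. Make the function fail closed by reporting an error when both callbacks are NULL (and arguably when both are set) instead of silently skipping the check.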
To: devel@lists.libvirt.org
Subject: [PATCH 7/7] qemu: Check ACLs before parsing the whole domain XML
Date: Fri, 7 Nov 2025 12:26:35 +0100
Message-ID: <6e1dc1c6a136c8431ab0c33dd96a4a8580e10cd3.1762514681.git.mkletzan@redhat.com>
CC: Святослав Терешин
From: Martin Kletzander via Devel
Reply-To: Martin Kletzander

From: Martin Kletzander

Utilise the new virDomainDefIDsParseString() for that. This is one of the more complex ones since there is also a function that reads relevant metadata from a save image XML. In order _not_ to extract the parsing out of the function (and make the function basically trivial and all callers more complex) add a callback to the function which will be used to check the ACLs.

Fixes: CVE-2025-12748
Reported-by: Святослав Терешин
Signed-off-by: Martin Kletzander
Reviewed-by: Michal Privoznik
--- src/qemu/qemu_driver.c | 90 ++++++++++++++++++++------------------- src/qemu/qemu_migration.c | 21 ++++++++- src/qemu/qemu_migration.h | 4 +- src/qemu/qemu_saveimage.c | 25 +++++++++-- src/qemu/qemu_saveimage.h | 4 +- src/qemu/qemu_snapshot.c | 4 +- 6 files changed, 95 insertions(+), 53 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index a1b1edcbbf51..837935d524bc 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -1556,11 +1556,17 @@ static virDomainPtr qemuDomainCreateXML(virConnectP= tr conn, if (flags & VIR_DOMAIN_START_RESET_NVRAM) start_flags |=3D VIR_QEMU_PROCESS_START_RESET_NVRAM; =20 - if (!(def =3D virDomainDefParseString(xml, driver->xmlopt, - NULL, parse_flags))) - goto cleanup; + /* Avoid parsing the whole domain definition for ACL checks */ + if (!(def =3D virDomainDefIDsParseString(xml, driver->xmlopt, parse_fl= ags))) + return NULL; =20 if (virDomainCreateXMLEnsureACL(conn, def) < 0) + return NULL; + + g_clear_pointer(&def, virObjectUnref); + + if (!(def =3D virDomainDefParseString(xml, driver->xmlopt, + NULL, parse_flags))) goto cleanup; =20 if (!(vm =3D virDomainObjListAdd(driver->domains, &def,
@@ -5780,7 +5786,7 @@ qemuDomainRestoreInternal(virConnectPtr conn, if (flags & VIR_DOMAIN_SAVE_RESET_NVRAM) reset_nvram =3D true; =20 - if (qemuSaveImageGetMetadata(driver, NULL, path, &def, &data) < 0) + if (qemuSaveImageGetMetadata(driver, NULL, path, ensureACL, conn, &def= , &data) < 0) goto cleanup; =20 sparse =3D data->header.format =3D=3D QEMU_SAVE_FORMAT_SPARSE; @@ -5793,9 +5799,6 @@ qemuDomainRestoreInternal(virConnectPtr conn, if (fd < 0) goto cleanup; =20 - if (ensureACL(conn, def) < 0) - goto cleanup; - if (virHookPresent(VIR_HOOK_DRIVER_QEMU)) { int hookret; =20 @@ -5923,10 +5926,9 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, co= nst char *path, =20 virCheckFlags(VIR_DOMAIN_SAVE_IMAGE_XML_SECURE, NULL); =20 - if (qemuSaveImageGetMetadata(driver, NULL, path, &def, &data) < 0) - goto cleanup; - - if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0) + if (qemuSaveImageGetMetadata(driver, NULL, path, + virDomainSaveImageGetXMLDescEnsureACL, + conn, &def, &data) < 0) goto cleanup; =20 ret =3D qemuDomainDefFormatXML(driver, NULL, def, flags); @@ -5956,7 +5958,9 @@ qemuDomainSaveImageDefineXML(virConnectPtr conn, cons= t char *path, else if (flags & VIR_DOMAIN_SAVE_PAUSED) state =3D 0; =20 - if (qemuSaveImageGetMetadata(driver, NULL, path, &def, &data) < 0) + if (qemuSaveImageGetMetadata(driver, NULL, path, + virDomainSaveImageDefineXMLEnsureACL, + conn, &def, &data) < 0) goto cleanup; =20 fd =3D qemuSaveImageOpen(driver, path, false, false, NULL, true); @@ -5964,9 +5968,6 @@ qemuDomainSaveImageDefineXML(virConnectPtr conn, cons= t char *path, if (fd < 0) goto cleanup; =20 - if (virDomainSaveImageDefineXMLEnsureACL(conn, def) < 0) - goto cleanup; - if (STREQ(data->xml, dxml) && (state < 0 || state =3D=3D data->header.was_running)) { /* no change to the XML */ 
@@ -6038,7 +6039,8 @@ qemuDomainManagedSaveGetXMLDesc(virDomainPtr dom, uns= igned int flags) goto cleanup; } =20 - if (qemuSaveImageGetMetadata(driver, priv->qemuCaps, path, &def, &data= ) < 0) + if (qemuSaveImageGetMetadata(driver, priv->qemuCaps, path, + NULL, NULL, &def, &data) < 0) goto cleanup; =20 ret =3D qemuDomainDefFormatXML(driver, priv->qemuCaps, def, flags); @@ -6102,7 +6104,7 @@ qemuDomainObjRestore(virConnectPtr conn, bool sparse =3D false; g_autoptr(qemuMigrationParams) restoreParams =3D NULL; =20 - ret =3D qemuSaveImageGetMetadata(driver, NULL, path, &def, &data); + ret =3D qemuSaveImageGetMetadata(driver, NULL, path, NULL, NULL, &def,= &data); if (ret < 0) { if (qemuSaveImageIsCorrupt(driver, path)) { if (unlink(path) < 0) { @@ -6464,6 +6466,15 @@ qemuDomainDefineXMLFlags(virConnectPtr conn, if (flags & VIR_DOMAIN_DEFINE_VALIDATE) parse_flags |=3D VIR_DOMAIN_DEF_PARSE_VALIDATE_SCHEMA; =20 + /* Avoid parsing the whole domain definition for ACL checks */ + if (!(def =3D virDomainDefIDsParseString(xml, driver->xmlopt, parse_fl= ags))) + return NULL; + + if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0) + return NULL; + + g_clear_pointer(&def, virObjectUnref); + if (!(def =3D virDomainDefParseString(xml, driver->xmlopt, NULL, parse_flags))) return NULL; @@ -6471,9 +6482,6 @@ qemuDomainDefineXMLFlags(virConnectPtr conn, if (virXMLCheckIllegalChars("name", def->name, "\n") < 0) goto cleanup; =20 - if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0) - goto cleanup; - if (!(vm =3D virDomainObjListAdd(driver->domains, &def, driver->xmlopt, 0, &oldDef))) 
@@ -10769,10 +10777,9 @@ qemuDomainMigratePrepareTunnel(virConnectPtr dconn, return -1; } =20 - if (!(def =3D qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname,= &origname))) - return -1; - - if (virDomainMigratePrepareTunnelEnsureACL(dconn, def) < 0) + if (!(def =3D qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname,= &origname, + dconn, + virDomainMigratePrepareTunnelEn= sureACL))) return -1; =20 return qemuMigrationDstPrepareTunnel(driver, dconn, @@ -10822,10 +10829,9 @@ qemuDomainMigratePrepare2(virConnectPtr dconn, return -1; } =20 - if (!(def =3D qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname,= &origname))) - return -1; - - if (virDomainMigratePrepare2EnsureACL(dconn, def) < 0) + if (!(def =3D qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname,= &origname, + dconn, + virDomainMigratePrepare2EnsureA= CL))) return -1; =20 /* Do not use cookies in v2 protocol, since the cookie @@ -11045,10 +11051,9 @@ qemuDomainMigratePrepare3(virConnectPtr dconn, QEMU_MIGRATION_DESTINAT= ION))) return -1; =20 - if (!(def =3D qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname,= &origname))) - return -1; - - if (virDomainMigratePrepare3EnsureACL(dconn, def) < 0) + if (!(def =3D qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname,= &origname, + dconn, + virDomainMigratePrepare3EnsureA= CL))) return -1; =20 return qemuMigrationDstPrepareDirect(driver, dconn, @@ -11148,10 +11153,9 @@ qemuDomainMigratePrepare3Params(virConnectPtr dcon= n, return -1; } =20 - if (!(def =3D qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname,= &origname))) - return -1; - - if (virDomainMigratePrepare3ParamsEnsureACL(dconn, def) < 0) + if (!(def =3D qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname,= &origname, + dconn, + virDomainMigratePrepare3ParamsE= nsureACL))) return -1; =20 return qemuMigrationDstPrepareDirect(driver, dconn, 
@@ -11193,10 +11197,9 @@ qemuDomainMigratePrepareTunnel3(virConnectPtr dcon= n, QEMU_MIGRATION_DESTINAT= ION))) return -1; =20 - if (!(def =3D qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname,= &origname))) - return -1; - - if (virDomainMigratePrepareTunnel3EnsureACL(dconn, def) < 0) + if (!(def =3D qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname,= &origname, + dconn, + virDomainMigratePrepareTunnel3E= nsureACL))) return -1; =20 return qemuMigrationDstPrepareTunnel(driver, dconn, @@ -11245,10 +11248,9 @@ qemuDomainMigratePrepareTunnel3Params(virConnectPt= r dconn, QEMU_MIGRATION_DESTINAT= ION))) return -1; =20 - if (!(def =3D qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname,= &origname))) - return -1; - - if (virDomainMigratePrepareTunnel3ParamsEnsureACL(dconn, def) < 0) + if (!(def =3D qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname,= &origname, + dconn, + virDomainMigratePrepareTunnel3P= aramsEnsureACL))) return -1; =20 return qemuMigrationDstPrepareTunnel(driver, dconn, diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 9109c4526db1..dcf9ea444ef9 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -4030,7 +4030,9 @@ qemuMigrationAnyPrepareDef(virQEMUDriver *driver, virQEMUCaps *qemuCaps, const char *dom_xml, const char *dname, - char **origname) + char **origname, + virConnectPtr sconn, + int (*ensureACL)(virConnectPtr, virDomainDef *)) { virDomainDef *def; char *name =3D NULL; 
@@ -4041,6 +4043,22 @@ qemuMigrationAnyPrepareDef(virQEMUDriver *driver, return NULL; } =20 + /* Avoid parsing the whole domain definition for ACL checks */ + if (!(def =3D virDomainDefIDsParseString(dom_xml, driver->xmlopt, + VIR_DOMAIN_DEF_PARSE_INACTIVE))) + goto cleanup; + + if (dname) { + VIR_FREE(def->name); + def->name =3D g_strdup(dname); + } + + if (ensureACL && ensureACL(sconn, def) < 0) { + g_clear_pointer(&def, virObjectUnref); + goto cleanup; + } + g_clear_pointer(&def, virObjectUnref); + if (!(def =3D virDomainDefParseString(dom_xml, driver->xmlopt, qemuCaps, VIR_DOMAIN_DEF_PARSE_INACTIVE))) @@ -4969,6 +4987,7 @@ qemuMigrationSrcRun(virQEMUDriver *driver, if (!(persistDef =3D qemuMigrationAnyPrepareDef(driver, priv->qemuCaps, persist_xml, + NULL, NULL, NULL, NULL))) goto error; } else { diff --git a/src/qemu/qemu_migration.h b/src/qemu/qemu_migration.h index 36865040dffc..50910ecb1f92 100644 --- a/src/qemu/qemu_migration.h +++ b/src/qemu/qemu_migration.h @@ -134,7 +134,9 @@ qemuMigrationAnyPrepareDef(virQEMUDriver *driver, virQEMUCaps *qemuCaps, const char *dom_xml, const char *dname, - char **origname); + char **origname, + virConnectPtr sconn, + int (*ensureACL)(virConnectPtr, virDomainDef *)= ); =20 int qemuMigrationDstPrepareTunnel(virQEMUDriver *driver, diff --git a/src/qemu/qemu_saveimage.c b/src/qemu/qemu_saveimage.c index aa030798ce19..145a0f483283 100644 --- a/src/qemu/qemu_saveimage.c +++ b/src/qemu/qemu_saveimage.c 
@@ -614,16 +614,21 @@ qemuSaveImageIsCorrupt(virQEMUDriver *driver, const c= har *path) * @driver: qemu driver data * @qemuCaps: pointer to qemuCaps if the domain is running or NULL * @path: path of the save image + * @ensureACL: ACL callback to check against the definition or NULL + * @conn: parameter for the @ensureACL callback * @ret_def: returns domain definition created from the XML stored in the = image * @ret_data: returns structure filled with data from the image header * - * Open the save image file, read libvirt's save image metadata, and popul= ate - * the @ret_def and @ret_data structures. Returns 0 on success and -1 on f= ailure. + * Open the save image file, read libvirt's save image metadata, optionally + * check ACLs before parsing the whole domain definition and populate the + * @ret_def and @ret_data structures. Returns 0 on success and -1 on failu= re. */ int qemuSaveImageGetMetadata(virQEMUDriver *driver, virQEMUCaps *qemuCaps, const char *path, + int (*ensureACL)(virConnectPtr, virDomainDef *), + virConnectPtr conn, virDomainDef **ret_def, virQEMUSaveData **ret_data) { @@ -631,6 +636,8 @@ qemuSaveImageGetMetadata(virQEMUDriver *driver, VIR_AUTOCLOSE fd =3D -1; virQEMUSaveData *data; g_autoptr(virDomainDef) def =3D NULL; + unsigned int parse_flags =3D VIR_DOMAIN_DEF_PARSE_INACTIVE | + VIR_DOMAIN_DEF_PARSE_SKIP_VALIDATE; int rc; =20 if ((fd =3D qemuDomainOpenFile(cfg, NULL, path, O_RDONLY, NULL)) < 0) 
@@ -640,10 +647,20 @@ qemuSaveImageGetMetadata(virQEMUDriver *driver, return rc; =20 data =3D *ret_data; + + if (ensureACL) { + /* Parse only the IDs for ACL checks */ + g_autoptr(virDomainDef) aclDef =3D virDomainDefIDsParseString(data= ->xml, + driver= ->xmlopt, + parse_= flags); + + if (!aclDef || ensureACL(conn, aclDef) < 0) + return -1; + } + /* Create a domain from this XML */ if (!(def =3D virDomainDefParseString(data->xml, driver->xmlopt, qemuC= aps, - VIR_DOMAIN_DEF_PARSE_INACTIVE | - VIR_DOMAIN_DEF_PARSE_SKIP_VALIDATE= ))) + parse_flags))) return -1; =20 *ret_def =3D g_steal_pointer(&def); diff --git a/src/qemu/qemu_saveimage.h b/src/qemu/qemu_saveimage.h index 89c694138505..15b73eb39575 100644 --- a/src/qemu/qemu_saveimage.h +++ b/src/qemu/qemu_saveimage.h @@ -98,9 +98,11 @@ int qemuSaveImageGetMetadata(virQEMUDriver *driver, virQEMUCaps *qemuCaps, const char *path, + int (*ensureACL)(virConnectPtr, virDomainDef *), + virConnectPtr conn, virDomainDef **ret_def, virQEMUSaveData **ret_data) - ATTRIBUTE_NONNULL(4) ATTRIBUTE_NONNULL(5); + ATTRIBUTE_NONNULL(6) ATTRIBUTE_NONNULL(7); =20 int qemuSaveImageOpen(virQEMUDriver *driver, diff --git a/src/qemu/qemu_snapshot.c b/src/qemu/qemu_snapshot.c index d4994dd54ed7..5aa7d1b3a79d 100644 --- a/src/qemu/qemu_snapshot.c +++ b/src/qemu/qemu_snapshot.c @@ -2486,8 +2486,8 @@ qemuSnapshotRevertExternalPrepare(virDomainObj *vm, g_autoptr(virDomainDef) savedef =3D NULL; =20 memdata->path =3D snapdef->memorysnapshotfile; - if (qemuSaveImageGetMetadata(driver, NULL, memdata->path, &savedef, - &memdata->data) < 0) + if (qemuSaveImageGetMetadata(driver, NULL, memdata->path, NULL, NU= LL, + &savedef, &memdata->data) < 0) return -1; =20 memdata->fd =3D qemuSaveImageOpen(driver, memdata->path, --=20 2.51.2
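Review bot: In the qemuDomainCreateXML hunk of src/qemu/qemu_driver.c, the two new early exits use "return NULL" where the replaced parse-failure path used "goto cleanup", and the exit after virDomainCreateXMLEnsureACL() fails returns while def still holds the IDs-only definition. That is only correct if def is auto-freed in this function and nothing released under the cleanup label has been acquired yet; the declaration is outside the hunk, and qemuMigrationAnyPrepareDef() in this same patch does an explicit g_clear_pointer(&def, virObjectUnref) before bailing out on the same condition. Either keep "goto cleanup" here or state in the commit message why the direct return is safe.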
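Review bot: In qemuDomainDefineXMLFlags, virDomainDefineXMLFlagsEnsureACL() now runs on the IDs-only definition before virXMLCheckIllegalChars("name", def->name, "\n"), whereas before this patch the name was checked for newlines first and the ACL call came after. If virDomainDefIDsParseString() does not reject such names itself, the access driver is now handed a name that has not been through that check. Consider running the illegal-character check on the IDs-only def ahead of the ACL call, or add a comment saying the IDs parser already covers it.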
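Review bot: The calls in qemuDomainManagedSaveGetXMLDesc, qemuDomainObjRestore and qemuSnapshotRevertExternalPrepare pass "NULL, NULL" for the new ensureACL/conn pair, so qemuSaveImageGetMetadata() performs no access check on those paths, and nothing at the call sites says why. A one-line comment at each stating where the ACL check for that path is done (or why none is needed) would stop a later reader from treating these as conversions that were missed.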
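Review bot: The new connection parameter of qemuMigrationAnyPrepareDef() is named "sconn" in both qemu_migration.c and qemu_migration.h, but every caller in this patch that passes a non-NULL value passes dconn from a Prepare entry point. Rename it to "dconn" or plain "conn". The argument order also differs from qemuSaveImageGetMetadata(), which takes ensureACL first and conn second; picking one order for both, and a shared typedef for "int (*)(virConnectPtr, virDomainDef *)", would make the two helpers harder to call wrongly.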
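Review bot: In the body of qemuMigrationAnyPrepareDef(), the virDomainDefIDsParseString() call is not guarded by the callback being set, so qemuMigrationSrcRun(), which passes NULL for ensureACL, parses persist_xml twice for no benefit; only the call itself is conditional ("if (ensureACL && ensureACL(sconn, def) < 0)"). qemuSaveImageGetMetadata() wraps the same step in "if (ensureACL) {". Doing the same here, with the IDs-only parse, the dname override and the ACL call inside the block, would also let that temporary be a scoped g_autoptr instead of needing two g_clear_pointer() calls.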