1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
|
From 3352c8af264a7b9b741208790ecca0bbc6733f42 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
Date: Fri, 14 Jun 2019 08:47:42 +0200
Subject: [PATCH 08/11] api: disallow virDomainSaveImageGetXMLDesc on read-only
connections
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The virDomainSaveImageGetXMLDesc API is taking a path parameter,
which can point to any path on the system. This file will then be
read and parsed by libvirtd running with root privileges.
Forbid it on read-only connections.
Fixes: CVE-2019-10161
Reported-by: Matthias Gerstner <mgerstner@suse.de>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit aed6a032cead4386472afb24b16196579e239580)
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Conflicts:
src/libvirt-domain.c
src/remote/remote_protocol.x
Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
alias for VIR_DOMAIN_XML_SECURE is not backported.
Just skip the commit since we now disallow the whole API on read-only
connections, regardless of the flag.
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Upstream-Status: Backport
CVE: CVE-2019-10161
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
src/libvirt-domain.c | 11 ++---------
src/qemu/qemu_driver.c | 2 +-
src/remote/remote_protocol.x | 3 +--
3 files changed, 4 insertions(+), 12 deletions(-)
Index: libvirt-4.7.0/src/libvirt-domain.c
===================================================================
--- libvirt-4.7.0.orig/src/libvirt-domain.c
+++ libvirt-4.7.0/src/libvirt-domain.c
@@ -1073,9 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn
* previously by virDomainSave() or virDomainSaveFlags().
*
* No security-sensitive data will be included unless @flags contains
- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
- * connections. For this API, @flags should not contain either
- * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
+ * VIR_DOMAIN_XML_SECURE.
*
* Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
* error. The caller must free() the returned value.
@@ -1091,12 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectP
virCheckConnectReturn(conn, NULL);
virCheckNonNullArgGoto(file, error);
-
- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
- virReportError(VIR_ERR_OPERATION_DENIED, "%s",
- _("virDomainSaveImageGetXMLDesc with secure flag"));
- goto error;
- }
+ virCheckReadOnlyGoto(conn->flags, error);
if (conn->driver->domainSaveImageGetXMLDesc) {
char *ret;
Index: libvirt-4.7.0/src/qemu/qemu_driver.c
===================================================================
--- libvirt-4.7.0.orig/src/qemu/qemu_driver.c
+++ libvirt-4.7.0/src/qemu/qemu_driver.c
@@ -6791,7 +6791,7 @@ qemuDomainSaveImageGetXMLDesc(virConnect
if (fd < 0)
goto cleanup;
- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
+ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
goto cleanup;
ret = qemuDomainDefFormatXML(driver, def, flags);
Index: libvirt-4.7.0/src/remote/remote_protocol.x
===================================================================
--- libvirt-4.7.0.orig/src/remote/remote_protocol.x
+++ libvirt-4.7.0/src/remote/remote_protocol.x
@@ -5226,8 +5226,7 @@ enum remote_procedure {
/**
* @generate: both
* @priority: high
- * @acl: domain:read
- * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
+ * @acl: domain:write
*/
REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
|
