From f97340639134f6fbafb00f87898b4abddf9b4d4d Mon Sep 17 00:00:00 2001

Message-Id: <f97340639134f6fbafb00f87898b4abddf9b4d4d@dist-git>

From: "Daniel P. Berrange" <berrange@redhat.com>

Date: Tue, 18 Feb 2014 15:45:32 -0700

Subject: [PATCH] Fix path used for USB device attach with LXC

https://bugzilla.redhat.com/show_bug.cgi?id=1045643

prereq of CVE-2013-6456

The LXC code missed the 'usb' component out of the path

/dev/bus/usb/$BUSNUM/$DEVNUM, so it failed to actually

setup cgroups for the device. This was in fact lucky

because the call to virLXCSetupHostUsbDeviceCgroup

was also mistakenly passing '&priv->cgroup' instead of

just 'priv->cgroup'. So once the path is fixed, libvirtd

would then crash trying to access the bogus virCgroupPtr

pointer. This would have been a security issue, were it

not for the bogus path preventing the pointer reference

being reached.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

(cherry picked from commit c3648972222d4eb056e6e667c193ba56a7aa3557)

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>

---

 src/lxc/lxc_driver.c | 4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c

index 48456ad..63c545c 100644

--- a/src/lxc/lxc_driver.c

+++ b/src/lxc/lxc_driver.c

@@ -3338,7 +3338,7 @@ lxcDomainAttachDeviceHostdevSubsysUSBLive(virLXCDriverPtr driver,

                     (unsigned long long)priv->initpid) < 0)

         goto cleanup;

-    if (virAsprintf(&dstdir, "%s/dev/bus/%03d",

+    if (virAsprintf(&dstdir, "%s/dev/bus/usb/%03d",

                     vroot,

                     def->source.subsys.u.usb.bus) < 0)

         goto cleanup;

@@ -3403,7 +3403,7 @@ lxcDomainAttachDeviceHostdevSubsysUSBLive(virLXCDriverPtr driver,

     if (virUSBDeviceFileIterate(usb,

                                 virLXCSetupHostUsbDeviceCgroup,

-                                &priv->cgroup) < 0)

+                                priv->cgroup) < 0)

         goto cleanup;

     ret = 0;

-- 

1.9.0