From 799c1b70cdcfffd313315e9ab31d96bbb836aed6 Mon Sep 17 00:00:00 2001

Message-Id: <799c1b70cdcfffd313315e9ab31d96bbb836aed6@dist-git>

From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>

Date: Tue, 18 Jun 2019 13:29:59 +0200

Subject: [PATCH] api: disallow virDomainSaveImageGetXMLDesc on read-only

 connections

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

The virDomainSaveImageGetXMLDesc API is taking a path parameter,

which can point to any path on the system. This file will then be

read and parsed by libvirtd running with root privileges.

Forbid it on read-only connections.

Fixes: CVE-2019-10161

Reported-by: Matthias Gerstner <mgerstner@suse.de>

Signed-off-by: Ján Tomko <jtomko@redhat.com>

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Signed-off-by: Ján Tomko <jtomko@redhat.com>

Conflicts:

  src/libvirt-domain.c

  src/remote/remote_protocol.x

Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE

alias for VIR_DOMAIN_XML_SECURE is not backported.

Just skip the commit since we now disallow the whole API on read-only

connections, regardless of the flag.

Message-Id: <4c14d609cd7b548459b9ef2f59728fa5c5e38268.1560857354.git.jtomko@redhat.com>

Reviewed-by: Jiri Denemark <jdenemar@redhat.com>

---

 src/libvirt-domain.c         | 11 ++---------

 src/qemu/qemu_driver.c       |  2 +-

 src/remote/remote_protocol.x |  3 +--

 3 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c

index ad0ded9ee3..0ba85b9360 100644

--- a/src/libvirt-domain.c

+++ b/src/libvirt-domain.c

@@ -1073,9 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,

  * previously by virDomainSave() or virDomainSaveFlags().

  *

  * No security-sensitive data will be included unless @flags contains

- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only

- * connections.  For this API, @flags should not contain either

- * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.

+ * VIR_DOMAIN_XML_SECURE.

  *

  * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of

  * error.  The caller must free() the returned value.

@@ -1091,12 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,

     virCheckConnectReturn(conn, NULL);

     virCheckNonNullArgGoto(file, error);

-

-    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {

-        virReportError(VIR_ERR_OPERATION_DENIED, "%s",

-                       _("virDomainSaveImageGetXMLDesc with secure flag"));

-        goto error;

-    }

+    virCheckReadOnlyGoto(conn->flags, error);

     if (conn->driver->domainSaveImageGetXMLDesc) {

         char *ret;

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c

index 21d836a540..fcccdb57c3 100644

--- a/src/qemu/qemu_driver.c

+++ b/src/qemu/qemu_driver.c

@@ -6784,7 +6784,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,

     if (fd < 0)

         goto cleanup;

-    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)

+    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)

         goto cleanup;

     ret = qemuDomainDefFormatXML(driver, def, flags);

diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x

index 28c8febabd..52b92334fa 100644

--- a/src/remote/remote_protocol.x

+++ b/src/remote/remote_protocol.x

@@ -5226,8 +5226,7 @@ enum remote_procedure {

     /**

      * @generate: both

      * @priority: high

-     * @acl: domain:read

-     * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE

+     * @acl: domain:write

      */

     REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,

-- 

2.22.0