From 7d621673b5e33c2dcd7e247f37b3d1bd298b66d8 Mon Sep 17 00:00:00 2001

Message-Id: <7d621673b5e33c2dcd7e247f37b3d1bd298b66d8@dist-git>

From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>

Date: Thu, 10 Jan 2019 12:49:11 +0100

Subject: [PATCH] qemu: require reply from guest agent in

 qemuAgentGetInterfaces

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Since its introduction in commit 0977b8aa071 (released in v1.2.14)

qemuAgentGetInterfaces calls qemuAgentCommand with needReply=false,

which allows qemuAgentCommand to return 0 even when it did not get

any reply from the agent.

Set needReply to true, since we dereference it right after.

This can be hit if libvirt is waiting for an event from the agent

(e.g. shutdown) and the agent cannot reply in time (e.g. due to

the guest being shut down), as reported in:

https://bugzilla.redhat.com/show_bug.cgi?id=1663051

Signed-off-by: Ján Tomko <jtomko@redhat.com>

Reviewed-by: Jiri Denemark <jdenemar@redhat.com>

(cherry picked from commit 7cfd1fbb1332ae5df678b9f41a62156cb2e88c73)

Signed-off-by: Ján Tomko <jtomko@redhat.com>

8.0: https://bugzilla.redhat.com/show_bug.cgi?id=1665000

CVE-2019-3840

Message-Id: <714971c077bf26ec0d1a2b7283cafb7ab253ccd5.1547120910.git.jtomko@redhat.com>

Reviewed-by: Jiri Denemark <jdenemar@redhat.com>

---

 src/qemu/qemu_agent.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/qemu/qemu_agent.c b/src/qemu/qemu_agent.c

index 986e37b07d..d6fd02a4b6 100644

--- a/src/qemu/qemu_agent.c

+++ b/src/qemu/qemu_agent.c

@@ -1987,7 +1987,7 @@ qemuAgentGetInterfaces(qemuAgentPtr mon,

     if (!(cmd = qemuAgentMakeCommand("guest-network-get-interfaces", NULL)))

         goto cleanup;

-    if (qemuAgentCommand(mon, cmd, &reply, false,

+    if (qemuAgentCommand(mon, cmd, &reply, true,

                          VIR_DOMAIN_QEMU_AGENT_COMMAND_BLOCK) < 0)

         goto cleanup;

-- 

2.21.0