From 803a78645bdde8369ead4bc2f63fa878b2ac8d18 Mon Sep 17 00:00:00 2001
Message-Id: <803a78645bdde8369ead4bc2f63fa878b2ac8d18@dist-git>
From: Yi Li <yili@winhong.com>
Date: Thu, 30 Apr 2020 09:49:12 -0400
Subject: [PATCH] storage: Fix daemon crash on lookup storagepool by targetpath

Causing a crash when storagePoolLookupByTargetPath because of
some types of storage pool have no target elements.
Use STREQ_NULLABLE instead of STREQ
Avoids segfaults when using NULL arguments.

Core was generated by `/usr/sbin/libvirtd'.
Program terminated with signal 11, Segmentation fault.
(gdb) bt
0  0x0000ffff9e951388 in strcmp () from /lib64/libc.so.6
1  0x0000ffff92103e9c in storagePoolLookupByTargetPathCallback (
    obj=0xffff7009aab0, opaque=0xffff801058b0) at storage/storage_driver.c:1649
2  0x0000ffff9f2c52a4 in virStoragePoolObjListSearchCb (
    payload=0xffff801058b0, name=<optimized out>, opaque=<optimized out>)
    at conf/virstorageobj.c:476
3  0x0000ffff9f1f2f7c in virHashSearch (ctable=0xffff800f4f60,
    iter=iter@entry=0xffff9f2c5278 <virStoragePoolObjListSearchCb>,
    data=data@entry=0xffff95af7488, name=name@entry=0x0) at util/virhash.c:696
4  0x0000ffff9f2c64f0 in virStoragePoolObjListSearch (pools=0xffff800f2ce0,
    searcher=searcher@entry=0xffff92103e68 <storagePoolLookupByTargetPathCallback>,
     opaque=<optimized out>) at conf/virstorageobj.c:505
5  0x0000ffff92101f54 in storagePoolLookupByTargetPath (conn=0xffff5c0009f0,
path=0xffff7009a850 "/vms/images") at storage/storage_driver.c:1672

Reviewed-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Yi Li <yili@winhong.com>
(cherry picked from commit dfff16a7c261f8d28e3abe60a47165f845fa952f)

CVE-2020-10703

Signed-off-by: Cole Robinson <crobinso@redhat.com>
Message-Id: <b15361aee7febad6be8d0b5f7973c9ed48f0910f.1588254371.git.crobinso@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
---
 src/storage/storage_driver.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
index 254818e308..f82f38d5e5 100644
--- a/src/storage/storage_driver.c
+++ b/src/storage/storage_driver.c
@@ -1647,7 +1647,7 @@ storagePoolLookupByTargetPathCallback(virStoragePoolObjPtr obj,
         return false;
 
     def = virStoragePoolObjGetDef(obj);
-    return STREQ(path, def->target.path);
+    return STREQ_NULLABLE(path, def->target.path);
 }
 
 
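Review bot: STREQ_NULLABLE(path, def->target.path) on the changed return line treats two NULL pointers as equal, so a pool with no target path would be reported as a match if path were ever NULL at this point. The hunk does not show whether path is guaranteed non-NULL here; if it is not, an explicit guard such as `if (!def->target.path) return false;` before the comparison would state the intent (a pool without a target never matches a path lookup) more directly than relying on the nullable macro. The diffstat shows only storage_driver.c changing, so a regression test that runs the lookup against a pool definition with no target element would be worth adding to keep the segfault in the backtrace from returning.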
-- 
2.26.2