From f97340639134f6fbafb00f87898b4abddf9b4d4d Mon Sep 17 00:00:00 2001 Message-Id: From: "Daniel P. Berrange" Date: Tue, 18 Feb 2014 15:45:32 -0700 Subject: [PATCH] Fix path used for USB device attach with LXC https://bugzilla.redhat.com/show_bug.cgi?id=1045643 prereq of CVE-2013-6456 The LXC code missed the 'usb' component out of the path /dev/bus/usb/$BUSNUM/$DEVNUM, so it failed to actually setup cgroups for the device. This was in fact lucky because the call to virLXCSetupHostUsbDeviceCgroup was also mistakenly passing '&priv->cgroup' instead of just 'priv->cgroup'. So once the path is fixed, libvirtd would then crash trying to access the bogus virCgroupPtr pointer. This would have been a security issue, were it not for the bogus path preventing the pointer reference being reached. Signed-off-by: Daniel P. Berrange (cherry picked from commit c3648972222d4eb056e6e667c193ba56a7aa3557) Signed-off-by: Jiri Denemark --- src/lxc/lxc_driver.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c index 48456ad..63c545c 100644 --- a/src/lxc/lxc_driver.c +++ b/src/lxc/lxc_driver.c @@ -3338,7 +3338,7 @@ lxcDomainAttachDeviceHostdevSubsysUSBLive(virLXCDriverPtr driver, (unsigned long long)priv->initpid) < 0) goto cleanup; - if (virAsprintf(&dstdir, "%s/dev/bus/%03d", + if (virAsprintf(&dstdir, "%s/dev/bus/usb/%03d", vroot, def->source.subsys.u.usb.bus) < 0) goto cleanup; @@ -3403,7 +3403,7 @@ lxcDomainAttachDeviceHostdevSubsysUSBLive(virLXCDriverPtr driver, if (virUSBDeviceFileIterate(usb, virLXCSetupHostUsbDeviceCgroup, - &priv->cgroup) < 0) + priv->cgroup) < 0) goto cleanup; ret = 0; -- 1.9.0