03cc27
From 1abebbf11f518fcd8a70133245be7b8ea4b094ea Mon Sep 17 00:00:00 2001
03cc27
Message-Id: <1abebbf11f518fcd8a70133245be7b8ea4b094ea@dist-git>
03cc27
From: Jonathon Jongsma <jjongsma@redhat.com>
03cc27
Date: Fri, 1 May 2020 16:53:39 -0500
03cc27
Subject: [PATCH] qemu: don't hold monitor and agent job when setting time
03cc27
03cc27
We have to assume that the guest agent may be malicious so we don't want
03cc27
to allow any agent queries to block any other libvirt API. By holding
03cc27
a monitor job while we're querying the agent, we open ourselves up to a
03cc27
DoS.
03cc27
03cc27
Split the function so that the portion issuing the agent command only
03cc27
holds an agent job and the portion issuing the monitor command holds
03cc27
only a monitor job.
03cc27
03cc27
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
03cc27
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
03cc27
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
03cc27
(cherry picked from commit e005c95f56fee9ed780be7f8db103d690bd34cbd)
03cc27
03cc27
CVE-2019-20485
03cc27
03cc27
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
03cc27
Message-Id: <20200501215341.27683-4-jjongsma@redhat.com>
03cc27
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
03cc27
---
03cc27
 src/qemu/qemu_driver.c | 54 +++++++++++++++++++++++++++---------------
03cc27
 1 file changed, 35 insertions(+), 19 deletions(-)
03cc27
03cc27
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
03cc27
index 888c586a79..0f6641702d 100644
03cc27
--- a/src/qemu/qemu_driver.c
03cc27
+++ b/src/qemu/qemu_driver.c
03cc27
@@ -19455,6 +19455,35 @@ qemuDomainGetTime(virDomainPtr dom,
03cc27
     return ret;
03cc27
 }
03cc27
 
03cc27
+static int
03cc27
+qemuDomainSetTimeAgent(virQEMUDriverPtr driver,
03cc27
+                       virDomainObjPtr vm,
03cc27
+                       long long seconds,
03cc27
+                       unsigned int nseconds,
03cc27
+                       bool rtcSync)
03cc27
+{
03cc27
+    qemuAgentPtr agent;
03cc27
+    int ret = -1;
03cc27
+
03cc27
+    if (qemuDomainObjBeginAgentJob(driver, vm, QEMU_AGENT_JOB_MODIFY) < 0)
03cc27
+        return -1;
03cc27
+
03cc27
+    if (virDomainObjCheckActive(vm) < 0)
03cc27
+        goto endjob;
03cc27
+
03cc27
+    if (!qemuDomainAgentAvailable(vm, true))
03cc27
+        goto endjob;
03cc27
+
03cc27
+    agent = qemuDomainObjEnterAgent(vm);
03cc27
+    ret = qemuAgentSetTime(agent, seconds, nseconds, rtcSync);
03cc27
+    qemuDomainObjExitAgent(vm, agent);
03cc27
+
03cc27
+ endjob:
03cc27
+    qemuDomainObjEndJob(driver, vm);
03cc27
+    return ret;
03cc27
+}
03cc27
+
03cc27
+
03cc27
 static int
03cc27
 qemuDomainSetTime(virDomainPtr dom,
03cc27
                   long long seconds,
03cc27
@@ -19464,7 +19493,6 @@ qemuDomainSetTime(virDomainPtr dom,
03cc27
     virQEMUDriverPtr driver = dom->conn->privateData;
03cc27
     qemuDomainObjPrivatePtr priv;
03cc27
     virDomainObjPtr vm;
03cc27
-    qemuAgentPtr agent;
03cc27
     bool rtcSync = flags & VIR_DOMAIN_TIME_SYNC;
03cc27
     int ret = -1;
03cc27
     int rv;
03cc27
@@ -19479,14 +19507,6 @@ qemuDomainSetTime(virDomainPtr dom,
03cc27
 
03cc27
     priv = vm->privateData;
03cc27
 
03cc27
-    if (qemuDomainObjBeginJobWithAgent(driver, vm,
03cc27
-                                       QEMU_JOB_MODIFY,
03cc27
-                                       QEMU_AGENT_JOB_MODIFY) < 0)
03cc27
-        goto cleanup;
03cc27
-
03cc27
-    if (virDomainObjCheckActive(vm) < 0)
03cc27
-        goto endjob;
03cc27
-
03cc27
     /* On x86, the rtc-reset-reinjection QMP command must be called after
03cc27
      * setting the time to avoid trouble down the line. If the command is
03cc27
      * not available, don't set the time at all and report an error */
03cc27
@@ -19496,18 +19516,14 @@ qemuDomainSetTime(virDomainPtr dom,
03cc27
         virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
03cc27
                        _("cannot set time: qemu doesn't support "
03cc27
                          "rtc-reset-reinjection command"));
03cc27
-        goto endjob;
03cc27
+        goto cleanup;
03cc27
     }
03cc27
 
03cc27
-    if (!qemuDomainAgentAvailable(vm, true))
03cc27
-        goto endjob;
03cc27
-
03cc27
-    agent = qemuDomainObjEnterAgent(vm);
03cc27
-    rv = qemuAgentSetTime(agent, seconds, nseconds, rtcSync);
03cc27
-    qemuDomainObjExitAgent(vm, agent);
03cc27
+    if (qemuDomainSetTimeAgent(driver, vm, seconds, nseconds, rtcSync) < 0)
03cc27
+        goto cleanup;
03cc27
 
03cc27
-    if (rv < 0)
03cc27
-        goto endjob;
03cc27
+    if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0)
03cc27
+        goto cleanup;
03cc27
 
03cc27
     if (virDomainObjCheckActive(vm) < 0)
03cc27
         goto endjob;
03cc27
@@ -19526,7 +19542,7 @@ qemuDomainSetTime(virDomainPtr dom,
03cc27
     ret = 0;
03cc27
 
03cc27
  endjob:
03cc27
-    qemuDomainObjEndJobWithAgent(driver, vm);
03cc27
+    qemuDomainObjEndJob(driver, vm);
03cc27
 
03cc27
  cleanup:
03cc27
     virDomainObjEndAPI(&vm;;
03cc27
-- 
03cc27
2.26.2
03cc27