From 618400932103613617f361134e446c6937c747c6 Mon Sep 17 00:00:00 2001
Message-Id: <618400932103613617f361134e446c6937c747c6@dist-git>
From: Jonathon Jongsma <jjongsma@redhat.com>
Date: Fri, 1 May 2020 16:53:40 -0500
Subject: [PATCH] qemu: remove use of qemuDomainObjBeginJobWithAgent()
This function will be removed in a future commit because it allows the
caller to acquire both monitor and agent jobs at the same time. Holding
both job types creates a vulnerability to denial of service from a
malicious guest agent.
qemuDomainSetVcpusFlags() always passes NONE for either the monitor job
or the agent job (and thus is not vulnerable to the DoS), so we can
simply replace this function with the functions for acquiring the
appropriate type of job.
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit ffa5066a49686e61991759983b0d7d1ba707fe50)
CVE-2019-20485
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
Message-Id: <20200501215341.27683-5-jjongsma@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
---
src/qemu/qemu_driver.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 0f6641702d..e1d9bbae99 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -5003,8 +5003,6 @@ qemuDomainSetVcpusFlags(virDomainPtr dom,
virDomainDefPtr persistentDef;
bool hotpluggable = !!(flags & VIR_DOMAIN_VCPU_HOTPLUGGABLE);
bool useAgent = !!(flags & VIR_DOMAIN_VCPU_GUEST);
- qemuDomainJob job = QEMU_JOB_NONE;
- qemuDomainAgentJob agentJob = QEMU_AGENT_JOB_NONE;
int ret = -1;
virCheckFlags(VIR_DOMAIN_AFFECT_LIVE |
@@ -5019,13 +5017,14 @@ qemuDomainSetVcpusFlags(virDomainPtr dom,
if (virDomainSetVcpusFlagsEnsureACL(dom->conn, vm->def, flags) < 0)
goto cleanup;
- if (useAgent)
- agentJob = QEMU_AGENT_JOB_MODIFY;
- else
- job = QEMU_JOB_MODIFY;
- if (qemuDomainObjBeginJobWithAgent(driver, vm, job, agentJob) < 0)
- goto cleanup;
+ if (useAgent) {
+ if (qemuDomainObjBeginAgentJob(driver, vm, QEMU_AGENT_JOB_MODIFY) < 0)
+ goto cleanup;
+ } else {
+ if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0)
+ goto cleanup;
+ }
if (virDomainObjGetDefs(vm, flags, &def, &persistentDef) < 0)
goto endjob;
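Review bot: The new branch at `+ if (useAgent) {` acquires exactly one of the two job types, but nothing in the code records why the agent job and the monitor job must never be held together, so a later refactor could re-combine them; a comment at that point would preserve the intent, e.g. `/* Take either the agent job or the monitor job, never both: a guest agent that stops answering must not be able to block monitor jobs (CVE-2019-20485). */`. `useAgent` is now the single value that decides which job is begun here and which one is released at the `endjob:` label in the last hunk, so it must not be reassigned between the two; the dispatch code between these hunks is outside the patch, so I cannot confirm that from here. This hunk begins the agent job without any visible check that the agent is actually connected; presumably the agent-path callee handles that, which is worth confirming so a missing agent fails cleanly rather than holding the job. qemuDomainSetVcpusFlags starts before and ends after this hunk.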
@@ -5039,7 +5038,7 @@ qemuDomainSetVcpusFlags(virDomainPtr dom,
nvcpus, hotpluggable);
endjob:
- if (agentJob)
+ if (useAgent)
qemuDomainObjEndAgentJob(vm);
else
qemuDomainObjEndJob(driver, vm);
--
2.26.2