From 7d621673b5e33c2dcd7e247f37b3d1bd298b66d8 Mon Sep 17 00:00:00 2001 Message-Id: <7d621673b5e33c2dcd7e247f37b3d1bd298b66d8@dist-git> From: =?UTF-8?q?J=C3=A1n=20Tomko?= Date: Thu, 10 Jan 2019 12:49:11 +0100 Subject: [PATCH] qemu: require reply from guest agent in qemuAgentGetInterfaces MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since its introduction in commit 0977b8aa071 (released in v1.2.14) qemuAgentGetInterfaces calls qemuAgentCommand with needReply=false, which allows qemuAgentCommand to return 0 even when it did not get any reply from the agent. Set needReply to true, since we dereference it right after. This can be hit if libvirt is waiting for an event from the agent (e.g. shutdown) and the agent cannot reply in time (e.g. due to the guest being shut down), as reported in: https://bugzilla.redhat.com/show_bug.cgi?id=1663051 Signed-off-by: Ján Tomko Reviewed-by: Jiri Denemark (cherry picked from commit 7cfd1fbb1332ae5df678b9f41a62156cb2e88c73) Signed-off-by: Ján Tomko 8.0: https://bugzilla.redhat.com/show_bug.cgi?id=1665000 CVE-2019-3840 Message-Id: <714971c077bf26ec0d1a2b7283cafb7ab253ccd5.1547120910.git.jtomko@redhat.com> Reviewed-by: Jiri Denemark --- src/qemu/qemu_agent.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/qemu/qemu_agent.c b/src/qemu/qemu_agent.c index 986e37b07d..d6fd02a4b6 100644 --- a/src/qemu/qemu_agent.c +++ b/src/qemu/qemu_agent.c @@ -1987,7 +1987,7 @@ qemuAgentGetInterfaces(qemuAgentPtr mon, if (!(cmd = qemuAgentMakeCommand("guest-network-get-interfaces", NULL))) goto cleanup; - if (qemuAgentCommand(mon, cmd, &reply, false, + if (qemuAgentCommand(mon, cmd, &reply, true, VIR_DOMAIN_QEMU_AGENT_COMMAND_BLOCK) < 0) goto cleanup; -- 2.21.0
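Review bot: the one-word change from `false` to `true` is the right minimal fix for the NULL dereference the commit message describes (with needReply=false, qemuAgentCommand can return 0 while leaving `reply` unset), but the hunk still shows no guard on `reply` before it is used in qemuAgentGetInterfaces. It would be worth adding an explicit `if (!reply) goto cleanup;` after the call as a defensive check, and sweeping the remaining needReply=false callers in src/qemu/qemu_agent.c for the same pattern, since the same return-0-without-reply contract applies to them. Note also that this changes observable behaviour: when the agent cannot answer in time (the shutdown race referenced in the bug), guest-network-get-interfaces now fails with an error instead of returning success with no data, so callers of qemuAgentGetInterfaces must tolerate that error path; the commit message could state this explicitly.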