libvirt-9.5.0-4.el9
- storage: Fix returning of locked objects from 'virStoragePoolObjListSearch' (CVE-2023-3750, rhbz#2221851)

Resolves: rhbz#2221851
parent a63d9ba90e
commit 35bc6239db
				| @ -0,0 +1,56 @@ | ||||
| From 0a213a6808d5d076e7c9658960a13c27642a68a8 Mon Sep 17 00:00:00 2001 | ||||
| Message-ID: <0a213a6808d5d076e7c9658960a13c27642a68a8.1690808082.git.jdenemar@redhat.com> | ||||
| From: Peter Krempa <pkrempa@redhat.com> | ||||
| Date: Thu, 13 Jul 2023 16:16:37 +0200 | ||||
| Subject: [PATCH] storage: Fix returning of locked objects from | ||||
|  'virStoragePoolObjListSearch' | ||||
| MIME-Version: 1.0 | ||||
| Content-Type: text/plain; charset=UTF-8 | ||||
| Content-Transfer-Encoding: 8bit | ||||
| 
 | ||||
| CVE-2023-3750 | ||||
| 
 | ||||
| 'virStoragePoolObjListSearch' explicitly documents that it's returning | ||||
| a pointer to a locked and ref'd pool that maches the lookup function. | ||||
| 
 | ||||
| This was not the case as in commit 0c4b391e2a9 (released in | ||||
| libvirt-8.3.0) the code was accidentally converted to use 'VIR_LOCK_GUARD' | ||||
| which auto-unlocked it when leaving the scope, even when the code was | ||||
| originally "leaking" the lock. | ||||
| 
 | ||||
| Revert the corresponding conversion and add a comment that this function | ||||
| is intentionally leaking a locked object. | ||||
| 
 | ||||
| Fixes: 0c4b391e2a9 | ||||
| Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2221851 | ||||
| Signed-off-by: Peter Krempa <pkrempa@redhat.com> | ||||
| Reviewed-by: Ján Tomko <jtomko@redhat.com> | ||||
| (cherry picked from commit 9a47442366fcf8a7b6d7422016d7bbb6764a1098) | ||||
| ---
 | ||||
|  src/conf/virstorageobj.c | 7 ++++++- | ||||
|  1 file changed, 6 insertions(+), 1 deletion(-) | ||||
| 
 | ||||
| diff --git a/src/conf/virstorageobj.c b/src/conf/virstorageobj.c
 | ||||
| index 7010e97d61..59fa5da372 100644
 | ||||
| --- a/src/conf/virstorageobj.c
 | ||||
| +++ b/src/conf/virstorageobj.c
 | ||||
| @@ -454,11 +454,16 @@ virStoragePoolObjListSearchCb(const void *payload,
 | ||||
|      virStoragePoolObj *obj = (virStoragePoolObj *) payload; | ||||
|      struct _virStoragePoolObjListSearchData *data = | ||||
|          (struct _virStoragePoolObjListSearchData *)opaque; | ||||
| -    VIR_LOCK_GUARD lock = virObjectLockGuard(obj);
 | ||||
|   | ||||
| +    virObjectLock(obj);
 | ||||
| +
 | ||||
| +    /* If we find the matching pool object we must return while the object is
 | ||||
| +     * locked as the caller wants to return a locked object. */
 | ||||
|      if (data->searcher(obj, data->opaque)) | ||||
|          return 1; | ||||
|   | ||||
| +    virObjectUnlock(obj);
 | ||||
| +
 | ||||
|      return 0; | ||||
|  } | ||||
|   | ||||
| -- 
 | ||||
| 2.41.0 | ||||
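Review bot: In virStoragePoolObjListSearchCb the `return 1` path now leaves obj locked on purpose, but the new comment ("the caller wants to return a locked object") does not say who is responsible for the unlock. Suggest stating the ownership explicitly: the pool handed back through virStoragePoolObjListSearch stays locked and its caller must unlock it. The comment should also say that this spot must not be converted to VIR_LOCK_GUARD, since the commit message identifies that conversion (0c4b391e2a9) as the cause of the bug. The diffstat lists only src/conf/virstorageobj.c, so nothing tests the locked-return contract; a regression test asserting that the returned pool is locked would catch a repeat of the same cleanup.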
| @ -229,7 +229,7 @@ | ||||
| Summary: Library providing a simple virtualization API | ||||
| Name: libvirt | ||||
| Version: 9.5.0 | ||||
| Release: 3%{?dist}%{?extra_release} | ||||
| Release: 4%{?dist}%{?extra_release} | ||||
| License: GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND OFL-1.1 | ||||
| URL: https://libvirt.org/ | ||||
| 
 | ||||
| @ -249,6 +249,7 @@ Patch8: libvirt-conf-domcaps-Add-async-teardown-domain-capability.patch | ||||
| Patch9: libvirt-qemu-S390-does-not-provide-physical-address-size.patch | ||||
| Patch10: libvirt-nodedev-report-mdev-persistence-properly.patch | ||||
| Patch11: libvirt-node_device-Don-t-leak-error-message-buffer-from-virMdevctlListDefined-Active.patch | ||||
| Patch12: libvirt-storage-Fix-returning-of-locked-objects-from-virStoragePoolObjListSearch.patch | ||||
| 
 | ||||
| 
 | ||||
| Requires: libvirt-daemon = %{version}-%{release} | ||||
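Review bot: Patch12 is only declared in this hunk and no line applying it appears anywhere in the diff. Confirm that the %prep section applies numbered patches automatically (as it must already do for Patch9 through Patch11), otherwise the CVE-2023-3750 fix is carried in the source package without being built into the binaries.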
| @ -2485,6 +2486,9 @@ exit 0 | ||||
| %endif | ||||
| 
 | ||||
| %changelog | ||||
| * Mon Jul 31 2023 Jiri Denemark <jdenemar@redhat.com> - 9.5.0-4 | ||||
| - storage: Fix returning of locked objects from 'virStoragePoolObjListSearch' (CVE-2023-3750, rhbz#2221851) | ||||
| 
 | ||||
| * Fri Jul 21 2023 Jiri Denemark <jdenemar@redhat.com> - 9.5.0-3 | ||||
| - tests: remove acpi support from s390x ccw hotplug tests (rhbz#2168499) | ||||
| - tests: add capabilities for QEMU 8.1.0 on s390x (rhbz#2168499) | ||||
|  | ||||