From 0a213a6808d5d076e7c9658960a13c27642a68a8 Mon Sep 17 00:00:00 2001
Message-ID: <0a213a6808d5d076e7c9658960a13c27642a68a8.1690808082.git.jdenemar@redhat.com>
From: Peter Krempa
Date: Thu, 13 Jul 2023 16:16:37 +0200
Subject: [PATCH] storage: Fix returning of locked objects from 'virStoragePoolObjListSearch'
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2023-3750

'virStoragePoolObjListSearch' explicitly documents that it's returning a pointer to a locked and ref'd pool that matches the lookup function.

This was not the case as in commit 0c4b391e2a9 (released in libvirt-8.3.0) the code was accidentally converted to use 'VIR_LOCK_GUARD' which auto-unlocked it when leaving the scope, even when the code was originally "leaking" the lock.

Revert the corresponding conversion and add a comment that this function is intentionally leaking a locked object.

Fixes: 0c4b391e2a9
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2221851
Signed-off-by: Peter Krempa
Reviewed-by: Ján Tomko
(cherry picked from commit 9a47442366fcf8a7b6d7422016d7bbb6764a1098)
---
 src/conf/virstorageobj.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/conf/virstorageobj.c b/src/conf/virstorageobj.c
index 7010e97d61..59fa5da372 100644
--- a/src/conf/virstorageobj.c
+++ b/src/conf/virstorageobj.c
@@ -454,11 +454,16 @@ virStoragePoolObjListSearchCb(const void *payload, virStoragePoolObj *obj = (virStoragePoolObj *) payload; struct _virStoragePoolObjListSearchData *data = (struct _virStoragePoolObjListSearchData *)opaque; - VIR_LOCK_GUARD lock = virObjectLockGuard(obj); + virObjectLock(obj); + + /* If we find the matching pool object we must return while the object is + * locked as the caller wants to return a locked object. */ if (data->searcher(obj, data->opaque)) return 1; + virObjectUnlock(obj); + return 0; }
-- 
2.41.0
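Review bot: in the hunk at @@ -454,11 +454,16 @@ the early `return 1` path now deliberately keeps the object locked, but the added comment only says the caller "wants to return a locked object"; it does not say who is responsible for the reference the commit message promises ("locked and ref'd") or for the eventual unlock, neither of which happens in this callback. Spelling that out in the comment (the match is returned locked and unref'd here; 'virStoragePoolObjListSearch' takes the reference and its caller releases both) would make the contract checkable at the call site. It would also help to state why 'VIR_LOCK_GUARD' cannot be used in this function at all (the lock must outlive the callback's scope), so that a future cleanup pass does not reconvert `virObjectLock(obj);` / `virObjectUnlock(obj);` back to a guard and reintroduce CVE-2023-3750.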
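The bug class behind this patch, as an added stand-alone model that is not libvirt's code: a scope-bound lock guard built on the GCC/Clang cleanup attribute (the mechanism behind 'VIR_LOCK_GUARD') releases the lock on every exit from its scope, including the early `return` that is meant to hand the caller a still-locked object. The names `obj_t`, `lock_guard_t`, `search_with_guard`, `search_explicit` and `run_search` are hypothetical, and the lock is a single-threaded stand-in for `virObjectLock`/`virObjectUnlock` with error-checking semantics so that the caller's unlock of an already-unlocked object becomes visible as an error code rather than undefined behaviour.

```c
/* Added example, not libvirt's code. Models CVE-2023-3750: a scope guard
 * unlocking on the matching return versus an explicit lock that is
 * intentionally kept for the caller. All names are hypothetical. */
#include <stddef.h>
#include <stdio.h>

#define EPERM_LIKE 1   /* unlock of a lock we do not hold (stand-in for an error-checking mutex) */

typedef struct {
    int held;   /* 1 while locked; stand-in for the object's mutex */
    int id;
} obj_t;

static void obj_lock(obj_t *o) { o->held = 1; }

/* Returns 0 on success, EPERM_LIKE if the lock was not held. */
static int obj_unlock(obj_t *o)
{
    if (!o->held)
        return EPERM_LIKE;
    o->held = 0;
    return 0;
}

/* Scope guard: the cleanup handler fires whenever the variable leaves scope,
 * including on an early return. This is what VIR_LOCK_GUARD does. */
typedef struct { obj_t *o; } lock_guard_t;
static void lock_guard_cleanup(lock_guard_t *g) { if (g->o) obj_unlock(g->o); }
#define LOCK_GUARD __attribute__((cleanup(lock_guard_cleanup))) lock_guard_t
static lock_guard_t lock_guard(obj_t *o) { obj_lock(o); return (lock_guard_t){ o }; }

typedef int (*searcher_fn)(const obj_t *obj, const void *opaque);

/* Buggy shape (the accidental 0c4b391e2a9 conversion): the guard unlocks on
 * the matching return, so the caller receives an object that is no longer locked. */
static obj_t *search_with_guard(obj_t *objs, size_t n, searcher_fn fn, const void *opaque)
{
    for (size_t i = 0; i < n; i++) {
        LOCK_GUARD guard = lock_guard(&objs[i]);
        if (fn(&objs[i], opaque))
            return &objs[i];   /* cleanup runs here: lock dropped before the caller sees it */
    }
    return NULL;
}

/* Fixed shape (this patch): lock explicitly, unlock only on the non-matching path. */
static obj_t *search_explicit(obj_t *objs, size_t n, searcher_fn fn, const void *opaque)
{
    for (size_t i = 0; i < n; i++) {
        obj_lock(&objs[i]);
        if (fn(&objs[i], opaque))
            return &objs[i];   /* intentionally returned while still locked */
        obj_unlock(&objs[i]);
    }
    return NULL;
}

static int match_id(const obj_t *o, const void *opaque)
{
    return o->id == *(const int *)opaque;
}

/* The caller's side of the contract: the returned object is locked, so the
 * caller uses it and then unlocks it. Reports whether the object was actually
 * locked on return and returns obj_unlock's result: 0 when the search honoured
 * the contract, EPERM_LIKE when the lock had already been released, -1 if no
 * object matched. The three pools are constructed sample data. */
static int run_search(obj_t *(*search)(obj_t *, size_t, searcher_fn, const void *),
                      int *was_locked_on_return)
{
    obj_t pools[3] = { {0, 10}, {0, 20}, {0, 30} };
    int want = 20;
    obj_t *found = search(pools, 3, match_id, &want);
    if (!found)
        return -1;
    *was_locked_on_return = found->held;
    return obj_unlock(found);
}

int main(void)
{
    int locked;
    int rc = run_search(search_with_guard, &locked);
    printf("guard:    locked on return=%d unlock rc=%d\n", locked, rc);
    rc = run_search(search_explicit, &locked);
    printf("explicit: locked on return=%d unlock rc=%d\n", locked, rc);
    return 0;
}
```

With a real error-checking mutex the guard variant's second unlock fails with EPERM, and with a default mutex it is undefined behaviour; either way the object was unprotected between the search returning and the caller's next use, which is the window the patch closes.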