Commit
5878698a
authored
16 years ago
by
Guido Günther
Committed by
Guido Günther
16 years ago
cherry-pick patch for CVE-2008-5086 from experimental
parent
e0cb9fe6
Showing
2 changed files
debian/patches/0011-Fix-missing-read-only-access-checks-CVE-2008-5086.patch
+188
-0
188 additions, 0 deletions
...1-Fix-missing-read-only-access-checks-CVE-2008-5086.patch
debian/patches/series
+1
-0
1 addition, 0 deletions
debian/patches/series
with
189 additions
and
0 deletions
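--- /dev/null
+++ b/debian/patches/0011-Fix-missing-read-only-access-checks-CVE-2008-5086.patch
+From 7855c34e1517163aa7a4c58f6c4fff762cef515b Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrange <berrange@redhat.com>
+Date: Wed, 17 Dec 2008 16:55:58 +0000
+Subject: [PATCH] Fix missing read-only access checks (CVE-2008-5086)
+The following methods in libvirt.c are missing a check against the
+read-only connection flag:
+virDomainMigrate
+virDomainMigratePrepare
+virDomainMigratePerform
+virDomainMigrateFinish
+virDomainMigratePrepare2
+virDomainMigrateFinish2
+virDomainBlockPeek
+virDomainMemoryPeek
+virDomainSetAutostart
+virNetworkSetAutostart
+virConnectFindStoragePoolSources
+virStoragePoolSetAutostart
+If using PolicyKit auth, the default policy will allow any local user
+to make a read-only connection to the libvirtd daemon without needing
+authentication.
+If not using PolicyKit, the default libvirtd.conf configuration settings
+will allow an unprivileged user to make a read-only connection to the
+libvirtd daemon without needing authentication.
+Thus out of the box unprivileged local users may be able to migrate VMs,
+set or unset the autostart flag for domains, networks & storage pools,
+and access privileged data in the VM memory, or disks.
+All TCP remote connections are read-write, and default settings require
+full authentication, thus remote access is not impacted by this flaw.
+Administrators can apply a workaround by editting /etc/libvirt/libvirtd.conf
+to explicitly set 'unix_sock_ro_perms' parameter to '0700'. Restart the
+libvirtd daemon after making this change.
+The first vulnerable release was 0.3.2, where the virDomainMigrate API
+was added for the Xen driver. Other APIs were added in various subsequent
+releases depending on the hypervisor driver in question.
+The attached patch has been committed to CVS, and OS distributors are
+recommended to apply this patch to all existing releases shipped. It
+was diff'd against current CVS head, and applies against 0.5.1, and
+is trivially re-diffable for all earlier releases.
+This flaw has been assigned the identifier CVE-2008-5086
+Daniel
+---
+src/libvirt.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+1 files changed, 55 insertions(+), 0 deletions(-)
+diff --git a/src/libvirt.c b/src/libvirt.c
+index ed98323..02f67b7 100644
+--- a/src/libvirt.c
++++ b/src/libvirt.c
+@@ -2180,6 +2180,16 @@
+virDomainMigrate (virDomainPtr domain,
+return NULL;
+}
++ if (domain->conn->flags & VIR_CONNECT_RO) {
++ virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return NULL;
++ }
++ if (dconn->flags & VIR_CONNECT_RO) {
++ /* NB, delibrately report error against source object, not dest here */
++ virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return NULL;
++ }
++
+/* Check that migration is supported by both drivers. */
+if (!VIR_DRV_SUPPORTS_FEATURE (conn->driver, conn,
+VIR_DRV_FEATURE_MIGRATION_V1) ||
+@@ -2257,6 +2267,11 @@
+__virDomainMigratePrepare (virConnectPtr dconn,
+return -1;
+}
++ if (dconn->flags & VIR_CONNECT_RO) {
++ virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return -1;
++ }
++
+if (dconn->driver->domainMigratePrepare)
+return dconn->driver->domainMigratePrepare (dconn, cookie, cookielen,
+uri_in, uri_out,
+@@ -2287,6 +2302,11 @@
+__virDomainMigratePerform (virDomainPtr domain,
+}
+conn = domain->conn;
++ if (domain->conn->flags & VIR_CONNECT_RO) {
++ virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return -1;
++ }
++
+if (conn->driver->domainMigratePerform)
+return conn->driver->domainMigratePerform (domain, cookie, cookielen,
+uri,
+@@ -2314,6 +2334,11 @@
+__virDomainMigrateFinish (virConnectPtr dconn,
+return NULL;
+}
++ if (dconn->flags & VIR_CONNECT_RO) {
++ virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return NULL;
++ }
++
+if (dconn->driver->domainMigrateFinish)
+return dconn->driver->domainMigrateFinish (dconn, dname,
+cookie, cookielen,
+@@ -2671,6 +2696,11 @@
+virDomainBlockPeek (virDomainPtr dom,
+}
+conn = dom->conn;
++ if (dom->conn->flags & VIR_CONNECT_RO) {
++ virLibDomainError(dom, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return (-1);
++ }
++
+if (!path) {
+virLibDomainError (dom, VIR_ERR_INVALID_ARG,
+_("path is NULL"));
+@@ -2746,6 +2776,11 @@
+virDomainMemoryPeek (virDomainPtr dom,
+}
+conn = dom->conn;
++ if (dom->conn->flags & VIR_CONNECT_RO) {
++ virLibDomainError(dom, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return (-1);
++ }
++
+/* Flags must be VIR_MEMORY_VIRTUAL at the moment.
+*
+* Note on access to physical memory: A VIR_MEMORY_PHYSICAL flag is
+@@ -3013,6 +3048,11 @@
+virDomainSetAutostart(virDomainPtr domain,
+conn = domain->conn;
++ if (domain->conn->flags & VIR_CONNECT_RO) {
++ virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return (-1);
++ }
++
+if (conn->driver->domainSetAutostart)
+return conn->driver->domainSetAutostart (domain, autostart);
+@@ -3963,6 +4003,11 @@
+virNetworkSetAutostart(virNetworkPtr network,
+return (-1);
+}
++ if (network->conn->flags & VIR_CONNECT_RO) {
++ virLibNetworkError(network, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return (-1);
++ }
++
+conn = network->conn;
+if (conn->networkDriver && conn->networkDriver->networkSetAutostart)
+@@ -4161,6 +4206,11 @@
+virConnectFindStoragePoolSources(virConnectPtr conn,
+return NULL;
+}
++ if (conn->flags & VIR_CONNECT_RO) {
++ virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return NULL;
++ }
++
+if (conn->storageDriver && conn->storageDriver->findPoolSources)
+return conn->storageDriver->findPoolSources(conn, type, srcSpec, flags);
+@@ -4834,6 +4884,11 @@
+virStoragePoolSetAutostart(virStoragePoolPtr pool,
+return (-1);
+}
++ if (pool->conn->flags & VIR_CONNECT_RO) {
++ virLibStoragePoolError(pool, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return (-1);
++ }
++
+conn = pool->conn;
+if (conn->storageDriver && conn->storageDriver->poolSetAutostart)
+--
+1.6.0.3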
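Review bot: The patch description names twelve entry points, including virDomainMigratePrepare2 and virDomainMigrateFinish2, but the embedded src/libvirt.c diff has only ten hunks (55 insertions) and none of them touches those two functions. If the packaged source predates them, that is expected, but it should be confirmed against the tree rather than assumed, because a hunk dropped during re-diffing would leave those calls without the VIR_CONNECT_RO check. I would record the outcome in the patch header, for example `Prepare2/Finish2 hunks not applicable: functions absent in this release`. As a style point, the hunks for __virDomainMigratePerform, virDomainBlockPeek, virDomainMemoryPeek and virDomainSetAutostart test `domain->conn->flags` or `dom->conn->flags` right after assigning `conn`, where `conn->flags & VIR_CONNECT_RO` would read more consistently. All the function bodies start and end outside the visible hunks, so the earlier object validation is not checked here.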
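--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@
 0008-Increase-initial-qemu-monitor-read-timeout.patch
 0009-Open-qemu-monitor-log-O_APPEND-instead-of-O_TRUNC.patch
 0010-raise-error-on-invalid-volume-format.patch
+0011-Fix-missing-read-only-access-checks-CVE-2008-5086.patch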