[libvirt] [PATCH] Fix crash in libvirtd when events are registered & ACLs active

From: "Daniel P. Berrange" <berrange(a)redhat.com&gt; When a client disconnects from libvirtd, all event callbacks must be removed. This involves running the public API virConnectDomainEventDeregisterAny This code does not run in normal API dispatch context, so no identity was set. The result was that the access control drivers denied the attempt to deregister callbacks. The callbacks thus continued to trigger after the client was free'd causing fairly predictable use of free memory & a crash. This can be triggered by any client with readonly access when the ACL drivers are active. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com&gt; --- daemon/remote.c | 6 ++++++ 1 file changed, 6 insertions(+) NB, this bug is a publically reported security flaw and I'll be backporting it to other stable branches. A CVE will be assigned soon and will notify when that info is available. diff --git a/daemon/remote.c b/daemon/remote.c index 9497cc1..f3de6a0 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -666,8 +666,11 @@ void remoteClientFreeFunc(void *data) /* Deregister event delivery callback */ if (priv->conn) { + virIdentityPtr sysident = virIdentityGetSystem(); size_t i; + virIdentitySetCurrent(sysident); + for (i = 0; i < VIR_DOMAIN_EVENT_ID_LAST; i++) { if (priv->domainEventCallbackID[i] != -1) { VIR_DEBUG("Deregistering to relay remote events %zu", i); @@ -678,6 +681,9 @@ void remoteClientFreeFunc(void *data) } virConnectClose(priv->conn); + + virIdentitySetCurrent(NULL); + virObjectUnref(sysident); } VIR_FREE(priv); -- 1.8.3.1