On 10/24/2011 04:14 AM, Michal Privoznik wrote:
On 22.10.2011 01:16, Eric Blake wrote:
> Detected by Coverity. Both text and JSON monitors set only the
> bus and unit fields, which means driveAddr.controller spends
> life as garbage on the stack, and is then memcpy()'d into the
> in-memory representation which the user can see via dumpxml.
>
> * src/qemu/qemu_hotplug.c (qemuDomainAttachSCSIDisk): Only copy
> defined fields.
> ---
>
> I have to admit that Coverity is good - it took me several minutes
> to follow the trail down to qemu_monitor_{text,json}.c and prove to
> myself that driveAddr.controller really is untouched on success.
>
> I didn't actually try to exploit this one - it depends on whatever
> is already on the stack, and your compiler optimization levels,
> before you would ever see dumpxml giving bogus information in
> the <address controller='garbage'> field of the
> hotplugged <disk>.
>
> src/qemu/qemu_hotplug.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
ACK
Thanks; pushed.
--
Eric Blake eblake(a)redhat.com +1-801-349-2682
Libvirt virtualization library
http://libvirt.org
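The bug pattern the commit message describes, shown as an added C example that is not libvirt's own code: a monitor reply parser fills in only `bus` and `unit`, and a whole-struct `memcpy()` then carries the never-written `controller` field into the definition the user can see; the struct, function names and 0xAA "stack garbage" fill are assumptions chosen to keep the example deterministic.

```c
#include <string.h>

/* Hypothetical stand-in for libvirt's drive address struct
 * (not the project's own definition). */
typedef struct {
    unsigned int controller;
    unsigned int bus;
    unsigned int unit;
} drive_addr_t;

/* Simulates the monitor reply parser: as the commit message says of
 * qemu_monitor_{text,json}.c, only bus and unit are ever written. */
static int monitor_get_drive_addr(drive_addr_t *addr)
{
    addr->bus = 0;
    addr->unit = 2;
    return 0;
}

/* Buggy pattern: memcpy() of the whole local struct copies the
 * uninitialised controller field along with bus and unit.  Real stack
 * garbage is undefined behaviour, so it is simulated with a 0xAA fill. */
unsigned int attach_buggy(drive_addr_t *disk)
{
    drive_addr_t driveAddr;
    memset(&driveAddr, 0xAA, sizeof(driveAddr)); /* simulated stack garbage */
    if (monitor_get_drive_addr(&driveAddr) < 0)
        return 0;
    memcpy(disk, &driveAddr, sizeof(driveAddr)); /* controller copied too */
    return disk->controller;
}

/* Fixed pattern: copy only the fields the monitor actually defined, so
 * whatever controller value was already in the definition is kept. */
unsigned int attach_fixed(drive_addr_t *disk)
{
    drive_addr_t driveAddr;
    memset(&driveAddr, 0xAA, sizeof(driveAddr)); /* simulated stack garbage */
    if (monitor_get_drive_addr(&driveAddr) < 0)
        return 0;
    disk->bus = driveAddr.bus;
    disk->unit = driveAddr.unit;
    return disk->controller;
}
```

Running a build under a memory checker such as Valgrind or MemorySanitizer would flag the buggy variant on the real (non-memset) stack value, which is how this class of defect is usually confirmed once a static analyser reports it.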