[libvirt] [PATCH] Avoid segfault in virt-aa-helper when handling read-only mount filesystems
This patch fixes a segfault in virt-aa-helper caused by attempting to modify a
string literal in situ. It is triggered when a domain has a <filesystem> with
type='mount' configured readonly, and libvirt is using the AppArmor security
driver for sVirt confinement.
---
Existing code seems to use VIR_STRDUP_QUIET for similar purposes, please
change if VIR_STRDUP is preferred. Needed new cleanup rather than simply
return -1; to avoid introducing leak of tmp.
src/security/virt-aa-helper.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 49e12b9..0bcf642 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -740,6 +740,7 @@ vah_add_path(virBufferPtr buf, const char *path, const char *perms,
bool recursi
bool readonly = true;
bool explicit_deny_rule = true;
char *sub = NULL;
+ char *perms_new = NULL;
if (path == NULL)
return rc;
@@ -764,12 +765,15 @@ vah_add_path(virBufferPtr buf, const char *path, const char *perms,
bool recursi
return rc;
}
- if (strchr(perms, 'w') != NULL) {
+ if (VIR_STRDUP_QUIET(perms_new, perms) < 0)
+ goto clean_tmp;
+
+ if (strchr(perms_new, 'w') != NULL) {
readonly = false;
explicit_deny_rule = false;
}
- if ((sub = strchr(perms, 'R')) != NULL) {
+ if ((sub = strchr(perms_new, 'R')) != NULL) {
/* Don't write the invalid R permission, replace it with 'r' */
sub[0] = 'r';
explicit_deny_rule = false;
@@ -787,7 +791,7 @@ vah_add_path(virBufferPtr buf, const char *path, const char *perms,
bool recursi
if (tmp[strlen(tmp) - 1] == '/')
tmp[strlen(tmp) - 1] = '\0';
- virBufferAsprintf(buf, " \"%s%s\" %s,\n", tmp, recursive ?
"/**" : "", perms);
+ virBufferAsprintf(buf, " \"%s%s\" %s,\n", tmp, recursive ?
"/**" : "", perms_new);
if (explicit_deny_rule) {
virBufferAddLit(buf, " # don't audit writes to readonly
files\n");
virBufferAsprintf(buf, " deny \"%s%s\" w,\n", tmp, recursive
? "/**" : "");
@@ -798,6 +802,8 @@ vah_add_path(virBufferPtr buf, const char *path, const char *perms,
bool recursi
}
cleanup:
+ VIR_FREE(perms_new);
+ clean_tmp:
VIR_FREE(tmp);
return rc;
--
2.9.3