[libvirt] [PATCH 0/4] disallow multiple APIs on read-only connections
One patch per CVE for: CVE-2019-10161 CVE-2019-10166 CVE-2019-10167 CVE-2019-10168 Ján Tomko (4): api: disallow virDomainSaveImageGetXMLDesc on read-only connections api: disallow virDomainManagedSaveDefineXML on read-only connections api: disallow virConnectGetDomainCapabilities on read-only connections api: disallow virConnect*HypervisorCPU on read-only connections src/libvirt-domain.c | 13 ++++--------- src/libvirt-host.c | 2 ++ src/qemu/qemu_driver.c | 2 +- src/remote/remote_protocol.x | 3 +-- 4 files changed, 8 insertions(+), 12 deletions(-) Now pushed. -- 2.20.1
The virDomainSaveImageGetXMLDesc API is taking a path parameter, which can point to any path on the system. This file will then be read and parsed by libvirtd running with root privileges. Forbid it on read-only connections. Fixes: CVE-2019-10161 Reported-by: Matthias Gerstner <mgerstner@suse.de> Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/libvirt-domain.c | 11 ++--------- src/qemu/qemu_driver.c | 2 +- src/remote/remote_protocol.x | 3 +-- 3 files changed, 4 insertions(+), 12 deletions(-) diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c index 509ce5ac8b..b15726caa9 100644 --- a/src/libvirt-domain.c +++ b/src/libvirt-domain.c @@ -1073,8 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml, * previously by virDomainSave() or virDomainSaveFlags(). * * No security-sensitive data will be included unless @flags contains - * VIR_DOMAIN_SAVE_IMAGE_XML_SECURE; this flag is rejected on read-only - * connections. + * VIR_DOMAIN_SAVE_IMAGE_XML_SECURE. * * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of * error. The caller must free() the returned value. @@ -1090,13 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file, virCheckConnectReturn(conn, NULL); virCheckNonNullArgGoto(file, error); - - if ((conn->flags & VIR_CONNECT_RO) && - (flags & VIR_DOMAIN_SAVE_IMAGE_XML_SECURE)) { - virReportError(VIR_ERR_OPERATION_DENIED, "%s", - _("virDomainSaveImageGetXMLDesc with secure flag")); - goto error; - } + virCheckReadOnlyGoto(conn->flags, error); if (conn->driver->domainSaveImageGetXMLDesc) { char *ret; diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 2127a5bc3d..40a2aa440f 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -7036,7 +7036,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path, if (fd < 0) goto cleanup; - if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0) + if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0) goto cleanup; ret = qemuDomainDefFormatXML(driver, def, flags); diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x index d64b494cef..2e45b5cef0 100644 --- a/src/remote/remote_protocol.x +++ b/src/remote/remote_protocol.x @@ -5319,8 +5319,7 @@ enum remote_procedure { /** * @generate: both * @priority: high - * @acl: domain:read - * @acl: domain:read_secure:VIR_DOMAIN_SAVE_IMAGE_XML_SECURE + * @acl: domain:write */ REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235, -- 2.20.1
The virDomainManagedSaveDefineXML can be used to alter the domain's config used for managedsave or even execute arbitrary emulator binaries. Forbid it on read-only connections. Fixes: CVE-2019-10166 Reported-by: Matthias Gerstner <mgerstner@suse.de> Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/libvirt-domain.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c index b15726caa9..6355f497ce 100644 --- a/src/libvirt-domain.c +++ b/src/libvirt-domain.c @@ -9570,6 +9570,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, const char *dxml, virCheckDomainReturn(domain, -1); conn = domain->conn; + virCheckReadOnlyGoto(conn->flags, error); if (conn->driver->domainManagedSaveDefineXML) { int ret; -- 2.20.1
This API can be used to execute arbitrary emulators. Forbid it on read-only connections. Fixes: CVE-2019-10167 Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/libvirt-domain.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c index 6355f497ce..50767a75ed 100644 --- a/src/libvirt-domain.c +++ b/src/libvirt-domain.c @@ -11367,6 +11367,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn, virResetLastError(); virCheckConnectReturn(conn, NULL); + virCheckReadOnlyGoto(conn->flags, error); if (conn->driver->connectGetDomainCapabilities) { char *ret; -- 2.20.1
These APIs can be used to execute arbitrary emulators. Forbid them on read-only connections. Fixes: CVE-2019-10168 Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/libvirt-host.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/libvirt-host.c b/src/libvirt-host.c index e20d6ee250..2978825d22 100644 --- a/src/libvirt-host.c +++ b/src/libvirt-host.c @@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn, virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR); virCheckNonNullArgGoto(xmlCPU, error); + virCheckReadOnlyGoto(conn->flags, error); if (conn->driver->connectCompareHypervisorCPU) { int ret; @@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn, virCheckConnectReturn(conn, NULL); virCheckNonNullArgGoto(xmlCPUs, error); + virCheckReadOnlyGoto(conn->flags, error); if (conn->driver->connectBaselineHypervisorCPU) { char *cpu; -- 2.20.1
participants (1)
-
Ján Tomko