[libvirt] [PATCH] security: plug regression introduced in disk probe logic
Regression introduced in commit d6623003 (v0.8.8) - using the wrong sizeof operand meant that security manager private data was overlaying the allowDiskFOrmatProbing member of struct _virSecurityManager. This reopens disk probing, which was supposed to be prevented by the solution to CVE-2010-2238. * src/security/security_manager.c (virSecurityManagerGetPrivateData): Use correct offset. --- src/security/security_manager.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/security/security_manager.c b/src/security/security_manager.c index 0246dd8..833c1a2 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -107,7 +107,7 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name, void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr) { - return ((char*)mgr) + sizeof(mgr); + return ((char*)mgr) + sizeof(*mgr); } -- 1.7.4.4
On 05/31/2011 05:35 PM, Eric Blake wrote:
Regression introduced in commit d6623003 (v0.8.8) - using the wrong sizeof operand meant that security manager private data was overlaying the allowDiskFOrmatProbing member of struct _virSecurityManager. This reopens disk probing, which was supposed to be prevented by the solution to CVE-2010-2238.
* src/security/security_manager.c (virSecurityManagerGetPrivateData): Use correct offset. --- src/security/security_manager.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/security/security_manager.c b/src/security/security_manager.c index 0246dd8..833c1a2 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -107,7 +107,7 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name,
void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr) { - return ((char*)mgr) + sizeof(mgr); + return ((char*)mgr) + sizeof(*mgr);
I suppose I could have used: return mgr + 1; instead, since that gives the same address with less typing. Any preferences on which form to commit? -- Eric Blake eblake@redhat.com +1-801-349-2682 Libvirt virtualization library http://libvirt.org
2011/6/2 Eric Blake <eblake@redhat.com>:
On 05/31/2011 05:35 PM, Eric Blake wrote:
Regression introduced in commit d6623003 (v0.8.8) - using the wrong sizeof operand meant that security manager private data was overlaying the allowDiskFOrmatProbing member of struct _virSecurityManager. This reopens disk probing, which was supposed to be prevented by the solution to CVE-2010-2238.
* src/security/security_manager.c (virSecurityManagerGetPrivateData): Use correct offset. --- src/security/security_manager.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/security/security_manager.c b/src/security/security_manager.c index 0246dd8..833c1a2 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -107,7 +107,7 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name,
void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr) { - return ((char*)mgr) + sizeof(mgr); + return ((char*)mgr) + sizeof(*mgr);
I suppose I could have used:
return mgr + 1;
instead, since that gives the same address with less typing. Any preferences on which form to commit?
I'd say go with the more readable mgr + 1. Matthias
On 06/01/2011 04:52 PM, Matthias Bolte wrote:
+++ b/src/security/security_manager.c @@ -107,7 +107,7 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name,
void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr) { - return ((char*)mgr) + sizeof(mgr); + return ((char*)mgr) + sizeof(*mgr);
I suppose I could have used:
return mgr + 1;
instead, since that gives the same address with less typing. Any preferences on which form to commit?
I'd say go with the more readable mgr + 1.
Thanks, and pushed as follows: void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr) { - return ((char*)mgr) + sizeof(mgr); + /* This accesses the memory just beyond mgr, which was allocated + * via VIR_ALLOC_VAR earlier. */ + return mgr + 1; } -- Eric Blake eblake@redhat.com +1-801-349-2682 Libvirt virtualization library http://libvirt.org
2011/6/1 Eric Blake <eblake@redhat.com>:
Regression introduced in commit d6623003 (v0.8.8) - using the wrong sizeof operand meant that security manager private data was overlaying the allowDiskFOrmatProbing member of struct
s/FOrmat/Format/
_virSecurityManager. This reopens disk probing, which was supposed to be prevented by the solution to CVE-2010-2238.
* src/security/security_manager.c (virSecurityManagerGetPrivateData): Use correct offset. --- src/security/security_manager.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/security/security_manager.c b/src/security/security_manager.c index 0246dd8..833c1a2 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -107,7 +107,7 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name,
void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr) { - return ((char*)mgr) + sizeof(mgr); + return ((char*)mgr) + sizeof(*mgr); }
ACK. Matthias
participants (2)
-
Eric Blake -
Matthias Bolte