[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] Fix libvirtd crash possibility

On 09/12/2012 04:07 PM, Eric Blake wrote:
> On 09/12/2012 03:54 PM, Martin Kletzander wrote:
>> When generating RPC protocol messages, it's strictly needed to have
>> continuousline of numbers or RPC messages. However in case anyone
>> tries backporting some functionality and will skip a number, there is
>> a possibility to make the daemon segfault with newer virsh (version of
>> the library, rpc call, etc.) even unintentionally.
> Indeed, upstream is contiguous, but downstream, we _can't_ backport new
> calls (because that would break .so versioning), but _must_ backport new
> events using the same RPC number as upstream (since events don't break
> .so), so downstream can definitely get into a state of gaps in the
> numbering.  Although upstream will never have the gap, I think a patch
> along these lines is appropriate for upstream, rather than forcing each
> downstream to deal with the gap they create by selective backports.

Correcting myself, there are gaps even in upstream - we MUST assume
malicious clients, that try to invoke an event, and therefore this can
crash upstream libvirtd without any backporting involved if it is not

Looking at the generated daemon/remote_dispatch.h, we can see things like:

{ /* Async event DomainEventBalloonChange => 276 */
{ /* Method DomainGetHostname => 277 */

where a malicious client trying to call RPC 276 will trigger the failure
if we don't patch things.

> Not quite right.  I think the correct fix is to instead make
> virNetServerProgramGetProc() return NULL instead of an uninitialized
> entry, if that entry has a NULL func pointer.

I still think my suggestion is correct, though - fix it at the source,
not at each caller.

Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]