On 22.10.2011 01:16, Eric Blake wrote:
> Detected by Coverity. Both text and JSON monitors set only the
> bus and unit fields, which means driveAddr.controller spends
> life as garbage on the stack, and is then memcpy()'d into the
> in-memory representation which the user can see via dumpxml.
>
> * src/qemu/qemu_hotplug.c (qemuDomainAttachSCSIDisk): Only copy
> defined fields.
> ---
>
> I have to admit that Coverity is good - it took me several minutes
> to follow the trail down to qemu_monitor_{text,json}.c and prove to
> myself that driveAddr.controller really is untouched on success.
>
> I didn't actually try to exploit this one - it depends on whatever
> is already on the stack, and your compiler optimization levels,
> before you would ever see dumpxml giving bogus information in
> the <address controller='garbage'> field of the hotplugged <disk>.
>
> src/qemu/qemu_hotplug.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)

ACK

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
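The defect pattern the commit message describes, as an added C example that is not libvirt's code (the struct layout, `monitor_get_drive_addr` and the two `attach_scsi_disk_*` functions are hypothetical stand-ins): the "before" version memcpy()s the whole struct and so carries the never-written controller field into the result, the "after" version copies only the fields the monitor actually defines.

```c
#include <string.h>

/* Stand-in for the drive address struct the commit talks about
 * (hypothetical layout, not libvirt's real definition). */
typedef struct {
    unsigned int controller;
    unsigned int bus;
    unsigned int unit;
} drive_addr;

/* Models the text/JSON monitor helpers: on success only bus and unit
 * are written; controller is never touched. */
static int monitor_get_drive_addr(drive_addr *addr)
{
    addr->bus = 0;
    addr->unit = 1;
    return 0;
}

/* Models whatever was left on the stack before driveAddr was declared.
 * Reading truly uninitialized memory is undefined behaviour, so the stale
 * contents are filled in explicitly to keep the demonstration deterministic. */
#define STALE_STACK_BYTE 0xAB

/* "Before" the fix: the whole struct is memcpy()'d, so the untouched
 * controller field travels into the in-memory disk definition. */
drive_addr attach_scsi_disk_memcpy(void)
{
    drive_addr driveAddr, out;
    memset(&driveAddr, STALE_STACK_BYTE, sizeof(driveAddr));
    memset(&out, 0, sizeof(out));
    monitor_get_drive_addr(&driveAddr);
    memcpy(&out, &driveAddr, sizeof(driveAddr));   /* copies the stale controller */
    return out;
}

/* "After" the fix: copy only the fields the monitor defines; controller
 * keeps whatever the caller already set (zero here). */
drive_addr attach_scsi_disk_fields(void)
{
    drive_addr driveAddr, out;
    memset(&driveAddr, STALE_STACK_BYTE, sizeof(driveAddr));
    memset(&out, 0, sizeof(out));
    monitor_get_drive_addr(&driveAddr);
    out.bus = driveAddr.bus;
    out.unit = driveAddr.unit;
    return out;
}
```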