On 10/24/2011 04:14 AM, Michal Privoznik wrote:
On 22.10.2011 01:16, Eric Blake wrote:Detected by Coverity. Both text and JSON monitors set only the bus and unit fields, which means driveAddr.controller spends life as garbage on the stack, and is then memcpy()'d into the in-memory representation which the user can see via dumpxml. * src/qemu/qemu_hotplug.c (qemuDomainAttachSCSIDisk): Only copy defined fields. --- I have to admit that Coverity is good - it took me several minutes to follow the trail down to qemu_monitor_{text,json}.c and prove to myself that driveAddr.controller really is untouched on success. I didn't actually try to exploit this one - it depends on whatever is already on the stack, and your compiler optimization levels, before you would ever see dumpxml giving bogus information in the<address controller='garbage'> field of the hotplugged<disk>. src/qemu/qemu_hotplug.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-)ACK
Thanks; pushed. -- Eric Blake eblake@xxxxxxxxxx +1-801-349-2682 Libvirt virtualization library http://libvirt.org -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list