On 10/24/2011 04:14 AM, Michal Privoznik wrote:
On 22.10.2011 01:16, Eric Blake wrote:
Detected by Coverity. Both text and JSON monitors set only the
bus and unit fields, which means driveAddr.controller spends
life as garbage on the stack, and is then memcpy()'d into the
in-memory representation which the user can see via dumpxml.
* src/qemu/qemu_hotplug.c (qemuDomainAttachSCSIDisk): Only copy
defined fields.
---
I have to admit that Coverity is good - it took me several minutes
to follow the trail down to qemu_monitor_{text,json}.c and prove to
myself that driveAddr.controller really is untouched on success.
I didn't actually try to exploit this one - it depends on whatever
is already on the stack, and your compiler optimization levels,
before you would ever see dumpxml giving bogus information in
the <address controller='garbage'> field of the hotplugged <disk>.
src/qemu/qemu_hotplug.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
ACK
Thanks; pushed.
--
Eric Blake eblake@xxxxxxxxxx +1-801-349-2682
Libvirt virtualization library http://libvirt.org
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
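The defect described in the commit message above, reduced to a self-contained C model (added example, not libvirt's code): a monitor query fills only the bus and unit fields of a stack-allocated address, and the 'before' pattern memcpy()s the whole struct into the visible device address, carrying the untouched controller field with it. The struct names, the monitor_query_drive() helper and the STALE_STACK_VALUE seed are assumptions made for illustration; the seed stands in for whatever the stack happened to contain so the leak is deterministic here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the two address structs; field layout is assumed. */
struct driveAddr {            /* what the hypothetical monitor query reports */
    unsigned int controller;
    unsigned int bus;
    unsigned int unit;
};

struct deviceAddr {           /* what the domain definition holds (seen via dumpxml) */
    unsigned int controller;
    unsigned int bus;
    unsigned int unit;
};

/* Stand-in for whatever the previous call left in that stack slot. */
#define STALE_STACK_VALUE 0xDEADBEEFu

/* Hypothetical monitor handler: like the text/JSON monitors in the commit
 * message, it sets only bus and unit and never writes controller. */
static int monitor_query_drive(struct driveAddr *out, unsigned int bus, unsigned int unit)
{
    out->bus = bus;
    out->unit = unit;
    return 0;
}

/* 'Before' pattern: the whole struct is copied, so the untouched controller
 * field becomes visible. The stale value is planted explicitly to keep the
 * result deterministic; a real uninitialized slot holds arbitrary bytes. */
static int attach_disk_before(struct deviceAddr *dev, unsigned int bus, unsigned int unit)
{
    struct driveAddr addr;
    addr.controller = STALE_STACK_VALUE;   /* simulates the uninitialized field */
    if (monitor_query_drive(&addr, bus, unit) < 0)
        return -1;
    memcpy(dev, &addr, sizeof(*dev));      /* copies the garbage along with bus/unit */
    return 0;
}

/* 'After' pattern, as the commit does it: copy only the fields the monitor
 * defines; controller keeps the value the domain config already assigned.
 * Zero-initializing the local is an extra safety net, not a substitute. */
static int attach_disk_after(struct deviceAddr *dev, unsigned int bus, unsigned int unit)
{
    struct driveAddr addr = {0};
    if (monitor_query_drive(&addr, bus, unit) < 0)
        return -1;
    dev->bus = addr.bus;
    dev->unit = addr.unit;
    return 0;
}

/* Controller value a user would see after each variant of the hotplug. */
unsigned int controller_seen_before(unsigned int bus, unsigned int unit)
{
    struct deviceAddr dev = { .controller = 0, .bus = 0, .unit = 0 };
    attach_disk_before(&dev, bus, unit);
    return dev.controller;
}

unsigned int controller_seen_after(unsigned int configured_controller,
                                   unsigned int bus, unsigned int unit)
{
    struct deviceAddr dev = { .controller = configured_controller, .bus = 0, .unit = 0 };
    attach_disk_after(&dev, bus, unit);
    return dev.controller;
}

int main(void)
{
    printf("before fix: controller=0x%x\n", controller_seen_before(0, 1));
    printf("after fix:  controller=%u\n", controller_seen_after(2, 0, 1));
    return 0;
}
```

The explicit seed is what makes the 'before' output reproducible; drop the `addr.controller = STALE_STACK_VALUE;` line and the read becomes a genuine uninitialized-memory access, which is exactly the class of defect Coverity flagged here and which MemorySanitizer (`-fsanitize=memory`) or Valgrind memcheck would report at runtime. The general rule the fix illustrates is to copy only the fields a callee documents as set, rather than the whole struct.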