On 12/20/2013 02:36 PM, Jiri Denemark wrote: > When fixing https://bugzilla.redhat.com/show_bug.cgi?id=1043069 I > realized qemuDomainBlockStats is not the only API that does not acquire > a job early enough. Generally, every API that is going to begin a job > should do that before fetching data from vm->def. The following 5 APIs > failed to do so and moreover used the data fetched early from vm->def > after starting a job. In some circumstances this can lead to a crash. This series has been assigned CVE-2013-6458. I ran out of time today to review the rest of the series and start the backports; but hopefully we can get progress on it before 2014. > > Jiri Denemark (5): > qemu: Do not access stale data in virDomainBlockStats > qemu: Avoid using stale data in virDomainGetBlockInfo > qemu: Fix job usage in qemuDomainBlockJobImpl > qemu: Fix job usage in qemuDomainBlockCopy > qemu: Fix job usage in virDomainGetBlockIoTune > > src/qemu/qemu_driver.c | 92 ++++++++++++++++++++++++-------------------------- > 1 file changed, 44 insertions(+), 48 deletions(-) > -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list