virdevmapper: fix stat comparison in virDMSanitizepath

Introduced by commit <22494556542c676d1b9e7f1c1f2ea13ac17e1e3e> which
fixed a CVE.

If the @path passed to virDMSanitizepath() is not a DM name or not a
path to DM name this function could return incorrect sanitized path as
it would always be the first device under /dev/mapper/.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>

diff --git a/src/util/virdevmapper.c b/src/util/virdevmapper.c
index 6c39a2a44db59e70cb8ce868f2c84869b9896f72..c4719d0670757f9e5e9650e0b2d9b747f3b8465f 100644 (file)
--- a/src/util/virdevmapper.c
+++ b/src/util/virdevmapper.c
@@ -204,7 +204,7 @@ virDMSanitizepath(const char *path)
         g_autofree char *tmp = g_strdup_printf(DEV_DM_DIR "/%s", ent->d_name);
 
         if (stat(tmp, &sb[1]) == 0 &&
-            sb[0].st_rdev == sb[0].st_rdev) {
+            sb[0].st_rdev == sb[1].st_rdev) {
             return g_steal_pointer(&tmp);
         }
     }