storage: Handle failure from refreshVol CVE-2015-5247-3
authorJohn Ferlan <jferlan@redhat.com>
Mon, 24 Aug 2015 16:38:13 +0000 (12:38 -0400)
committerJohn Ferlan <jferlan@redhat.com>
Wed, 2 Sep 2015 12:59:53 +0000 (08:59 -0400)
Commit id '155ca616' added the 'refreshVol' API. In an NFS root-squash
environment it was possible that if the just created volume from XML wasn't
properly created with the right uid/gid and/or mode, then the followup
refreshVol will fail to open the volume in order to get the allocation/
capacity values. This would leave the volume still on the server and
cause a libvirtd crash because 'voldef' would be in the pool list, but
the cleanup code would free it.

src/storage/storage_driver.c

index ea7e0f3c71513cf94e3c5c4f58d0c70e601241b9..0494e5d7a0695612631a20ac09e92e67f0ef2c42 100644 (file)
@@ -1867,8 +1867,12 @@ storageVolCreateXML(virStoragePoolPtr obj,
     }
 
     if (backend->refreshVol &&
-        backend->refreshVol(obj->conn, pool, voldef) < 0)
+        backend->refreshVol(obj->conn, pool, voldef) < 0) {
+        storageVolDeleteInternal(volobj, backend, pool, voldef,
+                                 0, false);
+        voldef = NULL;
         goto cleanup;
+    }
 
     /* Update pool metadata ignoring the disk backend since
      * it updates the pool values.
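Review bot: The return value of `storageVolDeleteInternal(...)` in the new refreshVol failure branch is discarded, and `voldef = NULL` runs whether or not the delete succeeded. storageVolDeleteInternal is not visible in this hunk, so confirm what state `voldef` is in when the delete itself fails: if it is still in the pool list, the volume stays listed and on the server, and if it was unlinked but not freed, it leaks. A delete failure looks plausible in the same root-squash setup that made refreshVol fail, so the branch should at least log it, and a comment such as `/* storageVolDeleteInternal presumably unlinks and frees voldef; clear it so cleanup does not free it again */` would record the ownership rule this crash fix depends on. The error reported by refreshVol may also be overwritten by one raised on the delete path; saving it with `virSaveLastError()` before the delete and restoring it afterwards would keep the original cause for the caller. storageVolCreateXML begins and ends outside this hunk.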