From: Markus Groß
Date: Thu, 26 May 2011 14:28:23 +0000 (+0800)
Subject: Fix modifying disk devices in qemu driver
X-Git-Tag: CVE-2011-2178~76
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=23e5393c40f4dc59d5c5d28c076899be1c231ddf;p=thirdparty%2Flibvirt.git

Fix modifying disk devices in qemu driver

When modifying the disk devices of a live domain and the domain configuration, the function qemuDomainAttachDeviceConfig first sets dev->data->disk to NULL. Later qemuDomainAttachDeviceLive accesses dev->data.disk and causes a segfault.

* src/qemu/qemu_driver.c: fix qemuDomainModifyDeviceFlags() accordingly
---
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 6511ffd976..c539474944 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -4418,12 +4418,13 @@ qemuDomainModifyDeviceFlags(virDomainPtr dom, const char *xml,
 "%s", _("cannot modify device on transient domain"));
 goto endjob;
 }
- dev = virDomainDeviceDefParse(driver->caps, vm->def, xml,
- VIR_DOMAIN_XML_INACTIVE);
- if (dev == NULL)
- goto endjob;
 if (flags & VIR_DOMAIN_DEVICE_MODIFY_CONFIG) {
+ dev = virDomainDeviceDefParse(driver->caps, vm->def, xml,
+ VIR_DOMAIN_XML_INACTIVE);
+ if (dev == NULL)
+ goto endjob;
+
 /* Make a copy for updated domain. */
 vmdef = virDomainObjCopyPersistentDef(driver->caps, vm);
 if (!vmdef)
@@ -4447,6 +4448,13 @@ qemuDomainModifyDeviceFlags(virDomainPtr dom, const char *xml,
 ret = 0;
 if (!ret && (flags & VIR_DOMAIN_DEVICE_MODIFY_LIVE)) {
+ /* If dev exists it was created to modify the domain config. Free it. */
+ virDomainDeviceDefFree(dev);
+ dev = virDomainDeviceDefParse(driver->caps, vm->def, xml,
+ VIR_DOMAIN_XML_INACTIVE);
+ if (dev == NULL)
+ goto endjob;
+
 switch (action) {
 case QEMU_DEVICE_ATTACH:
 ret = qemuDomainAttachDeviceLive(vm, dev, dom);
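Review bot: With the parse moved inside the `VIR_DOMAIN_DEVICE_MODIFY_CONFIG` branch, `dev` is no longer assigned on every path, so the `virDomainDeviceDefFree(dev)` added in the LIVE branch (second hunk) is only safe if `dev` is initialised to NULL where it is declared. The declaration and the cleanup path are outside this hunk, so this needs confirming there. Freeing an uninitialised pointer on a LIVE-only call would be heap corruption, which is worse than the NULL dereference this commit removes. A comment above the moved parse would record the contract, e.g. `/* dev stays NULL unless MODIFY_CONFIG is set; the LIVE path frees and re-parses it. */`.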
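Review bot: The `goto endjob` after the second `virDomainDeviceDefParse` call leaves `ret` at 0, because this block is entered only when `!ret` holds. A failed re-parse would therefore be reported to the caller as success although no live change was made. Set the error before jumping, e.g. `if (dev == NULL) { ret = -1; goto endjob; }`, using whatever negative value the function already returns on failure. The `endjob` label and the return statement are outside the hunk, so this assumes `ret` is returned unchanged from there. The first hunk's `goto endjob` has the same shape, but whether `ret` is still negative at that point is not visible.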