From: Daniel P. Berrange <berrange@redhat.com>
Date: Mon, 13 May 2013 12:58:22 +0000 (+0100)
Subject: Forbid use of ':' in RBD pool names
X-Git-Tag: CVE-2013-1962~34
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2a2bc1517a7322af7eff07e2854a75bb5f41a10f;p=thirdparty%2Flibvirt.git

Forbid use of ':' in RBD pool names

The QEMU command line syntax for RBD disks is

   file=rbd:pool/image:opt1=val1:opt2=val2...

There is no way to escape the ':' if it appears in the
pool or image name. Thus it must be explicitly forbidden
if it occurs in the libvirt XML. People are known to
be abusing the lack of escaping in current libvirt to
pass arbitrary args to QEMU.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---

diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index eddc263680..36b264b114 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -2383,6 +2383,13 @@ qemuBuildRBDString(virConnectPtr conn,
     char *secret = NULL;
     size_t secret_size;
 
+    if (strchr(disk->src, ':')) {
+        virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                       _("':' not allowed in RBD source volume name '%s'"),
+                       disk->src);
+        return -1;
+    }
+
     virBufferEscape(opt, ',', ",", "rbd:%s", disk->src);
     if (disk->auth.username) {
         virBufferEscape(opt, '\\', ":", ":id=%s", disk->auth.username);
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-invalid.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-invalid.xml
new file mode 100644
index 0000000000..e8d3280013
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-invalid.xml
@@ -0,0 +1,37 @@
+<domain type='qemu'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>219136</memory>
+  <currentMemory unit='KiB'>219136</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='i686' machine='pc'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu</emulator>
+    <disk type='block' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source dev='/dev/HostVG/QEMUGuest1'/>
+      <target dev='hda' bus='ide'/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <disk type='network' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source protocol='rbd' name='poolname/imagename:rbd_cache=1:rbd_cache_size=67108864:rbd_cache_max_dirty=0'>
+        <host name='mon1.example.org' port='6321'/>
+        <host name='mon2.example.org' port='6322'/>
+        <host name='mon3.example.org' port='6322'/>
+      </source>
+      <target dev='vda' bus='virtio'/>
+    </disk>
+    <controller type='usb' index='0'/>
+    <controller type='ide' index='0'/>
+    <controller type='pci' index='0' model='pci-root'/>
+    <memballoon model='virtio'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 98ceb83fba..579c016c28 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -160,6 +160,9 @@ static int testCompareXMLToArgvFiles(const char *xml,
                                      VIR_NETDEV_VPORT_PROFILE_OP_NO_OP))) {
         if (flags & FLAG_EXPECT_FAILURE) {
             ret = 0;
+            if (virTestGetDebug() > 1)
+                fprintf(stderr, "Got expected error: %s\n",
+                        virGetLastErrorMessage());
             virResetLastError();
         }
         goto out;
@@ -528,6 +531,8 @@ mymain(void)
             QEMU_CAPS_DRIVE, QEMU_CAPS_DRIVE_FORMAT);
     DO_TEST("disk-drive-network-rbd-ipv6",
             QEMU_CAPS_DRIVE, QEMU_CAPS_DRIVE_FORMAT);
+    DO_TEST_FAILURE("disk-drive-network-rbd-invalid",
+                    QEMU_CAPS_DRIVE, QEMU_CAPS_DRIVE_FORMAT);
     DO_TEST("disk-drive-no-boot",
             QEMU_CAPS_DRIVE, QEMU_CAPS_DEVICE, QEMU_CAPS_BOOTINDEX);
     DO_TEST("disk-usb",  NONE);