From: Peter Krempa
Date: Mon, 6 Jan 2014 13:26:14 +0000 (+0100)
Subject: qemu: range check numa memory placement mode
X-Git-Tag: CVE-2013-6458-1~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6e7490c734a538983f9c5ae680cdb36edbaffe65;p=thirdparty%2Flibvirt.git

qemu: range check numa memory placement mode

https://bugzilla.redhat.com/show_bug.cgi?id=1047234

Add a range check for supported numa memory placement modes provided by the user before setting them in the domain definition. Without the check the user is able to provide a (yet) unknown mode which is then stored in the domain definition. This potentially causes a NULL dereference when the definition is formatted into the XML.

To reproduce run:

virsh numatune DOMNAME --mode 6 --nodeset 0

The XML will then contain:

With this fix, the command fails:

error: Unable to change numa parameters
error: invalid argument: unsupported numa_mode: '6'
---
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 819ad7f2a5..7e45ffcfbb 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -8276,6 +8276,14 @@ qemuDomainSetNumaParameters(virDomainPtr dom, if (STREQ(param->field, VIR_DOMAIN_NUMA_MODE)) { int mode = param->value.i; + if (mode >= VIR_NUMA_TUNE_MEM_PLACEMENT_MODE_LAST || + mode < VIR_NUMA_TUNE_MEM_PLACEMENT_MODE_DEFAULT) + { + virReportError(VIR_ERR_INVALID_ARG, + _("unsupported numa_mode: '%d'"), mode); + goto cleanup; + } + if ((flags & VIR_DOMAIN_AFFECT_LIVE) && vm->def->numatune.memory.mode != mode) { virReportError(VIR_ERR_OPERATION_INVALID, "%s",
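Review bot: the bounds added in the VIR_DOMAIN_NUMA_MODE branch come from VIR_NUMA_TUNE_MEM_PLACEMENT_MODE_DEFAULT and VIR_NUMA_TUNE_MEM_PLACEMENT_MODE_LAST, yet the value being checked is the one reported as numa_mode and compared with vm->def->numatune.memory.mode in the next statement, so the constants look like they belong to a different setting than the one validated. Please confirm which enum backs memory.mode and bound the check with that enum's own _LAST sentinel; if the two enums merely have the same number of values today, the range stops matching as soon as either one grows, and an out-of-range mode can again reach the XML formatter that the commit message says dereferences NULL. The lower bound would also be clearer as "mode < 0" than as a comparison with the first enumerator, since it would no longer depend on DEFAULT remaining the lowest value. The commit message gives a manual reproducer; a regression test that passes an out-of-range mode and expects VIR_ERR_INVALID_ARG would keep the check from silently regressing.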