From: Martin Kletzander
Date: Thu, 6 Nov 2025 14:31:12 +0000 (+0100)
Subject: bhyve: Check ACLs before parsing the whole domain XML
X-Git-Tag: CVE-2025-12748~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b45f10bc0a2f30ccdbf2cb55da2e4f85b3ebfb23;p=thirdparty%2Flibvirt.git

bhyve: Check ACLs before parsing the whole domain XML

Utilise the new virDomainDefIDsParseString() for that.

Fixes: CVE-2025-12748
Reported-by: Святослав Терешин
Signed-off-by: Martin Kletzander
Reviewed-by: Michal Privoznik
---

diff --git a/src/bhyve/bhyve_driver.c b/src/bhyve/bhyve_driver.c
index 00a484ae21..3a4e83d3d2 100644
--- a/src/bhyve/bhyve_driver.c
+++ b/src/bhyve/bhyve_driver.c
@@ -486,6 +486,15 @@ bhyveDomainDefineXMLFlags(virConnectPtr conn, const char *xml, unsigned int flag
 if (!caps)
 return NULL;
 
+ /* Avoid parsing the whole domain definition for ACL checks */
+ if (!(def = virDomainDefIDsParseString(xml, provconn->xmlopt, parse_flags)))
+ return NULL;
+
+ if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0)
+ return NULL;
+
+ g_clear_pointer(&def, virDomainDefFree);
+
 if ((def = virDomainDefParseString(xml, privconn->xmlopt,
 NULL, parse_flags)) == NULL)
 goto cleanup;
@@ -493,9 +502,6 @@ bhyveDomainDefineXMLFlags(virConnectPtr conn, const char *xml, unsigned int flag
 if (virXMLCheckIllegalChars("name", def->name, "\n") < 0)
 goto cleanup;
 
- if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0)
- goto cleanup;
-
 if (bhyveDomainAssignAddresses(def, NULL) < 0)
 goto cleanup;
 
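Review bot: `provconn->xmlopt` in the added `virDomainDefIDsParseString()` call of the first bhyveDomainDefineXMLFlags hunk looks like a typo for `privconn->xmlopt`, the spelling used by the `virDomainDefParseString()` call a few lines below it. No `provconn` appears anywhere in the visible context, so as written the file would presumably fail to compile; the same spelling is repeated in the bhyveDomainCreateXML hunk. Both calls should read `if (!(def = virDomainDefIDsParseString(xml, privconn->xmlopt, parse_flags)))`. The function's declarations are outside the hunk, so confirm against the full file, and make sure the bhyve driver is actually compiled before this fix for CVE-2025-12748 is backported.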
@@ -889,11 +895,17 @@ bhyveDomainCreateXML(virConnectPtr conn,
 if (flags & VIR_DOMAIN_START_AUTODESTROY)
 start_flags |= VIR_BHYVE_PROCESS_START_AUTODESTROY;
 
- if ((def = virDomainDefParseString(xml, privconn->xmlopt,
- NULL, parse_flags)) == NULL)
- goto cleanup;
+ /* Avoid parsing the whole domain definition for ACL checks */
+ if (!(def = virDomainDefIDsParseString(xml, provconn->xmlopt, parse_flags)))
+ return NULL;
 
 if (virDomainCreateXMLEnsureACL(conn, def) < 0)
+ return NULL;
+
+ g_clear_pointer(&def, virDomainDefFree);
+
+ if ((def = virDomainDefParseString(xml, privconn->xmlopt,
+ NULL, parse_flags)) == NULL)
 goto cleanup;
 
 if (bhyveDomainAssignAddresses(def, NULL) < 0)
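Review bot: The ACL-failure path after `virDomainCreateXMLEnsureACL()` now exits with `return NULL;` where it used to `goto cleanup;`, and at that point `def` still holds the ID-only definition. That is only leak-free if `def` is declared with `g_autoptr` and nothing acquired earlier in bhyveDomainCreateXML depends on the `cleanup` label; neither is visible, because the function starts and ends outside the hunk. The bhyveDomainDefineXMLFlags hunk makes the same switch on its ACL path. If this cannot be confirmed, keep `goto cleanup;` on the two new early exits. The comment could also state the reason for the ordering, for example `/* Parse only the identifying fields first so callers that fail the ACL check never reach the full domain XML parser */`.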