From: Eric Blake <eblake@redhat.com>
Date: Thu, 26 May 2011 14:18:46 +0000 (-0600)
Subject: security: plug regression introduced in disk probe logic
X-Git-Tag: CVE-2011-2178^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b598ac555c8fe67ffc39ac8ef25fe7e6b28ae3f2;p=thirdparty%2Flibvirt.git

security: plug regression introduced in disk probe logic

Regression introduced in commit d6623003 (v0.8.8) - using the
wrong sizeof operand meant that security manager private data
was overlaying the allowDiskFormatProbing member of struct
_virSecurityManager.  This reopens disk probing, which was
supposed to be prevented by the solution to CVE-2010-2238.

* src/security/security_manager.c
(virSecurityManagerGetPrivateData): Use correct offset.
---

diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 0246dd88bd..6f0becdb78 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -107,7 +107,9 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name,
 
 void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr)
 {
-    return ((char*)mgr) + sizeof(mgr);
+    /* This accesses the memory just beyond mgr, which was allocated
+     * via VIR_ALLOC_VAR earlier.  */
+    return mgr + 1;
 }