From: Pavel Hrdina <phrdina@redhat.com>
Date: Fri, 13 Nov 2020 09:45:30 +0000 (+0100)
Subject: virdevmapper: fix stat comparison in virDMSanitizepath
X-Git-Tag: v6.10.0-rc1~135
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f711fa9ad09f68ea7f0bcaf999fab9c06dc6a93e;p=thirdparty%2Flibvirt.git

virdevmapper: fix stat comparison in virDMSanitizepath

Introduced by commit <22494556542c676d1b9e7f1c1f2ea13ac17e1e3e> which
fixed a CVE.

If the @path passed to virDMSanitizepath() is not a DM name or not a
path to DM name this function could return incorrect sanitized path as
it would always be the first device under /dev/mapper/.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
---

diff --git a/src/util/virdevmapper.c b/src/util/virdevmapper.c
index 6c39a2a44d..c4719d0670 100644
--- a/src/util/virdevmapper.c
+++ b/src/util/virdevmapper.c
@@ -204,7 +204,7 @@ virDMSanitizepath(const char *path)
         g_autofree char *tmp = g_strdup_printf(DEV_DM_DIR "/%s", ent->d_name);
 
         if (stat(tmp, &sb[1]) == 0 &&
-            sb[0].st_rdev == sb[0].st_rdev) {
+            sb[0].st_rdev == sb[1].st_rdev) {
             return g_steal_pointer(&tmp);
         }
     }