[libvirt PATCH 09/11] virdevmapper: fix stat comparison in virDMSanitizepath
Peter Krempa
pkrempa at redhat.com
Mon Nov 16 16:08:32 UTC 2020
On Mon, Nov 16, 2020 at 16:38:56 +0100, Pavel Hrdina wrote:
> Introduced by commit <22494556542c676d1b9e7f1c1f2ea13ac17e1e3e>.
This is a real bug and the commit message neglects to mention what the
implications are.
This basically returns the first entry of /dev/mapper/ if the previous
conditions don't match. That seems serious.
Especially since the original commit fixes a CVE!
>
> Signed-off-by: Pavel Hrdina <phrdina at redhat.com>
> ---
> src/util/virdevmapper.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/util/virdevmapper.c b/src/util/virdevmapper.c
> index 6c39a2a44d..c4719d0670 100644
> --- a/src/util/virdevmapper.c
> +++ b/src/util/virdevmapper.c
> @@ -204,7 +204,7 @@ virDMSanitizepath(const char *path)
> g_autofree char *tmp = g_strdup_printf(DEV_DM_DIR "/%s", ent->d_name);
>
> if (stat(tmp, &sb[1]) == 0 &&
> - sb[0].st_rdev == sb[0].st_rdev) {
> + sb[0].st_rdev == sb[1].st_rdev) {
> return g_steal_pointer(&tmp);
If you improve the commit message:
Reviewed-by: Peter Krempa <pkrempa at redhat.com>
More information about the libvir-list
mailing list