Bug 816560

Summary: CVE-2012-2693 libvirt ignores address bus= device= when identicle vendor ID/product IDs usb devices attached with either virsh or virt-manager [fedora-all]
Product: [Fedora] Fedora Reporter: Ken Booth <kbooth>
Component: libvirtAssignee: Gunannan Ren <gren>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 17CC: acathrow, ajia, berrange, crobinso, dallan, dougsland, dyasny, dyuan, jforbes, jyang, laine, lyarwood, mhomolov, mzhan, pmatouse, rwu, veillard, weizhan
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: 815755 Environment:
Last Closed: 2012-07-04 12:48:33 EDT Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 816601    
Bug Blocks: 831164    

Description Ken Booth 2012-04-26 08:01:39 EDT
+++ This bug was initially created as a clone of Bug #815755 +++

Description of problem:


Version-Release number of selected component (if applicable):


How reproducible: 100%


Steps to Reproduce:
1. Take 2 RSA Tokens and connect them to a hypervisor
2. Use lsusb -v to find a uniquely identifyable property of each device 
3. Either
a) use virt-manager to attach the device with highest bus:device address to a guest
OR
b) write an XML description of the device specifying address bus= device= for the highest numbered RSA token
# virsh attach-device <domain-id> <xml-file>
4) use virsh dumpxml <domain-id> and see which device is actually attached to the guest
  
Actual results:

The device with the lowest bus:device address and matching vendor:product id is attached to the guest

Expected results:

The device specified by the address bus= device= in the XML, or the device selected in the virt-manager GUI should be attached to the guest

Additional info:

In order to confirm the wrong device is attached, login to the guest and run lsusb -v and search for the uniquely identifyable property of the device.

e.g. my RSA Token has bMaxPacketSize0 = 64, but for many of my colleagues it is 32.
Comment 2 Ken Booth 2012-04-30 19:50:29 EDT
Suggested fix ...

$ diff src/qemu/qemu_hostdev.c src/qemu/qemu_hostdev-modified.c
597,599c597,613
<             usbDevice *usb
<                 = usbFindDevice(hostdev->source.subsys.u.usb.vendor,
<                                 hostdev->source.subsys.u.usb.product);
---
>             if (hostdev->source.subsys.u.usb.bus) {
>                 usbDevice *usb
>                     = usbGetDevice(hostdev->source.subsys.u.usb.bus,
>                                    hostdev->source.subsys.u.usb.device);
>                 if ((hostdev->source.subsys.u.usb.vendor != usb->vendor) ||
>                     (hostdev->source.subsys.u.usb.product != usb->product)) {
>                     qemuReportError(VIR_ERR_OPERATION_INVALID,
>                                     _("USB device %s does not match vendor product id"),
>                                     usbDeviceGetName(tmp));
>                     usbFreeDevice(usb);
>                     goto cleanup;
>                 }
>             } else {
>                 usbDevice *usb
>                     = usbFindDevice(hostdev->source.subsys.u.usb.vendor,
>                                     hostdev->source.subsys.u.usb.product);
>             }
Comment 3 Gunannan Ren 2012-05-08 00:54:24 EDT
The patch has been pushed in upstream. So I set it to POST 
https://www.redhat.com/archives/libvir-list/2012-May/msg00289.html
Comment 4 Cole Robinson 2012-07-04 12:48:33 EDT
Fixed in currentrelease