Bug 816560 - CVE-2012-2693 libvirt ignores address bus= device= when identical vendor ID/product IDs usb devices attached with either virsh or virt-manager [fedora-all]
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 17
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Gunannan Ren
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 816601
Blocks: CVE-2012-2693
 
Reported: 2012-04-26 12:01 UTC by Ken Booth
Modified: 2013-12-19 00:17 UTC

Fixed In Version:
Clone Of: 815755
Environment:
Last Closed: 2012-07-04 16:48:33 UTC
Type: Bug
Embargoed:



Description Ken Booth 2012-04-26 12:01:39 UTC
+++ This bug was initially created as a clone of Bug #815755 +++

Description of problem:


Version-Release number of selected component (if applicable):


How reproducible: 100%


Steps to Reproduce:
1. Take 2 RSA Tokens and connect them to a hypervisor
2. Use lsusb -v to find a uniquely identifiable property of each device
3. Either
a) use virt-manager to attach the device with highest bus:device address to a guest
OR
b) write an XML description of the device specifying address bus= device= for the highest numbered RSA token
# virsh attach-device <domain-id> <xml-file>
4. use virsh dumpxml <domain-id> and see which device is actually attached to the guest
  
Actual results:

The device with the lowest bus:device address and matching vendor:product id is attached to the guest

Expected results:

The device specified by the address bus= device= in the XML, or the device selected in the virt-manager GUI should be attached to the guest

Additional info:

In order to confirm the wrong device is attached, log in to the guest and run lsusb -v and search for the uniquely identifiable property of the device.

e.g. my RSA Token has bMaxPacketSize0 = 64, but for many of my colleagues it is 32.
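
The comparison in step 4 can be scripted. The following is an added example, not part of the original report or of libvirt: it assumes the usual `lsusb` summary line format and libvirt's `<hostdev type='usb'>` XML layout, and all sample data, including the placeholder ID 1234:5678, is constructed.

```python
import re
import xml.etree.ElementTree as ET

LSUSB = re.compile(r"Bus (\d+) Device (\d+): ID ([0-9a-f]{4}):([0-9a-f]{4})")

def _num(src, tag, attr):
    """Read a decimal or 0x-prefixed attribute from <source>, or None if absent."""
    el = src.find(tag) if src is not None else None
    val = el.get(attr) if el is not None else None
    if val is None:
        return None
    return int(val, 16) if val.lower().startswith("0x") else int(val)

def usb_hostdevs(xml_text):
    """Return (vendor, product, bus, device) for each USB <hostdev> in the XML."""
    devs = []
    for hd in ET.fromstring(xml_text).iter("hostdev"):
        if hd.get("type") == "usb":
            s = hd.find("source")
            devs.append((_num(s, "vendor", "id"), _num(s, "product", "id"),
                         _num(s, "address", "bus"), _num(s, "address", "device")))
    return devs

def check(requested_xml, dumpxml_text, lsusb_text):
    """Compare the requested device with what dumpxml reports as attached."""
    host = {}
    for m in LSUSB.finditer(lsusb_text):
        key = (int(m[3], 16), int(m[4], 16))
        host.setdefault(key, []).append((int(m[1]), int(m[2])))
    attached = usb_hostdevs(dumpxml_text)
    findings = []
    for vid, pid, bus, dev in usb_hostdevs(requested_xml):
        if len(host.get((vid, pid), [])) > 1:
            findings.append(f"ambiguous: {vid:04x}:{pid:04x} matches several host devices")
        if not any(a == (vid, pid, bus, dev) for a in attached):
            findings.append(f"mismatch: bus={bus} device={dev} is not the attached device")
    return findings

# Constructed sample data (placeholder IDs 1234:5678, not a real token's IDs).
LSUSB_OUT = ("Bus 001 Device 004: ID 1234:5678 Example Token\n"
             "Bus 001 Device 005: ID 1234:5678 Example Token\n")
HOSTDEV = ("<hostdev mode='subsystem' type='usb'><source><vendor id='0x1234'/>"
           "<product id='0x5678'/><address bus='1' device='{}'/></source></hostdev>")
REQUESTED = HOSTDEV.format(5)
DUMPXML_AFFECTED = "<domain><devices>" + HOSTDEV.format(4) + "</devices></domain>"
DUMPXML_FIXED = "<domain><devices>" + HOSTDEV.format(5) + "</devices></domain>"

if __name__ == "__main__":
    print(check(REQUESTED, DUMPXML_AFFECTED, LSUSB_OUT))
    print(check(REQUESTED, DUMPXML_FIXED, LSUSB_OUT))
```

The "ambiguous" finding marks the precondition for this bug (two host devices with the same vendor:product ID); the "mismatch" finding is the symptom described under "Actual results".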

Comment 2 Ken Booth 2012-04-30 23:50:29 UTC
Suggested fix ...

$ diff src/qemu/qemu_hostdev.c src/qemu/qemu_hostdev-modified.c
597,599c597,613
<             usbDevice *usb
<                 = usbFindDevice(hostdev->source.subsys.u.usb.vendor,
<                                 hostdev->source.subsys.u.usb.product);
---
>             if (hostdev->source.subsys.u.usb.bus) {
>                 usbDevice *usb
>                     = usbGetDevice(hostdev->source.subsys.u.usb.bus,
>                                    hostdev->source.subsys.u.usb.device);
>                 if ((hostdev->source.subsys.u.usb.vendor != usb->vendor) ||
>                     (hostdev->source.subsys.u.usb.product != usb->product)) {
>                     qemuReportError(VIR_ERR_OPERATION_INVALID,
>                                     _("USB device %s does not match vendor product id"),
>                                     usbDeviceGetName(tmp));
>                     usbFreeDevice(usb);
>                     goto cleanup;
>                 }
>             } else {
>                 usbDevice *usb
>                     = usbFindDevice(hostdev->source.subsys.u.usb.vendor,
>                                     hostdev->source.subsys.u.usb.product);
>             }
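
Review bot: In the new `if (hostdev->source.subsys.u.usb.bus)` branch the error path calls `usbDeviceGetName(tmp)`, but no `tmp` is declared in this hunk; the device just looked up is `usb`, so the message should name that. Both `usbDevice *usb` declarations now sit inside the `if` and `else` blocks, so `usb` goes out of scope at each closing brace, whereas the removed lines declared it in the enclosing scope; declare it once before the `if` and assign it in each branch. The result of `usbGetDevice()` is also dereferenced (`usb->vendor`) with no check for a failed lookup, and if vendor and product can be left unset when a device is given by address alone, the comparison should be skipped in that case rather than rejecting the device.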

Comment 3 Gunannan Ren 2012-05-08 04:54:24 UTC
The patch has been pushed upstream, so I set it to POST.
https://www.redhat.com/archives/libvir-list/2012-May/msg00289.html

Comment 4 Cole Robinson 2012-07-04 16:48:33 UTC
Fixed in currentrelease

