[libvirt] LSN-2013-0019: libvirtd crash when reading numa tunables for libxl guest in shutoff status

Eric Blake eblake at redhat.com
Wed Jan 22 23:21:53 UTC 2014


        Libvirt Security Notice: LSN-2013-0019
        ======================================

       Summary: libvirtd crash when reading numa tunables for
                libxl guest in shutoff status
   Reported on: 20131220
  Published on: 20131220
      Fixed on: 20131220
   Reported by: Dario Faggioli <dario.faggioli at citrix.com>
    Patched by: Dario Faggioli <dario.faggioli at citrix.com>
      See also: CVE-2013-6457

Description
-----------

The libxlDomainGetNumaParameters method in the libxl driver did not
check whether the guest being accessed was running or not. When the
guest is shut off, the code attempts to clean up an uninitialized
bitmap, causing malloc corruption most commonly observed as a crash.

Impact
------

A user who has permission to invoke the virDomainGetNumaParameters
API against the libxl driver will be able to crash the libvirtd
daemon. Access to this API is granted to any user who connects to
the read-only libvirtd UNIX domain socket. If ACLs are active,
access is granted to any user with the 'read' permission on the
'domain' object, which is granted by default to all users. As a
result, an unprivileged user will be able to inflict a denial of
service attack on other users of the libvirtd daemon with higher
privilege.

Workaround
----------

The impact can be mitigated by blocking access to the read-only
libvirtd UNIX domain socket, with policykit or the 'auth_unix_ro'
parameter in '/etc/libvirt/libvirtd.conf'. If ACLs are active, the
'read' permission should be removed from any untrusted users. This
will not prevent the crash, but will stop unprivileged users from
inflicting the denial of service on higher privileged users.

Affected product
----------------

        Name: libvirt
  Repository: git://libvirt.org/git/libvirt.git
              http://libvirt.org/git/?p=libvirt.git

      Branch: master
   Broken in: v1.1.1
   Broken in: v1.1.2
   Broken in: v1.1.3
   Broken in: v1.1.4
   Broken in: v1.2.0
    Fixed in: v1.2.1
   Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63
    Fixed by: f9ee91d35510ccbc6fc42cef8864b291b2d220f4

      Branch: v1.1.1-maint
   Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63
    Fixed by: d5f89a6dd725baf8bca1f1e28f5b858bf0053a99

      Branch: v1.1.2-maint
   Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63
    Fixed by: 52c40003805f1702f103095dc5c3d00cf38e7a82

      Branch: v1.1.3-maint
   Broken in: v1.1.3.1
   Broken in: v1.1.3.2
    Fixed in: v1.1.3.3
   Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63
    Fixed by: 5904ba60159ce67826f301e78103191600a07600

      Branch: v1.1.4-maint
   Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63
    Fixed by: 626eb91f964a032af56b448e63fde9f74e592290

      Branch: v1.2.0-maint
   Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63
    Fixed by: 36378d1a41464517d7c31d8854fcfd8f69221409


-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
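
The bug class from the Description section, as an added example that is not libvirt or libxl code and not part of the original notice: a cleanup label that disposes a bitmap which an early failure path never initialised, next to a hardened form. All type and function names (struct bitmap, struct guest, backend_info, get_nodes_unsafe, get_nodes_safe) and the -2 error code are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical bitmap type with an init/alloc/dispose API (not libxl's). */
struct bitmap { uint32_t size; uint8_t *map; };
static void bitmap_init(struct bitmap *b) { memset(b, 0, sizeof(*b)); }
static int bitmap_alloc(struct bitmap *b, uint32_t n) {
    b->map = calloc(n, 1);
    b->size = b->map ? n : 0;
    return b->map ? 0 : -1;
}
static void bitmap_dispose(struct bitmap *b) { free(b->map); bitmap_init(b); }
/* Constructed guest type; backend_info() fails when the guest is not running. */
struct guest { int active; uint8_t numa_nodes; };
static int backend_info(const struct guest *g) { return g->active ? 0 : -1; }

#ifdef SHOW_UNSAFE  /* contrast only: undefined behaviour for a shutoff guest */
int get_nodes_unsafe(const struct guest *g, uint8_t *out) {
    struct bitmap nodemap;                  /* indeterminate contents */
    int ret = -1;
    if (backend_info(g) < 0) goto cleanup;  /* fails before bitmap_init() */
    bitmap_init(&nodemap);
    if (bitmap_alloc(&nodemap, 1) < 0) goto cleanup;
    *out = nodemap.map[0] = g->numa_nodes;
    ret = 0;
cleanup:
    bitmap_dispose(&nodemap);               /* free() of a garbage pointer */
    return ret;
}
#endif

/* Hardened: initialise before any goto, and reject a shutoff guest (-2). */
int get_nodes_safe(const struct guest *g, uint8_t *out) {
    struct bitmap nodemap;
    int ret = -1;
    bitmap_init(&nodemap);
    if (!g->active) { ret = -2; goto cleanup; }
    if (backend_info(g) < 0) goto cleanup;
    if (bitmap_alloc(&nodemap, 1) < 0) goto cleanup;
    *out = nodemap.map[0] = g->numa_nodes;
    ret = 0;
cleanup:
    bitmap_dispose(&nodemap);               /* free(NULL) is a no-op */
    return ret;
}
int main(void) {
    struct guest off = { 0, 3 };            /* constructed shutoff guest */
    uint8_t n = 0;
    return get_nodes_safe(&off, &n) == -2 ? 0 : 1;
}
```

Building with -DSHOW_UNSAFE under a memory checker such as AddressSanitizer or Valgrind is a way to see the invalid free reported for the unsafe variant.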
