Libvirt Security Notice: LSN-2014-0004
======================================

                  Summary: Querying blkiotune after disk hotplug can lead to libvirtd crash

              Reported on: 20140911
             Published on: 20140917
                 Fixed on: 20140917
              Reported by: Luyao Huang <lhuang@xxxxxxxxxx>
               Patched by: Peter Krempa <pkrempa@xxxxxxxxxx>
                 See also: CVE-2014-3633

Description
-----------

The qemu implementation of virDomainGetBlockIoTune computed an index
into the array of disks for the live definition, then used it as the
index into the array of disks for the persistent definition. If
management had hot-plugged disks to the live definition, the two arrays
are not necessarily the same length, and this could result in the
persistent definition dereferencing an out-of-bounds pointer.

Impact
------

A read-only client can cause a denial of service attack against a
privileged client if the out-of-bounds dereference causes libvirtd to
crash, or possibly gain read access to sensitive information residing
in the heap.

Workaround
----------

The out-of-bounds access is only possible on domains that have had
disks hot-plugged or removed from the live image without also updating
the persistent definition to match; keeping the two definitions matched
or using only transient domains will avoid the problem. Denying access
to the readonly libvirt socket will avoid the potential for a denial of
service attack, but will not prevent the out-of-bounds access from
causing a crash for a privileged client, although such a crash is no
longer a security problem.
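The index-reuse defect the Description names, modelled in C as an added
example (this is not libvirt's code; the types disk_def and domain_def,
the helper names, and the sample disk layout are assumptions constructed
for illustration). The persistent definition knows one disk, the live
definition has a second, hot-plugged one. The vulnerable pattern takes
the index found in the live array and reuses it against the persistent
array; here it only reports whether that reuse would run past the end,
rather than performing the read. The hardened pattern resolves the disk
separately in each definition and treats "not present in the persistent
definition" as a lookup failure rather than an index.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the two disk arrays the notice describes: a domain's live
 * definition (what is running now, including hot-plugged disks) and its
 * persistent definition (what is saved to config). All names here are
 * assumptions made for this example; they are not libvirt's own types. */
typedef struct {
    const char *dst;    /* target name, e.g. "vda" */
    int         weight; /* the blkiotune value being queried */
} disk_def;

typedef struct {
    size_t   ndisks;
    disk_def disks[8];
} domain_def;

/* Find a disk by target name in ONE definition. Returns -1 when absent. */
static int disk_index(const domain_def *def, const char *dst)
{
    for (size_t i = 0; i < def->ndisks; i++)
        if (strcmp(def->disks[i].dst, dst) == 0)
            return (int)i;
    return -1;
}

/* The defective pattern from the notice: the index is computed against the
 * live definition and then reused against the persistent one. Instead of
 * dereferencing out of bounds, this version reports what would happen:
 * 1 if the reuse would read past persistent->disks, 0 if it happens to
 * stay in bounds, -1 if the disk is not in the live definition at all. */
static int vulnerable_reuse_would_overflow(const domain_def *live,
                                           const domain_def *persistent,
                                           const char *dst)
{
    int idx = disk_index(live, dst);
    if (idx < 0)
        return -1;
    /* The original code would read persistent->disks[idx] here without
     * ever comparing idx against persistent->ndisks. */
    return (size_t)idx >= persistent->ndisks ? 1 : 0;
}

/* Hardened pattern: resolve the disk separately in each definition.
 * Returns the persistent weight, or -1 if the disk is not present in
 * both definitions, so a hot-plugged-only disk is an error, not a read. */
static int fixed_persistent_weight(const domain_def *live,
                                   const domain_def *persistent,
                                   const char *dst)
{
    int li = disk_index(live, dst);
    int pi = disk_index(persistent, dst);
    if (li < 0 || pi < 0)
        return -1;
    return persistent->disks[pi].weight;
}

/* Constructed sample: the persistent config knows only vda; vdb was
 * hot-plugged into the live domain and never added to the config. */
static const domain_def sample_persistent = { 1, { { "vda", 500 } } };
static const domain_def sample_live       = { 2, { { "vda", 500 }, { "vdb", 300 } } };

int main(void)
{
    const char *targets[] = { "vda", "vdb" };
    for (size_t i = 0; i < 2; i++)
        printf("%s: index reuse overflows? %d, hardened lookup -> %d\n",
               targets[i],
               vulnerable_reuse_would_overflow(&sample_live, &sample_persistent, targets[i]),
               fixed_persistent_weight(&sample_live, &sample_persistent, targets[i]));
    return 0;
}
```

The hardened lookup is also the shape of the Workaround: when the two
definitions are kept in sync, every live disk resolves in the persistent
array too, and the failure path is never reached.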
Affected product
----------------

Name: libvirt
Repository: git://libvirt.org/git/libvirt.git
            http://libvirt.org/git/?p=libvirt.git

Branch: master
  Broken in: v0.9.8
  Broken in: v0.9.9
  Broken in: v0.9.10
  Broken in: v0.9.11
  Broken in: v0.9.12
  Broken in: v0.9.13
  Broken in: v1.0.0
  Broken in: v1.0.1
  Broken in: v1.0.2
  Broken in: v1.0.3
  Broken in: v1.0.4
  Broken in: v1.0.5
  Broken in: v1.0.6
  Broken in: v1.1.0
  Broken in: v1.1.1
  Broken in: v1.1.2
  Broken in: v1.1.3
  Broken in: v1.1.4
  Broken in: v1.2.0
  Broken in: v1.2.1
  Broken in: v1.2.2
  Broken in: v1.2.3
  Broken in: v1.2.4
  Broken in: v1.2.5
  Broken in: v1.2.6
  Broken in: v1.2.7
  Broken in: v1.2.8
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: 3e745e8f775dfe6f64f18b5c2fe4791b35d3546b

Branch: v0.9.11-maint
  Broken in: v0.9.11.1
  Broken in: v0.9.11.2
  Broken in: v0.9.11.3
  Broken in: v0.9.11.4
  Broken in: v0.9.11.5
  Broken in: v0.9.11.6
  Broken in: v0.9.11.7
  Broken in: v0.9.11.8
  Broken in: v0.9.11.9
  Broken in: v0.9.11.10
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa

Branch: v0.9.12-maint
  Broken in: v0.9.12.1
  Broken in: v0.9.12.2
  Broken in: v0.9.12.3
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: 750280023cc0896b05f86e292857ceef5eee3a72

Branch: v0.10.2-maint
  Broken in: v0.10.2.1
  Broken in: v0.10.2.2
  Broken in: v0.10.2.3
  Broken in: v0.10.2.4
  Broken in: v0.10.2.5
  Broken in: v0.10.2.6
  Broken in: v0.10.2.7
  Broken in: v0.10.2.8
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: 0fa54204f264e3d39387f5762f810d31cce770b2

Branch: v1.0.2-maint
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: d30fea03a545a2d9f5f228cd3292484ce7850256

Branch: v1.0.3-maint
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: 35a802639d713054503f7243e39be0503fe19ec3

Branch: v1.0.4-maint
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: a45c8466fa3531d35728575a1facc0406f97079a

Branch: v1.0.5-maint
  Broken in: v1.0.5.1
  Broken in: v1.0.5.2
  Broken in: v1.0.5.3
  Broken in: v1.0.5.4
  Broken in: v1.0.5.5
  Broken in: v1.0.5.6
  Broken in: v1.0.5.7
  Broken in: v1.0.5.8
  Broken in: v1.0.5.9
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: cc05c6d5d2f7a577a1a365fbc5451fb6b5f57445

Branch: v1.0.6-maint
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: cc19d1c08f49acdcfd5eb0e26561ea88e800f177

Branch: v1.1.0-maint
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: dd8a348e4747a59c60991f3b41567ab0a1dcca0e

Branch: v1.1.1-maint
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: ed071fee073bc5a439ec64f0e501d5f90c41dec5

Branch: v1.1.2-maint
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: d4360edd1ca88cb1f144bf77f7df23ebf1f90632

Branch: v1.1.3-maint
  Broken in: v1.1.3.1
  Broken in: v1.1.3.2
  Broken in: v1.1.3.3
  Broken in: v1.1.3.4
  Broken in: v1.1.3.5
  Broken in: v1.1.3.6
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: eefe2e013820a76dfe5132431db72aade911eeab

Branch: v1.1.4-maint
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: 92430a6942fc0f4dceea4957f688430f093676ab

Branch: v1.2.0-maint
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: e8f6971e3f29a7392224d7056b05b2acf133e58d

Branch: v1.2.1-maint
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: fdde9d6a1b8a559f5fa18a68cc8e8a35354b3ae9

Branch: v1.2.2-maint
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: 111855e82429249ccd98f9ed0c8c72116e241959

Branch: v1.2.3-maint
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: 81edcbb3ca1061d5b54945a7e1e9e2e03891307b

Branch: v1.2.4-maint
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: 8a07faf3377c4b1e9f4ded59882f305426d02e6c

Branch: v1.2.5-maint
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: 7156bd0ce2dc92231c393fc7bd493e7aa383d966

Branch: v1.2.6-maint
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: 4e701c06c54ec007041e20e5ef085711f38a0266

Branch: v1.2.7-maint
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: cf7a69bc08e79c254f1accd939f4746ca94fe7e7

Branch: v1.2.8-maint
  Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
  Fixed by: 6bdf14150e99ca8921a4017bb9502325e200815b

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|