Libvirt Security Notice ======================= Summary: libvirtd daemon crash when reading memory tunables for LXC guest in shutoff status Reported on: 20131209 Published on: 20131220 Fixed on: 20131220 Reported by: Martin Kletzander <mkletzan@xxxxxxxxxx> Patched by: Martin Kletzander <mkletzan@xxxxxxxxxx> See also: CVE-2013-6436 Description ----------- The lxcDomainGetMemoryParameters method in the LXC driver did not check whether the guest being accessed was running or not. When shutoff there will be no virCgroupPtr instance associated with the guest. Reading memory tunables involves calling methods with the virCgroupPtr object as a parameter. This will lead to a crash accessing a NULL pointer. Impact ------ A user who has permission to invoke the virDomainGetMemoryParameters API against the LXC driver will be able to crash the libvirtd daemon. Access to this API is granted to any user who connects to the read-only libvirtd UNIX domain socket. If ACLs are active, access is granted to any user with the 'read' permission on the 'domain' object, which is granted by default to all users. As a result an unprivileged user will be able to inflict a denial of service attack on other users of the libvirtd daemon with higher privilege. Workaround ---------- The impact can be mitigated by blocking access to the read-only libvirtd UNIX domain socket, with policykit or the 'auth_unix_ro' parameter in '/etc/libvirt/libvirtd.conf'. If ACLs are active, the 'read' permission should be removed from any untrusted users. This will not prevent the crash, but will stop unprivileged users from inflicting the denial of service on higher privileged users. Affected product ---------------- Name: libvirt Repository: git://libvirt.org/git/libvirt.git Branch: master Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969 Fixed by: f8c1cb90213508c4f32549023b0572ed774e48aa Branch: v1.0.5-maint Broken in: v1.0.5 Broken in: v1.0.5.1 Broken in: v1.0.5.2 Broken in: v1.0.5.3 Broken in: v1.0.5.4 Broken in: v1.0.5.5 Broken in: v1.0.5.6 Broken in: v1.0.5.7 Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969 Fixed by: 218bd2e8716bcb4c90acf6ecaf879d606b46606b Branch: v1.0.6-maint Broken in: v1.0.6 Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969 Fixed by: 80d682fd90bb7e97d8670be4cba1fe153438d7a0 Branch: v1.1.0-maint Broken in: v1.1.0 Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969 Fixed by: 30a589bc4731488ca3428515ed57ce5446a83bbd Branch: v1.1.1-maint Broken in: v1.1.1 Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969 Fixed by: 9a68d1354233f4cfca686655f8021e9477977e6e Branch: v1.1.2-maint Broken in: v1.1.2 Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969 Fixed by: 79384018480f11ec6f2c2196039e67a9196d3e3a Branch: v1.1.3-maint Broken in: v1.1.3 Broken in: v1.1.3.1 Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969 Fixed by: 66247dc5fffe5b9447f4db377c5adf02e6db97c4 Branch: v1.1.4-maint Broken in: v1.1.4 Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969 Fixed by: 09956c7db764a0958034de6fac58aaaaf8e878bf Branch: v1.2.0-maint Broken in: v1.2.0 Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969 Fixed by: 705f388bceb4fce21b7c5ebc6310cb467c362239 Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list