[Libguestfs] [PATCH nbdkit 0/4] Multiple valgrind improvements and possible security fix.
Eric Blake
eblake at redhat.com
Mon Dec 3 19:03:07 UTC 2018
On 12/2/18 10:39 AM, Richard W.M. Jones wrote:
> I worked out why valgrind wasn't being applied to nbdkit when run by
> many of the tests (patches 1-2). Unfortunately I'm not able to make
> it actually fail tests when valgrind fails. Although the situation is
> marginally improved in that you can now manually examine the *.log
> files and find valgrind failures that way. Also adds valgrinding of
> the Python plugin (patch 3).
>
> Along the way I found that when we create a TLS session object we
> never free it, which is a bit of a problem (although easy to fix -
> patch 4).
>
> I'll need to backport this fix to every stable branch. It's not clear
> how exploitable this is -- it's my feeling that you'd need to open
> millions of TLS sessions which would take forever, and the result
> would only be a denial of service as nbdkit runs out of memory and
> crashes.
Can the leak happen with merely a port probe, or only by someone that
was able to get past the handshake? If the former, then it is a vehicle
for DoS attacks and probably worth a CVE (because the person performing
the port probe can crash nbdkit from servicing real clients, even though
the attacker does not own TLS credentials); if the latter, it is not a
security bug (no escalation in privilege by locking yourself out).
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
More information about the Libguestfs
mailing list