[libvirt] SECURITY: CVE-2013-6436: libvirtd daemon crash when reading memory tunables for LXC guest in shutoff status

Daniel P. Berrange berrange at redhat.com
Fri Dec 20 14:13:03 UTC 2013


        Libvirt Security Notice
        =======================

       Summary: libvirtd daemon crash when reading memory tunables
                for LXC guest in shutoff status
   Reported on: 20131209
  Published on: 20131220
      Fixed on: 20131220
   Reported by: Martin Kletzander <mkletzan at redhat.com>                    
    Patched by: Martin Kletzander <mkletzan at redhat.com>                
      See also: CVE-2013-6436

Description
-----------

The lxcDomainGetMemoryParameters method in the LXC driver did not
check whether the guest being accessed was running or not. When a
guest is shutoff, there is no virCgroupPtr instance associated with
it. Reading memory tunables involves calling methods with the
virCgroupPtr object as a parameter, so a request against a shutoff
guest leads to a crash accessing a NULL pointer.
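
The pattern described above, as a simplified model added for
illustration. It is not code from libvirt or from the fix commits;
guest_t, cgroup_t, the GET_* codes and both functions are hypothetical
stand-ins for the guest object, its virCgroupPtr and the getter.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-ins for the objects named in the notice;
 * these are not libvirt's definitions. */
typedef struct { unsigned long long hard_limit_kib; } cgroup_t;

typedef struct {
    int active;        /* 1 = running, 0 = shutoff */
    cgroup_t *cgroup;  /* NULL whenever the guest is shutoff */
} guest_t;

enum { GET_OK = 0, GET_ERR_NOT_RUNNING = -1 };

/* Unchecked form: follows g->cgroup without looking at the guest state,
 * so a shutoff guest means a NULL pointer dereference in the daemon. */
int get_mem_limit_unchecked(const guest_t *g, unsigned long long *out)
{
    *out = g->cgroup->hard_limit_kib;
    return GET_OK;
}

/* Checked form: report an error to the caller before any cgroup access. */
int get_mem_limit_checked(const guest_t *g, unsigned long long *out)
{
    if (!g->active || g->cgroup == NULL)
        return GET_ERR_NOT_RUNNING;
    *out = g->cgroup->hard_limit_kib;
    return GET_OK;
}

int main(void)
{
    cgroup_t cg = { 524288 };          /* constructed sample value */
    guest_t running = { 1, &cg };
    guest_t shutoff = { 0, NULL };
    unsigned long long v = 0;
    int rc;

    rc = get_mem_limit_checked(&running, &v);
    printf("running: rc=%d limit=%llu KiB\n", rc, v);

    rc = get_mem_limit_checked(&shutoff, &v);
    printf("shutoff: rc=%d (error returned, no crash)\n", rc);
    return 0;
}
```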

Impact
------

A user who has permission to invoke the virDomainGetMemoryParameters
API against the LXC driver will be able to crash the libvirtd
daemon. Access to this API is granted to any user who connects to
the read-only libvirtd UNIX domain socket. If ACLs are active,
access is granted to any user with the 'read' permission on the
'domain' object, which is granted by default to all users. As a
result an unprivileged user will be able to inflict a denial of
service attack on other users of the libvirtd daemon with higher
privilege.

Workaround
----------

The impact can be mitigated by blocking access to the read-only
libvirtd UNIX domain socket, with policykit or the 'auth_unix_ro'
parameter in '/etc/libvirt/libvirtd.conf'. If ACLs are active, the
'read' permission should be removed from any untrusted users. This
will not prevent the crash, but will stop unprivileged users from
inflicting the denial of service on higher privileged users.

Affected product
----------------

        Name: libvirt
  Repository: git://libvirt.org/git/libvirt.git

      Branch: master
   Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969
    Fixed by: f8c1cb90213508c4f32549023b0572ed774e48aa

      Branch: v1.0.5-maint
   Broken in: v1.0.5
   Broken in: v1.0.5.1
   Broken in: v1.0.5.2
   Broken in: v1.0.5.3
   Broken in: v1.0.5.4
   Broken in: v1.0.5.5
   Broken in: v1.0.5.6
   Broken in: v1.0.5.7
   Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969
    Fixed by: 218bd2e8716bcb4c90acf6ecaf879d606b46606b

      Branch: v1.0.6-maint
   Broken in: v1.0.6
   Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969
    Fixed by: 80d682fd90bb7e97d8670be4cba1fe153438d7a0

      Branch: v1.1.0-maint
   Broken in: v1.1.0
   Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969
    Fixed by: 30a589bc4731488ca3428515ed57ce5446a83bbd

      Branch: v1.1.1-maint
   Broken in: v1.1.1
   Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969
    Fixed by: 9a68d1354233f4cfca686655f8021e9477977e6e

      Branch: v1.1.2-maint
   Broken in: v1.1.2
   Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969
    Fixed by: 79384018480f11ec6f2c2196039e67a9196d3e3a

      Branch: v1.1.3-maint
   Broken in: v1.1.3
   Broken in: v1.1.3.1
   Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969
    Fixed by: 66247dc5fffe5b9447f4db377c5adf02e6db97c4

      Branch: v1.1.4-maint
   Broken in: v1.1.4
   Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969
    Fixed by: 09956c7db764a0958034de6fac58aaaaf8e878bf

      Branch: v1.2.0-maint
   Broken in: v1.2.0
   Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969
    Fixed by: 705f388bceb4fce21b7c5ebc6310cb467c362239


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|



