[libvirt] LSN-2013-0018: Unsafe usage of paths under /proc/$PID/root by the LXC driver

Daniel P. Berrange berrange at redhat.com
Wed Feb 19 12:11:08 UTC 2014


        Libvirt Security Notice: LSN-2013-0018
        ======================================

       Summary: Unsafe usage of paths under /proc/$PID/root by the
                LXC driver
   Reported on: 20131217
  Published on: 20131217
      Fixed on: 20140219
   Reported by: Reco <recoverym4n at gmail.com>                    
    Patched by: Reco <recoverym4n at gmail.com>,
                Eric Blake <eblake at redhat.com>,
                Daniel Berrange <berrange at redhat.com>                
      See also: CVE-2013-6456, debian bug #732394

Description
-----------

The LXC driver will open paths under /proc/$PID/root for some
operations it performs on running guests. For the virDomainShutdown
and virDomainReboot APIs it will use this to access the /dev/initctl
path in the container. For the virDomainDeviceAttach /
virDomainDeviceDettach APIs it will use this to create device nodes
in the container's /dev filesystem. If any of the path components
under control of the container are symlinks the container can cause
the libvirtd daemon to access the incorrect files.

Impact
------

A container can cause the administrator to shutdown or reboot the
host OS if /dev/initctl in the container is made to be an absolute
symlink back to itself or /run/initctl. A container can cause the
host administrator to mknod in an arbitrary host directory when
invoking the virDomainDeviceAttach API by replacing '/dev' with an
absolute symlink. A container can cause the host administrator to
delete host device when invoking the virDomainDeviceDettach API by
replacing '/dev' with an absolute symlink.

Workaround
----------

Do not use the virDomainShutdown or virDomainReboot APIs without
also passing the VIR_DOMAIN_SHUTDOWN_SIGNAL or
VIR_DOMAIN_REBOOT_SIGNAL flags respectively. These will cause the
LXC driver to send a SIGTERM or SIGHUP signal respectively, to the
init process instead of using /dev/initct.. Do not use the
virDomainDeviceAttach or virDomainDeviceDetach APIs at all unless
the guest OS is trusted.

Affected product
----------------

        Name: libvirt
  Repository: git://libvirt.org/git/libvirt.git
              http://libvirt.org/git/?p=libvirt.git

      Branch: master
   Broken in: v1.0.1
   Broken in: v1.0.2
   Broken in: v1.0.3
   Broken in: v1.0.4
   Broken in: v1.0.5
   Broken in: v1.0.6
   Broken in: v1.0.0
   Broken in: v1.1.1
   Broken in: v1.1.2
   Broken in: v1.1.3
   Broken in: v1.1.4
   Broken in: v1.2.0
   Broken in: v1.2.1
   Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
   Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
   Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
   Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
   Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
    Fixed by: aebbcdd33c8c18891f0bdbbf8924599a28152c9c
    Fixed by: 4dd3a7d5bc44980135a1b11810ba9aeab42a4a59
    Fixed by: 7fba01c15c1f886b4235825692b4c13e88dd9f7b
    Fixed by: 1754c7f0ab1407dcf7c89636a35711dd9b1febe1
    Fixed by: 1cadeafcaa422844a27ef622e2a7041d0235bcb3
    Fixed by: 5fc590ad9f4071350a8df4d567ba88baacc8334d

      Branch: v1.0.1-maint
   Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3

      Branch: v1.0.2-maint
   Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
   Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
   Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
   Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
   Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f

      Branch: v1.0.3-maint
   Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
   Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
   Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
   Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
   Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f

      Branch: v1.0.4-maint
   Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
   Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
   Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
   Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
   Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f

      Branch: v1.0.5-maint
   Broken in: v1.0.5.1
   Broken in: v1.0.5.2
   Broken in: v1.0.5.3
   Broken in: v1.0.5.4
   Broken in: v1.0.5.5
   Broken in: v1.0.5.6
   Broken in: v1.0.5.7
   Broken in: v1.0.5.8
   Broken in: v1.0.5.9
   Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
   Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
   Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
   Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
   Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
    Fixed by: f84056cf6166332b1f15f3e6584a88f5d42273fe
    Fixed by: 0e9fee68b3bff24e4d3ab48de8129946202f3bc0
    Fixed by: 9849cf6d89e5665667a0df449ddc3fd5582da242
    Fixed by: 21821ed4d1faf5bf563a26e8ac7cd2eb0450d322
    Fixed by: e57058cfe827b1971ca0dee224ff273c9cad7756
    Fixed by: e1e7e05376faf1ed471cb5c1d1e0415458f2af7d

      Branch: v1.0.6-maint
   Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
   Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
   Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
   Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
   Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
    Fixed by: e9941eee1a3c1cb0af7bc39076eb0e8c2c4eb603
    Fixed by: 84cf9af8d9a803f2e12df0b8b0c2bd2de544cf93
    Fixed by: f8706947b86e6de2961aacddb5eb2345d9c033b4
    Fixed by: 081e0fabfd8c0f5c3f2c869ddcf11710c445a962
    Fixed by: b2a853e1f6aea9683a30eafd2b069b8be0fcf898
    Fixed by: bd9ec4506e29a9ce682961eee99d0326ed64145d

      Branch: v1.1.0-maint
   Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
   Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
   Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
   Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
   Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
    Fixed by: 61c7e0b66e8b37d4ea64024c100d2ed467d5cb47
    Fixed by: 43720035b7f4c175ef2594296d874bc1910840b3
    Fixed by: 212414281f0001da78f2312d7f52dcf124317fc9
    Fixed by: c17dd7ede2affd147ffdc5e8daef85939bda0dd0
    Fixed by: ed46a680a02cf96b229a89f74ddbab69522c9ef5
    Fixed by: 807db4a30ee903f973d496b3293d9e6aaa511174

      Branch: v1.1.1-maint
   Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
   Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
   Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
   Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
   Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
    Fixed by: 6ecb7bc3aed7f60edad5289c9b0cfcf99eee6611
    Fixed by: 72a4c29ca72789b13de1ed9cb96df9fb2b0fdde4
    Fixed by: 83f83508e128275bd1b74988162dc6b9f86e00ee
    Fixed by: 398c88edfaef50b9b59eb2d9a61b07c9c940a661
    Fixed by: dd055960df60c536957664f0ae3c591feecf7b09
    Fixed by: 14d69bd00e4455a1d174d14c5af73975cf9e904a

      Branch: v1.1.2-maint
   Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
   Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
   Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
   Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
   Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
    Fixed by: f639b2d17ce935b650bb2aca7bdd8d727cab8b02
    Fixed by: a06bdfcb446f182e490f70422a8431c3bcb2c801
    Fixed by: 77ddbad2a9272239a09673c5d6993793308514e9
    Fixed by: a6e9270ec79924fabd5a872984bb5d38eaf3df8a
    Fixed by: eae2a2ada81c5828991bb1b9438f7556a7e51ce8
    Fixed by: 21368274a9aa91e8a5f0addb3a6bba8dad91e334

      Branch: v1.1.3-maint
   Broken in: v1.1.3.1
   Broken in: v1.1.3.2
   Broken in: v1.1.3.3
    Fixed in: v1.1.3.4
   Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
   Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
   Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
   Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
   Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
    Fixed by: a3a3cfcb7c400bcde198b5b929ff2d4f889dee78
    Fixed by: cb016b9ef1a6d786657a98546db8412f86510367
    Fixed by: 72e379ed93b4707e26bbc5e3457a85833f50eb1a
    Fixed by: fcf05c194cb1cca6b5c703073b97ed1408a2c546
    Fixed by: d5c0b57fffbe651c425b4de6c11712030cce7e7e
    Fixed by: fef343339127b989746214b86901553da6d17863

      Branch: v1.1.4-maint
   Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
   Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
   Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
   Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
   Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
    Fixed by: 28681077373f1fa567b7f56117a22047f90925fe
    Fixed by: 0e931dfcda308fbb84eef42bc92e257e39af083d
    Fixed by: 3101022b4d4fee46916b87b1c21a3956a91d94b2
    Fixed by: 1d1daaf58677cfa843b6891a98dc6cdb42116434
    Fixed by: 80f57ec4224af65392db09fb8f47be7434e2fc86
    Fixed by: ba4065b6f64fca7706070b8458fdf0bc06115b9b

      Branch: v1.2.0-maint
   Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
   Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
   Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
   Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
   Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
    Fixed by: 3e97a53caa9adddd47da1c22dbed81ef2e02f735
    Fixed by: 17188260657e095f5d210bc73ba1661875a8f885
    Fixed by: 70665ec5f2cd910666bc703727dc6d7c15efe7bf
    Fixed by: 3f43a7727ac068de8aac6b9c030b38fb3cb1426d
    Fixed by: cd48d62aca488a116b47073be2607653a1d3305e
    Fixed by: 8fca7a4fa6b40d21723008d2092536349f20517d

      Branch: v1.2.1-maint
   Broken by: cbb106f807b32f1f6af22d1e92fe0ff9ba6d73b3
   Broken by: de858e3fa7ffcab5f80d07f8a74d94cbaf8716b9
   Broken by: ed77abc58bc5a6837a5021f26e1a335dbfb477bf
   Broken by: a5efb3190913b6903775ca3756f79443d4ea8a5b
   Broken by: 4ad6a013304f6fe29b0866742c902054bfbcf23f
    Fixed by: 8b546028f901dc414463678574ceabbacc37c4cb
    Fixed by: b0ed2d94ace3c57198ce7b4793f906abf5397e36
    Fixed by: ee1269eecd3566729f3909db624f7ebd7bf1b84a
    Fixed by: b9997828231b3492252cb6d9a0ad4f3dc522791e
    Fixed by: 51a897a22e1c031edd46fd077487a2f8e649cb9f
    Fixed by: ad52184399aa414fa3d7e2756e4ea6a45ec0d3a3


-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|




More information about the libvir-list mailing list