[libvirt] LSN-2014-0004: Querying blkiotune after disk hotplug can lead to libvirtd crash

Daniel P. Berrange berrange at redhat.com
Thu Sep 18 14:50:38 UTC 2014


        Libvirt Security Notice: LSN-2014-0004
        ======================================

       Summary: Querying blkiotune after disk hotplug can lead to
                libvirtd crash
   Reported on: 20140911
  Published on: 20140917
      Fixed on: 20140917
   Reported by: Luyao Huang <lhuang at redhat.com>
    Patched by: Peter Krempa <pkrempa at redhat.com>
      See also: CVE-2014-3633

Description
-----------

The qemu implementation of virDomainGetBlockIoTune computed an index
into the array of disks for the live definition, then used it as the
index into the array of disks for the persistent definition. If
management had hot-plugged disks to the live definition, the two
arrays are not necessarily the same length, and this could result in
the persistent definition dereferencing an out-of-bounds pointer.
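The index mix-up described above, as an added illustration that is not libvirt code: the `disk_def`/`domain_def` types and all function names are hypothetical stand-ins for libvirt's disk and domain definitions, and the sample domain (persistent `vda` only, live `vda` plus a hot-plugged `vdb`) is constructed for the example. The vulnerable function returns the index it would apply to the persistent array rather than dereferencing it, so the program shows the out-of-bounds condition without performing the bad read; the fixed variant resolves the disk by target name in the persistent definition and fails cleanly when the disk exists only in the live definition.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for libvirt's per-disk and per-domain definitions. */
typedef struct {
    const char *dst;        /* target name the client names, e.g. "vdb" */
    unsigned int weight;    /* stand-in for the per-disk blkiotune value */
} disk_def;

typedef struct {
    disk_def *disks;
    size_t ndisks;
} domain_def;

/* Index of the disk whose target matches dst within one definition, or -1. */
static int disk_index_by_name(const domain_def *def, const char *dst)
{
    for (size_t i = 0; i < def->ndisks; i++)
        if (strcmp(def->disks[i].dst, dst) == 0)
            return (int)i;
    return -1;
}

/*
 * Vulnerable shape: the index is computed against the live definition and
 * then reused for the persistent definition, which is never consulted.
 * After a hot-plug the live array can be longer than the persistent one,
 * so the returned index may be >= persistent->ndisks. Returned, not
 * dereferenced, so the example runs without an out-of-bounds read.
 */
static int persistent_index_vulnerable(const domain_def *live,
                                       const domain_def *persistent,
                                       const char *dst)
{
    (void)persistent;   /* unused: that is the bug */
    return disk_index_by_name(live, dst);
}

/*
 * Fixed shape: resolve the disk by name in the persistent definition itself
 * and report "not found" instead of trusting an index from another array.
 */
static const disk_def *persistent_disk_fixed(const domain_def *persistent,
                                             const char *dst)
{
    int idx = disk_index_by_name(persistent, dst);
    return idx < 0 ? NULL : &persistent->disks[idx];
}

/* Constructed sample: vdb was hot-plugged into the live domain only. */
static disk_def persistent_disks[] = { { "vda", 500 } };
static disk_def live_disks[]       = { { "vda", 500 }, { "vdb", 300 } };
static const domain_def persistent_def = { persistent_disks, 1 };
static const domain_def live_def       = { live_disks, 2 };

/* 1 if the vulnerable lookup for dst would index past the persistent array. */
static int vulnerable_lookup_is_oob(const char *dst)
{
    int idx = persistent_index_vulnerable(&live_def, &persistent_def, dst);
    return idx >= 0 && (size_t)idx >= persistent_def.ndisks;
}

int main(void)
{
    const char *targets[] = { "vda", "vdb" };
    for (size_t i = 0; i < 2; i++) {
        const disk_def *d = persistent_disk_fixed(&persistent_def, targets[i]);
        printf("%s: vulnerable index %d (out of bounds: %s); fixed lookup: %s\n",
               targets[i],
               persistent_index_vulnerable(&live_def, &persistent_def, targets[i]),
               vulnerable_lookup_is_oob(targets[i]) ? "yes" : "no",
               d ? "found in persistent config"
                 : "not in persistent config, report an error instead");
    }
    return 0;
}
```

Querying `vda` is safe in both versions because the two arrays agree up to that index; querying the hot-plugged `vdb` yields index 1 against a one-element persistent array, which is exactly the condition the notice describes. The same reasoning applies when a disk is hot-unplugged from the live definition only: the live index of a later disk then points at the wrong persistent entry rather than past the array, which corrupts the answer silently instead of crashing.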

Impact
------

Because virDomainGetBlockIoTune is reachable over the read-only libvirt
socket, a client with only read-only access can trigger the out-of-bounds
dereference. If it crashes libvirtd this is a denial of service against
every other client, including privileged ones; if it does not crash, the
read may instead expose sensitive information residing in the heap.

Workaround
----------

The out-of-bounds access is only possible on domains that have had
disks hot-plugged or removed from the live image without also
updating the persistent definition to match; keeping the two
definitions matched or using only transient domains will avoid the
problem. Denying access to the readonly libvirt socket will avoid
the potential for a denial of service attack, but will not prevent
the out-of-bounds access from causing a crash for a privileged
client, although such a crash is no longer a security problem.

Affected product
----------------

        Name: libvirt
  Repository: git://libvirt.org/git/libvirt.git
              http://libvirt.org/git/?p=libvirt.git

      Branch: master
   Broken in: v0.9.8
   Broken in: v0.9.9
   Broken in: v0.9.10
   Broken in: v0.9.11
   Broken in: v0.9.12
   Broken in: v0.9.13
   Broken in: v1.0.0
   Broken in: v1.0.1
   Broken in: v1.0.2
   Broken in: v1.0.3
   Broken in: v1.0.4
   Broken in: v1.0.5
   Broken in: v1.0.6
   Broken in: v1.1.0
   Broken in: v1.1.1
   Broken in: v1.1.2
   Broken in: v1.1.3
   Broken in: v1.1.4
   Broken in: v1.2.0
   Broken in: v1.2.1
   Broken in: v1.2.2
   Broken in: v1.2.3
   Broken in: v1.2.4
   Broken in: v1.2.5
   Broken in: v1.2.6
   Broken in: v1.2.7
   Broken in: v1.2.8
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: 3e745e8f775dfe6f64f18b5c2fe4791b35d3546b

      Branch: v0.9.11-maint
   Broken in: v0.9.11.1
   Broken in: v0.9.11.2
   Broken in: v0.9.11.3
   Broken in: v0.9.11.4
   Broken in: v0.9.11.5
   Broken in: v0.9.11.6
   Broken in: v0.9.11.7
   Broken in: v0.9.11.8
   Broken in: v0.9.11.9
   Broken in: v0.9.11.10
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa

      Branch: v0.9.12-maint
   Broken in: v0.9.12.1
   Broken in: v0.9.12.2
   Broken in: v0.9.12.3
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: 750280023cc0896b05f86e292857ceef5eee3a72

      Branch: v0.10.2-maint
   Broken in: v0.10.2.1
   Broken in: v0.10.2.2
   Broken in: v0.10.2.3
   Broken in: v0.10.2.4
   Broken in: v0.10.2.5
   Broken in: v0.10.2.6
   Broken in: v0.10.2.7
   Broken in: v0.10.2.8
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: 0fa54204f264e3d39387f5762f810d31cce770b2

      Branch: v1.0.2-maint
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: d30fea03a545a2d9f5f228cd3292484ce7850256

      Branch: v1.0.3-maint
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: 35a802639d713054503f7243e39be0503fe19ec3

      Branch: v1.0.4-maint
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: a45c8466fa3531d35728575a1facc0406f97079a

      Branch: v1.0.5-maint
   Broken in: v1.0.5.1
   Broken in: v1.0.5.2
   Broken in: v1.0.5.3
   Broken in: v1.0.5.4
   Broken in: v1.0.5.5
   Broken in: v1.0.5.6
   Broken in: v1.0.5.7
   Broken in: v1.0.5.8
   Broken in: v1.0.5.9
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: cc05c6d5d2f7a577a1a365fbc5451fb6b5f57445

      Branch: v1.0.6-maint
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: cc19d1c08f49acdcfd5eb0e26561ea88e800f177

      Branch: v1.1.0-maint
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: dd8a348e4747a59c60991f3b41567ab0a1dcca0e

      Branch: v1.1.1-maint
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: ed071fee073bc5a439ec64f0e501d5f90c41dec5

      Branch: v1.1.2-maint
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: d4360edd1ca88cb1f144bf77f7df23ebf1f90632

      Branch: v1.1.3-maint
   Broken in: v1.1.3.1
   Broken in: v1.1.3.2
   Broken in: v1.1.3.3
   Broken in: v1.1.3.4
   Broken in: v1.1.3.5
   Broken in: v1.1.3.6
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: eefe2e013820a76dfe5132431db72aade911eeab

      Branch: v1.1.4-maint
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: 92430a6942fc0f4dceea4957f688430f093676ab

      Branch: v1.2.0-maint
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: e8f6971e3f29a7392224d7056b05b2acf133e58d

      Branch: v1.2.1-maint
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: fdde9d6a1b8a559f5fa18a68cc8e8a35354b3ae9

      Branch: v1.2.2-maint
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: 111855e82429249ccd98f9ed0c8c72116e241959

      Branch: v1.2.3-maint
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: 81edcbb3ca1061d5b54945a7e1e9e2e03891307b

      Branch: v1.2.4-maint
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: 8a07faf3377c4b1e9f4ded59882f305426d02e6c

      Branch: v1.2.5-maint
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: 7156bd0ce2dc92231c393fc7bd493e7aa383d966

      Branch: v1.2.6-maint
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: 4e701c06c54ec007041e20e5ef085711f38a0266

      Branch: v1.2.7-maint
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: cf7a69bc08e79c254f1accd939f4746ca94fe7e7

      Branch: v1.2.8-maint
   Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
    Fixed by: 6bdf14150e99ca8921a4017bb9502325e200815b


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
