[PATCH] storage_driver: Unlock object on ACL fail in storagePoolLookupByTargetPath
Mauro Matteo Cascella
mcascell at redhat.com
Thu Jul 22 09:14:15 UTC 2021
Hi Peter,
I'm going to allocate a new (low impact) CVE for this bug.
Thanks.
On Wed, Jul 21, 2021 at 11:34 AM Peter Krempa <pkrempa at redhat.com> wrote:
>
> Adding libvirt-security since I forgot when sending the patch.
>
> On Wed, Jul 21, 2021 at 11:27:41 +0200, Peter Krempa wrote:
> > 'virStoragePoolObjListSearch' returns a locked and refed object, thus we
> > must release it on ACL permission failure.
> >
> > Fixes: 7aa0e8c0cb8
> > Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318
> > Signed-off-by: Peter Krempa <pkrempa at redhat.com>
> > ---
> > Technically a security issue since it DoS-es the objects a user doesn't
> > have access to for users which do have access.
> >
> > Posting to standard devel list since the bugzilla above is public.
> >
> > src/storage/storage_driver.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
> > index c2ff4b8d06..6aa10d89f6 100644
> > --- a/src/storage/storage_driver.c
> > +++ b/src/storage/storage_driver.c
> > @@ -1738,8 +1738,10 @@ storagePoolLookupByTargetPath(virConnectPtr conn,
> > storagePoolLookupByTargetPathCallback,
> > cleanpath))) {
> > def = virStoragePoolObjGetDef(obj);
> > - if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0)
> > + if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) {
> > + virStoragePoolObjEndAPI(&obj);
> > return NULL;
> > + }
> >
> > pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL);
> > virStoragePoolObjEndAPI(&obj);
> > --
> > 2.31.1
> >
>
--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
More information about the libvir-list
mailing list