[Libvirt-announce] LSN-2014-0010: CVE-2014-8136 deadlock on failed migration

Eric Blake eblake at redhat.com
Tue Dec 23 20:53:39 UTC 2014


        Libvirt Security Notice: LSN-2014-0008
        ======================================

       Summary: deadlock on failed migration
   Reported on: 20141208
  Published on: 20141208
      Fixed on: 20141209
   Reported by: Peter Krempa <pkrempa at redhat.com>
    Patched by: Peter Krempa <pkrempa at redhat.com>
      See also: CVE-2014-8136

Description
-----------

When using fine-grained ACLs to restrict users from migrating
domains, a logic bug could leave the domain locked and prevent
further operation on that domain.

Impact
------

A client that lacks the domain:migrate fine-grained ACL could use a
failed migration attempt to trigger a denial of service against a
more privileged user.

Workaround
----------

The bug is mitigated by the fact that the "perform" and "finish"
states of migration can generally be reached only after a successful
"begin" or "prepare" state, both of which also require the same
domain:migrate permission. Furthermore, the "prepare" state also
requires the domain:write permission, and any user who has been
granted that permission is already deemed to have full control over
the system; even if domain:migrate permission is dynamically denied
after migration has already started in order to trigger the flaw, an
attack by such a user generally does not constitute a denial of
service against a more privileged user. On the other hand, a
malicious client that has access to the read-write socket via only a
weaker privilege such as domain:read can send RPC commands out of
order, to attempt a "perform" without going through the
prerequisite states, and thereby trigger the bug in a manner that
forms a denial of service. Read-only clients cannot trigger the
problem, even via bad RPC commands. It is possible to avoid the bug
by not using the fine-grained access control mechanism.

Affected product
----------------

        Name: libvirt
  Repository: git://libvirt.org/git/libvirt.git
              http://libvirt.org/git/?p=libvirt.git

      Branch: master
   Broken in: v1.1.0
   Broken in: v1.1.1
   Broken in: v1.1.2
   Broken in: v1.1.3
   Broken in: v1.1.4
   Broken in: v1.2.0
   Broken in: v1.2.1
   Broken in: v1.2.2
   Broken in: v1.2.3
   Broken in: v1.2.4
   Broken in: v1.2.5
   Broken in: v1.2.6
   Broken in: v1.2.7
   Broken in: v1.2.8
   Broken in: v1.2.9
   Broken in: v1.2.10
    Fixed in: v1.2.11
   Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
    Fixed by: 2bdcd29c713dfedd813c89f56ae98f6f3898313d

      Branch: v1.1.0-maint
   Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
    Fixed by: 540872ceae9d2850e42d3615f017feb46ab585aa

      Branch: v1.1.1-maint
   Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
    Fixed by: fb1e0312f4cfc2375ee94d40e5f2999cd761337d

      Branch: v1.1.2-maint
   Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
    Fixed by: 12c35ca8e6a1dff79fe706b24edc094be7df9f93

      Branch: v1.1.3-maint
   Broken in: v1.1.3.1
   Broken in: v1.1.3.2
   Broken in: v1.1.3.3
   Broken in: v1.1.3.4
   Broken in: v1.1.3.5
   Broken in: v1.1.3.6
   Broken in: v1.1.3.7
   Broken in: v1.1.3.8
   Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
    Fixed by: 63934cae465f757c774db1fa4e86d3c8bda4591b

      Branch: v1.1.4-maint
   Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
    Fixed by: 995516ad3dc64fb5a5102ad0fbbea6e1701f0d8d

      Branch: v1.2.0-maint
   Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
    Fixed by: 0d365c6f707f55e77ff14d6a52a59b7d1c43f8a4

      Branch: v1.2.1-maint
   Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
    Fixed by: 75dfd58284de1fdc146b8aa3deb7d6a2057f0391

      Branch: v1.2.2-maint
   Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
    Fixed by: f5a151754f2080598049baf5d68282f183a30f5c

      Branch: v1.2.3-maint
   Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
    Fixed by: e0e2f7eafc5adfbac4343592def097cbe8a67653

      Branch: v1.2.4-maint
   Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
    Fixed by: 4ba560e050fa83a2ef2083fbfa0ad9484b9393d4

      Branch: v1.2.5-maint
   Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
    Fixed by: cd3d695a6be8398b399d0d06c26a618b12ad8946

      Branch: v1.2.6-maint
   Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
    Fixed by: bad50b7501ebfe8076a6f7809d7b44b7a94c38ef

      Branch: v1.2.7-maint
   Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
    Fixed by: 220759259bcbcc705a96dc1cbaeb2f2ce980c479

      Branch: v1.2.8-maint
   Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
    Fixed by: 372bfe63b501c7580400107682633ad421416f88

      Branch: v1.2.9-maint
   Broken in: v1.2.9.1
   Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
    Fixed by: 12496319a24dd923c5f321c84112fd0e73979413

      Branch: v1.2.10-maint
   Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
    Fixed by: 2a121c635306cd498cdabb63a806ae17821b245f


-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
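
The lock leak described in the notice's Description, as an added example that is not part of the original notice and is not libvirt's code: a single-threaded C model in which all struct and function names are hypothetical, and the early-return shape of the flawed path is an assumption made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed model: every name here is hypothetical, not a libvirt symbol. */
struct domain { bool locked; };        /* stands in for the per-domain lock */
struct client { bool can_migrate; };   /* models the domain:migrate ACL */
/* Returns 0 on success, -1 if already held (a real caller would block). */
static int domain_trylock(struct domain *d)
{
    if (d->locked) return -1;
    d->locked = true;
    return 0;
}
static void domain_unlock(struct domain *d) { d->locked = false; }

/* Flawed shape: the ACL denial returns while the lock is still held. */
int perform_leaky(struct domain *d, const struct client *c)
{
    if (domain_trylock(d) < 0) return -2;
    if (!c->can_migrate) return -1;    /* lock leaked on the error path */
    domain_unlock(d);                  /* migration work elided */
    return 0;
}

/* Hardened shape: every exit taken after locking passes through cleanup. */
int perform_fixed(struct domain *d, const struct client *c)
{
    int ret = -1;
    if (domain_trylock(d) < 0) return -2;
    if (!c->can_migrate) goto cleanup;
    ret = 0;                           /* migration work elided */
cleanup:
    domain_unlock(d);
    return ret;
}

/* 1 if a privileged caller can still use the domain after a denied attempt. */
int usable_after(int (*perform)(struct domain *, const struct client *))
{
    struct domain d = { false };
    const struct client unprivileged = { false }, admin = { true };
    perform(&d, &unprivileged);        /* denied: lacks domain:migrate */
    return perform(&d, &admin) == 0;
}

int main(void)
{
    printf("leaky=%d fixed=%d\n", usable_after(perform_leaky), usable_after(perform_fixed));
    return 0;
}
```

When auditing similar code, look for any `return` between a lock acquisition and its release that does not pass through the unlock path, especially on permission-check failures.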


