[Libvirt-announce] LSN-2014-0005: CVE-2014-3657

Eric Blake eblake at redhat.com
Wed Oct 1 18:44:18 UTC 2014


        Libvirt Security Notice: LSN-2014-0005
        ======================================

       Summary: virConnectListAllDomains can deadlock
   Reported on: 20140922
  Published on: 20141001
      Fixed on: 20141001
   Reported by: Pavel Hrdina <phrdina at redhat.com>
    Patched by: Pavel Hrdina <phrdina at redhat.com>
      See also: CVE-2014-3657

Description
-----------

The common implementation of virConnectListAllDomains used an early
return statement instead of jumping to a cleanup label when the API
was used with a NULL list parameter to merely obtain a count of
domains that match the filters. Because it missed the cleanup label,
this left the list of domains locked and prevented all further APIs
from accessing the list.

Impact
------

A read-only client can cause a denial of service attack against a
privileged client by passing a NULL parameter to force the deadlock
condition.

Workaround
----------

As long as all callers pass a non-NULL argument to
virConnectListAllDomains to collect an actual list rather than just
a count, the deadlock will not occur (this mode of operation is the
only mode used by virsh and in the python bindings, which is why the
bug has existed undetected for so long). Denying access to the
readonly libvirt socket will avoid the potential for a denial of
service attack, but will not prevent the deadlock if a privileged
client passes a NULL argument, although such a hang is no longer a
security problem.

Affected product
----------------

        Name: libvirt
  Repository: git://libvirt.org/git/libvirt.git
              http://libvirt.org/git/?p=libvirt.git

      Branch: master
   Broken in: v0.9.13
   Broken in: v1.0.0
   Broken in: v1.0.1
   Broken in: v1.0.2
   Broken in: v1.0.3
   Broken in: v1.0.4
   Broken in: v1.0.5
   Broken in: v1.0.6
   Broken in: v1.1.0
   Broken in: v1.1.1
   Broken in: v1.1.2
   Broken in: v1.1.3
   Broken in: v1.1.4
   Broken in: v1.2.0
   Broken in: v1.2.1
   Broken in: v1.2.2
   Broken in: v1.2.3
   Broken in: v1.2.4
   Broken in: v1.2.5
   Broken in: v1.2.6
   Broken in: v1.2.7
   Broken in: v1.2.8
    Fixed in: v1.2.9
   Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
    Fixed by: fc22b2e74890873848b43fffae43025d22053669

      Branch: v0.10.2-maint
   Broken in: v0.10.2.1
   Broken in: v0.10.2.2
   Broken in: v0.10.2.3
   Broken in: v0.10.2.4
   Broken in: v0.10.2.5
   Broken in: v0.10.2.6
   Broken in: v0.10.2.7
   Broken in: v0.10.2.8
   Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
    Fixed by: a397e887ed40898cc177e118dffdea8e1f4c6184

      Branch: v1.0.2-maint
   Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
    Fixed by: 905f2281e3dbb199191098235e335a2f54bb85c9

      Branch: v1.0.3-maint
   Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
    Fixed by: 31674d08fc1b54cd30ad9422ba84090a8b4a3f48

      Branch: v1.0.4-maint
   Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
    Fixed by: 26a87db8ea9320f08f5f029f4e1a47c04b322c64

      Branch: v1.0.5-maint
   Broken in: v1.0.5.1
   Broken in: v1.0.5.2
   Broken in: v1.0.5.3
   Broken in: v1.0.5.4
   Broken in: v1.0.5.5
   Broken in: v1.0.5.6
   Broken in: v1.0.5.7
   Broken in: v1.0.5.8
   Broken in: v1.0.5.9
   Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
    Fixed by: f18b86e35f25eacbe1c68cd32caea0310e9d220c

      Branch: v1.0.6-maint
   Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
    Fixed by: 4e41e40fde8e9eb5bfd67467450aeb4767b45b9c

      Branch: v1.1.0-maint
   Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
    Fixed by: b64eaab92267480e78133c3d2e7b698f046fe5d0

      Branch: v1.1.1-maint
   Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
    Fixed by: 64c04d03ce8d364043e692659220ae1094f1a0cf

      Branch: v1.1.2-maint
   Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
    Fixed by: 75d051c7313aaa977bb67fde9b4094ed6da5ad4e

      Branch: v1.1.3-maint
   Broken in: v1.1.3.1
   Broken in: v1.1.3.2
   Broken in: v1.1.3.3
   Broken in: v1.1.3.4
   Broken in: v1.1.3.5
   Broken in: v1.1.3.6
   Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
    Fixed by: 0b13d34e89405b6017a935d3c19d6a80ce7f3c6b

      Branch: v1.1.4-maint
   Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
    Fixed by: da254a088ca74377615d127562677fb23c987faa

      Branch: v1.2.0-maint
   Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
    Fixed by: 861f9b1c4536b27d2961039aaf73f66732543654

      Branch: v1.2.1-maint
   Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
    Fixed by: c639118634cab93bdf7a8c1bdf7f1f4fd1f8a8ce

      Branch: v1.2.2-maint
   Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
    Fixed by: 4ce1bd6e3783eef817ffd265616a2e6aa4cca2a3

      Branch: v1.2.3-maint
   Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
    Fixed by: 64700acc914e8ed7e091db2c67b48e7ef7ed99fc

      Branch: v1.2.4-maint
   Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
    Fixed by: 98e0692c968e194d5fd7176c6768da91ab48d651

      Branch: v1.2.5-maint
   Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
    Fixed by: af56bafcc9bfb39778790e9cd7f522b98354d978

      Branch: v1.2.6-maint
   Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
    Fixed by: 7dcab231de3749e8056597b9b2271cd32b3797bf

      Branch: v1.2.7-maint
   Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
    Fixed by: cd685ddb5d35df227aa5be9ae84368775c20e325

      Branch: v1.2.8-maint
   Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
    Fixed by: c074b4044e021db6765727ea18bca8408758c7a9


-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
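
The locking pattern from the Description section, as an added example that
is not part of the original notice and is not libvirt source code. The
struct, the function names and the sample domain IDs are constructed for
illustration; the "held" flag models the domain-list lock so that the stuck
state can be observed without actually hanging.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not libvirt code: 'held' stands in for the lock that
 * guards the domain list; lock_list() returns -1 where a real caller
 * would block forever. */
struct dom_list { int held; int ndoms; int ids[4]; };

static int lock_list(struct dom_list *l) { return l->held ? -1 : (l->held = 1, 0); }
static void unlock_list(struct dom_list *l) { l->held = 0; }

/* fixed == 0: early return on the count-only (NULL) path, as in the notice.
 * fixed == 1: the same path jumps to the cleanup label instead. */
static int list_all(struct dom_list *l, int **out, int fixed)
{
    int ret = -1;
    if (lock_list(l) < 0)
        return -2;                 /* list still locked by an earlier call */
    if (!out) {
        if (!fixed)
            return l->ndoms;       /* BUG: leaves the list locked */
        ret = l->ndoms;
        goto cleanup;
    }
    *out = malloc(sizeof(int) * l->ndoms);
    if (!*out)
        goto cleanup;
    for (int i = 0; i < l->ndoms; i++)
        (*out)[i] = l->ids[i];
    ret = l->ndoms;
cleanup:
    unlock_list(l);
    return ret;
}

int list_all_buggy(struct dom_list *l, int **out) { return list_all(l, out, 0); }
int list_all_fixed(struct dom_list *l, int **out) { return list_all(l, out, 1); }

int main(void)
{
    struct dom_list l = { 0, 3, { 10, 11, 12, 0 } };   /* constructed sample */
    int n = list_all_buggy(&l, NULL);      /* count-only call */
    int next = list_all_buggy(&l, NULL);   /* any later access to the list */
    printf("count=%d held=%d next=%d\n", n, l.held, next);
    return 0;
}
```
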



