Libvirt Security Notice: LSN-2014-0005
======================================
Summary: virConnectListAllDomains can deadlock
Reported on: 20140922
Published on: 20141001
Fixed on: 20141001
Reported by: Pavel Hrdina <phrdina(a)redhat.com>
Patched by: Pavel Hrdina <phrdina(a)redhat.com>
See also: CVE-2014-3657

Description
-----------
The common implementation of virConnectListAllDomains used an early
return statement instead of jumping to a cleanup label when the API
was used with a NULL list parameter to merely obtain a count of
domains that match the filters. Because it missed the cleanup label,
this left the list of domains locked and prevented all further APIs
from accessing the list.
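
The early-return flaw described above and its cleanup-label fix, shown as an
added example that is not libvirt's code. struct dom_list, the list_all_*
functions and list_after_count are hypothetical names, and a trylock stands in
for the blocking lock so that a leaked lock is reported as -1 rather than
hanging the program.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Hypothetical stand-in for the locked domain list; not libvirt's own type. */
struct dom_list { atomic_flag lock; int ndomains; };

/* Trylock, so a leaked lock shows up as -1 instead of hanging the demo. */
static int list_trylock(struct dom_list *l) { return !atomic_flag_test_and_set(&l->lock); }
static void list_unlock(struct dom_list *l) { atomic_flag_clear(&l->lock); }

/* Flawed shape: the count-only path (out == NULL) returns early. */
int list_all_flawed(struct dom_list *l, int *out, size_t cap) {
    if (!list_trylock(l))
        return -1;                  /* the real API would block here */
    if (!out)
        return l->ndomains;         /* BUG: lock is never released */
    for (size_t i = 0; i < cap && i < (size_t)l->ndomains; i++)
        out[i] = (int)i;            /* constructed domain ids */
    list_unlock(l);
    return l->ndomains;
}

/* Fixed shape: every exit after locking goes through the cleanup label. */
int list_all_fixed(struct dom_list *l, int *out, size_t cap) {
    int ret;
    if (!list_trylock(l))
        return -1;
    ret = l->ndomains;
    if (!out)
        goto cleanup;               /* count-only: skip the copy, not the unlock */
    for (size_t i = 0; i < cap && i < (size_t)ret; i++)
        out[i] = (int)i;
 cleanup:
    list_unlock(l);
    return ret;
}

/* One count-only call, then a normal listing call on the same list. */
int list_after_count(int (*api)(struct dom_list *, int *, size_t)) {
    struct dom_list l = { .lock = ATOMIC_FLAG_INIT, .ndomains = 3 };
    int ids[8];
    (void)api(&l, NULL, 0);
    return api(&l, ids, 8);
}

int main(void) {
    printf("flawed: %d, fixed: %d\n",
           list_after_count(list_all_flawed), list_after_count(list_all_fixed));
    return 0;
}
```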

Impact
------
A read-only client can cause a denial of service against a
privileged client by passing a NULL list parameter to force the
deadlock condition.

Workaround
----------
As long as all callers pass a non-NULL argument to
virConnectListAllDomains to collect an actual list rather than just
a count, the deadlock will not occur (this mode of operation is the
only mode used by virsh and in the python bindings, which is why the
bug has existed undetected for so long). Denying access to the
read-only libvirt socket will avoid the potential for a denial of
service attack, but will not prevent the deadlock if a privileged
client passes a NULL argument, although such a hang is no longer a
security problem.

Affected product
----------------
Name: libvirt
Repository:
git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v0.9.13
Broken in: v1.0.0
Broken in: v1.0.1
Broken in: v1.0.2
Broken in: v1.0.3
Broken in: v1.0.4
Broken in: v1.0.5
Broken in: v1.0.6
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Broken in: v1.1.3
Broken in: v1.1.4
Broken in: v1.2.0
Broken in: v1.2.1
Broken in: v1.2.2
Broken in: v1.2.3
Broken in: v1.2.4
Broken in: v1.2.5
Broken in: v1.2.6
Broken in: v1.2.7
Broken in: v1.2.8
Fixed in: v1.2.9
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: fc22b2e74890873848b43fffae43025d22053669
Branch: v0.10.2-maint
Broken in: v0.10.2.1
Broken in: v0.10.2.2
Broken in: v0.10.2.3
Broken in: v0.10.2.4
Broken in: v0.10.2.5
Broken in: v0.10.2.6
Broken in: v0.10.2.7
Broken in: v0.10.2.8
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: a397e887ed40898cc177e118dffdea8e1f4c6184
Branch: v1.0.2-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 905f2281e3dbb199191098235e335a2f54bb85c9
Branch: v1.0.3-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 31674d08fc1b54cd30ad9422ba84090a8b4a3f48
Branch: v1.0.4-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 26a87db8ea9320f08f5f029f4e1a47c04b322c64
Branch: v1.0.5-maint
Broken in: v1.0.5.1
Broken in: v1.0.5.2
Broken in: v1.0.5.3
Broken in: v1.0.5.4
Broken in: v1.0.5.5
Broken in: v1.0.5.6
Broken in: v1.0.5.7
Broken in: v1.0.5.8
Broken in: v1.0.5.9
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: f18b86e35f25eacbe1c68cd32caea0310e9d220c
Branch: v1.0.6-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 4e41e40fde8e9eb5bfd67467450aeb4767b45b9c
Branch: v1.1.0-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: b64eaab92267480e78133c3d2e7b698f046fe5d0
Branch: v1.1.1-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 64c04d03ce8d364043e692659220ae1094f1a0cf
Branch: v1.1.2-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 75d051c7313aaa977bb67fde9b4094ed6da5ad4e
Branch: v1.1.3-maint
Broken in: v1.1.3.1
Broken in: v1.1.3.2
Broken in: v1.1.3.3
Broken in: v1.1.3.4
Broken in: v1.1.3.5
Broken in: v1.1.3.6
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 0b13d34e89405b6017a935d3c19d6a80ce7f3c6b
Branch: v1.1.4-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: da254a088ca74377615d127562677fb23c987faa
Branch: v1.2.0-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 861f9b1c4536b27d2961039aaf73f66732543654
Branch: v1.2.1-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: c639118634cab93bdf7a8c1bdf7f1f4fd1f8a8ce
Branch: v1.2.2-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 4ce1bd6e3783eef817ffd265616a2e6aa4cca2a3
Branch: v1.2.3-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 64700acc914e8ed7e091db2c67b48e7ef7ed99fc
Branch: v1.2.4-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 98e0692c968e194d5fd7176c6768da91ab48d651
Branch: v1.2.5-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: af56bafcc9bfb39778790e9cd7f522b98354d978
Branch: v1.2.6-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 7dcab231de3749e8056597b9b2271cd32b3797bf
Branch: v1.2.7-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: cd685ddb5d35df227aa5be9ae84368775c20e325
Branch: v1.2.8-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: c074b4044e021db6765727ea18bca8408758c7a9
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org