Libvirt Security Notice: LSN-2014-0006
======================================
Summary: virDomainBlockRebase probes file formats in spite
of explicit raw request
Reported on: 20140626
Published on: 20140626
Fixed on: 20140625
Reported by: Eric Blake <eblake(a)redhat.com>
Patched by: Peter Krempa <pkrempa(a)redhat.com>
Description
-----------
When virDomainBlockRebase gained the VIR_DOMAIN_BLOCK_REBASE_COPY
flag, it was documented that libvirt might probe the format of the
destination file under certain circumstances; but since file format
probing is inherently unsafe for raw images (see CVE-2010-2237), the
API also included the VIR_DOMAIN_BLOCK_REBASE_COPY_RAW flag as a
safeguard to avoid the probe, in addition to the normal safeguards
of /etc/libvirt/qemu.conf being able to forbid all probes. However,
if a user has configured to allow probes, then two separate bugs in
the implementation create situations where even though the user
explicitly requested a raw destination, libvirt can end up probing
the file format of the destination after the time that
virDomainBlockAbort is used to pivot to that destination. The first
bug was introduced in v1.0.0, the same release as the initial
support for block copy: if the user requests the raw flag but lets
libvirt create the destination, then the destination file will be
raw but libvirt fails to record the fact. The second bug was
introduced in libvirt v1.2.1 as part of a fix for CVE-2013-6458 (and
therefore very likely to be backported to most builds that include
block copy support): if the user requests the raw flag and reuses an
existing destination file, but then later makes a second attempt to
do a block copy while the first copy is still underway, then libvirt
will forget that the destination is raw. In either scenario, once
libvirt has lost track that the destination is raw, it will probe
for the file format after a pivot. Note that although the block copy
API was not implemented upstream until v1.0.0, it can be backported
to any version that supports virDomainBlockRebase (as old as
v0.9.8), so downstream versions with a lower version number may also
suffer from these bugs.
Impact
------
A malicious guest can store what looks like a different file format
in the header of its disk image, in the hopes that the host will use
block copy to relocate the storage for the guest disk into a raw
file. If the host enables format probing, and either bug triggers,
then the guest will be serviced by a raw destination after a block
copy pivot, and libvirt may deduce the wrong file format in spite of
the API being used correctly to copy to a raw destination. Once
libvirt probes an incorrect format, it may end up incorrectly
labelling host files, granting the guest access to a mislabeled host
file, or otherwise violating sVirt protections. However, for either
bug to actually happen, the host must set
allow_disk_format_probing=1 in /etc/libvirt/qemu.conf; this setting
defaults to 0 with a lengthy comment warning of other possible
security problems if it is set to 1 without properly specifying
formats everywhere. Since any host that sticks with the default
configuration of disallowing probes is immune, this vulnerability
was not assigned a CVE. Furthermore, block copy as implemented in
the affected versions of libvirt is only possible on transient
domains, and most known users of block copy only perform shallow
copies (where the destination is qcow2 rather than raw), which is
also immune to incorrect probe results.
Workaround
----------
The guest cannot trigger the host to misbehave if the host leaves
/etc/libvirt/qemu.conf with its default setting of
allow_disk_format_probing=0. Furthermore, even if probing is
allowed, a host that never performs a block copy to a raw
destination file (whether pre-existing, or created by libvirt) will
not be impacted. Finally, even if block copy occurs where libvirt
forgets that the destination is raw, the worst effects of acting on
probed information occur when booting a guest, so it is sufficient
to edit the domain XML before each start of a guest, and re-add any
lost <driver format='raw'/> element back to any disk that was
previously copied to a raw destination, to ensure that libvirt does
not probe the image and perform incorrect actions based on the
probe. The newer virDomainBlockCopy API is immune to the problem.
Affected product
----------------
Name: libvirt
Repository:
git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v1.0.0
Broken in: v1.0.1
Broken in: v1.0.2
Broken in: v1.0.3
Broken in: v1.0.4
Broken in: v1.0.5
Broken in: v1.0.6
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Broken in: v1.1.3
Broken in: v1.1.4
Broken in: v1.2.0
Broken in: v1.2.1
Broken in: v1.2.2
Broken in: v1.2.3
Broken in: v1.2.4
Broken in: v1.2.5
Fixed in: v1.2.6
Broken by: 35c7701c64508f975dfeb8379c56b4b6d0d9b71c
Broken by: ff5f30b6bfa317f2a4c33f69289baf4e887eb048
Fixed by: 02b364e186d487f54ed410c01af042f23e812d42
Fixed by: 42619ed05d7924978f3e6e2399522fc6f30607de
Branch: v1.0.2-maint
Broken by: 35c7701c64508f975dfeb8379c56b4b6d0d9b71c
Broken by: c5683680576aa624b7bc29a9c927dc9d5253fe44
Fixed by: 2d03487b702b3946f9ef389614b17bf3c44108a4
Fixed by: 20326db6a536d989e0dd3425a293ee0b4ba7cdb4
Branch: v1.0.3-maint
Broken by: 35c7701c64508f975dfeb8379c56b4b6d0d9b71c
Broken by: a5987e23d5ff7a79a5c382b964ce3132c593e36d
Fixed by: 6cb267e816fd89e0c362d5a090ec6c0539d5e730
Fixed by: e22f1c2e13523c830dc5f26c87e644b4a0dfd1df
Branch: v1.0.4-maint
Broken by: 35c7701c64508f975dfeb8379c56b4b6d0d9b71c
Broken by: cd7021934e8031ce1ae777672c094e9f28d39d45
Fixed by: ecb305fdbda47bf4855972cb00ae55752e035447
Fixed by: 261679a8c345d0bab905ec0c52f39259ebe16bd9
Branch: v1.0.5-maint
Broken in: v1.0.5.1
Broken in: v1.0.5.2
Broken in: v1.0.5.3
Broken in: v1.0.5.4
Broken in: v1.0.5.5
Broken in: v1.0.5.6
Broken in: v1.0.5.7
Broken in: v1.0.5.8
Broken in: v1.0.5.9
Broken by: 35c7701c64508f975dfeb8379c56b4b6d0d9b71c
Broken by: 0135324b9fc0f4b803fcd1464c83ce458ca1b1e0
Fixed by: 39b5123dc0f08955b68d91a14bdc577ffd1a9558
Fixed by: 17df6a9b3997117b43f6caa56b43c54d1841d93c
Branch: v1.0.6-maint
Broken by: 35c7701c64508f975dfeb8379c56b4b6d0d9b71c
Broken by: 3e41a461b3f587c075005e3da4293e02efbc4f0d
Fixed by: 0e307ecf94967cfb4a8ed49db344e4513216a0df
Fixed by: 4fb55871e925f1d02ecd04f626c6cfecae141d7f
Branch: v1.1.0-maint
Broken by: 35c7701c64508f975dfeb8379c56b4b6d0d9b71c
Broken by: ebac034d4dafd1774f4b075f7b2b0fa52736c22e
Fixed by: 1141cdc95373b323779b67062fcb11385c72e810
Fixed by: 2a78c0f97e0c0f19e426403c7fd1ded8a9648b7d
Branch: v1.1.1-maint
Broken by: 35c7701c64508f975dfeb8379c56b4b6d0d9b71c
Broken by: 51d13311b89fe9709df0efef8054010d7e539600
Fixed by: f527b2253e372bb827195ef4af30f46862f6443a
Fixed by: 9bb60cb44357d4b7698db5ca41a524c1411a4358
Branch: v1.1.2-maint
Broken by: 35c7701c64508f975dfeb8379c56b4b6d0d9b71c
Broken by: 939b0818c223cd6e7a59dcf94c8117dfc5df2604
Fixed by: 2fc5924c9eddb25e117bd1bd58eb7aa0a53f1048
Fixed by: f4a7efeebc1935beeeafc4a5ccaabc037a5c10af
Branch: v1.1.3-maint
Broken in: v1.1.3.1
Broken in: v1.1.3.2
Broken in: v1.1.3.3
Broken in: v1.1.3.4
Broken in: v1.1.3.5
Fixed in: v1.1.3.6
Broken by: 35c7701c64508f975dfeb8379c56b4b6d0d9b71c
Broken by: 0c4822c17b6cdcce812fb9201f19d30232b3812d
Fixed by: ea1d4666d885ec68480f22a65d1a275a293484cd
Fixed by: e7ee7542bb9d66539a0ec8d4a1e72efdfb8ccebe
Branch: v1.1.4-maint
Broken by: 35c7701c64508f975dfeb8379c56b4b6d0d9b71c
Broken by: 94256e697b60ac8514ad9b437e4f6ac5dc369939
Fixed by: b4ef374c2963fe8a034672cb11ed9464009b6fa8
Fixed by: 53bde6b7b4f9bdae6f94a0c196705d4531ae8211
Branch: v1.2.0-maint
Broken by: 35c7701c64508f975dfeb8379c56b4b6d0d9b71c
Broken by: 26ff7d4c6ebc934c8881b93b526abb957738ed1d
Fixed by: 69380800fbfebc17666c38f2226c09cb6a201747
Fixed by: a103b53f3cd5420e5da986ddbb0de9ab51e54c34
Branch: v1.2.1-maint
Broken by: 35c7701c64508f975dfeb8379c56b4b6d0d9b71c
Broken by: ff5f30b6bfa317f2a4c33f69289baf4e887eb048
Fixed by: 60e54a50219b38d8d8ce8f95abd231316d95eeda
Fixed by: a73122a4ab911b7e18fb2837a9173b67beaf8edb
Branch: v1.2.2-maint
Broken by: 35c7701c64508f975dfeb8379c56b4b6d0d9b71c
Broken by: ff5f30b6bfa317f2a4c33f69289baf4e887eb048
Fixed by: 684893e6924f0304a6749982ac2b5d90f4c66c47
Fixed by: b7771f928e95c8638aceadae35af328649ada030
Branch: v1.2.3-maint
Broken by: 35c7701c64508f975dfeb8379c56b4b6d0d9b71c
Broken by: ff5f30b6bfa317f2a4c33f69289baf4e887eb048
Fixed by: 2f7ea630f019656f353dc4d2fff7dad38a0e61b8
Fixed by: b850e1a95c5d15700a396d7a5466b43113cb3ab5
Branch: v1.2.4-maint
Broken by: 35c7701c64508f975dfeb8379c56b4b6d0d9b71c
Broken by: ff5f30b6bfa317f2a4c33f69289baf4e887eb048
Fixed by: b952dbdaa56b62f92eda11087fbcac509b6c8789
Fixed by: 5b3af9c06c42f136efc458b837595e14d3911b1d
Branch: v1.2.5-maint
Broken by: 35c7701c64508f975dfeb8379c56b4b6d0d9b71c
Broken by: ff5f30b6bfa317f2a4c33f69289baf4e887eb048
Fixed by: bc390b175030f613e5f23edbde06ea5d466f6c31
Fixed by: 961758a1c66fb1777eba496eb1b328c8107f6a2d
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org