Hi Peter, I'm going to allocate a new (low impact) CVE for this bug. Thanks. On Wed, Jul 21, 2021 at 11:34 AM Peter Krempa <pkrempa@redhat.com> wrote:
Adding libvirt-security since I forgot when sending the patch.
On Wed, Jul 21, 2021 at 11:27:41 +0200, Peter Krempa wrote:
'virStoragePoolObjListSearch' returns a locked and refed object, thus we must release it on ACL permission failure.
Fixes: 7aa0e8c0cb8 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318 Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- Technically a security issue since it DoS-es the objects a user doesn't have access to for users which do have access.
Posting to standard devel list since the bugzilla above is public.
src/storage/storage_driver.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c index c2ff4b8d06..6aa10d89f6 100644 --- a/src/storage/storage_driver.c +++ b/src/storage/storage_driver.c @@ -1738,8 +1738,10 @@ storagePoolLookupByTargetPath(virConnectPtr conn, storagePoolLookupByTargetPathCallback, cleanpath))) { def = virStoragePoolObjGetDef(obj); - if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) + if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) { + virStoragePoolObjEndAPI(&obj); return NULL; + }
pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL); virStoragePoolObjEndAPI(&obj); -- 2.31.1
-- Mauro Matteo Cascella Red Hat Product Security PGP-Key ID: BB3410B0