Libvirt Security Notice
=======================
Summary: libvirtd daemon crash when reading memory tunables
for LXC guest in shutoff status
Reported on: 20131209
Published on: 20131220
Fixed on: 20131220
Reported by: Martin Kletzander <mkletzan(a)redhat.com>
Patched by: Martin Kletzander <mkletzan(a)redhat.com>
See also: CVE-2013-6436
Description
-----------
The lxcDomainGetMemoryParameters method in the LXC driver did not
check whether the guest being accessed was running or not. When
shutoff there will be no virCgroupPtr instance associated with the
guest. Reading memory tunables involves calling methods with the
virCgroupPtr object as a parameter. This will lead to a crash
accessing a NULL pointer.
Impact
------
A user who has permission to invoke the virDomainGetMemoryParameters
API against the LXC driver will be able to crash the libvirtd
daemon. Access to this API is granted to any user who connects to
the read-only libvirtd UNIX domain socket. If ACLs are active,
access is granted to any user with the 'read' permission on the
'domain' object, which is granted by default to all users. As a
result an unprivileged user will be able to inflict a denial of
service attack on other users of the libvirtd daemon with higher
privilege.
Workaround
----------
The impact can be mitigated by blocking access to the read-only
libvirtd UNIX domain socket, with policykit or the 'auth_unix_ro'
parameter in '/etc/libvirt/libvirtd.conf'. If ACLs are active, the
'read' permission should be removed from any untrusted users. This
will not prevent the crash, but will stop unprivileged users from
inflicting the denial of service on higher privileged users.
Affected product
----------------
Name: libvirt
Repository:
git://libvirt.org/git/libvirt.git
Branch: master
Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969
Fixed by: f8c1cb90213508c4f32549023b0572ed774e48aa
Branch: v1.0.5-maint
Broken in: v1.0.5
Broken in: v1.0.5.1
Broken in: v1.0.5.2
Broken in: v1.0.5.3
Broken in: v1.0.5.4
Broken in: v1.0.5.5
Broken in: v1.0.5.6
Broken in: v1.0.5.7
Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969
Fixed by: 218bd2e8716bcb4c90acf6ecaf879d606b46606b
Branch: v1.0.6-maint
Broken in: v1.0.6
Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969
Fixed by: 80d682fd90bb7e97d8670be4cba1fe153438d7a0
Branch: v1.1.0-maint
Broken in: v1.1.0
Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969
Fixed by: 30a589bc4731488ca3428515ed57ce5446a83bbd
Branch: v1.1.1-maint
Broken in: v1.1.1
Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969
Fixed by: 9a68d1354233f4cfca686655f8021e9477977e6e
Branch: v1.1.2-maint
Broken in: v1.1.2
Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969
Fixed by: 79384018480f11ec6f2c2196039e67a9196d3e3a
Branch: v1.1.3-maint
Broken in: v1.1.3
Broken in: v1.1.3.1
Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969
Fixed by: 66247dc5fffe5b9447f4db377c5adf02e6db97c4
Branch: v1.1.4-maint
Broken in: v1.1.4
Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969
Fixed by: 09956c7db764a0958034de6fac58aaaaf8e878bf
Branch: v1.2.0-maint
Broken in: v1.2.0
Broken by: cfed9ad4fb28e268e1467a0071c2fbc0c0873969
Fixed by: 705f388bceb4fce21b7c5ebc6310cb467c362239
Daniel
--
|:
http://berrange.com -o-
http://www.flickr.com/photos/dberrange/ :|
|:
http://libvirt.org -o-
http://virt-manager.org :|
|:
http://autobuild.org -o-
http://search.cpan.org/~danberr/ :|
|:
http://entangle-photo.org -o-
http://live.gnome.org/gtk-vnc :|