Libvirt Security Notice: LSN-2014-0004
======================================
Summary: Querying blkiotune after disk hotplug can lead to
libvirtd crash
Reported on: 20140911
Published on: 20140917
Fixed on: 20140917
Reported by: Luyao Huang <lhuang(a)redhat.com>
Patched by: Peter Krempa <pkrempa(a)redhat.com>
See also: CVE-2014-3633
Description
-----------
The qemu implementation of virDomainGetBlockIoTune computed an index
into the array of disks for the live definition, then used it as the
index into the array of disks for the persistent definition. If
management had hot-plugged disks to the live definition, the two
arrays are not necessarily the same length, and this could result in
the persistent definition dereferencing an out-of-bounds pointer.
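The index mismatch described above, as an added illustration that is not libvirt's own code: constructed stand-in types hold a persistent definition with one disk and a live definition that gained a hot-plugged second disk, and the corrected lookup resolves the disk by target name in each definition separately (that independent lookup is the pattern assumed here, not a quotation of the upstream patch).

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for libvirt's disk and domain definitions (not libvirt's types). */
typedef struct { const char *dst; int read_iops; } DiskDef;
typedef struct { const DiskDef *disks; size_t ndisks; } DomainDef;

/* Sample data (constructed): the persistent config has only vda; vdb was hot-plugged live. */
static const DiskDef persistentDisks[] = { { "vda", 1000 } };
static const DiskDef liveDisks[]       = { { "vda", 1000 }, { "vdb", 500 } };
static const DomainDef persistentDef = { persistentDisks, 1 };
static const DomainDef liveDef       = { liveDisks, 2 };

/* Find a disk by target name; -1 if the definition has no such disk. */
static int diskIndexByName(const DomainDef *def, const char *dst)
{
    for (size_t i = 0; i < def->ndisks; i++)
        if (strcmp(def->disks[i].dst, dst) == 0)
            return (int)i;
    return -1;
}

/* Flawed pattern from the advisory: the index found in the live array is reused
 * on the persistent array. Returns 1 when that reuse would run past the end,
 * 0 when it happens to stay in bounds, -1 if the disk is not live at all.
 * The out-of-bounds read itself is deliberately not performed here. */
static int liveIndexOverflowsPersistent(const DomainDef *live,
                                        const DomainDef *persistent,
                                        const char *dst)
{
    int idx = diskIndexByName(live, dst);
    if (idx < 0)
        return -1;
    return (size_t)idx >= persistent->ndisks ? 1 : 0;
}

/* Corrected pattern: look the disk up in each definition independently and
 * refuse the persistent query when the disk exists only in the live config.
 * Returns 0 on success, -1 if not live, -2 if absent from the persistent def. */
static int persistentReadIops(const DomainDef *live, const DomainDef *persistent,
                              const char *dst, int *out)
{
    if (diskIndexByName(live, dst) < 0)
        return -1;
    int pidx = diskIndexByName(persistent, dst);
    if (pidx < 0)
        return -2;
    *out = persistent->disks[pidx].read_iops;
    return 0;
}
```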
Impact
------
A read-only client can cause a denial of service attack against a
privileged client if the out-of-bounds dereference causes libvirtd
to crash, or possibly gain read access to sensitive information
residing in the heap.
Workaround
----------
The out-of-bounds access is only possible on domains that have had
disks hot-plugged or removed from the live image without also
updating the persistent definition to match; keeping the two
definitions matched or using only transient domains will avoid the
problem. Denying access to the readonly libvirt socket will avoid
the potential for a denial of service attack, but will not prevent
the out-of-bounds access from causing a crash for a privileged
client, although such a crash is no longer a security problem.
Affected product
----------------
Name: libvirt
Repository:
git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v0.9.8
Broken in: v0.9.9
Broken in: v0.9.10
Broken in: v0.9.11
Broken in: v0.9.12
Broken in: v0.9.13
Broken in: v1.0.0
Broken in: v1.0.1
Broken in: v1.0.2
Broken in: v1.0.3
Broken in: v1.0.4
Broken in: v1.0.5
Broken in: v1.0.6
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Broken in: v1.1.3
Broken in: v1.1.4
Broken in: v1.2.0
Broken in: v1.2.1
Broken in: v1.2.2
Broken in: v1.2.3
Broken in: v1.2.4
Broken in: v1.2.5
Broken in: v1.2.6
Broken in: v1.2.7
Broken in: v1.2.8
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 3e745e8f775dfe6f64f18b5c2fe4791b35d3546b
Branch: v0.9.11-maint
Broken in: v0.9.11.1
Broken in: v0.9.11.2
Broken in: v0.9.11.3
Broken in: v0.9.11.4
Broken in: v0.9.11.5
Broken in: v0.9.11.6
Broken in: v0.9.11.7
Broken in: v0.9.11.8
Broken in: v0.9.11.9
Broken in: v0.9.11.10
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Branch: v0.9.12-maint
Broken in: v0.9.12.1
Broken in: v0.9.12.2
Broken in: v0.9.12.3
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 750280023cc0896b05f86e292857ceef5eee3a72
Branch: v0.10.2-maint
Broken in: v0.10.2.1
Broken in: v0.10.2.2
Broken in: v0.10.2.3
Broken in: v0.10.2.4
Broken in: v0.10.2.5
Broken in: v0.10.2.6
Broken in: v0.10.2.7
Broken in: v0.10.2.8
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 0fa54204f264e3d39387f5762f810d31cce770b2
Branch: v1.0.2-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: d30fea03a545a2d9f5f228cd3292484ce7850256
Branch: v1.0.3-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 35a802639d713054503f7243e39be0503fe19ec3
Branch: v1.0.4-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: a45c8466fa3531d35728575a1facc0406f97079a
Branch: v1.0.5-maint
Broken in: v1.0.5.1
Broken in: v1.0.5.2
Broken in: v1.0.5.3
Broken in: v1.0.5.4
Broken in: v1.0.5.5
Broken in: v1.0.5.6
Broken in: v1.0.5.7
Broken in: v1.0.5.8
Broken in: v1.0.5.9
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: cc05c6d5d2f7a577a1a365fbc5451fb6b5f57445
Branch: v1.0.6-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: cc19d1c08f49acdcfd5eb0e26561ea88e800f177
Branch: v1.1.0-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: dd8a348e4747a59c60991f3b41567ab0a1dcca0e
Branch: v1.1.1-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: ed071fee073bc5a439ec64f0e501d5f90c41dec5
Branch: v1.1.2-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: d4360edd1ca88cb1f144bf77f7df23ebf1f90632
Branch: v1.1.3-maint
Broken in: v1.1.3.1
Broken in: v1.1.3.2
Broken in: v1.1.3.3
Broken in: v1.1.3.4
Broken in: v1.1.3.5
Broken in: v1.1.3.6
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: eefe2e013820a76dfe5132431db72aade911eeab
Branch: v1.1.4-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 92430a6942fc0f4dceea4957f688430f093676ab
Branch: v1.2.0-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: e8f6971e3f29a7392224d7056b05b2acf133e58d
Branch: v1.2.1-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: fdde9d6a1b8a559f5fa18a68cc8e8a35354b3ae9
Branch: v1.2.2-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 111855e82429249ccd98f9ed0c8c72116e241959
Branch: v1.2.3-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 81edcbb3ca1061d5b54945a7e1e9e2e03891307b
Branch: v1.2.4-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 8a07faf3377c4b1e9f4ded59882f305426d02e6c
Branch: v1.2.5-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 7156bd0ce2dc92231c393fc7bd493e7aa383d966
Branch: v1.2.6-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 4e701c06c54ec007041e20e5ef085711f38a0266
Branch: v1.2.7-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: cf7a69bc08e79c254f1accd939f4746ca94fe7e7
Branch: v1.2.8-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 6bdf14150e99ca8921a4017bb9502325e200815b
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|