Libvirt Security Notice: LSN-2013-0020 ====================================== Summary: libvirtd crash when hot-plugging disks for qemu domains Reported on: 20131220 Published on: 20131213 Fixed on: 20140107 Reported by: Alexandre M Patched by: Jiri Denemark See also: CVE-2013-6458, redhat bug #1043069 Description ----------- Several methods in the qemu block driver were accessing details about disks associated with a domain outside of a job lock. If another connection is adding or removing disks, the details in use by the first connection could become stale and lead to a libvirtd crash. Among the methods impacted, it is possible to trigger the race from four APIs accessible from read-only clients: virDomainBlockStats, virDomainGetBlockInfo, virDomainGetBlockJobInfo, and virDomainGetBlockIoTune. Impact ------ Each of the four affected APIs could be used by any user that can connect through the read-only libvirtd UNIX domain socket. Also, if ACLs are active, access to the affected APIs is granted to any user with the 'read' permission on the 'domain' object, which is granted by default to all users. As a result an unprivileged user will be able to inflict a denial of service attack on other users of the libvirtd daemon with higher privilege. Workaround ---------- The impact can be mitigated by blocking access to the read-only libvirtd UNIX domain socket, with policykit or the 'auth_unix_ro' parameter in '/etc/libvirt/libvirtd.conf'. If ACLs are active, the 'read' permission should be removed from any untrusted users. This will not prevent the crash, but will stop unprivileged users from inflicting the denial of service on higher privileged users. Additionally, avoiding disk hot-plug actions is sufficient to avoid the problem. Affected product ---------------- Name: libvirt Repository: https://gitlab.com/libvirt/libvirt Branch: master Broken in: v0.8.2 Broken in: v0.8.3 Broken in: v0.8.4 Broken in: v0.8.5 Broken in: v0.8.6 Broken in: v0.8.7 Broken in: v0.8.8 Broken in: v0.9.0 Broken in: v0.9.1 Broken in: v0.9.2 Broken in: v0.9.3 Broken in: v0.9.4 Broken in: v0.9.5 Broken in: v0.9.6 Broken in: v0.9.7 Broken in: v0.9.8 Broken in: v0.9.9 Broken in: v0.9.10 Broken in: v0.9.11 Broken in: v0.9.12 Broken in: v0.9.13 Broken in: v0.10.0 Broken in: v0.10.1 Broken in: v0.10.2 Broken in: v1.0.0 Broken in: v1.0.1 Broken in: v1.0.2 Broken in: v1.0.3 Broken in: v1.0.4 Broken in: v1.0.5 Broken in: v1.0.6 Broken in: v1.1.0 Broken in: v1.1.1 Broken in: v1.1.2 Broken in: v1.1.3 Broken in: v1.1.4 Broken in: v1.2.0 Fixed in: v1.2.1 Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: db86da5ca2109e4006c286a09b6c75bfe10676ad Fixed by: b799259583bd65c0b2f5042e6c3ff19637ade881 Fixed by: f93d2caa070f6197ab50d372d286018b0ba6bbd8 Fixed by: 3b56425938e2f97208d5918263efa0d6439e4ecd Branch: v0.8.3-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Branch: v0.9.6-maint Broken in: v0.9.6.1 Broken in: v0.9.6.2 Broken in: v0.9.6.3 Broken in: v0.9.6.4 Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Branch: v0.9.11-maint Broken in: v0.9.11.1 Broken in: v0.9.11.2 Broken in: v0.9.11.3 Broken in: v0.9.11.4 Broken in: v0.9.11.5 Broken in: v0.9.11.6 Broken in: v0.9.11.7 Broken in: v0.9.11.8 Broken in: v0.9.11.9 Broken in: v0.9.11.10 Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Branch: v0.9.12-maint Broken in: v0.9.12.1 Broken in: v0.9.12.2 Fixed in: v0.9.12.3 Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: c430c002dd8287c5d7b834993ddfbd61435248c4 Fixed by: 4dd29d3bdf4bf3a4c4b1077ddf4355bcf548ca2f Fixed by: 3e7d9e54e9ce286fe1bee5d32089cd58d63e5cee Fixed by: 2786686eb5855e0046817d47055cd784881ca8cb Branch: v0.10.2-maint Broken in: v0.10.2.1 Broken in: v0.10.2.2 Broken in: v0.10.2.3 Broken in: v0.10.2.4 Broken in: v0.10.2.5 Broken in: v0.10.2.6 Broken in: v0.10.2.7 Broken in: v0.10.2.8 Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: 5f5e9eb23dead857b1858da8b97a6cb0442fabed Fixed by: 7a9bcfa1ccc190e33e6fa931df8143cc9623cf24 Fixed by: 95836cb26b1d91b8e9eba0c4764bc24cccc78684 Fixed by: f59d02c487659e9d9f8e152673a0fe4d612172b2 Branch: v1.0.0-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Branch: v1.0.1-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Branch: v1.0.2-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: 561b03f9165a860139edd3c03bb3e35a2c2f85ca Fixed by: 324279f2c867f404712c659adc4f399f8d343eda Fixed by: c973eb035ee0d8863d0f2ed25f0523e3e7fee433 Fixed by: d0a4e2498d7d3b1cf1683b0720b9bc6edabcd364 Branch: v1.0.3-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: 59d46c6cd5cb892ce68e83c99c14023f29e073a7 Fixed by: 12ca0aaf2fc32647d3a570780a2c7467a26b0ecd Fixed by: da2d96d12521a20305d0ea3190539e1c4b367d75 Fixed by: c51986ba820dde30e48b4f1694862c3cf4d8b7ec Branch: v1.0.4-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: d003b8f294801adfc655096cfc80480e7f2e17ae Fixed by: e966f1155ccb1c4e3ddc41a02b1107af2d98f98d Fixed by: fa5c087aef266e27a0641c720bbbf95cd5ace6b1 Fixed by: 473b751d895d248f37766bab32e20ee00ac3913a Branch: v1.0.5-maint Broken in: v1.0.5.1 Broken in: v1.0.5.2 Broken in: v1.0.5.3 Broken in: v1.0.5.4 Broken in: v1.0.5.5 Broken in: v1.0.5.6 Broken in: v1.0.5.7 Broken in: v1.0.5.8 Fixed in: v1.0.5.9 Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: c67b0de046b16dca352537e8f39ff935a5fded76 Fixed by: 923319189022c5806da01b963dddd8dff0d6c747 Fixed by: 6cd879829aaf02f56182feb16b4284d5b3fdcfd7 Fixed by: dee5fc756648e62062da3366583fc343413e1ba7 Branch: v1.0.6-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: 938ef6e611b39630b00b368b8b8d7db7e619ed99 Fixed by: 6eae1538c1d5b7aaee34f3ca81389906d8af0626 Fixed by: 8bdc22d281105fe32c85da58faf817ab9b2da369 Fixed by: ac8feea58029fea294c3c60c220592ca7c9734c8 Branch: v1.1.0-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: 5efb996317f1f8a57fea625526075be9ef84e69c Fixed by: c1f8276a81de8d31578f16cc6bfdafc5e807427d Fixed by: 1478ebf2bcadbaf3b66d9e91086bcca39a41bb65 Fixed by: 8cc2474f0645fab308090f477e98317b0dff485f Branch: v1.1.1-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: 84c251faec7a0003863fe1c9b1abc7960f395faa Fixed by: 3451828a28a333e570af621eceb93245763fa044 Fixed by: 571629b2dfd2eeb8001efddac2569b12621d1db3 Fixed by: c5b379e17daa2f641363712212a18b3b31cacdea Branch: v1.1.2-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: 17db7e28a1ec77382bb8fa96205ef2cf6deefa88 Fixed by: 54cb7f05ec5c822bb786833367dc80327648f2c0 Fixed by: bcb9a035a99cf8389069c401c94605aedccdc4df Fixed by: 82daa87f6a020ba2d1274b300f8e95f903fbe0f8 Branch: v1.1.3-maint Broken in: v1.1.3.1 Broken in: v1.1.3.2 Fixed in: v1.1.3.3 Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: 1bfc35e3f837ab7b399fe664281b7db06db96a05 Fixed by: 0e98442e3bcbf832f49a6d36f94558bb026e3f3a Fixed by: 7354aaf4607beaa9f4a6d68e3b26a28c97494e58 Fixed by: a7844b9ec2718dad9f5e5316cc0673e95098d812 Branch: v1.1.4-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: c8fa19d9e385d8bae368385aece1c3f493be4e71 Fixed by: 4ee6ed6f50a71868fbb8a5f28edbcfd7170f5bf5 Fixed by: 36c1691c6d61aa5a0d9a65d64bc3af3e15692d62 Fixed by: 8fcc0f0237f728361065caf6fac0fce1965230a0 Branch: v1.2.0-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: 13051a86cb093d4c421a8669ccd7591578d004aa Fixed by: 3a0286f978c19ecc7b2ef2242b33688239428f85 Fixed by: 4d8c603ca2cb1fb70c0e0d2e0d51d1fe3261c7b9 Fixed by: c6fbbe85aa496d178d5e4188bee166a5abb97029