Libvirt Security Notice: LSN-2013-0021

libvirtd crash during seamless SPICE migration

Lifecycle

Reported on: 2013-09-19
Published on: 2013-09-19
Fixed on: 2013-09-20

Credits

Reported by: Marian Krcmarik
Patched by: Martin Kletzander

See also

Description

When migrating a guest with a live SPICE connection, the source libvirtd did not properly track that the migration job was still waiting for status from the handshakes involved in seamless migration.

Impact

If another client was querying domain status at the same time as the ongoing seamless SPICE migration, the incorrect job status could lead to memory corruption and a crash of libvirtd on the source side of the migration. As queries can be performed by an unprivileged user, this can be used to inflict a denial of service attack on other users of the libvirtd daemon with higher privilege.

Workaround

The impact can be mitigated by blocking unauthenticated access to the read-only libvirtd UNIX domain socket, either through policykit or through the 'auth_unix_ro' parameter in '/etc/libvirt/libvirtd.conf'. If ACLs are active, the 'read' permission should be removed from any untrusted users. Neither measure prevents the crash itself; they only stop unprivileged users from triggering the denial of service against higher privileged users. Additionally, avoiding SPICE seamless migration altogether is sufficient to avoid the problem.
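The following shell snippet is an added example, not part of this notice or of libvirt itself. It audits the 'auth_unix_ro' setting that the workaround above refers to: it strips comments from a libvirtd.conf-style file, resolves the effective value (libvirt's compiled-in default of "none" applies when the key is absent or commented out), and reports whether the read-only socket requires authentication. The two configuration files it checks are constructed inline for illustration; the weak one leaves the key commented out, the hardened one sets it to "polkit".

```sh
#!/bin/sh
# Added example (not from the libvirt notice): audit 'auth_unix_ro' in a
# libvirtd.conf-style file. The format is key = "value" with '#' comments.
# A key that is absent or commented out keeps its built-in default, which
# for auth_unix_ro is "none" (no authentication on the read-only socket).

# Print the effective auth_unix_ro value for the config file given as $1.
effective_auth_unix_ro() {
    # Drop comments, keep the last uncommented assignment, extract the quoted value.
    val=$(sed -e 's/#.*//' "$1" \
          | grep -E '^[[:space:]]*auth_unix_ro[[:space:]]*=' \
          | tail -n 1 \
          | sed -e 's/^[^=]*=[[:space:]]*"\{0,1\}//' -e 's/"\{0,1\}[[:space:]]*$//')
    if [ -z "$val" ]; then
        echo none        # compiled-in default when the key is not set
    else
        echo "$val"
    fi
}

# Return 0 when clients on the read-only socket must authenticate, 1 when
# the socket is open to any local user (the condition the notice warns about).
ro_socket_requires_auth() {
    case "$(effective_auth_unix_ro "$1")" in
        none|"") return 1 ;;
        *)       return 0 ;;
    esac
}

# Constructed sample configs (not copied from any real host).
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# auth_unix_ro = "polkit"     <- still commented out, so the default "none" applies
auth_unix_rw = "polkit"
EOF

HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
auth_unix_ro = "polkit"   # read-only clients must authenticate via polkit
auth_unix_rw = "polkit"
EOF

for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    if ro_socket_requires_auth "$f"; then
        echo "$f: auth_unix_ro=$(effective_auth_unix_ro "$f") (read-only socket protected)"
    else
        echo "$f: auth_unix_ro=$(effective_auth_unix_ro "$f") (read-only socket open to local users)"
    fi
done
```

Point the functions at a real '/etc/libvirt/libvirtd.conf' to check a host; the setting only takes effect after libvirtd is restarted, and it does not replace the upstream fix, since the crash remains reachable by whoever is still allowed to query domain status.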

Affected product: libvirt

Branch master
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Fixed in: v1.1.3
Broken by: 9da7b11bcd3e9732dd881a9e6158a0c98bafd9fe
Fixed by: 484cc3217b73b865f00bf42a9c12187b37200699
Branch v1.1.0-maint
Broken by: 9da7b11bcd3e9732dd881a9e6158a0c98bafd9fe
Fixed by: 476d0e38af11f3ff50d85e3f7aecad4cd8208c76
Branch v1.1.1-maint
Broken by: 9da7b11bcd3e9732dd881a9e6158a0c98bafd9fe
Fixed by: fea2550974137918c2bc9e01f3eb00421585450c
Branch v1.1.2-maint
Broken by: 9da7b11bcd3e9732dd881a9e6158a0c98bafd9fe
Fixed by: b6ea7abcf72d7d0aaf90e17aa8e8e88db8f778ea
