Libvirt Security Notice: LSN-2014-0004

Querying blkiotune after disk hotplug can lead to libvirtd crash

Lifecycle

Reported on: 20140911
Published on: 20140917
Fixed on: 20140917

Credits

Reported by: Luyao Huang
Patched by: Peter Krempa

See also

Description

The qemu implementation of virDomainGetBlockIoTune computed an index into the array of disks for the live definition, then used it as the index into the array of disks for the persistent definition. If management had hot-plugged disks to the live definition, the two arrays are not necessarily the same length, and this could result in the persistent definition dereferencing an out-of-bounds pointer.
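The following C program is an added illustration, not part of this advisory or of libvirt's code: it models the index mix-up described above with a constructed two-disk domain, reports (instead of performing) the out-of-bounds read, and shows one hardening where each definition is searched by target name on its own. The type and function names are stand-ins chosen here, not libvirt's real virDomainDiskDef or virDomainGetBlockIoTune internals, and the separate-lookup fix is my illustration of the principle rather than a claim about the upstream patch.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the disk and domain definitions; not libvirt's
 * real virDomainDiskDef/virDomainDef, only the fields the lookup needs. */
typedef struct {
    const char *dst;    /* target device name, e.g. "vda" */
    int weight;         /* blkio weight configured for this disk */
} DiskDef;

typedef struct {
    const DiskDef *disks;
    size_t ndisks;
} DomainDef;

/* Index of the disk whose target matches dst, or -1 if the definition has none. */
static int diskIndexByTarget(const DomainDef *def, const char *dst) {
    for (size_t i = 0; i < def->ndisks; i++)
        if (strcmp(def->disks[i].dst, dst) == 0)
            return (int)i;
    return -1;
}

/* The vulnerable pattern with the dereference replaced by a bounds report:
 * returns 1 if reusing the live index on the persistent array would read past
 * its end (the bug this advisory describes), 0 if it stays in bounds (though
 * it may still name a different disk), -1 if the live definition lacks dst. */
static int liveIndexOverrunsPersistent(const DomainDef *live,
                                       const DomainDef *persist,
                                       const char *dst) {
    int idx = diskIndexByTarget(live, dst);
    if (idx < 0)
        return -1;
    return (size_t)idx >= persist->ndisks;
}

/* Hardened form: the persistent definition is searched independently, so the
 * index used on its array always came from that array. Returns 0 and stores
 * the weight, or -1 if the persistent definition has no such disk. */
static int persistentWeightByTarget(const DomainDef *persist, const char *dst,
                                    int *weight) {
    int idx = diskIndexByTarget(persist, dst);
    if (idx < 0)
        return -1;
    *weight = persist->disks[idx].weight;
    return 0;
}

/* Constructed sample: vdb was hot-plugged into the live domain only. */
static const DiskDef liveDisks[] = { { "vda", 500 }, { "vdb", 300 } };
static const DiskDef persistDisks[] = { { "vda", 500 } };
static const DomainDef liveDef = { liveDisks, 2 };
static const DomainDef persistDef = { persistDisks, 1 };
```

With the sample above, asking about vdb yields live index 1 against a persistent array of length 1, which is exactly the overrun the description refers to; the hardened lookup instead reports that the persistent definition has no vdb.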

Impact

A read-only client can cause a denial of service attack against a privileged client if the out-of-bounds dereference causes libvirtd to crash, or possibly gain read access to sensitive information residing in the heap.

Workaround

The out-of-bounds access is only possible on domains that have had disks hot-plugged or removed from the live image without also updating the persistent definition to match; keeping the two definitions matched or using only transient domains will avoid the problem. Denying access to the readonly libvirt socket will avoid the potential for a denial of service attack, but will not prevent the out-of-bounds access from causing a crash for a privileged client, although such a crash is no longer a security problem.

Affected product: libvirt

Branch master
Broken in: v0.9.8
Broken in: v0.9.9
Broken in: v0.9.10
Broken in: v0.9.11
Broken in: v0.9.12
Broken in: v0.9.13
Broken in: v1.0.0
Broken in: v1.0.1
Broken in: v1.0.2
Broken in: v1.0.3
Broken in: v1.0.4
Broken in: v1.0.5
Broken in: v1.0.6
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Broken in: v1.1.3
Broken in: v1.1.4
Broken in: v1.2.0
Broken in: v1.2.1
Broken in: v1.2.2
Broken in: v1.2.3
Broken in: v1.2.4
Broken in: v1.2.5
Broken in: v1.2.6
Broken in: v1.2.7
Broken in: v1.2.8
Fixed in: v1.2.9
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 3e745e8f775dfe6f64f18b5c2fe4791b35d3546b
Branch v0.9.11-maint
Broken in: v0.9.11.1
Broken in: v0.9.11.2
Broken in: v0.9.11.3
Broken in: v0.9.11.4
Broken in: v0.9.11.5
Broken in: v0.9.11.6
Broken in: v0.9.11.7
Broken in: v0.9.11.8
Broken in: v0.9.11.9
Broken in: v0.9.11.10
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Branch v0.9.12-maint
Broken in: v0.9.12.1
Broken in: v0.9.12.2
Broken in: v0.9.12.3
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 750280023cc0896b05f86e292857ceef5eee3a72
Branch v0.10.2-maint
Broken in: v0.10.2.1
Broken in: v0.10.2.2
Broken in: v0.10.2.3
Broken in: v0.10.2.4
Broken in: v0.10.2.5
Broken in: v0.10.2.6
Broken in: v0.10.2.7
Broken in: v0.10.2.8
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 0fa54204f264e3d39387f5762f810d31cce770b2
Branch v1.0.2-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: d30fea03a545a2d9f5f228cd3292484ce7850256
Branch v1.0.3-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 35a802639d713054503f7243e39be0503fe19ec3
Branch v1.0.4-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: a45c8466fa3531d35728575a1facc0406f97079a
Branch v1.0.5-maint
Broken in: v1.0.5.1
Broken in: v1.0.5.2
Broken in: v1.0.5.3
Broken in: v1.0.5.4
Broken in: v1.0.5.5
Broken in: v1.0.5.6
Broken in: v1.0.5.7
Broken in: v1.0.5.8
Broken in: v1.0.5.9
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: cc05c6d5d2f7a577a1a365fbc5451fb6b5f57445
Branch v1.0.6-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: cc19d1c08f49acdcfd5eb0e26561ea88e800f177
Branch v1.1.0-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: dd8a348e4747a59c60991f3b41567ab0a1dcca0e
Branch v1.1.1-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: ed071fee073bc5a439ec64f0e501d5f90c41dec5
Branch v1.1.2-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: d4360edd1ca88cb1f144bf77f7df23ebf1f90632
Branch v1.1.3-maint
Broken in: v1.1.3.1
Broken in: v1.1.3.2
Broken in: v1.1.3.3
Broken in: v1.1.3.4
Broken in: v1.1.3.5
Broken in: v1.1.3.6
Fixed in: v1.1.3.7
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: eefe2e013820a76dfe5132431db72aade911eeab
Branch v1.1.4-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 92430a6942fc0f4dceea4957f688430f093676ab
Branch v1.2.0-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: e8f6971e3f29a7392224d7056b05b2acf133e58d
Branch v1.2.1-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: fdde9d6a1b8a559f5fa18a68cc8e8a35354b3ae9
Branch v1.2.2-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 111855e82429249ccd98f9ed0c8c72116e241959
Branch v1.2.3-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 81edcbb3ca1061d5b54945a7e1e9e2e03891307b
Branch v1.2.4-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 8a07faf3377c4b1e9f4ded59882f305426d02e6c
Branch v1.2.5-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 7156bd0ce2dc92231c393fc7bd493e7aa383d966
Branch v1.2.6-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 4e701c06c54ec007041e20e5ef085711f38a0266
Branch v1.2.7-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: cf7a69bc08e79c254f1accd939f4746ca94fe7e7
Branch v1.2.8-maint
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa
Fixed by: 6bdf14150e99ca8921a4017bb9502325e200815b