Libvirt Security Notice: LSN-2014-0005
======================================

Summary: virConnectListAllDomains can deadlock
Reported on: 20140922
Published on: 20141001
Fixed on: 20141001
Reported by: Pavel Hrdina
Patched by: Pavel Hrdina
See also: CVE-2014-3657

Description
-----------

The common implementation of virConnectListAllDomains used an early return statement instead of jumping to a cleanup label when the API was used with a NULL list parameter to merely obtain a count of domains that match the filters. Because it missed the cleanup label, this left the list of domains locked and prevented all further APIs from accessing the list.

Impact
------

A read-only client can cause a denial of service attack against a privileged client by passing a NULL parameter to force the deadlock condition.

Workaround
----------

As long as all callers pass a non-NULL argument to virConnectListAllDomains to collect an actual list rather than just a count, the deadlock will not occur (this mode of operation is the only mode used by virsh and in the python bindings, which is why the bug has existed undetected for so long). Denying access to the readonly libvirt socket will avoid the potential for a denial of service attack, but will not prevent the deadlock if a privileged client passes a NULL argument, although such a hang is no longer a security problem.
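The bug class named in the Description, shown as an added example that is not libvirt source code: a count-only call (NULL output pointer) returns early with the list lock still held, next to the single-cleanup-label form that releases it. The struct, function names and the try-lock stand-in (used so the demo reports the stuck lock rather than hanging) are all assumptions made for illustration.

```c
/* Added illustration, not libvirt source; every name here is hypothetical. */
#include <stdatomic.h>
#include <stdio.h>

struct dom_list {
    atomic_flag lock;   /* stand-in for the lock guarding the domain list */
    int ids[4], count;
};
/* Try-lock, so the demo reports a stuck lock instead of hanging on it. */
static int list_trylock(struct dom_list *l) { return !atomic_flag_test_and_set(&l->lock); }
static void list_unlock(struct dom_list *l) { atomic_flag_clear(&l->lock); }

/* Flawed shape: the count-only path (out == NULL) returns with the lock held. */
int list_all_flawed(struct dom_list *l, int *out) {
    if (!list_trylock(l))
        return -1;                  /* a blocking lock would hang here */
    if (out == NULL)
        return l->count;            /* early return skips list_unlock() */
    for (int i = 0; i < l->count; i++) out[i] = l->ids[i];
    list_unlock(l);
    return l->count;
}

/* Corrected shape: every exit taken after locking passes through cleanup. */
int list_all_fixed(struct dom_list *l, int *out) {
    int ret = -1;
    if (!list_trylock(l))
        return ret;
    ret = l->count;
    if (out == NULL)
        goto cleanup;
    for (int i = 0; i < l->count; i++) out[i] = l->ids[i];
cleanup:
    list_unlock(l);
    return ret;
}

/* Makes a count-only call, then a normal call; returns the second result. */
int second_call(int (*fn)(struct dom_list *, int *)) {
    struct dom_list l = { ATOMIC_FLAG_INIT, {1, 2, 3, 0}, 3 };
    int buf[4];
    fn(&l, NULL);
    return fn(&l, buf);
}

int main(void) {
    printf("flawed=%d fixed=%d\n", second_call(list_all_flawed), second_call(list_all_fixed));
    return 0;
}
```

In the flawed variant the second caller never acquires the lock, which with a blocking lock is the hang the notice describes.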

Affected product
----------------

Name: libvirt
Repository: https://gitlab.com/libvirt/libvirt

Branch: master
Broken in: v0.9.13
Broken in: v0.10.0
Broken in: v0.10.1
Broken in: v0.10.2
Broken in: v1.0.0
Broken in: v1.0.1
Broken in: v1.0.2
Broken in: v1.0.3
Broken in: v1.0.4
Broken in: v1.0.5
Broken in: v1.0.6
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Broken in: v1.1.3
Broken in: v1.1.4
Broken in: v1.2.0
Broken in: v1.2.1
Broken in: v1.2.2
Broken in: v1.2.3
Broken in: v1.2.4
Broken in: v1.2.5
Broken in: v1.2.6
Broken in: v1.2.7
Broken in: v1.2.8
Fixed in: v1.2.9
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: fc22b2e74890873848b43fffae43025d22053669

Branch: v0.10.2-maint
Broken in: v0.10.2.1
Broken in: v0.10.2.2
Broken in: v0.10.2.3
Broken in: v0.10.2.4
Broken in: v0.10.2.5
Broken in: v0.10.2.6
Broken in: v0.10.2.7
Broken in: v0.10.2.8
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: a397e887ed40898cc177e118dffdea8e1f4c6184

Branch: v1.0.0-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0

Branch: v1.0.1-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0

Branch: v1.0.2-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 905f2281e3dbb199191098235e335a2f54bb85c9

Branch: v1.0.3-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 31674d08fc1b54cd30ad9422ba84090a8b4a3f48

Branch: v1.0.4-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 26a87db8ea9320f08f5f029f4e1a47c04b322c64

Branch: v1.0.5-maint
Broken in: v1.0.5.1
Broken in: v1.0.5.2
Broken in: v1.0.5.3
Broken in: v1.0.5.4
Broken in: v1.0.5.5
Broken in: v1.0.5.6
Broken in: v1.0.5.7
Broken in: v1.0.5.8
Broken in: v1.0.5.9
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: f18b86e35f25eacbe1c68cd32caea0310e9d220c

Branch: v1.0.6-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 4e41e40fde8e9eb5bfd67467450aeb4767b45b9c

Branch: v1.1.0-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: b64eaab92267480e78133c3d2e7b698f046fe5d0

Branch: v1.1.1-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 64c04d03ce8d364043e692659220ae1094f1a0cf

Branch: v1.1.2-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 75d051c7313aaa977bb67fde9b4094ed6da5ad4e

Branch: v1.1.3-maint
Broken in: v1.1.3.1
Broken in: v1.1.3.2
Broken in: v1.1.3.3
Broken in: v1.1.3.4
Broken in: v1.1.3.5
Broken in: v1.1.3.6
Fixed in: v1.1.3.7
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 0b13d34e89405b6017a935d3c19d6a80ce7f3c6b

Branch: v1.1.4-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: da254a088ca74377615d127562677fb23c987faa

Branch: v1.2.0-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 861f9b1c4536b27d2961039aaf73f66732543654

Branch: v1.2.1-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: c639118634cab93bdf7a8c1bdf7f1f4fd1f8a8ce

Branch: v1.2.2-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 4ce1bd6e3783eef817ffd265616a2e6aa4cca2a3

Branch: v1.2.3-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 64700acc914e8ed7e091db2c67b48e7ef7ed99fc

Branch: v1.2.4-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 98e0692c968e194d5fd7176c6768da91ab48d651

Branch: v1.2.5-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: af56bafcc9bfb39778790e9cd7f522b98354d978

Branch: v1.2.6-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: 7dcab231de3749e8056597b9b2271cd32b3797bf

Branch: v1.2.7-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: cd685ddb5d35df227aa5be9ae84368775c20e325

Branch: v1.2.8-maint
Broken by: 2c6808044408fba9ff9547ad88bb8a0f44ee21a0
Fixed by: c074b4044e021db6765727ea18bca8408758c7a9