Libvirt Security Notice: LSN-2014-0010

deadlock on failed migration

Lifecycle

Reported on: 20141208
Published on: 20141208
Fixed on: 20141209

Credits

Reported by: Peter Krempa
Patched by: Peter Krempa

See also

Description

When using fine-grained ACLs to restrict users from migrating domains, a logic bug could leave the domain locked and prevent further operation on that domain.

Impact

A client that lacks the domain:migrate fine-grained ACL could use a failed migration attempt to trigger a denial of service against a more privileged user.

Workaround

The bug is mitigated by the fact that the "perform" and "finish" states of migration can generally be reached only after a successful "begin" or "prepare" state, both of which also require the same domain:migrate permission. Furthermore, the "prepare" state also requires the domain:write permission, and any user which has been granted that permission is already deemed to have full control over the system; even if domain:migrate permission is dynamically denied after migration has already started in order to trigger the flaw, an attack by such a user generally does not constitute a denial of service against a more privileged user. On the other hand, a malicious client that has access to the read-write socket via only a weaker privilege such as domain:read can send RPC commands out of order, to attempt a "perform" without going through the prerequisite states, and thereby trigger the bug in a manner that forms a denial of service. Read-only clients cannot trigger the problem, even via bad RPC commands. It is possible to avoid the bug by not using the fine-grained access control mechanism.

Affected product: libvirt

Branch master
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Broken in: v1.1.3
Broken in: v1.1.4
Broken in: v1.2.0
Broken in: v1.2.1
Broken in: v1.2.2
Broken in: v1.2.3
Broken in: v1.2.4
Broken in: v1.2.5
Broken in: v1.2.6
Broken in: v1.2.7
Broken in: v1.2.8
Broken in: v1.2.9
Broken in: v1.2.10
Fixed in: v1.2.11
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 2bdcd29c713dfedd813c89f56ae98f6f3898313d
Branch v1.1.0-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 540872ceae9d2850e42d3615f017feb46ab585aa
Branch v1.1.1-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: fb1e0312f4cfc2375ee94d40e5f2999cd761337d
Branch v1.1.2-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 12c35ca8e6a1dff79fe706b24edc094be7df9f93
Branch v1.1.3-maint
Broken in: v1.1.3.1
Broken in: v1.1.3.2
Broken in: v1.1.3.3
Broken in: v1.1.3.4
Broken in: v1.1.3.5
Broken in: v1.1.3.6
Broken in: v1.1.3.7
Broken in: v1.1.3.8
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 63934cae465f757c774db1fa4e86d3c8bda4591b
Branch v1.1.4-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 995516ad3dc64fb5a5102ad0fbbea6e1701f0d8d
Branch v1.2.0-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 0d365c6f707f55e77ff14d6a52a59b7d1c43f8a4
Branch v1.2.1-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 75dfd58284de1fdc146b8aa3deb7d6a2057f0391
Branch v1.2.2-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: f5a151754f2080598049baf5d68282f183a30f5c
Branch v1.2.3-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: e0e2f7eafc5adfbac4343592def097cbe8a67653
Branch v1.2.4-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 4ba560e050fa83a2ef2083fbfa0ad9484b9393d4
Branch v1.2.5-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: cd3d695a6be8398b399d0d06c26a618b12ad8946
Branch v1.2.6-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: bad50b7501ebfe8076a6f7809d7b44b7a94c38ef
Branch v1.2.7-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 220759259bcbcc705a96dc1cbaeb2f2ce980c479
Branch v1.2.8-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 372bfe63b501c7580400107682633ad421416f88
Branch v1.2.9-maint
Broken in: v1.2.9.1
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 12496319a24dd923c5f321c84112fd0e73979413
Branch v1.2.10-maint
Broken by: abf75aea247ef6e432e5a51bcdb21972e50a4cd1
Fixed by: 2a121c635306cd498cdabb63a806ae17821b245f

Alternative formats: [xml] [text]