Libvirt Security Notice: LSN-2010-0001

Ignoring main disk format when looking up disk backing stores


Reported on: 20100615
Published on: 20100712
Fixed on: 20100719


Reported by: Daniel Berrange
Patched by: Daniel Berrange

See also


Prior to starting a guest, or when hotplugging or unplugging a device the libvirt SELinux, DAC and CGroups security drivers need to determine full file chain associated with a disk image. This is done by traversing backing file formats referenced in the disk headers. The code did not, however, honour the disk format recorded in disk XML configuration, when reading disk images so a raw file could be mis-identifed as another type of file.


The SELinux, DAC and CGroups code was not honouring disk formats so could be tricked into giving the VM access to files that were otherwise not permitted by its configuration. This can be done by taking what was expected to be a raw disks file and writing a qcow2 header into it.


Do not use any raw disk images.

Affected product: libvirt

Branch master
Broken in: v0.7.2
Broken in: v0.7.3
Broken in: v0.7.4
Broken in: v0.7.5
Broken in: v0.7.6
Broken in: v0.7.7
Broken in: v0.8.0
Broken in: v0.8.1
Broken in: v0.8.2
Fixed in: v0.8.3
Broken by: fe627697a3830cd2db0efcc201d8caa9e171263d
Broken by: 15f5eaa09895d68b849a0b0ec458acdafe75d080
Broken by: 117d04fb1d388df700cc37c4d2a68189fab280c0
Fixed by: 68719c4bddb85fbcc931a5b7d99ac7c8a0af09b0

Alternative formats: [xml] [text]