Libvirt Security Notice: LSN-2013-0009

Missing bounds checking on parameter count in migration API

Lifecycle

Reported on: 20130829
Published on: 20130829
Fixed on: 20130829

Credits

Reported by: Daniel Berrange
Patched by: Daniel Berrange

See also

Description

The virDomainMigrate*Params RPC calls did not check how many parameters were supplied by the user.

Impact

A malicious user with the ability to start migration can cause libvirtd to allocate arbitrary amounts of memory by specifying too many parameters.
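
The missing check described above, shown in a small decoder for a constructed wire format (a 4-byte big-endian count followed by fixed-size entries). This is an added example, not libvirt's code; `PARAM_LIST_MAX`, `param_t`, `decode_params` and the wire layout are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed names and wire layout, chosen for this example only. */
#define PARAM_LIST_MAX  64u  /* hypothetical protocol limit on entries */
#define PARAM_WIRE_SIZE 8u   /* bytes per entry: 4-byte key, 4-byte value */

typedef struct { uint32_t key; uint32_t value; } param_t;

static uint32_t rd32(const unsigned char *p)   /* big-endian read */
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Decode "count, then count entries". Returns 0 on success, -1 on reject. */
int decode_params(const unsigned char *msg, size_t len,
                  param_t **out, uint32_t *nout)
{
    *out = NULL;
    *nout = 0;
    if (len < 4)
        return -1;
    uint32_t n = rd32(msg);
    if (n > PARAM_LIST_MAX)                 /* cap the caller-supplied count */
        return -1;                          /* ...before any allocation      */
    if ((len - 4) / PARAM_WIRE_SIZE < n)    /* count must fit the payload    */
        return -1;
    if (n == 0)
        return 0;
    param_t *p = calloc(n, sizeof(*p));     /* n <= 64, so size is bounded   */
    if (p == NULL)
        return -1;
    for (uint32_t i = 0; i < n; i++) {
        const unsigned char *e = msg + 4 + (size_t)i * PARAM_WIRE_SIZE;
        p[i].key = rd32(e);
        p[i].value = rd32(e + 4);
    }
    *out = p;
    *nout = n;
    return 0;
}

int main(void)
{
    /* Constructed sample: header claims 0xffffffff entries, none present. */
    const unsigned char huge[4] = { 0xff, 0xff, 0xff, 0xff };
    param_t *p; uint32_t n;
    printf("oversized count -> %d\n", decode_params(huge, sizeof huge, &p, &n));
    return 0;
}
```
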

Workaround

Prevent untrusted users from using the migration APIs by setting a suitable access control policy.

Affected product: libvirt

Branch master
Broken in: v1.1.0
Broken in: v1.1.1
Fixed in: v1.1.2
Broken by: c0762b6518c32c1d6b17b7a222301fbfd90ba582
Fixed by: fd6f6a48619eb221afeb1c5965537534cd54e01d

Branch v1.1.0-maint
Broken by: c0762b6518c32c1d6b17b7a222301fbfd90ba582
Fixed by: c30273ffba1579560548a16da063b95a8c9a1dc9

Branch v1.1.1-maint
Broken by: c0762b6518c32c1d6b17b7a222301fbfd90ba582
Fixed by: dfae2d6208926c6adb12a440b5e4640c1ac049d0
