Libvirt Security Notice: LSN-2013-0010

Crash when querying domain memory stats

Lifecycle

Reported on: 20130903
Published on: 20130918
Fixed on: 20130918

Credits

Reported by: Daniel Berrange
Patched by: Daniel Berrange

See also

Description

The code handling the virDomainMemoryStats API in the libvirtd daemon dispatch did not correctly initialize variables to NULL. Thus, if RPC parameter validation failed, it was possible for libvirtd to access uninitialized memory during cleanup.
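The following is an added example, not libvirt's own code, showing the defect class described above: a dispatch handler whose validation failure jumps to a shared cleanup label before anything has been allocated. The names `dispatch_memory_stats`, `STATS_MAX`, `struct mem_stat` and the tracking helpers are hypothetical; the vulnerable declaration appears only in a comment, and the compiled code is the corrected form.

```c
#include <stdio.h>
#include <stdlib.h>

#define STATS_MAX 1024u            /* hypothetical protocol limit */
struct mem_stat { int tag; unsigned long long val; };

static int live_allocs;            /* allocations not yet released */

static void *tracked_calloc(size_t n, size_t sz) {
    void *p = calloc(n, sz);
    if (p) live_allocs++;
    return p;
}

static void tracked_free(void *p) {
    if (p) live_allocs--;
    free(p);                       /* free(NULL) is a defined no-op */
}

/* Handler for a "memory stats" request; max_stats is client-controlled. */
int dispatch_memory_stats(unsigned int max_stats, unsigned int *nr_out) {
    /* Vulnerable form: "struct mem_stat *stats;" with no initializer.
     * The early "goto cleanup" below would then free stack garbage. */
    struct mem_stat *stats = NULL;
    char *dom_name = NULL;         /* stands in for a looked-up domain handle */
    int rv = -1;

    if (max_stats == 0 || max_stats > STATS_MAX)
        goto cleanup;              /* validation failed before any allocation */
    if (!(dom_name = tracked_calloc(1, 16)) ||
        !(stats = tracked_calloc(max_stats, sizeof(*stats))))
        goto cleanup;
    for (unsigned int i = 0; i < max_stats; i++)
        stats[i].tag = (int)i;     /* constructed data, not real stats */
    *nr_out = max_stats;
    rv = 0;

cleanup:
    tracked_free(stats);           /* safe only because both start as NULL */
    tracked_free(dom_name);
    return rv;
}

int main(void) {
    unsigned int n = 0;
    int rc = dispatch_memory_stats(STATS_MAX + 1, &n);
    printf("oversized request: rc=%d\n", rc);
    rc = dispatch_memory_stats(8, &n);
    printf("valid request:     rc=%d n=%u\n", rc, n);
    return 0;
}
```

Building handlers like this with `-Wall -Wextra` (which enables uninitialized-variable warnings in GCC and Clang) or running them under a memory sanitizer is a practical way to catch the uninitialized form before release.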

Impact

An unprivileged user can cause libvirtd to access uninitialized memory by sending an intentionally invalid RPC request for domain memory stats. This could lead to heap corruption in some cases.

Workaround

Prevent untrusted users from connecting to the libvirtd daemon or block access to the virDomainMemoryStats API with the access control framework.

Affected product: libvirt

Branch master
Broken in: v0.9.1
Broken in: v0.9.2
Broken in: v0.9.3
Broken in: v0.9.4
Broken in: v0.9.5
Broken in: v0.9.6
Broken in: v0.9.7
Broken in: v0.9.8
Broken in: v0.9.9
Broken in: v0.9.10
Broken in: v0.9.11
Broken in: v0.9.12
Broken in: v0.9.13
Broken in: v0.10.0
Broken in: v0.10.1
Broken in: v0.10.2
Broken in: v1.0.0
Broken in: v1.0.1
Broken in: v1.0.2
Broken in: v1.0.3
Broken in: v1.0.4
Broken in: v1.0.5
Broken in: v1.0.6
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Fixed in: v1.1.3
Broken by: 158ba8730e44b7dd07a21ab90499996c5dec080a
Fixed by: e7f400a110e2e3673b96518170bfea0855dd82c0
Branch v0.9.6-maint
Broken in: v0.9.6.1
Broken in: v0.9.6.2
Broken in: v0.9.6.3
Broken in: v0.9.6.4
Broken by: 158ba8730e44b7dd07a21ab90499996c5dec080a
Branch v0.9.11-maint
Broken in: v0.9.11.1
Broken in: v0.9.11.2
Broken in: v0.9.11.3
Broken in: v0.9.11.4
Broken in: v0.9.11.5
Broken in: v0.9.11.6
Broken in: v0.9.11.7
Broken in: v0.9.11.8
Broken in: v0.9.11.9
Broken in: v0.9.11.10
Broken by: 158ba8730e44b7dd07a21ab90499996c5dec080a
Branch v0.9.12-maint
Broken in: v0.9.12.1
Fixed in: v0.9.12.2
Broken by: 158ba8730e44b7dd07a21ab90499996c5dec080a
Fixed by: 2f34eae93a09ac94297eaa91ad8f4b037b2c9e27
Branch v0.10.2-maint
Broken in: v0.10.2.1
Broken in: v0.10.2.2
Broken in: v0.10.2.3
Broken in: v0.10.2.4
Broken in: v0.10.2.5
Broken in: v0.10.2.6
Broken in: v0.10.2.7
Fixed in: v0.10.2.8
Broken by: 158ba8730e44b7dd07a21ab90499996c5dec080a
Fixed by: 455de1215cc921efcd2b210f129f55c27445d623
Branch v1.0.0-maint
Broken by: 158ba8730e44b7dd07a21ab90499996c5dec080a
Branch v1.0.1-maint
Broken by: 158ba8730e44b7dd07a21ab90499996c5dec080a
Branch v1.0.2-maint
Broken by: 158ba8730e44b7dd07a21ab90499996c5dec080a
Fixed by: 9579f4576c066bc20a8dd952b08657b326f71052
Branch v1.0.3-maint
Broken by: 158ba8730e44b7dd07a21ab90499996c5dec080a
Fixed by: a413bc2dda06f47c2ec90ec924dbceb9dd0bbf97
Branch v1.0.4-maint
Broken by: 158ba8730e44b7dd07a21ab90499996c5dec080a
Fixed by: 95983486d9f882746e7e3c4ce621ecadd7466a40
Branch v1.0.5-maint
Broken in: v1.0.5.1
Broken in: v1.0.5.2
Broken in: v1.0.5.3
Broken in: v1.0.5.4
Broken in: v1.0.5.5
Fixed in: v1.0.5.6
Broken by: 158ba8730e44b7dd07a21ab90499996c5dec080a
Fixed by: 118d26dc1fd99e0d113af364638be3e9a32f706e
Branch v1.0.6-maint
Broken by: 158ba8730e44b7dd07a21ab90499996c5dec080a
Fixed by: 6d1acf71955c0d02168217ad0a87ef8b779e0f89
Branch v1.1.0-maint
Broken by: 158ba8730e44b7dd07a21ab90499996c5dec080a
Fixed by: 2bfbf7a18e48127efd9b3d2d0976db6dffc476ff
Branch v1.1.1-maint
Broken by: 158ba8730e44b7dd07a21ab90499996c5dec080a
Fixed by: f229972fd92374eed356c3ede74b886ebe77734e
Branch v1.1.2-maint
Broken by: 158ba8730e44b7dd07a21ab90499996c5dec080a
Fixed by: 10d159fee27d007de42890626340c581cd12d788
