| Reported on: | 20131209 |
|---|---|
| Published on: | 20131220 |
| Fixed on: | 20131220 |
| Reported by: | Martin Kletzander |
|---|---|
| Patched by: | Martin Kletzander |
The lxcDomainGetMemoryParameters method in the LXC driver did not check whether the guest being accessed was running or not. When shutoff there will be no virCgroupPtr instance associated with the guest. Reading memory tunables involves calling methods with the virCgroupPtr object as a parameter. This will lead to a crash accessing a NULL pointer.
A user who has permission to invoke the virDomainGetMemoryParameters API against the LXC driver will be able to crash the libvirtd daemon. Access to this API is granted to any user who connects to the read-only libvirtd UNIX domain socket. If ACLs are active, access is granted to any user with the 'read' permission on the 'domain' object, which is granted by default to all users. As a result an unprivileged user will be able to inflict a denial of service attack on other users of the libvirtd daemon with higher privilege.
The impact can be mitigated by blocking access to the read-only libvirtd UNIX domain socket, with policykit or the 'auth_unix_ro' parameter in '/etc/libvirt/libvirtd.conf'. If ACLs are active, the 'read' permission should be removed from any untrusted users. This will not prevent the crash, but will stop unprivileged users from inflicting the denial of service on higher privileged users.