| Reported on: | 20131220 |
|---|---|
| Published on: | 20131220 |
| Fixed on: | 20131220 |
| Reported by: | Dario Faggioli |
|---|---|
| Patched by: | Dario Faggioli |
The libxlDomainGetNumaParameters method in the libxl driver did not check whether the guest being accessed was running or not. When shutoff, the code attempts to clean up an uninitialized bitmap, causing malloc corruption most commonly observed as a crash.
A user who has permission to invoke the virDomainGetNumaParameters API against the libxl driver will be able to crash the libvirtd daemon. Access to this API is granted to any user who connects to the read-only libvirtd UNIX domain socket. If ACLs are active, access is granted to any user with the 'read' permission on the 'domain' object, which is granted by default to all users. As a result an unprivileged user will be able to inflict a denial of service attack on other users of the libvirtd daemon with higher privilege.
The impact can be mitigated by blocking access to the read-only libvirtd UNIX domain socket, with policykit or the 'auth_unix_ro' parameter in '/etc/libvirt/libvirtd.conf'. If ACLs are active, the 'read' permission should be removed from any untrusted users. This will not prevent the crash, but will stop unprivileged users from inflicting the denial of service on higher privileged users.