Libvirt Security Notice: LSN-2013-0019
libvirtd crash when reading numa tunables for libxl guest in shutoff status
Lifecycle
| Reported on: |
20131220 |
| Published on: |
20131220 |
| Fixed on: |
20131220 |
Credits
See also
Description
The libxlDomainGetNumaParameters method in the libxl driver
did not check whether the guest being accessed was running or
not. When shutoff, the code attempts to clean up an uninitialized
bitmap, causing malloc corruption most commonly observed as a crash.
Impact
A user who has permission to invoke the virDomainGetNumaParameters
API against the libxl driver will be able to crash the libvirtd
daemon. Access to this API is granted to any user who connects to the
read-only libvirtd UNIX domain socket. If ACLs are active, access is
granted to any user with the 'read' permission on the 'domain' object,
which is granted by default to all users. As a result an unprivileged
user will be able to inflict a denial of service attack on other users
of the libvirtd daemon with higher privilege.
Workaround
The impact can be mitigated by blocking access to the read-only
libvirtd UNIX domain socket, with policykit or the 'auth_unix_ro' parameter
in '/etc/libvirt/libvirtd.conf'. If ACLs are active, the 'read' permission
should be removed from any untrusted users. This will not prevent the crash,
but will stop unprivileged users from inflicting the denial of service
on higher privileged users.
Affected product: libvirt
Alternative formats:
[xml] [text]