Libvirt Security Notice: LSN-2013-0019 ====================================== Summary: libvirtd crash when reading numa tunables for libxl guest in shutoff status Reported on: 20131220 Published on: 20131220 Fixed on: 20131220 Reported by: Dario Faggioli Patched by: Dario Faggioli See also: CVE-2013-6457 Description ----------- The libxlDomainGetNumaParameters method in the libxl driver did not check whether the guest being accessed was running or not. When shutoff, the code attempts to clean up an uninitialized bitmap, causing malloc corruption most commonly observed as a crash. Impact ------ A user who has permission to invoke the virDomainGetNumaParameters API against the libxl driver will be able to crash the libvirtd daemon. Access to this API is granted to any user who connects to the read-only libvirtd UNIX domain socket. If ACLs are active, access is granted to any user with the 'read' permission on the 'domain' object, which is granted by default to all users. As a result an unprivileged user will be able to inflict a denial of service attack on other users of the libvirtd daemon with higher privilege. Workaround ---------- The impact can be mitigated by blocking access to the read-only libvirtd UNIX domain socket, with policykit or the 'auth_unix_ro' parameter in '/etc/libvirt/libvirtd.conf'. If ACLs are active, the 'read' permission should be removed from any untrusted users. This will not prevent the crash, but will stop unprivileged users from inflicting the denial of service on higher privileged users. Affected product ---------------- Name: libvirt Repository: https://gitlab.com/libvirt/libvirt Branch: master Broken in: v1.1.1 Broken in: v1.1.2 Broken in: v1.1.3 Broken in: v1.1.4 Broken in: v1.2.0 Fixed in: v1.2.1 Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63 Fixed by: f9ee91d35510ccbc6fc42cef8864b291b2d220f4 Branch: v1.1.1-maint Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63 Fixed by: d5f89a6dd725baf8bca1f1e28f5b858bf0053a99 Branch: v1.1.2-maint Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63 Fixed by: 52c40003805f1702f103095dc5c3d00cf38e7a82 Branch: v1.1.3-maint Broken in: v1.1.3.1 Broken in: v1.1.3.2 Fixed in: v1.1.3.3 Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63 Fixed by: 5904ba60159ce67826f301e78103191600a07600 Branch: v1.1.4-maint Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63 Fixed by: 626eb91f964a032af56b448e63fde9f74e592290 Branch: v1.2.0-maint Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63 Fixed by: 36378d1a41464517d7c31d8854fcfd8f69221409