| Field | Value |
|---|---|
| Reported on: | 20130919 |
| Published on: | 20130919 |
| Fixed on: | 20130920 |
| Reported by: | Marian Krcmarik |
| Patched by: | Martin Kletzander |
When migrating a guest with a live SPICE connection, the source libvirtd did not properly track that the migration job was still waiting for status from the handshakes involved in seamless migration.
If another client was querying domain status at the same time as the ongoing seamless SPICE migration, the incorrect job status could lead to memory corruption and a crash of libvirtd on the source side of the migration. As queries can be performed by an unprivileged user, this can be used to inflict a denial of service attack on other users of the libvirtd daemon with higher privilege.
The impact can be mitigated by blocking access to the read-only libvirtd UNIX domain socket, with policykit or the 'auth_unix_ro' parameter in '/etc/libvirt/libvirtd.conf'. If ACLs are active, the 'read' permission should be removed from any untrusted users. This will not prevent the crash, but will stop unprivileged users from inflicting the denial of service on higher privileged users. Additionally, avoiding SPICE seamless migration is sufficient to avoid the problem.
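The following libvirtd.conf fragment is an added example, not part of the advisory, showing the permissive defaults next to the settings that implement the mitigation above. The keys (`auth_unix_ro`, `unix_sock_group`, `unix_sock_ro_perms`, `access_drivers`) are standard libvirtd.conf parameters; the group name `libvirt` is an assumption and should be whatever trusted group exists on the host.

```ini
# /etc/libvirt/libvirtd.conf (added example; the commented lines show the shipped defaults)

# Weak (default): the read-only UNIX socket accepts any local user with no authentication,
# so any unprivileged user can issue the domain status queries described above.
#auth_unix_ro = "none"
#unix_sock_ro_perms = "0777"

# Mitigation 1: require polkit authorization on the read-only socket. Untrusted users can
# then no longer query domain status on the migration source and trigger the crash.
auth_unix_ro = "polkit"

# Alternative to polkit: restrict the read-only socket to a trusted group at the
# filesystem level (group name "libvirt" is an assumption for this example).
unix_sock_group = "libvirt"
unix_sock_ro_perms = "0770"

# Mitigation 2 (only if fine-grained ACLs are in use): route per-API checks through
# polkit so the 'read' permission can be withheld from untrusted users by a polkit rule.
access_drivers = [ "polkit" ]
```

After editing the file, restart libvirtd for the socket settings to take effect. A quick check is to run a read-only `virsh` query (for example `virsh -c qemu:///system list`) as an unprivileged user: with `auth_unix_ro = "polkit"` it should now require authorization instead of returning the domain list, while root and members of the trusted group keep their access.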