Libvirt Security Notice: LSN-2014-0009

crash when using virStorageVolUpload

Lifecycle

Reported on: 20141202
Published on: 20141203
Fixed on: 20141203

Credits

Reported by: Pei Zhang
Patched by: Luyao Huang

See also

Description

Incorrect parameter validation of the virStorageVolUpload command could cause libvirtd to attempt to dereference NULL.

Impact

When using fine-grained ACLs, a user that is permitted to modify storage volumes but not create arbitrary domains can use bogus parameters to cause a denial of service attack against more privileged users.

Workaround

Passing valid parameters to virStorageVolUpload will not trigger a problem. It is also possible to prevent the denial of service by stopping the use of the fine grained access control mechanism, or by not granting users the storage_vol:data_write permission if they do not also have the domain:write permission; doing this will not prevent the crash for invalid parameters, but such a crash is no longer a security attack.

Affected product: libvirt

Branch master
Broken in: v1.2.8
Broken in: v1.2.9
Broken in: v1.2.10
Fixed in: v1.2.11
Broken by: 4a85bf3e2fa703fdc14e8c49d5017ef04832a1d7
Fixed by: 87b9437f8951f9d24f9a85c6bbfff0e54df8c984
Branch v1.2.8-maint
Broken by: 4a85bf3e2fa703fdc14e8c49d5017ef04832a1d7
Fixed by: 05ba8c50b15f7078ba7981f550fc59c3dc74c469
Branch v1.2.9-maint
Broken in: v1.2.9.1
Fixed in: v1.2.9.2
Broken by: 4a85bf3e2fa703fdc14e8c49d5017ef04832a1d7
Fixed by: 584e876ba2057b472074dbf177d2397392d70363
Branch v1.2.10-maint
Broken by: 4a85bf3e2fa703fdc14e8c49d5017ef04832a1d7
Fixed by: c89df3695b397d155ca15ac174c983ae9a77387e

Alternative formats: [xml] [text]