Libvirt Security Notice: LSN-2014-0010

deadlock on failed migration

Lifecycle

Credits

See also

• CVE-2014-8136

Description

When using fine-grained ACLs to restrict users from migrating domains, a logic bug could leave the domain locked and prevent further operation on that domain.

Impact

A client that lacks the domain:migrate fine-grained ACL could use a failed migration attempt to trigger a denial of service against a more privileged user.

Workaround

The bug is mitigated by the fact that the "perform" and "finish" states of migration can generally be reached only after a successful "begin" or "prepare" state, both of which also require the same domain:migrate permission. Furthermore, the "prepare" state also requires the domain:write permission, and any user which has been granted that permission is already deemed to have full control over the system; even if domain:migrate permission is dynamically denied after migration has already started in order to trigger the flaw, an attack by such a user generally does not constitute a denial of service against a more privileged user. On the other hand, a malicious client that has access to the read-write socket via only a weaker privilege such as domain:read can send RPC commands out of order, to attempt a "perform" without going through the prerequisite states, and thereby trigger the bug in a manner that forms a denial of service. Read-only clients cannot trigger the problem, even via bad RPC commands. It is possible to avoid the bug by not using the fine-grained access control mechanism.

Affected product: libvirt

Alternative formats: [xml] [text]