From dc6ab8b51ff53ba22abfb84f24641aa87320038a Mon Sep 17 00:00:00 2001
Message-Id: <dc6ab8b51ff53ba22abfb84f24641aa87320038a@dist-git>
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 8 Mar 2022 17:28:38 +0000
Subject: [PATCH] nwfilter: fix crash when counting number of network filters
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The virNWFilterObjListNumOfNWFilters method iterates over the
driver->nwfilters, accessing virNWFilterObj instances. As such
it needs to be protected against concurrent modification of
the driver->nwfilters object.

This API allows unprivileged users to connect, so users with
read-only access to libvirt can cause a denial of service
crash if they are able to race with a call of virNWFilterUndefine.
Since network filters are usually statically defined, this is
considered a low severity problem.

This is assigned CVE-2022-0897.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36)
https://bugzilla.redhat.com/show_bug.cgi?id=2063902
---
 src/nwfilter/nwfilter_driver.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c
index 200451d6b1..956aca6421 100644
--- a/src/nwfilter/nwfilter_driver.c
+++ b/src/nwfilter/nwfilter_driver.c
@@ -478,11 +478,15 @@ nwfilterLookupByName(virConnectPtr conn,
 static int
 nwfilterConnectNumOfNWFilters(virConnectPtr conn)
 {
+    int ret;
     if (virConnectNumOfNWFiltersEnsureACL(conn) < 0)
         return -1;
 
-    return virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn,
-                                        virConnectNumOfNWFiltersCheckACL);
+    nwfilterDriverLock();
+    ret = virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn,
+                                           virConnectNumOfNWFiltersCheckACL);
+    nwfilterDriverUnlock();
+    return ret;
 }
 
 
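Review bot: the new nwfilterDriverLock()/nwfilterDriverUnlock() pair in nwfilterConnectNumOfNWFilters has no comment saying what it protects, so a later cleanup could remove it as redundant; a one-line comment above nwfilterDriverLock() noting that it guards iteration of driver->nwfilters against concurrent modification would keep the reason next to the code. The virConnectNumOfNWFiltersCheckACL callback now runs with the driver lock held, so it is worth confirming that the callback never tries to take that lock itself. As a style point, a blank line between `int ret;` and the `if (virConnectNumOfNWFiltersEnsureACL(conn) < 0)` check would separate the declaration from the code.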
-- 
2.35.1