From dc6ab8b51ff53ba22abfb84f24641aa87320038a Mon Sep 17 00:00:00 2001
Message-Id: <dc6ab8b51ff53ba22abfb84f24641aa87320038a@dist-git>
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 8 Mar 2022 17:28:38 +0000
Subject: [PATCH] nwfilter: fix crash when counting number of network filters
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The virNWFilterObjListNumOfNWFilters method iterates over the
driver->nwfilters, accessing virNWFilterObj instances. As such
it needs to be protected against concurrent modification of
the driver->nwfilters object.

This API allows unprivileged users to connect, so users with
read-only access to libvirt can cause a denial of service
crash if they are able to race with a call of virNWFilterUndefine.
Since network filters are usually statically defined, this is
considered a low severity problem.

This is assigned CVE-2022-0897.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36)
https://bugzilla.redhat.com/show_bug.cgi?id=2063902
---
 src/nwfilter/nwfilter_driver.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c
index 200451d6b1..956aca6421 100644
--- a/src/nwfilter/nwfilter_driver.c
+++ b/src/nwfilter/nwfilter_driver.c
@@ -478,11 +478,15 @@ nwfilterLookupByName(virConnectPtr conn,
 static int
 nwfilterConnectNumOfNWFilters(virConnectPtr conn)
 {
+    int ret;
     if (virConnectNumOfNWFiltersEnsureACL(conn) < 0)
         return -1;
 
-    return virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn,
-                                        virConnectNumOfNWFiltersCheckACL);
+    nwfilterDriverLock();
+    ret = virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn,
+                                           virConnectNumOfNWFiltersCheckACL);
+    nwfilterDriverUnlock();
+    return ret;
 }
 
 
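Review bot: virConnectNumOfNWFiltersCheckACL is now invoked per filter inside virNWFilterObjListNumOfNWFilters while nwfilterDriverLock() is held, so please confirm that the ACL callback never tries to take the driver lock itself; with a non-recursive mutex that would turn the crash fix into a deadlock. Taking the lock only after virConnectNumOfNWFiltersEnsureACL() has passed is the right order, since unprivileged callers are rejected before they can contend for the lock, and the lock/unlock pair brackets exactly the list walk that the commit message identifies as racing with virNWFilterUndefine. Minor style point: a blank line after `int ret;` would separate the declaration from the following `if`. It is also worth checking that the sibling entry points that walk driver->nwfilters (nwfilterLookupByName in the hunk header, and the filter listing callers) already hold the same lock, so that this fix is not the only one of its kind needed in this file.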
-- 
2.35.1