Bug 909274 (CVE-2014-8131) - VUL-0: CVE-2014-8131: libvirt: deadlock and segfault in qemuConnectGetAllDomainStats
Status: RESOLVED FIXED
Alias: CVE-2014-8131
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assignee: James Fehlig
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/111426/
Reported: 2014-12-10 14:29 UTC by Alexander Bergmann
Modified: 2015-01-03 19:21 UTC
Found By: Security Response Team


Description Alexander Bergmann 2014-12-10 14:29:15 UTC
rh#1172569

When a user doesn't have read access on one of the domains he requested,
the for loop in qemuConnectGetAllDomainStats() could exit abruptly or
continue and override a pointer which pointed to a locked object.

With a certain configuration, this can either cause a deadlock (it leaves a
domain locked) or a segmentation fault when a domain object has its reference
counter decremented when it was not incremented.

With a certain configuration, a remote attacker able to establish a read-only
connection to libvirtd could use this flaw to cause a denial of service condition
or crash libvirtd.

Introduced by:

http://libvirt.org/git/?p=libvirt.git;a=commit;h=d1bde8ed
http://libvirt.org/git/?p=libvirt.git;a=commit;h=1f4831ee

Upstream patch:
https://www.redhat.com/archives/libvir-list/2014-December/msg00551.html


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1172569
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8131
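
The leaked lock described in the report above, reduced to a toy model. This is an added example, not libvirt's code and not the upstream patch: `struct dom`, `dom_lock`, `collect_stats` and `release_on_deny` are hypothetical names. It covers only the left-locked-domain half of the report, not the reference-counter half.

```c
#include <stdio.h>

/* Toy domain object: a constructed model, not libvirt's real structures. */
struct dom { int locked; int readable; };

/* Returns -1 where a real blocking lock would wait forever (deadlock). */
static int dom_lock(struct dom *d)
{
    if (d->locked)
        return -1;
    d->locked = 1;
    return 0;
}

static void dom_unlock(struct dom *d) { d->locked = 0; }

/* Walks the requested domains and counts those whose stats were collected.
 * With release_on_deny == 0 an ACL failure skips the unlock, and the next
 * iteration overwrites 'd', so nothing can release that object afterwards. */
static int collect_stats(struct dom *doms, int n, int release_on_deny)
{
    int collected = 0;
    for (int i = 0; i < n; i++) {
        struct dom *d = &doms[i];
        if (dom_lock(d) < 0)
            return -1;              /* a real caller would hang here */
        if (!d->readable) {         /* stand-in for the per-domain ACL check */
            if (release_on_deny)
                dom_unlock(d);      /* corrected path: unlock before skipping */
            continue;
        }
        collected++;
        dom_unlock(d);
    }
    return collected;
}

int main(void)
{
    /* Constructed sample: the middle domain is not readable by the caller. */
    struct dom flawed[] = { {0, 1}, {0, 0}, {0, 1} };
    struct dom fixed[]  = { {0, 1}, {0, 0}, {0, 1} };
    int f1 = collect_stats(flawed, 3, 0), f2 = collect_stats(flawed, 3, 0);
    int g1 = collect_stats(fixed, 3, 1),  g2 = collect_stats(fixed, 3, 1);
    printf("flawed loop: first call %d, second call %d\n", f1, f2);
    printf("fixed loop:  first call %d, second call %d\n", g1, g2);
    return 0;
}
```

In the flawed mode the first call appears to succeed; the failure only shows on the next request that touches the same domain, which is why a read-only client is enough to block later callers.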
Comment 1 Swamp Workflow Management 2014-12-10 23:00:49 UTC
bugbot adjusting priority
Comment 2 Alexander Bergmann 2014-12-17 11:56:47 UTC
Looks like the whole bulk stats API stuff is quite new. See commit d1bde8ed.

Please confirm that none of SLE is affected by this.

On the openSUSE side it's only openSUSE:13.2 that's affected by this.
Comment 3 James Fehlig 2014-12-18 02:33:48 UTC
(In reply to Alexander Bergmann from comment #2)
> Looks like the whole bulk stats API stuff is quite new. See commit d1bde8ed.

Right.  The vulnerability was introduced in libvirt 1.2.8.

> Please confirm that none of SLE is affected by this.

No SLE products affected.

> On the openSUSE side it's only openSUSE:13.2 that's affected by this.

13.2 and tumbleweed.  The latter is fixed by the recent update to 1.2.11.  I've backported fixes for 13.2 and have them queued in Virtualization:openSUSE13.2/libvirt.  But before submitting a maintenancereq, I need to look into a report about libvirtd segfaulting when creating Xen PV domains.
Comment 4 James Fehlig 2014-12-18 02:36:15 UTC
Forgot to add Jason.  He should be aware of our team's security bugs :-).
Comment 5 Swamp Workflow Management 2015-01-02 09:09:18 UTC
openSUSE-SU-2015:0008-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 904432,909274,910860,910862
CVE References: CVE-2014-8131,CVE-2014-8135,CVE-2014-8136
Sources used:
openSUSE 13.2 (src):    libvirt-1.2.9-8.1
Comment 6 James Fehlig 2015-01-03 19:21:16 UTC
Closing the bug now that the fix has been released :-).  And the issue with Xen PV guests I mentioned in #3 turned out to be a Xen bug, so nothing more to do here.