libvirt: fix CVE-2022-0897

Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2025-07-19 20:59:41 +02:00 · 2022-04-13 10:32:59 +08:00 · 2022-04-13 10:32:59 +08:00 · 35de9ccfa5
commit 35de9ccfa5
parent d03d2d7895
2 changed files with 58 additions and 0 deletions
--- a/recipes-extended/libvirt/libvirt/CVE-2022-0897.patch
+++ b/recipes-extended/libvirt/libvirt/CVE-2022-0897.patch
@ -0,0 +1,57 @@
+From d470667167fa585d2bc3b996fb3bf2786d44be9a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 8 Mar 2022 17:28:38 +0000
+Subject: [PATCH] nwfilter: fix crash when counting number of network filters
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virNWFilterObjListNumOfNWFilters method iterates over the
+driver->nwfilters, accessing virNWFilterObj instances. As such
+it needs to be protected against concurrent modification of
+the driver->nwfilters object.
+
+This API allows unprivileged users to connect, so users with
+read-only access to libvirt can cause a denial of service
+crash if they are able to race with a call of virNWFilterUndefine.
+Since network filters are usually statically defined, this is
+considered a low severity problem.
+
+This is assigned CVE-2022-0897.
+
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36]
+CVE: CVE-2022-0897
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/nwfilter/nwfilter_driver.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c
+index 1c40772..27500d1 100644
+--- a/src/nwfilter/nwfilter_driver.c
+++ b/src/nwfilter/nwfilter_driver.c
+@@ -514,11 +514,15 @@ nwfilterLookupByName(virConnectPtr conn,
+ static int
+ nwfilterConnectNumOfNWFilters(virConnectPtr conn)
+ {
+    int ret;
+     if (virConnectNumOfNWFiltersEnsureACL(conn) < 0)
+         return -1;
+ 
+-    return virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn,
+-                                        virConnectNumOfNWFiltersCheckACL);
+    nwfilterDriverLock();
+    ret = virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn,
+                                           virConnectNumOfNWFiltersCheckACL);
+    nwfilterDriverUnlock();
+    return ret;
+ }
+ 
+ 
+-- 
+2.25.1
+
--- a/recipes-extended/libvirt/libvirt_6.3.0.bb
+++ b/recipes-extended/libvirt/libvirt_6.3.0.bb
@ -47,6 +47,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
           file://CVE-2021-3631.patch \
           file://0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch \
           file://CVE-2021-3975.patch \
+           file://CVE-2022-0897.patch \
          "

 SRC_URI[libvirt.md5sum] = "1bd4435f77924f5ec9928b538daf4a02"