MIRRORS/meta-virtualization
1
0
Fork 0
mirror of git://git.yoctoproject.org/meta-virtualization.git synced 2025-07-19 20:59:41 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

libvirt: fix CVE-2021-3667

Browse Source 
Backport a fix for CVE-2021-3667.

The CVE discription: An improper locking issue was found in the
virStoragePoolLookupByTargetPath API of libvirt. It occurs in the
storagePoolLookupByTargetPath function where a locked virStoragePoolObj
object is not properly released on ACL permission failure. Clients
connecting to the read-write socket with limited ACL permissions could
use this flaw to acquire the lock and prevent other users from accessing
storage pool/volume APIs, resulting in a denial of service condition.
The highest threat from this vulnerability is to system availability.

Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1986094

Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
This commit is contained in:
Xu, Yanfei 2021-11-24 10:51:33 +08:00 committed by Bruce Ashfield
parent 3d8ac6655c
commit be2c9d6efe
2 changed files with 41 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch Normal file
View File

@ -0,0 +1,40 @@
From d3e20e186ed531e196bb1529430f39b0c917e6dc Mon Sep 17 00:00:00 2001
From: Peter Krempa <pkrempa@redhat.com>
Date: Wed, 21 Jul 2021 11:22:25 +0200
Subject: [PATCH] storage_driver: Unlock object on ACL fail in
storagePoolLookupByTargetPath
'virStoragePoolObjListSearch' returns a locked and refed object, thus we
must release it on ACL permission failure.
Fixes: 7aa0e8c0cb8
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Upstream-status: Backport
CVE-2021-3667 [https://bugzilla.redhat.com/show_bug.cgi?id=1986094]
Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
---
src/storage/storage_driver.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
index ecb5b86b4f..de66f1f9e5 100644
--- a/src/storage/storage_driver.c
+++ b/src/storage/storage_driver.c
@@ -1739,8 +1739,10 @@ storagePoolLookupByTargetPath(virConnectPtr conn,
storagePoolLookupByTargetPathCallback,
cleanpath))) {
def = virStoragePoolObjGetDef(obj);
- if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0)
+ if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) {
+ virStoragePoolObjEndAPI(&obj);
return NULL;
+ }
pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL);
virStoragePoolObjEndAPI(&obj);
--
2.27.0

1
recipes-extended/libvirt/libvirt_6.3.0.bb
View File

@ -45,6 +45,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
file://CVE-2020-25637_3.patch \ file://CVE-2020-25637_3.patch \
file://CVE-2020-25637_4.patch \ file://CVE-2020-25637_4.patch \
file://CVE-2021-3631.patch \ file://CVE-2021-3631.patch \
file://0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch \
" "
SRC_URI[libvirt.md5sum] = "1bd4435f77924f5ec9928b538daf4a02" SRC_URI[libvirt.md5sum] = "1bd4435f77924f5ec9928b538daf4a02"