From da0f1599ce3e001c809a2ddb9d0a1c75491dda94 Mon Sep 17 00:00:00 2001 From: "Xu, Yanfei" Date: Tue, 23 Nov 2021 15:50:31 +0800 Subject: libvirt: fix CVE-2021-3667 Backport a fix for CVE-2021-3667. The CVE discription: An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1986094 Signed-off-by: Yanfei Xu Signed-off-by: Bruce Ashfield --- ...ver-Unlock-object-on-ACL-fail-in-storageP.patch | 40 ++++++++++++++++++++++ recipes-extended/libvirt/libvirt_7.2.0.bb | 1 + 2 files changed, 41 insertions(+) create mode 100644 recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch (limited to 'recipes-extended') diff --git a/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch b/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch new file mode 100644 index 00000000..608322d9 --- /dev/null +++ b/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch @@ -0,0 +1,40 @@ +From d3e20e186ed531e196bb1529430f39b0c917e6dc Mon Sep 17 00:00:00 2001 +From: Peter Krempa +Date: Wed, 21 Jul 2021 11:22:25 +0200 +Subject: [PATCH] storage_driver: Unlock object on ACL fail in + storagePoolLookupByTargetPath + +'virStoragePoolObjListSearch' returns a locked and refed object, thus we +must release it on ACL permission failure. + +Fixes: 7aa0e8c0cb8 +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318 +Signed-off-by: Peter Krempa +Reviewed-by: Michal Privoznik + +Upstream-status: Backport +CVE-2021-3667 [https://bugzilla.redhat.com/show_bug.cgi?id=1986094] +Signed-off-by: Yanfei Xu +--- + src/storage/storage_driver.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c +index ecb5b86b4f..de66f1f9e5 100644 +--- a/src/storage/storage_driver.c ++++ b/src/storage/storage_driver.c +@@ -1739,8 +1739,10 @@ storagePoolLookupByTargetPath(virConnectPtr conn, + storagePoolLookupByTargetPathCallback, + cleanpath))) { + def = virStoragePoolObjGetDef(obj); +- if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) ++ if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) { ++ virStoragePoolObjEndAPI(&obj); + return NULL; ++ } + + pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL); + virStoragePoolObjEndAPI(&obj); +-- +2.27.0 + diff --git a/recipes-extended/libvirt/libvirt_7.2.0.bb b/recipes-extended/libvirt/libvirt_7.2.0.bb index cc7bb2cb..4ec11fb5 100644 --- a/recipes-extended/libvirt/libvirt_7.2.0.bb +++ b/recipes-extended/libvirt/libvirt_7.2.0.bb @@ -30,6 +30,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \ file://gnutls-helper.py \ file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \ file://0001-security-fix-SELinux-label-generation-logic.patch \ + file://0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch \ " SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3" -- cgit v1.2.3-54-g00ecf