[PATCH] libvirt: fix CVE-2021-3667


Xu, Yanfei
 

Backport a fix for CVE-2021-3667.

The CVE discription: An improper locking issue was found in the
virStoragePoolLookupByTargetPath API of libvirt. It occurs in the
storagePoolLookupByTargetPath function where a locked virStoragePoolObj
object is not properly released on ACL permission failure. Clients
connecting to the read-write socket with limited ACL permissions could
use this flaw to acquire the lock and prevent other users from accessing
storage pool/volume APIs, resulting in a denial of service condition.
The highest threat from this vulnerability is to system availability.

Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1986094

Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
---
...nlock-object-on-ACL-fail-in-storageP.patch | 40 +++++++++++++++++++
recipes-extended/libvirt/libvirt_7.2.0.bb | 1 +
2 files changed, 41 insertions(+)
create mode 100644 recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch

diff --git a/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch b/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
new file mode 100644
index 00000000..608322d9
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
@@ -0,0 +1,40 @@
+From d3e20e186ed531e196bb1529430f39b0c917e6dc Mon Sep 17 00:00:00 2001
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 21 Jul 2021 11:22:25 +0200
+Subject: [PATCH] storage_driver: Unlock object on ACL fail in
+ storagePoolLookupByTargetPath
+
+'virStoragePoolObjListSearch' returns a locked and refed object, thus we
+must release it on ACL permission failure.
+
+Fixes: 7aa0e8c0cb8
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+
+Upstream-status: Backport
+CVE-2021-3667 [https://bugzilla.redhat.com/show_bug.cgi?id=1986094]
+Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
+---
+ src/storage/storage_driver.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
+index ecb5b86b4f..de66f1f9e5 100644
+--- a/src/storage/storage_driver.c
++++ b/src/storage/storage_driver.c
+@@ -1739,8 +1739,10 @@ storagePoolLookupByTargetPath(virConnectPtr conn,
+ storagePoolLookupByTargetPathCallback,
+ cleanpath))) {
+ def = virStoragePoolObjGetDef(obj);
+- if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0)
++ if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) {
++ virStoragePoolObjEndAPI(&obj);
+ return NULL;
++ }
+
+ pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL);
+ virStoragePoolObjEndAPI(&obj);
+--
+2.27.0
+
diff --git a/recipes-extended/libvirt/libvirt_7.2.0.bb b/recipes-extended/libvirt/libvirt_7.2.0.bb
index cc7bb2cb..4ec11fb5 100644
--- a/recipes-extended/libvirt/libvirt_7.2.0.bb
+++ b/recipes-extended/libvirt/libvirt_7.2.0.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
file://gnutls-helper.py \
file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \
file://0001-security-fix-SELinux-label-generation-logic.patch \
+ file://0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch \
"

SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3"
--
2.27.0

Join meta-virtualization@lists.yoctoproject.org to automatically receive all group messages.