[hardknott][PATCH] libvirt: fix CVE-2021-3667
Xu, Yanfei
Backport a fix for CVE-2021-3667.
The CVE description: An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.

Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1986094

Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
--- ...nlock-object-on-ACL-fail-in-storageP.patch | 40 +++++++++++++++++++ recipes-extended/libvirt/libvirt_6.3.0.bb | 1 + 2 files changed, 41 insertions(+) create mode 100644 recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch diff --git a/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch b/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch new file mode 100644 index 00000000..608322d9 --- /dev/null +++ b/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch 
@@ -0,0 +1,40 @@ +From d3e20e186ed531e196bb1529430f39b0c917e6dc Mon Sep 17 00:00:00 2001 +From: Peter Krempa <pkrempa@redhat.com> +Date: Wed, 21 Jul 2021 11:22:25 +0200 +Subject: [PATCH] storage_driver: Unlock object on ACL fail in + storagePoolLookupByTargetPath + +'virStoragePoolObjListSearch' returns a locked and refed object, thus we +must release it on ACL permission failure. + +Fixes: 7aa0e8c0cb8 +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318 +Signed-off-by: Peter Krempa <pkrempa@redhat.com> +Reviewed-by: Michal Privoznik <mprivozn@redhat.com> + +Upstream-status: Backport +CVE-2021-3667 [https://bugzilla.redhat.com/show_bug.cgi?id=1986094] +Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com> +--- + src/storage/storage_driver.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c +index ecb5b86b4f..de66f1f9e5 100644 +--- a/src/storage/storage_driver.c ++++ b/src/storage/storage_driver.c +@@ -1739,8 +1739,10 @@ storagePoolLookupByTargetPath(virConnectPtr conn, + storagePoolLookupByTargetPathCallback, + cleanpath))) { + def = virStoragePoolObjGetDef(obj); +- if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) ++ if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) { ++ virStoragePoolObjEndAPI(&obj); + return NULL; ++ } + + pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL); + virStoragePoolObjEndAPI(&obj); +-- +2.27.0 + diff --git a/recipes-extended/libvirt/libvirt_6.3.0.bb b/recipes-extended/libvirt/libvirt_6.3.0.bb index e68053a7..d028366d 100644 --- a/recipes-extended/libvirt/libvirt_6.3.0.bb +++ b/recipes-extended/libvirt/libvirt_6.3.0.bb 
@@ -45,6 +45,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \ file://CVE-2020-25637_3.patch \ file://CVE-2020-25637_4.patch \ file://CVE-2021-3631.patch \ + file://0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch \ " SRC_URI[libvirt.md5sum] = "1bd4435f77924f5ec9928b538daf4a02" -- 2.27.0
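Review bot: The tag lines in the header of the new 0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch do not follow the OpenEmbedded patch header convention: the status tag is written `Upstream-status: Backport` and the CVE is given as a bare `CVE-2021-3667 [...]` line. Please write them as `Upstream-Status: Backport [<upstream commit>]` and `CVE: CVE-2021-3667`, so that tooling which reads these tags can associate the patch with the CVE. The `From d3e20e186ed531e196bb1529430f39b0c917e6dc` line already carries the upstream commit id to cite. The code change itself, calling `virStoragePoolObjEndAPI(&obj)` before `return NULL`, mirrors the release on the success path two lines below and looks correct.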
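Review bot: In the SRC_URI hunk of libvirt_6.3.0.bb, the new entry is named after the upstream subject line (`0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch`), while the entries around it are named by CVE id (`CVE-2020-25637_4.patch`, `CVE-2021-3631.patch`). Renaming it to `CVE-2021-3667.patch` would keep the list consistent and make it visible from the recipe alone which CVEs are patched, which matters here because the file name carries no CVE id at all.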