[hardknott][PATCH] libvirt: fix CVE-2022-0897


Changqing Li
 

From: Changqing Li <changqing.li@...>

Signed-off-by: Changqing Li <changqing.li@...>
---
.../libvirt/libvirt/CVE-2022-0897.patch | 57 +++++++++++++++++++
recipes-extended/libvirt/libvirt_6.3.0.bb | 1 +
2 files changed, 58 insertions(+)
create mode 100644 recipes-extended/libvirt/libvirt/CVE-2022-0897.patch

diff --git a/recipes-extended/libvirt/libvirt/CVE-2022-0897.patch b/recipes-extended/libvirt/libvirt/CVE-2022-0897.patch
new file mode 100644
index 0000000..e98f40b
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2022-0897.patch
@@ -0,0 +1,57 @@
+From d470667167fa585d2bc3b996fb3bf2786d44be9a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@...>
+Date: Tue, 8 Mar 2022 17:28:38 +0000
+Subject: [PATCH] nwfilter: fix crash when counting number of network filters
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virNWFilterObjListNumOfNWFilters method iterates over the
+driver->nwfilters, accessing virNWFilterObj instances. As such
+it needs to be protected against concurrent modification of
+the driver->nwfilters object.
+
+This API allows unprivileged users to connect, so users with
+read-only access to libvirt can cause a denial of service
+crash if they are able to race with a call of virNWFilterUndefine.
+Since network filters are usually statically defined, this is
+considered a low severity problem.
+
+This is assigned CVE-2022-0897.
+
+Reviewed-by: Eric Blake <eblake@...>
+Signed-off-by: Daniel P. Berrangé <berrange@...>
+
+Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36]
+CVE: CVE-2022-0897
+
+Signed-off-by: Changqing Li <changqing.li@...>
+---
+ src/nwfilter/nwfilter_driver.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c
+index 1c40772..27500d1 100644
+--- a/src/nwfilter/nwfilter_driver.c
++++ b/src/nwfilter/nwfilter_driver.c
+@@ -514,11 +514,15 @@ nwfilterLookupByName(virConnectPtr conn,
+ static int
+ nwfilterConnectNumOfNWFilters(virConnectPtr conn)
+ {
++ int ret;
+ if (virConnectNumOfNWFiltersEnsureACL(conn) < 0)
+ return -1;
+
+- return virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn,
+- virConnectNumOfNWFiltersCheckACL);
++ nwfilterDriverLock();
++ ret = virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn,
++ virConnectNumOfNWFiltersCheckACL);
++ nwfilterDriverUnlock();
++ return ret;
+ }
+
+
+--
+2.25.1
+
diff --git a/recipes-extended/libvirt/libvirt_6.3.0.bb b/recipes-extended/libvirt/libvirt_6.3.0.bb
index 8e95ad6..48e5b58 100644
--- a/recipes-extended/libvirt/libvirt_6.3.0.bb
+++ b/recipes-extended/libvirt/libvirt_6.3.0.bb
@@ -47,6 +47,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
file://CVE-2021-3631.patch \
file://0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch \
file://CVE-2021-3975.patch \
+ file://CVE-2022-0897.patch \
"

SRC_URI[libvirt.md5sum] = "1bd4435f77924f5ec9928b538daf4a02"
--
2.25.1

Join meta-virtualization@lists.yoctoproject.org to automatically receive all group messages.