diff --git a/libvirt.spec b/libvirt.spec index 3e62b29beb0c3c6ebdefaa078821ecfe9bf22685..6db78f8293d27e9fa2ffff18d629ed2aaab3189d 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -101,7 +101,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 6.2.0 -Release: 18 +Release: 19 License: LGPLv2+ URL: https://libvirt.org/ @@ -153,6 +153,7 @@ Patch0040: virDevMapperGetTargets-Don-t-ignore-EBADF.patch Patch0041: virdevmapper-Don-t-cache-device-mapper-major.patch Patch0042: virdevmapper-Handle-kernel-without-device-mapper-sup.patch Patch0043: virsh-Display-vhostuser-socket-path-in-domblklist.patch +Patch0044: nwfilter-fix-crash-when-counting-number-of-network-f.patch Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon-config-network = %{version}-%{release} @@ -1887,6 +1888,9 @@ exit 0 %changelog +* Mon Jun 20 2022 yezengruan +- nwfilter: fix crash when counting number of network filters (CVE-2022-0897) + * Wed Jun 15 2022 yezengruan - libvir.spec: build without dtrace diff --git a/nwfilter-fix-crash-when-counting-number-of-network-f.patch b/nwfilter-fix-crash-when-counting-number-of-network-f.patch new file mode 100644 index 0000000000000000000000000000000000000000..75f4478ffe93efbcfacabaa420e309670a095e6c --- /dev/null +++ b/nwfilter-fix-crash-when-counting-number-of-network-f.patch @@ -0,0 +1,54 @@ +From 68a8d65095a144e9ce77e3ea2121155485fe195d Mon Sep 17 00:00:00 2001 +From: AlexChen +Date: Tue, 8 Mar 2022 17:28:38 +0000 +Subject: [PATCH] nwfilter: fix crash when counting number of network filters +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The virNWFilterObjListNumOfNWFilters method iterates over the +driver->nwfilters, accessing virNWFilterObj instances. As such +it needs to be protected against concurrent modification of +the driver->nwfilters object. + +This API allows unprivileged users to connect, so users with +read-only access to libvirt can cause a denial of service +crash if they are able to race with a call of virNWFilterUndefine. +Since network filters are usually statically defined, this is +considered a low severity problem. + +This is assigned CVE-2022-0897. + +Reviewed-by: Eric Blake +Signed-off-by: Daniel P. Berrangé +cherry-picked from a4947e8f63c3e6 +Signed-off-by: AlexChen +--- + src/nwfilter/nwfilter_driver.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c +index 1c407727db..27500d192a 100644 +--- a/src/nwfilter/nwfilter_driver.c ++++ b/src/nwfilter/nwfilter_driver.c +@@ -514,11 +514,15 @@ nwfilterLookupByName(virConnectPtr conn, + static int + nwfilterConnectNumOfNWFilters(virConnectPtr conn) + { ++ int ret; + if (virConnectNumOfNWFiltersEnsureACL(conn) < 0) + return -1; + +- return virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn, +- virConnectNumOfNWFiltersCheckACL); ++ nwfilterDriverLock(); ++ ret = virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn, ++ virConnectNumOfNWFiltersCheckACL); ++ nwfilterDriverUnlock(); ++ return ret; + } + + +-- +2.27.0 +