Bug 1828190 (CVE-2020-12430)

Summary: CVE-2020-12430 libvirt: memory leak in domstats may allow read-only user to perform DoS attack
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: agedosier, berrange, clalancette, eblake, itamar, jdenemar, jforbes, jsuchane, knoel, laine, libvirt-maint, pkrempa, veillard, virt-maint, virt-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: libvirt 6.1.0
Doc Type: If docs needed, set a value
Doc Text:
A memory leak flaw was found in the libvirt API that is responsible for retrieving domain stats when managing QEMU guests. This flaw allows unprivileged users with a read-only connection to cause a memory leak in the `domstats` command, resulting in a potential denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-28 10:59:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1804548, 1828216, 1828403
Bug Blocks: 1823456

Description Mauro Matteo Cascella 2020-04-27 09:32:41 UTC
A libvirt flaw affecting the domstats command was reported internally. This bug may allow a user on a read-only connection to cause a memory leak in domstats, resulting in a potential denial of service.

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1804548

Upstream fix:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=9bf9e0ae6af38c806f4672ca7b12a6b38d5a9581

Comment 1 Mauro Matteo Cascella 2020-04-27 15:11:11 UTC
The affected function qemuDomainGetStatsIOThread() in qemu_driver.c is called by the libvirt API virDomainListGetStats when managing QEMU guests. A NULL-terminated list is returned even when no iothreads are present. As neither qemuDomainGetStatsIOThread() nor the caller performed any cleanup, the list was returned without being properly freed, thus resulting in a memory leak. The patch adds a `goto cleanup` statement for the case where there are no iothreads, to make sure the NULL-terminated list is freed appropriately.
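
As an added illustration, not libvirt's code, here is a simplified C model of the pattern Comment 1 describes: a helper that always hands back a NULL-terminated list, a caller whose empty-case early return skips the cleanup, and the corrected caller that jumps to a `cleanup` label instead. The allocation counter, the `iothread_info` record and all function names are constructed for the demonstration.

```c
#include <stdlib.h>
/* Constructed instrumentation: count live heap blocks so a leak is observable. */
static int live_allocs = 0;
static void *xalloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { free(p); live_allocs--; } }
typedef struct { unsigned int id; } iothread_info; /* hypothetical per-iothread record */

/* Stand-in query helper: allocates a NULL-terminated list even for zero entries. */
static int get_iothreads(unsigned int n, iothread_info ***out) {
    iothread_info **list = xalloc((n + 1) * sizeof(*list)); /* +1 for the NULL terminator */
    for (unsigned int i = 0; i < n; i++) {
        list[i] = xalloc(sizeof(**list));
        list[i]->id = i;
    }
    *out = list;
    return (int)n;
}
static void free_iothread_list(iothread_info **list) {
    for (size_t i = 0; list && list[i]; i++) xfree(list[i]);
    xfree(list);
}

/* Vulnerable shape: with zero iothreads the function returns before cleanup. */
static int stats_iothread_leaky(unsigned int n) {
    iothread_info **list = NULL;
    int count = get_iothreads(n, &list);
    if (count == 0)
        return 0; /* early return skips free_iothread_list(): the list leaks */
    free_iothread_list(list);
    return count;
}

/* Fixed shape: the empty case jumps to the shared cleanup label instead. */
static int stats_iothread_fixed(unsigned int n) {
    iothread_info **list = NULL;
    int ret = 0;
    int count = get_iothreads(n, &list);
    if (count == 0)
        goto cleanup;
    ret = count;
cleanup:
    free_iothread_list(list);
    return ret;
}

/* Calls fn with zero iothreads and returns how many heap blocks it left allocated. */
static int leaked_blocks(int (*fn)(unsigned int)) {
    int before = live_allocs;
    fn(0);
    return live_allocs - before;
}
```

Each call on the read-only connection that hits the empty case leaves one block behind in the leaky variant, which is why repeated stats queries add up to a denial of service.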

Comment 2 Mauro Matteo Cascella 2020-04-27 15:31:17 UTC
Function qemuDomainGetStatsIOThread() was introduced in libvirt upstream version 4.10.0 via commit:
  -> https://libvirt.org/git/?p=libvirt.git;a=commit;h=d1eac92784573559b6fd56836e33b215c89308e3

$ git tag --contains d1eac9278
v4.10.0
v4.10.0-rc1
v4.10.0-rc2
v5.0.0
[...]

The libvirt API virDomainListGetStats, on the other hand, was introduced in version 1.2.10 via commit:
  -> https://libvirt.org/git/?p=libvirt.git;a=commit;h=76a5bc4eef9f60ef73f5e0b272f4e0a5270e31de

Comment 4 Mauro Matteo Cascella 2020-04-27 16:44:40 UTC
Statement:

Versions of `libvirt` as shipped with Red Hat Enterprise Linux are marked as "notaffected" because they do not include the vulnerable code, which was introduced in a later version of the package. Specifically, the affected function `qemuDomainGetStatsIOThread()` was introduced in `libvirt` upstream version 4.10.0.

RHEL Advanced Virtualization is affected by this flaw as it ships a more recent version of the package.