Bug 1962306 (CVE-2021-3559)

Summary: CVE-2021-3559 libvirt: nodedev-list command may cause libvirt to crash on hosts with GRID driver installed
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: agedosier, berrange, clalancette, darunesh, eblake, jdenemar, jmforbes, jsuchane, knoel, laine, libvirt-maint, pkrempa, veillard, virt-maint, virt-maint
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: libvirt 7.0.0
Doc Text:
A flaw was found in libvirt in the virConnectListAllNodeDevices API. It only affects hosts with a PCI device and driver that supports mediated devices (e.g., GRID driver). This flaw could be used by an unprivileged client with a read-only connection to crash the libvirt daemon by executing the 'nodedev-list' virsh command. The highest threat from this vulnerability is to system availability.
Last Closed: 2021-05-20 08:57:12 UTC
Bug Blocks: 1958756, 1962337    

Description Mauro Matteo Cascella 2021-05-19 17:36:17 UTC
The virsh nodedev-list command may cause libvirt to crash on hosts with GRID driver installed. The flaw exists in the virConnectListAllNodeDevices API. This issue could be used by an unprivileged user with a read-only connection to perform a denial of service attack by leveraging the virConnectListAllNodeDevices API via nodedev-list.

Fixed upstream in libvirt-v7.0.0:
https://gitlab.com/libvirt/libvirt/-/commit/4c4d0e2da07b5a035b26a0ff13ec27070f7c7b1a

Comment 2 Mauro Matteo Cascella 2021-05-20 07:55:48 UTC
More precisely, the bug is due to incorrect operator precedence when dereferencing an array pointer in virNodeDeviceGetMdevTypesCaps() in src/conf/node_device_conf.c. It can be triggered by an unprivileged client executing the nodedev-list command on a host that has a PCI device and driver that supports mediated devices.

This flaw was introduced in libvirt version 6.10.0 via commit:
https://gitlab.com/libvirt/libvirt/-/commit/f1b08901f7ae7557f79d83bdac33cc0bd79d1437
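
The class of operator-precedence mistake named in Comment 2, as an added C illustration that is not libvirt's code and not part of the original report. The type `dev_type`, every function and variable name, and the data are hypothetical and constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical element type, standing in for one entry of a capability list. */
typedef struct { int id; } dev_type;

/* Correct grouping: dereference first, then index the array of pointers. */
long sum_fixed(dev_type ***list, size_t n)
{
    long sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += (*list)[i]->id;
    return sum;
}

/* Wrong grouping: [] binds tighter than unary *, so *list[i] is *(list[i]).
 * The index steps over the caller's pointer variable instead of the array. */
long sum_buggy(dev_type ***list, size_t n)
{
    long sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += (*list[i])->id;
    return sum;
}

/* Constructed data: three rows, so list[1] and list[2] are valid objects and
 * the wrong grouping can be observed here without undefined behaviour. */
static dev_type d[9] = {{1}, {2}, {3}, {10}, {20}, {30}, {100}, {200}, {300}};
static dev_type *row0[3] = {&d[0], &d[1], &d[2]};
static dev_type *row1[3] = {&d[3], &d[4], &d[5]};
static dev_type *row2[3] = {&d[6], &d[7], &d[8]};
static dev_type **rows[3] = {row0, row1, row2};

long demo_fixed(void) { return sum_fixed(&rows[0], 3); } /* walks row0 */
long demo_buggy(void) { return sum_buggy(&rows[0], 3); } /* first item of each row */

int main(void)
{
    printf("fixed grouping: %ld\n", demo_fixed());
    printf("buggy grouping: %ld\n", demo_buggy());
    return 0;
}
```

When the caller passes the address of a single `dev_type **` variable, which is the usual out-parameter pattern, the wrong grouping already reads past that variable at index 1, which is undefined behaviour and can crash the process.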

Comment 4 Product Security DevOps Team 2021-05-20 08:57:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3559

Comment 5 Dhananjay Arunesh 2021-05-20 11:24:34 UTC
*** Bug 1962605 has been marked as a duplicate of this bug. ***