Bug 1984318

Summary: CVE-2021-3667 libvirt: improper locking on ACL failure in virStoragePoolLookupByTargetPath API [rhel-9.0]
Product: Red Hat Enterprise Linux 9
Reporter: yafu <yafu>
Component: libvirt
Assignee: Peter Krempa <pkrempa>
Status: CLOSED CURRENTRELEASE
QA Contact: yafu <yafu>
Severity: low
Priority: low
Version: 9.0
CC: jdenemar, lmen, pkrempa, virt-maint, xuzhang
Target Milestone: beta
Keywords: Security, SecurityTracking, Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: libvirt-7.6.0-1.el9
Last Closed: 2021-12-07 21:57:54 UTC
Type: Bug
Target Upstream Version: 7.6.0
Bug Blocks: 1986094

Description yafu 2021-07-21 09:02:40 UTC
Description of problem:
virStoragePoolObjPtr is not released if virStoragePoolLookupByTargetPathEnsureACL(conn, def) fails

Version-Release number of selected component (if applicable):
libvirt-7.5.0-1.el9.x86_64

How reproducible:


Steps to Reproduce:
1. vim src/storage/storage_driver.c
...
virStoragePoolPtr
storagePoolLookupByTargetPath(virConnectPtr conn,
                              const char *path)
{
    virStoragePoolObj *obj;
    ...

    if ((obj = virStoragePoolObjListSearch(driver->pools,
                                           storagePoolLookupByTargetPathCallback,
                                           cleanpath))) {
        def = virStoragePoolObjGetDef(obj);
        if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0)
            return NULL;

        pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL);
        virStoragePoolObjEndAPI(&obj);
    }
...


Actual results:


Expected results:
virStoragePoolObjPtr should be released by 'virStoragePoolObjEndAPI(&obj)'.

Additional info:

Comment 2 Peter Krempa 2021-07-23 08:27:34 UTC
Fixed upstream:

commit 447f69dec47e1b0bd15ecd7cd49a9fd3b050fb87
Author: Peter Krempa <pkrempa>
Date:   Wed Jul 21 11:22:25 2021 +0200

    storage_driver: Unlock object on ACL fail in storagePoolLookupByTargetPath
    
    'virStoragePoolObjListSearch' returns a locked and refed object, thus we
    must release it on ACL permission failure.
    
    Fixes: 7aa0e8c0cb8
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318
    Signed-off-by: Peter Krempa <pkrempa>
    Reviewed-by: Michal Privoznik <mprivozn>

v7.5.0-160-g447f69dec4
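
The pattern the commit message describes, as an added example that is not part of this bug report and is not libvirt's code: a simplified C model in which a search returns a locked, referenced object and the ACL failure path either skips or performs the release. All names (pool_obj, pool_search, pool_end_api, lookup_buggy, lookup_fixed) are hypothetical, the ACL result is passed in as a flag, and the lock is modelled as a boolean rather than a real mutex.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified stand-in for a pool object; every name here is hypothetical. */
struct pool_obj { bool locked; int refs; const char *name; };

/* Like the search in the commit message: returns obj locked and ref'd. */
static struct pool_obj *pool_search(struct pool_obj *o)
{
    o->locked = true;
    o->refs++;
    return o;
}

/* Counterpart of the search: unlock, drop the reference, clear the pointer. */
static void pool_end_api(struct pool_obj **o)
{
    (*o)->locked = false;
    (*o)->refs--;
    *o = NULL;
}

/* Pattern from the report: the ACL failure path returns without releasing. */
const char *lookup_buggy(struct pool_obj *pool, bool acl_ok)
{
    struct pool_obj *obj = pool_search(pool);
    if (!acl_ok)
        return NULL;            /* obj stays locked and referenced */
    const char *name = obj->name;
    pool_end_api(&obj);
    return name;
}

/* Corrected pattern: every exit after the search goes through pool_end_api. */
const char *lookup_fixed(struct pool_obj *pool, bool acl_ok)
{
    struct pool_obj *obj = pool_search(pool);
    const char *name = acl_ok ? obj->name : NULL;
    pool_end_api(&obj);
    return name;
}

int main(void)
{
    struct pool_obj a = { false, 1, "default" }, b = a;  /* constructed sample */
    lookup_buggy(&a, false);
    lookup_fixed(&b, false);
    printf("buggy: locked=%d refs=%d\n", a.locked, a.refs);
    printf("fixed: locked=%d refs=%d\n", b.locked, b.refs);
}
```

With a real mutex, the state left behind by the buggy path means the next caller that tries to lock the same object blocks.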

Comment 6 yafu 2021-08-12 13:05:08 UTC
Verified with libvirt-7.6.0-1.el9.x86_64.

Test steps are the same as https://bugzilla.redhat.com/show_bug.cgi?id=1986459#c5.