Bug 2024326 (CVE-2021-3975)

Summary: CVE-2021-3975 libvirt: segmentation fault during VM shutdown can lead to vdsm hang
Product: [Other] Security Response Reporter: gkamathe
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: agedosier, berrange, clalancette, crobinso, eblake, jdenemar, jforbes, jsuchane, knoel, laine, libvirt-maint, pkrempa, security-response-team, veillard, virt-maint, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libvirt 7.1.0 Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in libvirt. The qemuMonitorUnregister() function in qemuProcessHandleMonitorEOF is called using multiple threads without being adequately protected by a monitor lock. This flaw could be triggered by the virConnectGetAllDomainStats API when the guest is shutting down. An unprivileged client with a read-only connection could use this flaw to perform a denial of service attack by causing the libvirt daemon to crash.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-10 17:45:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2021617, 2024334, 2025044, 2026403    
Bug Blocks: 2022767    

Description gkamathe 2021-11-17 20:17:25 UTC 
A use-after-free flaw was found in qemuProcessHandleMonitorEOF() within src/qemu/qemu_process.c, here qemuMonitorUnregister() is called using multiple threads without being adequately protected by a monitor lock. This issue could be used by a unprivileged user to perform a denial of service attack by causing segmentation fault on libvirt


Fixed upstream in libvirt:
https://github.com/libvirt/libvirt/commit/1ac703a7d0789e46833f4013a3876c2e3af18ec7
Comment 1 gkamathe 2021-11-17 20:35:12 UTC 
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 2024334]
Comment 6 errata-xmlrpc 2022-05-10 13:17:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1759 https://access.redhat.com/errata/RHSA-2022:1759
Comment 7 Product Security DevOps Team 2022-05-10 17:45:31 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3975