Bug 2063883 (CVE-2022-0897)

Summary: CVE-2022-0897 libvirt: missing locking in nwfilterConnectNumOfNWFilters can lead to denial of service
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: agedosier, berrange, clalancette, crobinso, eblake, jdenemar, jforbes, jsuchane, knoel, laine, libvirt-maint, pkrempa, security-response-team, veillard, virt-maint, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libvirt 8.0.0-8 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the libvirt nwfilter driver. The virNWFilterObjListNumOfNWFilters method failed to acquire the driver->nwfilters mutex before iterating over virNWFilterObj instances. There was no protection to stop another thread from concurrently modifying the driver->nwfilters object. This flaw allows a malicious, unprivileged user to exploit this issue via libvirt's API virConnectNumOfNWFilters to crash the network filter management daemon (libvirtd/virtnwfilterd).
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-06 13:03:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2063901, 2063902, 2063903, 2063904, 2068431    
Bug Blocks: 2062200, 2063859    

Description Mauro Matteo Cascella 2022-03-14 15:03:03 UTC 
The virNWFilterObjListNumOfNWFilters method iterates over the driver->nwfilters, accessing virNWFilterObj instances. However, it fails to acquire the driver mutex, thus there is no protection to stop another thread from concurrently modifying the driver->nwfilters object. An unprivileged user could exploit this issue via libvirt API virConnectNumOfNWFilters to crash the libvirtd/virtnwfilterd daemon.
Comment 2 Daniel Berrangé 2022-03-17 14:30:38 UTC 
The upstream patch is now public, merged as https://gitlab.com/libvirt/libvirt/-/commit/a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36

commit a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36
Author: Daniel P. Berrangé <berrange>
Date:   Tue Mar 8 17:28:38 2022 +0000

    nwfilter: fix crash when counting number of network filters
    
    The virNWFilterObjListNumOfNWFilters method iterates over the
    driver->nwfilters, accessing virNWFilterObj instances. As such
    it needs to be protected against concurrent modification of
    the driver->nwfilters object.
    
    This API allows unprivileged users to connect, so users with
    read-only access to libvirt can cause a denial of service
    crash if they are able to race with a call of virNWFilterUndefine.
    Since network filters are usually statically defined, this is
    considered a low severity problem.
    
    This is assigned CVE-2022-0897.
    
    Reviewed-by: Eric Blake <eblake>
    Signed-off-by: Daniel P. Berrangé <berrange>
Comment 3 Mauro Matteo Cascella 2022-03-25 09:55:37 UTC 
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 2068431]
Comment 4 errata-xmlrpc 2022-11-08 09:13:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7472 https://access.redhat.com/errata/RHSA-2022:7472
Comment 5 errata-xmlrpc 2022-11-15 09:55:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8003 https://access.redhat.com/errata/RHSA-2022:8003
Comment 6 Product Security DevOps Team 2022-12-06 13:03:25 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0897