Bug 2100862 (CVE-2022-2211)

Summary: CVE-2022-2211 libguestfs: Buffer overflow in get_keys leads to DoS
Product: [Other] Security Response Reporter: Vipul Nair <vinair>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: apevec, ddepaula, eglynn, jferlan, jjoyce, lersek, lhh, mburns, michal.skrivanek, mperina, rhos-maint, rjones, spower, tgolembi, virt-maint, yoguo
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in libguestfs. This issue occurs while calculating the greatest possible number of matching keys in the get_keys() function. This flaw leads to a denial of service, either by mistake or malicious actor.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-06 13:33:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2101279, 2101280, 2101281, 2101282, 2101283, 2101284, 2101286, 2101287, 2102719, 2102720, 2102721    
Bug Blocks: 2100854    

Description Vipul Nair 2022-06-24 13:44:35 UTC 
A buffer overflow was found in get_keys
get_keys()

When calculating the greatest possible number of matching keys in
get_keys(), the current expression

  MIN (1, ks->nr_keys)

is wrong -- it will return at most 1.

If all "nr_keys" keys match however, then we require "nr_keys" non-NULL
entries in the result array; in other words, we need

  MAX (1, ks->nr_keys)

(The comment just above the expression is correct; the code is wrong.)

This buffer overflow is easiest to trigger in those guestfs tools that
parse the "--key" option in C; that is, with "OPTION_key". For example,
the command

$ virt-cat $(seq -f '--key /dev/sda2:key:%g' 200) -d DOMAIN /no-such-file

which passes 200 (different) passphrases for the LUKS-encrypted block
device "/dev/sda2", crashes with a SIGSEGV.
Comment 1 Sandipan Roy 2022-06-27 04:01:16 UTC 
Created libguestfs tracking bugs for this issue:

Affects: fedora-all [bug 2101279]
Comment 5 Richard W.M. Jones 2022-06-28 08:01:12 UTC 
We also need bugs against:

virt-v2v in RHEL 9.1
virt-v2v in RHEL 8.7
guestfs-tools in RHEL 9.1

Don't bother with bugs against z-stream or EUS, I'm not going to through that
process for a low severity bug.
Comment 6 Laszlo Ersek 2022-06-28 12:00:43 UTC 
[Libguestfs] LUKS decryption with Clevis+Tang | CVE-2022-2211
Message-Id: <e5f2b088-7aef-c3bc-b660-d11dd0f55f1d>
https://listman.redhat.com/archives/libguestfs/2022-June/029274.html

[libguestfs-common PATCH 00/12] LUKS decryption with Clevis+Tang | CVE-2022-2211
Message-Id: <20220628114915.5030-1-lersek>
https://listman.redhat.com/archives/libguestfs/2022-June/029277.html

[libguestfs PATCH 0/3] LUKS decryption with Clevis+Tang | CVE-2022-2211
Message-Id: <20220628115418.5376-1-lersek>
https://listman.redhat.com/archives/libguestfs/2022-June/029290.html
Comment 7 Laszlo Ersek 2022-06-29 13:35:52 UTC 
(In reply to Laszlo Ersek from comment #6)
> [libguestfs-common PATCH 00/12] LUKS decryption with Clevis+Tang | CVE-2022-2211
> Message-Id: <20220628114915.5030-1-lersek>
> https://listman.redhat.com/archives/libguestfs/2022-June/029277.html

The CVE fix (the first patch in this series) has been pushed upstream: commit 35467027f657.

> [libguestfs PATCH 0/3] LUKS decryption with Clevis+Tang | CVE-2022-2211
> Message-Id: <20220628115418.5376-1-lersek>
> https://listman.redhat.com/archives/libguestfs/2022-June/029290.html

The documentation of the CVE (the first patch in this series) has been pushed upstream: commit 99844660b48e.
Comment 8 Laszlo Ersek 2022-06-29 13:46:02 UTC 
Additional commits:
- guestfs-tools: b2e7de29b413 ("update common submodule for CVE-2022-2211 fix", 2022-06-29)
- virt-v2v: 795d5dfcef77 ("update common submodule for CVE-2022-2211 fix", 2022-06-29)
Comment 9 Richard W.M. Jones 2022-06-30 07:58:45 UTC 
Setting needinfo again, see comment 5.
Comment 10 Laszlo Ersek 2022-06-30 08:45:31 UTC 
I'm sorry, I only meant to clear the needinfo flag from myself, from comment 3.
Comment 11 Vipul Nair 2022-06-30 13:02:59 UTC 
done
Comment 14 errata-xmlrpc 2022-11-08 09:13:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7472 https://access.redhat.com/errata/RHSA-2022:7472
Comment 15 errata-xmlrpc 2022-11-15 09:48:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7958 https://access.redhat.com/errata/RHSA-2022:7958
Comment 16 errata-xmlrpc 2022-11-15 09:48:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7959 https://access.redhat.com/errata/RHSA-2022:7959
Comment 17 errata-xmlrpc 2022-11-15 09:50:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7968 https://access.redhat.com/errata/RHSA-2022:7968
Comment 18 Product Security DevOps Team 2022-12-06 13:33:14 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2211