Bug 2278616 (CVE-2024-4418)

Summary: CVE-2024-4418 libvirt: stack use-after-free in virNetClientIOEventLoop()
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ailan, berrange, ddepaula, eblake, jdenemar, jferlan, jmaloy, jsuchane, knoel, pkrempa, yalzhang, ymankad
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being "freed" when returning from virNetClientIOEventLoop(). The 'virtproxyd' daemon can be used to trigger requests. If libvirt is configured with fine-grained access control, this issue, in theory, allows a user to escape their otherwise limited access. This flaw allows a local, unprivileged user to access virtproxyd without authenticating. Remote users would need to authenticate before they could access it.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2024-09-29 05:27:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2278618    
Bug Blocks: 2278620    

Description Mauro Matteo Cascella 2024-05-02 12:29:32 UTC 
A race condition leading to a stack use-after-free bug was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being "freed" when returning from virNetClientIOEventLoop().

Quoting libvirt maintainer Daniel P. Berrangé: The 'virtproxyd' daemon can be used to trigger requests which could potentially exercise the bug. If libvirt is configured with fine grained access control, this could in theory let a user escape their otherwise limited access. A local unprivileged user can access virtproxyd without authenticating. Remote users would need to authenticate before they could exercise it.
Comment 1 Mauro Matteo Cascella 2024-05-02 12:31:33 UTC 
Red Hat would like to thank Martin Širokov for reporting this issue.
Comment 2 Mauro Matteo Cascella 2024-05-02 12:33:37 UTC 
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 2278618]
Comment 4 Mauro Matteo Cascella 2024-05-06 09:35:54 UTC 
Upstream fix:
https://gitlab.com/libvirt/libvirt/-/commit/8074d64dc2eca846d6a61efe1a9b7428a0ce1dd1
Comment 5 errata-xmlrpc 2024-07-08 02:45:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4351 https://access.redhat.com/errata/RHSA-2024:4351
Comment 6 errata-xmlrpc 2024-07-09 12:52:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:4432 https://access.redhat.com/errata/RHSA-2024:4432
Comment 7 errata-xmlrpc 2024-07-23 16:22:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4757 https://access.redhat.com/errata/RHSA-2024:4757