Bug 1011429 - CVE-2013-4399 libvirt: libvirtd will be crashed while destroy the guest which has been connected twice by virt-viewer and enable the access-driver in libvirtd.conf [rhel-7.0]
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Daniel Berrangé
QA Contact: Virtualization Bugs
Blocks: CVE-2013-4399
Reported: 2013-09-24 09:19 UTC by zhenfeng wang
Modified: 2014-07-30 12:41 UTC (History)

Fixed In Version: libvirt-1.1.1-9.el7
Doc Type: Bug Fix
Last Closed: 2014-07-30 12:41:08 UTC



Comment 3 Daniel Berrangé 2013-09-27 15:57:26 UTC
commit 8294aa0c1750dcb49d6345cd9bd97bf421580d8b
Author: Daniel P. Berrange <berrange>
Date:   Fri Sep 27 15:46:07 2013 +0100

    Fix crash in libvirtd when events are registered & ACLs active
    
    When a client disconnects from libvirtd, all event callbacks
    must be removed. This involves running the public API
    
      virConnectDomainEventDeregisterAny
    
    This code does not run in normal API dispatch context, so no
    identity was set. The result was that the access control drivers
    denied the attempt to deregister callbacks. The callbacks thus
    continued to trigger after the client was free'd causing fairly
    predictable use of free memory & a crash.
    
    This can be triggered by any client with readonly access when
    the ACL drivers are active.
    
    Signed-off-by: Daniel P. Berrange <berrange>
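
The failure mode this commit message describes, reduced to a toy model (an added example, not libvirt source and not code from this bug report). All function and variable names are hypothetical, a `freed` flag stands in for the real free(), and the `with_identity` switch assumes a remedy of attaching an identity during disconnect cleanup.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Toy model, not libvirt code; every name below is hypothetical. */
enum { MAX_CB = 8 };
struct client { bool freed; };              /* 'freed' stands in for free() */
static struct client *callbacks[MAX_CB];    /* registered event callbacks */
static bool identity_set;                   /* is a caller identity attached? */

static void event_register(struct client *c) {
    for (int i = 0; i < MAX_CB; i++)
        if (!callbacks[i]) { callbacks[i] = c; return; }
}

/* ACL-checked like any public API: with no identity the request is denied. */
static bool event_deregister(struct client *c) {
    if (!identity_set) return false;        /* denied: the entry stays */
    for (int i = 0; i < MAX_CB; i++)
        if (callbacks[i] == c) callbacks[i] = NULL;
    return true;
}

/* Cleanup runs outside API dispatch; with_identity=false models the bug. */
static bool client_disconnect(struct client *c, bool with_identity) {
    identity_set = with_identity;           /* assumed remedy when true */
    bool removed = event_deregister(c);
    identity_set = false;
    c->freed = true;                        /* client object is released */
    return removed;
}

/* Two viewers connect and disconnect; count callbacks left on freed clients. */
static int run_scenario(bool with_identity) {
    static struct client viewers[2];
    int dangling = 0;
    memset(callbacks, 0, sizeof callbacks);
    for (int i = 0; i < 2; i++) {
        viewers[i].freed = false;
        event_register(&viewers[i]);
        client_disconnect(&viewers[i], with_identity);
    }
    for (int i = 0; i < MAX_CB; i++)        /* next event, e.g. guest destroy */
        if (callbacks[i] && callbacks[i]->freed) dangling++;
    return dangling;
}

int main(void) {
    printf("bug: %d dangling, remedy: %d dangling\n", run_scenario(false), run_scenario(true));
    return 0;
}
```

A non-zero count is the state in which the next domain event would be delivered to memory that has already been released.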

Comment 6 zhenfeng wang 2013-10-17 03:33:53 UTC
Verified this bug on libvirt-1.1.1-9.el7.x86_64; steps as follows:
1. enable the access_driver in libvirtd.conf
# cat /etc/libvirt/libvirtd.conf
access_drivers = [ "polkit" ]

2. prepare a normal guest
# virsh list --all
 Id    Name                           State
----------------------------------------------------
 8     rhel7raw                         running
3. connect the guest with virt-viewer and disconnect it with ctrl+c
# virt-viewer rhel7raw
Gtk-Message: Failed to load module "pk-gtk-module"
Gtk-Message: Failed to load module "canberra-gtk-module"
GLib-GIO-Message: Using the 'memory' GSettings backend.  Your settings will not be saved or shared with other applications.

(virt-viewer:14096): GSpice-WARNING **: PulseAudio context failed Connection refused

(virt-viewer:14096): GSpice-WARNING **: pa_context_connect() failed: Connection refused

(virt-viewer:14096): GSpice-WARNING **: Error connecting to session dbus: /bin/dbus-launch terminated abnormally without any error message

(virt-viewer:14096): GSpice-WARNING **: Warning no automount-inhibiting implementation available
^C

3. reconnect the guest with virt-viewer and disconnect it with ctrl+c
# virt-viewer rhel7raw
Gtk-Message: Failed to load module "pk-gtk-module"
Gtk-Message: Failed to load module "canberra-gtk-module"
GLib-GIO-Message: Using the 'memory' GSettings backend.  Your settings will not be saved or shared with other applications.

(virt-viewer:14096): GSpice-WARNING **: PulseAudio context failed Connection refused

(virt-viewer:14096): GSpice-WARNING **: pa_context_connect() failed: Connection refused

(virt-viewer:14096): GSpice-WARNING **: Error connecting to session dbus: /bin/dbus-launch terminated abnormally without any error message

(virt-viewer:14096): GSpice-WARNING **: Warning no automount-inhibiting implementation available
^C

4. destroy the guest
# virsh destroy rhel7raw
Domain rhel7raw destroyed

5. Check the libvirtd status
# ps aux|grep libvirtd
root      6777  0.1  0.0 1058292 18340 ?       Ssl  11:12   0:00 /usr/sbin/libvirtd
root      7451  0.0  0.0 112648   928 pts/0    S+   11:19   0:00 grep --color=auto libvirtd
[root@ibm-x3650m3-07 ~]# service libvirtd status
Redirecting to /bin/systemctl status  libvirtd.service
libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled)
   Active: active (running) since Thu 2013-10-17 11:12:38 CST; 6min ago
 Main PID: 6777 (libvirtd)
   CGroup: name=systemd:/system/libvirtd.service
           ├─1792 /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default....
           └─6777 /usr/sbin/libvirtd

Since libvirtd did not crash and the guest was destroyed correctly, marking this bug as verified.

Comment 8 Petr Matousek 2014-07-30 12:41:08 UTC
Fixed in 7.0 GA, closing.

