Bug 1011429 - CVE-2013-4399 libvirt: libvirtd will be crashed while destroy the guest which has been connected twice by virt-viewer and enable the access-driver in libvirtd.conf [rhel-7.0]
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.0
Hardware: x86_64 Linux
Priority: high Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Daniel Berrange
QA Contact: Virtualization Bugs
Keywords: Security
Depends On:
Blocks: CVE-2013-4399
Reported: 2013-09-24 05:19 EDT by zhenfeng wang
Modified: 2014-07-30 08:41 EDT
Fixed In Version: libvirt-1.1.1-9.el7
Doc Type: Bug Fix
Last Closed: 2014-07-30 08:41:08 EDT
Type: Bug
Comment 3 Daniel Berrange 2013-09-27 11:57:26 EDT
commit 8294aa0c1750dcb49d6345cd9bd97bf421580d8b
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Fri Sep 27 15:46:07 2013 +0100

    Fix crash in libvirtd when events are registered & ACLs active
    
    When a client disconnects from libvirtd, all event callbacks
    must be removed. This involves running the public API
    
      virConnectDomainEventDeregisterAny
    
    This code does not run in normal API dispatch context, so no
    identity was set. The result was that the access control drivers
    denied the attempt to deregister callbacks. The callbacks thus
    continued to trigger after the client was free'd causing fairly
    predictable use of free memory & a crash.
    
    This can be triggered by any client with readonly access when
    the ACL drivers are active.
    
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
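
A simplified C model of the failure described in the commit message in Comment 3, added here as an illustration; it is not libvirt code, and every name in it (`registry`, `client_disconnect`, the `"system"` identity) is hypothetical. The client is marked as freed rather than actually freed so the stale callbacks can be counted safely, and running cleanup under a privileged identity is an assumed remedy, not a description of the actual patch.

```c
#include <stdbool.h>
#include <string.h>
/* Simplified model, not libvirt code; every name below is hypothetical. */
#define MAX_CB 8
struct client { int id; bool freed; };
struct callback { struct client *owner; bool active; };

static struct callback registry[MAX_CB];
static const char *current_identity; /* NULL outside API dispatch context */

static int event_register(struct client *c) {
    for (int i = 0; i < MAX_CB; i++)
        if (!registry[i].active) {
            registry[i] = (struct callback){ c, true };
            return i;
        }
    return -1;
}

/* Public-API style deregister: the ACL stand-in denies callers with no identity. */
static int event_deregister(int slot) {
    if (current_identity == NULL) return -1; /* denied: callback stays registered */
    registry[slot] = (struct callback){ NULL, false };
    return 0;
}

/* Disconnect cleanup; with_identity=false models the path the commit describes. */
static int client_disconnect(struct client *c, bool with_identity) {
    int denied = 0;
    if (with_identity) current_identity = "system"; /* assumed remedy */
    for (int i = 0; i < MAX_CB; i++)
        if (registry[i].active && registry[i].owner == c && event_deregister(i) < 0)
            denied++;
    current_identity = NULL;
    c->freed = true; /* stands in for free(c), so nothing is dereferenced after free */
    return denied;
}

/* Registers two callbacks, disconnects, returns callbacks still bound to the freed client. */
static int run_scenario(bool with_identity) {
    static struct client c;
    int stale = 0;
    memset(registry, 0, sizeof registry);
    c = (struct client){ 1, false };
    event_register(&c);
    event_register(&c);
    client_disconnect(&c, with_identity);
    for (int i = 0; i < MAX_CB; i++)
        if (registry[i].active && registry[i].owner->freed) stale++;
    return stale;
}
```

In the model, `run_scenario(false)` leaves both callbacks pointing at the freed client, while `run_scenario(true)` leaves none.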
Comment 6 zhenfeng wang 2013-10-16 23:33:53 EDT
Verified this bug on libvirt-1.1.1-9.el7.x86_64; steps as follows:
1. Enable the access_driver in libvirtd.conf
# cat /etc/libvirt/libvirtd.conf
access_drivers = [ "polkit" ]

2. Prepare a normal guest
# virsh list --all
 Id    Name                           State
----------------------------------------------------
 8     rhel7raw                         running
3. Connect the guest with virt-viewer and disconnect it with ctrl+c
# virt-viewer rhel7raw
Gtk-Message: Failed to load module "pk-gtk-module"
Gtk-Message: Failed to load module "canberra-gtk-module"
GLib-GIO-Message: Using the 'memory' GSettings backend.  Your settings will not be saved or shared with other applications.

(virt-viewer:14096): GSpice-WARNING **: PulseAudio context failed Connection refused

(virt-viewer:14096): GSpice-WARNING **: pa_context_connect() failed: Connection refused

(virt-viewer:14096): GSpice-WARNING **: Error connecting to session dbus: /bin/dbus-launch terminated abnormally without any error message

(virt-viewer:14096): GSpice-WARNING **: Warning no automount-inhibiting implementation available
^C

3. Reconnect the guest with virt-viewer and disconnect it with ctrl+c
# virt-viewer rhel7raw
Gtk-Message: Failed to load module "pk-gtk-module"
Gtk-Message: Failed to load module "canberra-gtk-module"
GLib-GIO-Message: Using the 'memory' GSettings backend.  Your settings will not be saved or shared with other applications.

(virt-viewer:14096): GSpice-WARNING **: PulseAudio context failed Connection refused

(virt-viewer:14096): GSpice-WARNING **: pa_context_connect() failed: Connection refused

(virt-viewer:14096): GSpice-WARNING **: Error connecting to session dbus: /bin/dbus-launch terminated abnormally without any error message

(virt-viewer:14096): GSpice-WARNING **: Warning no automount-inhibiting implementation available
^C

4. Destroy the guest
# virsh destroy rhel7raw
Domain rhel7raw destroyed

5. Check the libvirtd status
# ps aux|grep libvirtd
root      6777  0.1  0.0 1058292 18340 ?       Ssl  11:12   0:00 /usr/sbin/libvirtd
root      7451  0.0  0.0 112648   928 pts/0    S+   11:19   0:00 grep --color=auto libvirtd
[root@ibm-x3650m3-07 ~]# service libvirtd status
Redirecting to /bin/systemctl status  libvirtd.service
libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled)
   Active: active (running) since Thu 2013-10-17 11:12:38 CST; 6min ago
 Main PID: 6777 (libvirtd)
   CGroup: name=systemd:/system/libvirtd.service
           ├─1792 /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default....
           └─6777 /usr/sbin/libvirtd

Since libvirtd didn't crash and the guest can be destroyed correctly, marking this bug verified.
Comment 8 Petr Matousek 2014-07-30 08:41:08 EDT
Fixed in 7.0 GA, closing.