Bug 1048627 (CVE-2013-6456) - CVE-2013-6456 libvirt: unsafe usage of paths under /proc/$PID/root
Status: CLOSED WONTFIX
Alias: CVE-2013-6456
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1045643 1048628
Blocks: 1048642
Reported: 2014-01-05 23:25 UTC by Murray McAllister
Modified: 2019-09-29 13:11 UTC

Doc Type: Bug Fix
Last Closed: 2015-01-21 15:35:46 UTC

Description Murray McAllister 2014-01-05 23:25:06 UTC
Eric Blake from Red Hat notes:

The LXC driver will open paths under /proc/$PID/root for some operations it performs on running guests. For the virDomainShutdown and virDomainReboot APIs it will use this to access the /dev/initctl path in the container. For the virDomainDeviceAttach / virDomainDeviceDetach APIs it will use this to create device nodes in the container's /dev filesystem. If any of the path components under control of the container are symlinks, the container can cause the libvirtd daemon to access the incorrect files.

Impact
------

A container can cause the administrator to shut down or reboot the host OS if /dev/initctl in the container is made to be an absolute symlink back to itself or /run/initctl. A container can cause the host administrator to mknod in an arbitrary host directory when invoking the virDomainDeviceAttach API by replacing '/dev' with an absolute symlink. A container can cause the host administrator to delete a host device when invoking the virDomainDeviceDetach API by replacing '/dev' with an absolute symlink.

Workaround
----------

Do not use the virDomainShutdown or virDomainReboot APIs without also passing the VIR_DOMAIN_SHUTDOWN_SIGNAL or VIR_DOMAIN_REBOOT_SIGNAL flags respectively. These will cause the LXC driver to send a SIGTERM or SIGHUP signal, respectively, to the init process instead of using /dev/initctl. Do not use the virDomainDeviceAttach or virDomainDeviceDetach APIs at all unless the guest OS is trusted.

This issue affects the versions of libvirt in Fedora 19 and later. Red Hat Enterprise Linux 5 and 6 are not affected.
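
An added example, not part of the original report and not libvirt's code or its fix: one general way for a privileged process to open a path such as dev/initctl beneath a directory it does not trust is to walk it one component at a time with O_NOFOLLOW, so that a symlink at any component is refused rather than followed. The names `open_beneath_nofollow` and `demo`, and the temporary tree standing in for /proc/$PID/root, are assumptions constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open relative `path` (e.g. "dev/initctl") beneath directory fd `rootfd`,
 * one component at a time with O_NOFOLLOW: a symlink at any component, or a
 * ".." component, makes the open fail. Returns an fd, or -1 on failure. */
int open_beneath_nofollow(int rootfd, const char *path, int flags)
{
    char *buf = strdup(path), *save = NULL;
    int dirfd = buf ? dup(rootfd) : -1;
    char *comp = buf ? strtok_r(buf, "/", &save) : NULL;
    while (dirfd >= 0 && comp) {
        char *next = strtok_r(NULL, "/", &save);
        int fd = strcmp(comp, "..") == 0 ? -1 : openat(dirfd, comp,
            O_NOFOLLOW | O_CLOEXEC | (next ? O_RDONLY | O_DIRECTORY : flags));
        close(dirfd);       /* each step is anchored to an already-open dir */
        dirfd = fd;
        comp = next;
    }
    free(buf);
    return dirfd;
}

/* Constructed demo (tree is left in /tmp): <tmp>/guest stands in for
 * /proc/$PID/root, <tmp> for the host. If `hostile`, the guest's "dev" is an
 * absolute symlink to the host directory. Returns bit 0 = naive open
 * succeeded, bit 1 = hardened open succeeded. */
int demo(int hostile)
{
    char top[] = "/tmp/procroot-XXXXXX";
    if (!mkdtemp(top)) return -1;
    int topfd = open(top, O_RDONLY | O_DIRECTORY);
    close(openat(topfd, "initctl", O_CREAT | O_WRONLY, 0600)); /* host file */
    mkdirat(topfd, "guest", 0700);
    int rc = hostile ? symlinkat(top, topfd, "guest/dev")
                     : mkdirat(topfd, "guest/dev", 0700);
    if (rc == 0 && !hostile)
        close(openat(topfd, "guest/dev/initctl", O_CREAT | O_WRONLY, 0600));
    int rootfd = openat(topfd, "guest", O_RDONLY | O_DIRECTORY);
    int naive = openat(rootfd, "dev/initctl", O_RDONLY);
    int safe = open_beneath_nofollow(rootfd, "dev/initctl", O_RDONLY);
    close(naive); close(safe); close(rootfd); close(topfd);
    return (naive >= 0) | ((safe >= 0) << 1);
}

int main(void) { return demo(1) == 1 && demo(0) == 3 ? 0 : 1; }
```

This walk is deliberately strict: it also rejects harmless symlinks inside the guest, which is the safe default when every path component is guest-controlled.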

Comment 1 Murray McAllister 2014-01-05 23:30:12 UTC
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1048628]

Comment 2 Fedora Update System 2014-02-28 18:32:23 UTC
libvirt-1.1.3.4-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
