Bug 1962306 (CVE-2021-3559) - CVE-2021-3559 libvirt: nodedev-list command may cause libvirt to crash on hosts with GRID driver installed
Status: CLOSED NOTABUG
Alias: CVE-2021-3559
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Duplicates: 1962605
Blocks: 1958756 1962337
Reported: 2021-05-19 17:36 UTC by Mauro Matteo Cascella
Modified: 2021-05-20 12:36 UTC

Fixed In Version: libvirt 7.0.0
Doc Text:
A flaw was found in libvirt in the virConnectListAllNodeDevices API. It only affects hosts with a PCI device and driver that supports mediated devices (e.g., GRID driver). This flaw could be used by an unprivileged client with a read-only connection to crash the libvirt daemon by executing the 'nodedev-list' virsh command. The highest threat from this vulnerability is to system availability.
Last Closed: 2021-05-20 08:57:12 UTC

Description Mauro Matteo Cascella 2021-05-19 17:36:17 UTC
The virsh nodedev-list command may cause libvirt to crash on hosts with GRID driver installed. The flaw exists in the virConnectListAllNodeDevices API. This issue could be used by an unprivileged user with a read-only connection to perform a denial of service attack by leveraging the virConnectListAllNodeDevices API via nodedev-list.

Fixed upstream in libvirt-v7.0.0:
https://gitlab.com/libvirt/libvirt/-/commit/4c4d0e2da07b5a035b26a0ff13ec27070f7c7b1a

Comment 2 Mauro Matteo Cascella 2021-05-20 07:55:48 UTC
More precisely, the bug is due to incorrect operator precedence when dereferencing an array pointer in virNodeDeviceGetMdevTypesCaps() in src/conf/node_device_conf.c. It can be triggered by an unprivileged client executing the nodedev-list command on a host that has a PCI device and driver that supports mediated devices.

This flaw was introduced in libvirt version 6.10.0 via commit:
https://gitlab.com/libvirt/libvirt/-/commit/f1b08901f7ae7557f79d83bdac33cc0bd79d1437
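
Added illustration, not part of the bug report and not libvirt's code: the class of precedence error Comment 2 describes, where `*arr[i]` parses as `*(arr[i])` rather than `(*arr)[i]`. The type `struct dev_type`, the functions `grid_id` and `clear_list`, and the 3x3 grid are hypothetical, constructed so that both spellings stay in bounds and their results can be compared.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical element type; every name here is illustrative, not libvirt's. */
struct dev_type { int id; };

/* Constructed 3x3 grid (id = row * 10 + col) so both spellings stay in
 * bounds and the difference in what they select is observable. */
static int grid_id(int parenthesized, size_t i)
{
    static struct dev_type cells[3][3];
    static struct dev_type *row_mem[3][3];
    static struct dev_type **rows[3];
    for (int r = 0; r < 3; r++) {
        for (int c = 0; c < 3; c++) {
            cells[r][c].id = r * 10 + c;
            row_mem[r][c] = &cells[r][c];
        }
        rows[r] = row_mem[r];
    }
    struct dev_type ***arr = rows;
    /* *arr[i] parses as *(arr[i]): index arr itself, then dereference.
     * (*arr)[i] dereferences arr first, then indexes the array behind it. */
    return parenthesized ? (*arr)[i]->id : (*arr[i])->id;
}

/* Out-parameter cleanup: the caller passes the address of ONE array pointer,
 * so only (*list)[i] is valid; *list[i] with i >= 1 would read past it. */
static void clear_list(struct dev_type ***list, size_t *n)
{
    for (size_t i = 0; i < *n; i++)
        free((*list)[i]);
    free(*list);
    *list = NULL;
    *n = 0;
}

int main(void)
{
    size_t n = 3;
    struct dev_type **list = calloc(n, sizeof(*list));
    if (!list)
        return 1;
    for (size_t i = 0; i < n; i++)
        list[i] = calloc(1, sizeof(**list));
    printf("*arr[2] -> id %d, (*arr)[2] -> id %d\n", grid_id(0, 2), grid_id(1, 2));
    clear_list(&list, &n);
    return 0;
}
```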

Comment 4 Product Security DevOps Team 2021-05-20 08:57:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3559

Comment 5 Dhananjay Arunesh 2021-05-20 11:24:34 UTC
*** Bug 1962605 has been marked as a duplicate of this bug. ***
