Bug 1984318 - CVE-2021-3667 libvirt: improper locking on ACL failure in virStoragePoolLookupByTargetPath API [rhel-9.0]
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: libvirt
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: beta
Assignee: Peter Krempa
QA Contact: yafu
Blocks: CVE-2021-3667
Reported: 2021-07-21 09:02 UTC by yafu
Modified: 2021-12-07 22:01 UTC

Fixed In Version: libvirt-7.6.0-1.el9
Last Closed: 2021-12-07 21:57:54 UTC
Type: Bug
Target Upstream Version: 7.6.0



Description yafu 2021-07-21 09:02:40 UTC
Description of problem:
virStoragePoolObjPtr is not released if virStoragePoolLookupByTargetPathEnsureACL(conn, def) fails

Version-Release number of selected component (if applicable):
libvirt-7.5.0-1.el9.x86_64

How reproducible:


Steps to Reproduce:
1. vim src/storage/storage_driver.c
...
virStoragePoolPtr
storagePoolLookupByTargetPath(virConnectPtr conn,
                              const char *path)
{
    virStoragePoolObj *obj;
    ...

    if ((obj = virStoragePoolObjListSearch(driver->pools,
                                           storagePoolLookupByTargetPathCallback,
                                           cleanpath))) {
        def = virStoragePoolObjGetDef(obj);
        if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0)
            return NULL;

        pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL);
        virStoragePoolObjEndAPI(&obj);
    }
...


Actual results:


Expected results:
virStoragePoolObjPtr should be released by 'virStoragePoolObjEndAPI(&obj)'.

Additional info:

Comment 2 Peter Krempa 2021-07-23 08:27:34 UTC
Fixed upstream:

commit 447f69dec47e1b0bd15ecd7cd49a9fd3b050fb87
Author: Peter Krempa <pkrempa@redhat.com>
Date:   Wed Jul 21 11:22:25 2021 +0200

    storage_driver: Unlock object on ACL fail in storagePoolLookupByTargetPath
    
    'virStoragePoolObjListSearch' returns a locked and refed object, thus we
    must release it on ACL permission failure.
    
    Fixes: 7aa0e8c0cb8
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318
    Signed-off-by: Peter Krempa <pkrempa@redhat.com>
    Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

v7.5.0-160-g447f69dec4
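
The pattern the commit message describes, as an added example that is not part of this bug report or of the libvirt source: a toy model in which a search helper returns a locked, referenced object and the ACL decision is passed in as a boolean. `pool_obj`, `pool_search`, `pool_end_api`, `lookup_buggy` and `lookup_fixed` are hypothetical names, and `lookup_fixed` shows one way to release on the deny path, not the upstream patch.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model added for illustration: NOT libvirt code, all names are hypothetical. */
struct pool_obj { bool locked; int refs; };

/* Search: returns the object locked and referenced; NULL stands in for "a real mutex would block". */
static struct pool_obj *pool_search(struct pool_obj *o)
{
    if (o->locked)
        return NULL;
    o->locked = true;
    o->refs++;
    return o;
}

/* Release: unlock and drop the reference taken by pool_search(). */
static void pool_end_api(struct pool_obj *o)
{
    o->locked = false;
    o->refs--;
}

/* Pre-fix shape: the early return on ACL failure skips the release. */
static int lookup_buggy(struct pool_obj *pool, bool acl_ok)
{
    struct pool_obj *obj = pool_search(pool);
    if (!obj || !acl_ok)
        return -1;              /* on ACL failure obj stays locked and referenced */
    pool_end_api(obj);
    return 0;
}

/* Corrected shape: every path after a successful search releases obj. */
static int lookup_fixed(struct pool_obj *pool, bool acl_ok)
{
    struct pool_obj *obj = pool_search(pool);
    if (!obj)
        return -1;
    pool_end_api(obj);          /* runs on the allow and the deny path alike */
    return acl_ok ? 0 : -1;
}

int main(void)
{
    struct pool_obj a = { false, 1 }, b = { false, 1 };
    lookup_buggy(&a, false);
    lookup_fixed(&b, false);
    printf("buggy locked=%d refs=%d, fixed locked=%d refs=%d\n", a.locked, a.refs, b.locked, b.refs);
    return 0;
}
```

A regression check for this class of bug asserts that lock state and reference count are unchanged after a denied call, as the model makes visible.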

Comment 6 yafu 2021-08-12 13:05:08 UTC
Verified with libvirt-7.6.0-1.el9.x86_64.

Test steps are the same as https://bugzilla.redhat.com/show_bug.cgi?id=1986459#c5.

