Bug 2263841 (CVE-2024-1441) - CVE-2024-1441 libvirt: off-by-one error in udevListInterfacesByStatus()
Summary: CVE-2024-1441 libvirt: off-by-one error in udevListInterfacesByStatus()
Keywords:
Status: ASSIGNED
Alias: CVE-2024-1441
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2268983
Blocks: 2263866
Reported: 2024-02-12 12:10 UTC by Mauro Matteo Cascella
Modified: 2024-04-12 06:13 UTC (History)

Fixed In Version: libvirt 10.1.0
Doc Type: If docs needed, set a value
Doc Text:
An off-by-one error was found in the udevListInterfacesByStatus() function in libvirt when the number of interfaces exceeds the size of the `names` array. This issue can be reproduced by sending specially crafted data to the libvirt daemon, allowing an unprivileged client to crash the libvirt daemon and thereby cause a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Mauro Matteo Cascella 2024-02-12 12:10:32 UTC
An off-by-one error was found in libvirt in the udevListInterfacesByStatus() function when the number of interfaces exceeds names_len. The issue can be reproduced by sending a specially crafted entry to the libvirt daemon and can lead to a segmentation fault. An unprivileged user could use this flaw to cause a denial of service condition.

Comment 4 Jiri Denemark 2024-03-11 09:53:12 UTC
The embargo can be removed as the fix was already pushed upstream as

commit c664015fe3a7bf59db26686e9ed69af011c6ebb8
Refs: v10.1.0-rc2-5-gc664015fe3
Author:     Martin Kletzander <mkletzan>
AuthorDate: Tue Feb 27 16:20:12 2024 +0100
Commit:     Jiri Denemark <jdenemar>
CommitDate: Fri Mar 1 11:52:27 2024 +0100

    Fix off-by-one error in udevListInterfacesByStatus

    Ever since this function was introduced in 2012 it could've tried
    filling in an extra interface name.  That was made worse in 2019 when
    the caller functions started accepting NULL arrays of size 0.

    This is assigned CVE-2024-1441.

    Signed-off-by: Martin Kletzander <mkletzan>
    Reported-by: Alexander Kuznetsov <kuznetsovam>
    Fixes: 5a33366f5c0b18c93d161bd144f9f079de4ac8ca
    Fixes: d6064e2759a24e0802f363e3a810dc5a7d7ebb15
    Reviewed-by: Ján Tomko <jtomko>
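
The off-by-one described in the report and in the commit message above, as an added C model that is not libvirt's code: `list_interfaces()` copies interface names into a caller-owned array of `names_len` slots, with a `strict` flag switching between a faulty `count > names_len` bound check and the corrected `count >= names_len`; the guard-slot harness shows that the faulty check writes one slot past the end, and that the corrected check returns 0 for the NULL, size-0 arrays the commit message mentions. All function names and device names are constructed for the example.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of the copy-names-into-caller-array pattern behind
 * CVE-2024-1441 (not libvirt's code). The caller owns `names`, an array of
 * exactly `names_len` slots (NULL with names_len == 0 is allowed). `strict`
 * selects the check: false models the off-by-one (`>`), true the fix (`>=`). */
static int list_interfaces(const char **devices, int ndevices,
                           const char **names, int names_len, bool strict)
{
    int count = 0;
    for (int i = 0; i < ndevices; i++) {
        /* names[names_len] is one past the end: the faulty check lets
         * count == names_len through and writes that slot; for a NULL
         * array of size 0 that is a write through a NULL pointer. */
        if (strict ? count >= names_len : count > names_len)
            break;
        names[count] = devices[i];
        count++;
    }
    return count;   /* the faulty path can return names_len + 1 */
}

/* Harness: run list_interfaces() over a guard buffer with one extra slot that
 * holds a sentinel pointer; returns 1 if that slot was overwritten, else 0. */
static int guard_slot_clobbered(int ndevices, int names_len, bool strict)
{
    /* Constructed sample input: more devices than the caller has room for. */
    static const char *devices[] = { "eth0", "eth1", "eth2", "virbr0" };
    static const char sentinel[] = "GUARD";
    const char **slots = calloc((size_t)names_len + 1, sizeof(*slots));
    int clobbered;

    if (ndevices > 4) ndevices = 4;
    slots[names_len] = sentinel;
    list_interfaces(devices, ndevices, slots, names_len, strict);
    clobbered = slots[names_len] != sentinel;
    free(slots);
    return clobbered;
}

/* With the corrected check, the NULL, size-0 caller from the commit message
 * gets 0 back and nothing is written. */
static int list_into_null_array(void)
{
    static const char *devices[] = { "eth0", "eth1" };
    return list_interfaces(devices, 2, NULL, 0, true);
}
```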

Comment 5 Mauro Matteo Cascella 2024-03-11 09:58:03 UTC
Thanks for the heads-up, Jiri. Embargo lifted accordingly.

Comment 6 Mauro Matteo Cascella 2024-03-11 10:02:53 UTC
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 2268983]
