A race condition leading to a stack use-after-free bug was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the stack frame holding that structure was concurrently being "freed" by the return from virNetClientIOEventLoop(). Quoting libvirt maintainer Daniel P. Berrangé: "The 'virtproxyd' daemon can be used to trigger requests which could potentially exercise the bug. If libvirt is configured with fine grained access control, this could in theory let a user escape their otherwise limited access. A local unprivileged user can access virtproxyd without authenticating. Remote users would need to authenticate before they could exercise it."
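The bug class the advisory describes, as an added example that is not libvirt's code: a function registers a callback with an event loop, hands the loop a pointer to a struct that lives on the function's own stack frame, and returns without detaching the source, so the loop still holds a pointer into a dead frame. The tiny source registry, the io_event_* names and the "detach before return" fix are all constructed for illustration here; the actual upstream change is the linked commit, not this code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* A deliberately tiny event-source registry standing in for the real
 * client event loop. Constructed for this example; it is not libvirt's
 * or GLib's API. */
typedef void (*source_cb)(void *opaque);

struct source {
    source_cb cb;
    void *opaque;
    bool attached;   /* still owned by the loop and eligible to fire */
};

#define MAX_SOURCES 4
static struct source sources[MAX_SOURCES];

static int source_attach(source_cb cb, void *opaque)
{
    for (int i = 0; i < MAX_SOURCES; i++) {
        if (!sources[i].attached) {
            sources[i] = (struct source){ cb, opaque, true };
            return i;
        }
    }
    return -1;
}

/* Detach: the loop forgets the source, so it can never fire again. */
static void source_destroy(int id)
{
    if (id >= 0 && id < MAX_SOURCES)
        sources[id].attached = false;
}

/* One loop iteration: every attached source fires with its opaque pointer. */
static void loop_dispatch(void)
{
    for (int i = 0; i < MAX_SOURCES; i++)
        if (sources[i].attached)
            sources[i].cb(sources[i].opaque);
}

/* Number of sources the loop still holds an opaque pointer for. */
static int attached_sources(void)
{
    int n = 0;
    for (int i = 0; i < MAX_SOURCES; i++)
        n += sources[i].attached ? 1 : 0;
    return n;
}

static void loop_reset(void)
{
    for (int i = 0; i < MAX_SOURCES; i++)
        sources[i].attached = false;
}

/* Per-call state that, as in the advisory, lives on the caller's stack. */
struct io_event_data {
    int fired;
};

static void io_event_cb(void *opaque)
{
    struct io_event_data *data = opaque;   /* hypothetical callback body */
    data->fired++;
}

/* Vulnerable pattern: 'data' lives on this frame, the loop keeps &data,
 * and the function returns without detaching the source. The next
 * loop_dispatch() would call io_event_cb() with a pointer into a dead
 * frame. Returns how many sources still reference this frame at return. */
static int io_event_loop_vulnerable(void)
{
    struct io_event_data data = { .fired = 0 };
    int id = source_attach(io_event_cb, &data);

    loop_dispatch();             /* fires while 'data' is alive: fine */
    (void)id;                    /* our handle is dropped, source NOT destroyed */
    return attached_sources();   /* 1: the dangling pointer outlives the frame */
}

/* Fixed pattern: detach the source before the frame goes away, so the
 * loop can no longer reach 'data' once this function has returned. */
static int io_event_loop_fixed(void)
{
    struct io_event_data data = { .fired = 0 };
    int id = source_attach(io_event_cb, &data);

    loop_dispatch();
    source_destroy(id);          /* loop forgets &data before we return */
    return attached_sources();   /* 0 */
}

int main(void)
{
    loop_reset();
    printf("vulnerable: %d source(s) still attached after return\n",
           io_event_loop_vulnerable());
    loop_reset();
    printf("fixed:      %d source(s) still attached after return\n",
           io_event_loop_fixed());
    return 0;
}
```

The example never dereferences the dead frame (that would be undefined behaviour and not reproducible); instead it counts the sources the loop still owns at the moment of return, which is the condition that makes a later dispatch a use-after-free. In a real daemon that later dispatch happens on another thread's schedule, which is why the advisory calls it a race rather than a deterministic crash.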
Red Hat would like to thank Martin Širokov for reporting this issue.
Created libvirt tracking bugs for this issue: Affects: fedora-all [bug 2278618]
Upstream fix: https://gitlab.com/libvirt/libvirt/-/commit/8074d64dc2eca846d6a61efe1a9b7428a0ce1dd1
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8, via RHSA-2024:4351 https://access.redhat.com/errata/RHSA-2024:4351
  Red Hat Enterprise Linux 9.2 Extended Update Support, via RHSA-2024:4432 https://access.redhat.com/errata/RHSA-2024:4432
  Red Hat Enterprise Linux 9, via RHSA-2024:4757 https://access.redhat.com/errata/RHSA-2024:4757