Bug 980112 (CVE-2013-2218) - CVE-2013-2218 libvirt: virConnectListAllInterfaces crash
Summary: CVE-2013-2218 libvirt: virConnectListAllInterfaces crash
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2013-2218
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 980118
Blocks: 980122
TreeView+ depends on / blocked
 
Reported: 2013-07-01 13:05 UTC by Petr Matousek
Modified: 2023-05-11 23:22 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-07-01 13:15:02 UTC
Embargoed:


Attachments (Terms of Use)

Description Petr Matousek 2013-07-01 13:05:00 UTC
Daniel P. Berrange reported:

"As non-root, simply run:

  # virsh -c qemu:///system --readonly iface-list --inactive                                                                                                                                                   

The libvirtd daemon will crash with one of a number of different
stack traces, for example:

*** Error in `/home/berrange/src/virt/libvirt/daemon/.libs/lt-libvirtd': invalid fastbin entry (free): 0x00007f03fc02a1b0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x3cd5e7cef8)[0x7f0425cf7ef8]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(virFree+0x2e)[0x7f04293fd79e]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(virLogVMessage+0x37d)[0x7f042942384d]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(virLogMessage+0x97)[0x7f0429423b27]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(virObjectUnref+0x65)[0x7f04294324d5]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(virIdentitySetCurrent+0x35)[0x7f042941ae25]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(virNetServerProgramDispatch+0x392)[0x7f0429539be2]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(+0x195d68)[0x7f0429533d68]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(+0xa62e5)[0x7f04294442e5]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(+0xa594e)[0x7f042944394e]
/lib64/libpthread.so.0(+0x3cd6207c53)[0x7f0426449c53]
/lib64/libc.so.6(clone+0x6d)[0x7f0425d6fecd]

Looking at the code, we have a double-free of the 'struct netcf_if'
object when any of the filtering flags are set. Hence this only
happens if you pass  '--inactive' to virsh."

Upstream fix:

http://libvirt.org/git/?p=libvirt.git;a=commit;h=244e0b8cf15ca2ef48d82058e728656e6c4bad11

Acknowledgements:

This issue was discovered by Daniel P. Berrange of Red Hat.

Comment 1 Petr Matousek 2013-07-01 13:08:11 UTC
Statement:

Not vulnerable.

This issue did not affect the versions of libvirt package as shipped with Red Hat Enterprise Linux 5 and 6.

Comment 2 Petr Matousek 2013-07-01 13:08:58 UTC
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 980118]


Note You need to log in before you can comment on or make changes to this bug.