Bug 997367 - CVE-2013-5651 Running numatune with an invalid nodeset parameter crashes libvirtd [rhel-6.5]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.5
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Peter Krempa
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 997906 CVE-2013-5651
 
Reported: 2013-08-15 09:54 UTC by Hao Liu
Modified: 2013-11-21 09:08 UTC (History)

Fixed In Version: libvirt-0.10.2-23.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 997906
Environment:
Last Closed: 2013-11-21 09:08:13 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHBA-2013:1581 (priority normal, status SHIPPED_LIVE): libvirt bug fix and enhancement update, last updated 2013-11-21 01:11:35 UTC

Description Hao Liu 2013-08-15 09:54:53 UTC
Description of problem:
Running numatune with an invalid nodeset parameter crashes libvirtd.

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 6.5 Beta
libvirt-0.10.2-21.el6.x86_64
kernel-2.6.32-410.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.386.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Make sure a domain 'foo' is shut off.

2. Change the nodeset to a very large number.
# virsh numatune foo --nodeset 1000000000

3. Check whether libvirtd has crashed.
# ps aux | grep libvirtd

Actual result:
error: Unable to change numa parameters
error: End of file while reading data: Input/output error
error: One or more references were leaked after disconnect from the hypervisor
error: Failed to reconnect to the hypervisor

Expected result:
An error message or an empty line, without crashing libvirtd.

Additional Info:

# virsh nodeinfo
CPU model:           x86_64
CPU(s):              24
CPU frequency:       1596 MHz
CPU socket(s):       1
Core(s) per socket:  6
Thread(s) per core:  2
NUMA cell(s):        2
Memory size:         32834484 KiB

libvirtd backtrace:
Thread 11 (Thread 0x7f5244dac700 (LWP 10403)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f5244dac700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 10 (Thread 0x7f52425a8700 (LWP 10407)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f52425a8700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 9 (Thread 0x7f52411a6700 (LWP 10409)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f52411a6700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 8 (Thread 0x7f52407a5700 (LWP 10410)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f52407a5700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 7 (Thread 0x7f52443ab700 (LWP 10404)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f52443ab700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 6 (Thread 0x7f52439aa700 (LWP 10405)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f52439aa700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 5 (Thread 0x7f5242fa9700 (LWP 10406)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f5242fa9700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 4 (Thread 0x7f5241ba7700 (LWP 10408)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f5241ba7700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 3 (Thread 0x7f5251a5d860 (LWP 10400)):
#0  0x00007f524fdbd6fd in write () at ../sysdeps/unix/syscall-template.S:82
#1  0x00007f52512914ae in safewrite (fd=4, buf=0x1965c20, count=112) at util/util.c:130
#2  0x00007f525127f930 in virLogOutputToFd (category=<value optimized out>, priority=<value optimized out>, funcname=<value optimized out>, linenr=<value optimized out>, 
    timestamp=<value optimized out>, flags=0, str=0x1965050 "10400: debug : virEventPollRunOnce:614 : EVENT_POLL_RUN: nhandles=11 timeout=5000\n", data=0x4) at util/logging.c:846
#3  0x00007f52512802cf in virLogVMessage (category=0x7f52513d000f "trace.util/event_poll.c", priority=<value optimized out>, funcname=0x7f52513d05a0 "virEventPollRunOnce", linenr=614, 
    flags=0, fmt=<value optimized out>, vargs=0x7fffd4511000) at util/logging.c:781
#4  0x00007f525128047c in virLogMessage (category=<value optimized out>, priority=<value optimized out>, funcname=<value optimized out>, linenr=<value optimized out>, 
    flags=<value optimized out>, fmt=<value optimized out>) at util/logging.c:688
#5  0x00007f5251279591 in virEventPollRunOnce () at util/event_poll.c:612
#6  0x00007f52512787e7 in virEventRunDefaultImpl () at util/event.c:247
#7  0x00007f5251366acd in virNetServerRun (srv=0x1960180) at rpc/virnetserver.c:748
#8  0x0000000000423cc7 in main (argc=<value optimized out>, argv=<value optimized out>) at libvirtd.c:1228

Thread 2 (Thread 0x7f52457ad700 (LWP 10402)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f525128bb46 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f525128c113 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x00007f524fdb69d1 in start_thread (arg=0x7f52457ad700) at pthread_create.c:301
#5  0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 1 (Thread 0x7f52461ae700 (LWP 10401)):
#0  0x00007f525126e316 in virBitmapIsSet (str=<value optimized out>, sep=0 '\000', bitmap=0x7f52461ad9c8, bitmapSize=<value optimized out>) at util/bitmap.c:153
#1  virBitmapParse (str=<value optimized out>, sep=0 '\000', bitmap=0x7f52461ad9c8, bitmapSize=<value optimized out>) at util/bitmap.c:335
#2  0x0000000000466d95 in qemuDomainSetNumaParameters (dom=<value optimized out>, params=<value optimized out>, nparams=1, flags=2) at qemu/qemu_driver.c:8190
#3  0x00007f525132c3fd in virDomainSetNumaParameters (domain=0x7f52300025a0, params=0x7f5230002de0, nparams=1, flags=0) at libvirt.c:3975
#4  0x000000000042ad7e in remoteDispatchDomainSetNumaParameters (server=<value optimized out>, client=<value optimized out>, msg=<value optimized out>, rerr=0x7f52461adb80, 
    args=<value optimized out>, ret=<value optimized out>) at remote_dispatch.h:5505
#5  remoteDispatchDomainSetNumaParametersHelper (server=<value optimized out>, client=<value optimized out>, msg=<value optimized out>, rerr=0x7f52461adb80, args=<value optimized out>, 
    ret=<value optimized out>) at remote_dispatch.h:5475
#6  0x00007f5251368a42 in virNetServerProgramDispatchCall (prog=0x1968a70, server=0x1960180, client=0x1965700, msg=0x195cc10) at rpc/virnetserverprogram.c:431
#7  virNetServerProgramDispatch (prog=0x1968a70, server=0x1960180, client=0x1965700, msg=0x195cc10) at rpc/virnetserverprogram.c:304
#8  0x00007f525136728e in virNetServerProcessMsg (srv=<value optimized out>, client=0x1965700, prog=<value optimized out>, msg=0x195cc10) at rpc/virnetserver.c:170
#9  0x00007f525136792c in virNetServerHandleJob (jobOpaque=<value optimized out>, opaque=0x1960180) at rpc/virnetserver.c:191
#10 0x00007f525128c07c in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:144
#11 0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#12 0x00007f524fdb69d1 in start_thread (arg=0x7f52461ae700) at pthread_create.c:301
#13 0x00007f524f6fca8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Comment 1 Alex Jia 2013-08-15 10:32:54 UTC
(In reply to Hao Liu from comment #0)
> Steps to Reproduce:
> 1. make sure a domain 'foo' is shut off.

It's not necessary.

> libvirtd backtrace:
 
> Thread 1 (Thread 0x7f52461ae700 (LWP 10401)):
> #0  0x00007f525126e316 in virBitmapIsSet (str=<value optimized out>, sep=0
> '\000', bitmap=0x7f52461ad9c8, bitmapSize=<value optimized out>) at
> util/bitmap.c:153
> #1  virBitmapParse (str=<value optimized out>, sep=0 '\000',
> bitmap=0x7f52461ad9c8, bitmapSize=<value optimized out>) at util/bitmap.c:335
> #2  0x0000000000466d95 in qemuDomainSetNumaParameters (dom=<value optimized
> out>, params=<value optimized out>, nparams=1, flags=2) at
> qemu/qemu_driver.c:8190
> #3  0x00007f525132c3fd in virDomainSetNumaParameters (domain=0x7f52300025a0,
> params=0x7f5230002de0, nparams=1, flags=0) at libvirt.c:3975
> #4  0x000000000042ad7e in remoteDispatchDomainSetNumaParameters
> (server=<value optimized out>, client=<value optimized out>, msg=<value
> optimized out>, rerr=0x7f52461adb80, 
>     args=<value optimized out>, ret=<value optimized out>) at
> remote_dispatch.h:5505
> #5  remoteDispatchDomainSetNumaParametersHelper (server=<value optimized
> out>, client=<value optimized out>, msg=<value optimized out>,
> rerr=0x7f52461adb80, args=<value optimized out>, 
>     ret=<value optimized out>) at remote_dispatch.h:5475
> #6  0x00007f5251368a42 in virNetServerProgramDispatchCall (prog=0x1968a70,
> server=0x1960180, client=0x1965700, msg=0x195cc10) at
> rpc/virnetserverprogram.c:431
> #7  virNetServerProgramDispatch (prog=0x1968a70, server=0x1960180,
> client=0x1965700, msg=0x195cc10) at rpc/virnetserverprogram.c:304
> #8  0x00007f525136728e in virNetServerProcessMsg (srv=<value optimized out>,
> client=0x1965700, prog=<value optimized out>, msg=0x195cc10) at
> rpc/virnetserver.c:170
> #9  0x00007f525136792c in virNetServerHandleJob (jobOpaque=<value optimized
> out>, opaque=0x1960180) at rpc/virnetserver.c:191
> #10 0x00007f525128c07c in virThreadPoolWorker (opaque=<value optimized out>)
> at util/threadpool.c:144
> #11 0x00007f525128b969 in virThreadHelper (data=<value optimized out>) at
> util/threads-pthread.c:161
> #12 0x00007f524fdb69d1 in start_thread (arg=0x7f52461ae700) at
> pthread_create.c:301
> #13 0x00007f524f6fca8d in clone () at
> ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

This should be enough to debug.

Comment 2 Alex Jia 2013-08-15 11:05:43 UTC
(In reply to Alex Jia from comment #1)
> > libvirtd backtrace:
>  
> > Thread 1 (Thread 0x7f52461ae700 (LWP 10401)):
> > #0  0x00007f525126e316 in virBitmapIsSet (str=<value optimized out>, sep=0
> > '\000', bitmap=0x7f52461ad9c8, bitmapSize=<value optimized out>) at
> > util/bitmap.c:153

Eric, do we need to fix this in the gnulib library, or in the caller? Thanks.

Comment 8 Alex Jia 2013-08-16 07:54:28 UTC
Patch on upstream:
https://www.redhat.com/archives/libvir-list/2013-August/msg00723.html

Comment 9 Peter Krempa 2013-08-16 10:32:48 UTC
A more thorough version posted for review:
https://www.redhat.com/archives/libvir-list/2013-August/msg00735.html

Comment 10 Peter Krempa 2013-08-16 12:43:48 UTC
Fixed upstream:

commit 7efd5fd1b0225436cbbae1181ab41c2d3eca43f9
Author: Peter Krempa <pkrempa>
Date:   Fri Aug 16 12:13:27 2013 +0200

    virbitmaptest: Add test for out of bounds condition
    
    Previous patch fixed an issue where, when parsing a bitmap from the
    string, the bounds of the bitmap weren't checked. That flaw resulted in
    crashes. This test tests that case to avoid it in the future.

commit 536d38128e749fa5b149b9e168224280c3ad348c
Author: Peter Krempa <pkrempa>
Date:   Fri Aug 16 12:12:55 2013 +0200

    virbitmaptest: Fix function header formatting

commit 47b9127e883677a0d60d767030a147450e919a25
Author: Peter Krempa <pkrempa>
Date:   Fri Aug 16 12:22:32 2013 +0200

    virbitmap: Refactor virBitmapParse to avoid access beyond bounds of array
    
    The virBitmapParse function was calling the virBitmapIsSet() function,
    which requires the caller to check the bounds of the bitmap, without
    checking them. This resulted in crashes when parsing a bitmap string that
    exceeded the bounds passed as argument.
    
    This patch refactors the function to use virBitmapSetBit without
    checking if the bit is set (this function does the checks internally)
    and then counts the bits in the bitmap afterwards (instead of keeping
    track while parsing the string).
    
    This patch also changes the "parse_error" label to a more common
    "error".
    
    The refactor should also get rid of the need to call sa_assert on the
    returned variable as the callpath should allow coverity to infer the
    possible return values.
    
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=997367
    
    Thanks to Alex Jia for tracking down the issue. This issue was introduced
    by commit 0fc8909.
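
The flaw and the fix described in the commit messages above, as an added example that is not libvirt's code: a simplified C bitmap parser in the shape of virBitmapParse, with the 0.10.2-21 logic (test through an unchecked accessor like virBitmapIsSet, keep a running count) beside the refactored logic (set through a bounds-checking mutator like virBitmapSetBit, fail the parse on -1, count the bits afterwards). The struct layout, the helper names (bitmap_init, bitmap_change_bit, parse_count), the accepted grammar and the size/64+1 word allocation are assumptions made for this example. Only the hardened path is run against the reporter's input, because the unchecked path would read far outside the allocation.

```c
/* Added example, not libvirt source: a simplified bitmap parser with the shape of
 * the CVE-2013-5651 flaw and of the upstream refactor. Names and grammar are assumed. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    size_t max_bit;   /* valid bits, e.g. the host's NUMA cell count */
    size_t words;     /* 64-bit words actually allocated */
    uint64_t *map;
} bitmap_t;

static int bitmap_init(bitmap_t *bm, size_t size) {
    bm->max_bit = size;
    bm->words = size / 64 + 1;
    bm->map = calloc(bm->words, sizeof(uint64_t));
    return bm->map ? 0 : -1;
}

/* Like virBitmapIsSet in 0.10.2: no bounds check, the caller must keep b < max_bit.
 * b = 1000000000 on a 2-cell map reads word 15625000 of a one-word allocation. */
static int bitmap_is_set_unchecked(const bitmap_t *bm, size_t b) {
    return (int)((bm->map[b / 64] >> (b % 64)) & 1);
}

/* Like virBitmapSetBit/virBitmapClearBit: bounds-checked, -1 if out of range. */
static int bitmap_change_bit(bitmap_t *bm, size_t b, int set) {
    if (b >= bm->max_bit) return -1;
    if (set) bm->map[b / 64] |= (uint64_t)1 << (b % 64);
    else     bm->map[b / 64] &= ~((uint64_t)1 << (b % 64));
    return 0;
}

static int bitmap_count_bits(const bitmap_t *bm) {
    int n = 0;
    for (size_t i = 0; i < bm->words; i++) for (uint64_t w = bm->map[i]; w; w &= w - 1) n++;
    return n;
}

/* One unsigned decimal number; -1 on a non-digit or on overflow. */
static int parse_num(const char **cur, size_t *out) {
    char *end;
    if (!isdigit((unsigned char)**cur)) return -1;
    errno = 0;
    *out = (size_t)strtoul(*cur, &end, 10);
    if (errno == ERANGE) return -1;
    *cur = end;
    return 0;
}

typedef int (*apply_fn)(bitmap_t *bm, size_t bit, int neg, int *count);

/* Pre-fix shape: test via the unchecked accessor, keep a running count, ignore the mutator. */
static int apply_unchecked(bitmap_t *bm, size_t bit, int neg, int *count) {
    if (bitmap_is_set_unchecked(bm, bit) == !neg) return 0;  /* already as wanted */
    (void)bitmap_change_bit(bm, bit, !neg);
    *count += neg ? -1 : 1;
    return 0;
}

/* Post-fix shape: the checked mutator rejects the bit and fails the parse; count later. */
static int apply_checked(bitmap_t *bm, size_t bit, int neg, int *count) {
    (void)count;
    return bitmap_change_bit(bm, bit, !neg);
}

/* Assumed grammar: item (',' item)*, item := ['^'] N | ['^'] N '-' M.
 * Returns the number of set bits, or -1 on a syntax or range error. */
static int bitmap_parse(const char *str, bitmap_t *bm, apply_fn apply) {
    const char *cur = str;
    int count = 0, neg;
    for (;;) {
        size_t start, end;
        if ((neg = (*cur == '^'))) cur++;
        if (parse_num(&cur, &start) < 0) return -1;
        end = start;
        if (*cur == '-') { cur++; if (parse_num(&cur, &end) < 0 || end < start) return -1; }
        for (size_t b = start; b <= end; b++)
            if (apply(bm, b, neg, &count) < 0) return -1;
        if (*cur == '\0') break;
        if (*cur++ != ',') return -1;
    }
    return apply == apply_checked ? bitmap_count_bits(bm) : count;
}

/* Allocate, parse, free, return the count (or -1): what a caller needs to reply with an error. */
static int parse_count(const char *str, size_t size, apply_fn apply) {
    bitmap_t bm;
    int n = bitmap_init(&bm, size) < 0 ? -1 : bitmap_parse(str, &bm, apply);
    free(bm.map);
    return n;
}

int main(void) {
    /* The reporter's input on a 2-cell host; only the checked path is exercised. */
    int n = parse_count("1000000000", 2, apply_checked);
    printf("nodeset 1000000000 on 2 cells: %d (expect -1)\n", n);
    return n == -1 ? 0 : 1;
}
```

Compile with `cc -std=c99 -Wall example.c`. Against a two-cell host like the reporter's (NUMA cell(s): 2) the checked parser returns -1 for 1000000000 and the caller can return an error reply, whereas the pre-fix shape would index word 15625000 of a one-word map, the same kind of read that put virBitmapIsSet at util/bitmap.c:153 at the top of the backtrace. The unchecked variant is kept in the block only to make the missing check visible next to its replacement.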

Comment 11 Eric Blake 2013-08-16 13:11:38 UTC
This bug is already public knowledge, but it is now being discussed on the closed libvirt-security list for its potential as a CVE.  Please do not discuss the CVE specifics in public comments.

Comment 17 errata-xmlrpc 2013-11-21 09:08:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1581.html

