A NULL pointer dereference flaw was discovered in libvirt in the way it gets interface information through the QEMU agent. An attacker in a guest VM can use this flaw to crash libvirtd and cause a denial of service.
A flaw was found in libvirtd. A NULL pointer in the virJSONValueObjectHasKey function in util/virjson.c triggers a crash, resulting in a remote denial of service via the guest agent.
Created libvirt tracking bugs for this issue:
Affects: fedora-all [bug 1665229]
Created mingw-libvirt tracking bugs for this issue:
Affects: fedora-all [bug 1665230]
The NULL pointer dereference is caused by the execution of qemuAgentGetInterfaces() in qemu/qemu_agent.c. A "guest-network-get-interfaces" command is sent to the guest agent through the qemuAgentCommand() function and, although a reply is expected, the `needReply` parameter of qemuAgentCommand() is not set. Thus, if for some reason the qemu agent does not reply, the reply variable may be NULL, causing an error in virJSONValueObjectGet(), which is called immediately after the qemuAgentCommand() function.
An attacker who has an account on a guest VM could use this flaw to crash libvirtd on the host, thus causing a denial of service for other VMs as well. An attacker would need high privileges to control qemu-ga and make it fail to reply to the "guest-network-get-interfaces" command sent by libvirtd; however, we do not exclude other ways to prevent the guest agent from correctly replying.
For the flaw to be exploited, User Interaction is required as a user on the host needs to request a "guest-network-get-interfaces" agent command.
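The following is an added, self-contained C model of the bug pattern described above; it is not libvirt's code. The functions `agent_command()` and `json_object_get()` are hypothetical stand-ins for qemuAgentCommand() and virJSONValueObjectGet(), and the `agent_silent` flag is a constructed way to simulate a guest agent that never answers. `get_interfaces_vulnerable()` reproduces the pattern from the report (reply expected, `needReply` not set, reply dereferenced without a check), and `get_interfaces_fixed()` shows the defensive shape: request the reply and still refuse to touch a NULL one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal JSON object: a few key/value string pairs. */
typedef struct {
    const char *key;
    const char *value;
} json_pair_t;

typedef struct {
    json_pair_t pairs[4];
    size_t npairs;
} json_value_t;

/* Stand-in for virJSONValueObjectGet(): looks up key in obj.
 * Like a typical accessor it assumes obj is non-NULL, so passing
 * NULL dereferences a NULL pointer and crashes the process. */
static const char *json_object_get(const json_value_t *obj, const char *key)
{
    for (size_t i = 0; i < obj->npairs; i++)
        if (strcmp(obj->pairs[i].key, key) == 0)
            return obj->pairs[i].value;
    return NULL;
}

/* Stand-in for qemuAgentCommand(). agent_silent (constructed) models a
 * guest agent that never replies. With needReply == false a missing reply
 * is NOT an error: the call returns 0 and leaves *reply == NULL. With
 * needReply == true a missing reply is reported as failure (-1). */
static int agent_command(const char *cmd, json_value_t **reply,
                         bool needReply, bool agent_silent)
{
    static json_value_t ok_reply = {
        .pairs = { { "return", "[]" } },   /* constructed empty interface list */
        .npairs = 1,
    };
    (void)cmd;
    *reply = NULL;
    if (agent_silent)
        return needReply ? -1 : 0;
    *reply = &ok_reply;
    return 0;
}

/* Vulnerable pattern: the caller expects a reply but passes needReply=false,
 * so a silent agent yields rc == 0 and reply == NULL, and the very next
 * json_object_get() dereferences NULL. Do not call with agent_silent=true. */
static int get_interfaces_vulnerable(bool agent_silent, const char **out)
{
    json_value_t *reply = NULL;
    if (agent_command("guest-network-get-interfaces", &reply, false, agent_silent) < 0)
        return -1;
    *out = json_object_get(reply, "return");   /* NULL deref when agent is silent */
    return *out ? 0 : -1;
}

/* Hardened: request the reply (needReply=true) so a missing answer surfaces
 * as an error, and additionally guard against a NULL reply before use. */
static int get_interfaces_fixed(bool agent_silent, const char **out)
{
    json_value_t *reply = NULL;
    *out = NULL;
    if (agent_command("guest-network-get-interfaces", &reply, true, agent_silent) < 0)
        return -1;
    if (reply == NULL)
        return -1;
    *out = json_object_get(reply, "return");
    return *out ? 0 : -1;
}

/* Returns 1 if the hardened path fails cleanly (no crash) on a silent agent. */
static int fixed_handles_silent_agent(void)
{
    const char *out = NULL;
    return get_interfaces_fixed(true, &out) == -1 && out == NULL;
}

/* Returns 1 if the hardened path still returns the interface list normally. */
static int fixed_handles_live_agent(void)
{
    const char *out = NULL;
    return get_interfaces_fixed(false, &out) == 0 && strcmp(out, "[]") == 0;
}

/* Returns 1 if the vulnerable path works when the agent does reply. */
static int vulnerable_handles_live_agent(void)
{
    const char *out = NULL;
    return get_interfaces_vulnerable(false, &out) == 0 && strcmp(out, "[]") == 0;
}

int main(void)
{
    printf("fixed, silent agent handled: %d\n", fixed_handles_silent_agent());
    printf("fixed, live agent ok:        %d\n", fixed_handles_live_agent());
    printf("vulnerable, live agent ok:   %d\n", vulnerable_handles_live_agent());
    return 0;
}
```

The two checks in the fixed path are deliberately redundant: setting `needReply` turns a missing answer into an error at the call site, and the explicit NULL test protects the caller even if a future change to the command helper again returns success without a reply.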