Bug 1828190 (CVE-2020-12430) - CVE-2020-12430 libvirt: memory leak in domstats may allow read-only user to perform DoS attack
Summary: CVE-2020-12430 libvirt: memory leak in domstats may allow read-only user to p...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-12430
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1804548 1828216 1828403
Blocks: 1823456
TreeView+ depends on / blocked
 
Reported: 2020-04-27 09:32 UTC by Mauro Matteo Cascella
Modified: 2024-03-20 10:30 UTC (History)
15 users (show)

Fixed In Version: libvirt 6.1.0
Doc Type: If docs needed, set a value
Doc Text:
A memory leak flaw was found in the libvirt API that is responsible for retrieving domain stats when managing QEMU guests. This flaw allows unprivileged users with a read-only connection to cause a memory leak in the `domstats` command, resulting in a potential denial of service.
Clone Of:
Environment:
Last Closed: 2021-10-28 10:59:40 UTC
Embargoed:


Attachments (Terms of Use)

Description Mauro Matteo Cascella 2020-04-27 09:32:41 UTC
A libvirt flaw affecting the domstats command was reported internally. This bug may allow a user on a read-only connection to cause a memory leak in domstats, resulting in a potential denial of service.

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1804548

Upstream fix:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=9bf9e0ae6af38c806f4672ca7b12a6b38d5a9581

Comment 1 Mauro Matteo Cascella 2020-04-27 15:11:11 UTC
The affected function qemuDomainGetStatsIOThread() in qemu_driver.c is called by the libvirt API virDomainListGetStats when managing QEMU guests. A NULL-terminated list is returned even when no iothreads are present. As neither qemuDomainGetStatsIOThread() nor the caller did perform any cleanup, the list was returned without being properly free'd, thus resulting in a memory leak. The patch adds a `goto cleanup` statement in case there are no iothreads, to make sure the NULL-terminated list is free'd appropriately.

Comment 2 Mauro Matteo Cascella 2020-04-27 15:31:17 UTC
Function qemuDomainGetStatsIOThread() was introduced in libvirt upstream version 4.10.0 via commit:
  -> https://libvirt.org/git/?p=libvirt.git;a=commit;h=d1eac92784573559b6fd56836e33b215c89308e3

$ git tag --contains d1eac9278
v4.10.0
v4.10.0-rc1
v4.10.0-rc2
v5.0.0
[...]

Whilst libvirt API virDomainListGetStats was introduced in version 1.2.10 via commit:
  -> https://libvirt.org/git/?p=libvirt.git;a=commit;h=76a5bc4eef9f60ef73f5e0b272f4e0a5270e31de

Comment 4 Mauro Matteo Cascella 2020-04-27 16:44:40 UTC
Statement:

Versions of `libvirt` as shipped with Red Hat Enterprise Linux are marked as "notaffected" because they do not include the vulnerable code, which was introduced in a later version of the package. Specifically, the affected function `qemuDomainGetStatsIOThread()` was introduced in `libvirt` upstream version 4.10.0.

RHEL Advanced Virtualization is affected by this flaw as it ships a more recent version of the package.


Note You need to log in before you can comment on or make changes to this bug.