Bug 2063883 (CVE-2022-0897) - CVE-2022-0897 libvirt: missing locking in nwfilterConnectNumOfNWFilters can lead to denial of service
Summary: CVE-2022-0897 libvirt: missing locking in nwfilterConnectNumOfNWFilters can l...
Keywords:
Status: NEW
Alias: CVE-2022-0897
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2068431 2063901 2063902 2063903 2063904
Blocks: 2062200 2063859
TreeView+ depends on / blocked
 
Reported: 2022-03-14 15:03 UTC by Mauro Matteo Cascella
Modified: 2022-11-15 09:56 UTC (History)
16 users (show)

Fixed In Version: libvirt 8.0.0-8
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the libvirt nwfilter driver. The virNWFilterObjListNumOfNWFilters method failed to acquire the driver->nwfilters mutex before iterating over virNWFilterObj instances. There was no protection to stop another thread from concurrently modifying the driver->nwfilters object. This flaw allows a malicious, unprivileged user to exploit this issue via libvirt's API virConnectNumOfNWFilters to crash the network filter management daemon (libvirtd/virtnwfilterd).
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:7472 0 None None None 2022-11-08 09:13:56 UTC
Red Hat Product Errata RHSA-2022:8003 0 None None None 2022-11-15 09:56:00 UTC

Description Mauro Matteo Cascella 2022-03-14 15:03:03 UTC
The virNWFilterObjListNumOfNWFilters method iterates over the driver->nwfilters, accessing virNWFilterObj instances. However, it fails to acquire the driver mutex, thus there is no protection to stop another thread from concurrently modifying the driver->nwfilters object. An unprivileged user could exploit this issue via libvirt API virConnectNumOfNWFilters to crash the libvirtd/virtnwfilterd daemon.

Comment 2 Daniel Berrangé 2022-03-17 14:30:38 UTC
The upstream patch is now public, merged as https://gitlab.com/libvirt/libvirt/-/commit/a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36

commit a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36
Author: Daniel P. Berrangé <berrange>
Date:   Tue Mar 8 17:28:38 2022 +0000

    nwfilter: fix crash when counting number of network filters
    
    The virNWFilterObjListNumOfNWFilters method iterates over the
    driver->nwfilters, accessing virNWFilterObj instances. As such
    it needs to be protected against concurrent modification of
    the driver->nwfilters object.
    
    This API allows unprivileged users to connect, so users with
    read-only access to libvirt can cause a denial of service
    crash if they are able to race with a call of virNWFilterUndefine.
    Since network filters are usually statically defined, this is
    considered a low severity problem.
    
    This is assigned CVE-2022-0897.
    
    Reviewed-by: Eric Blake <eblake>
    Signed-off-by: Daniel P. Berrangé <berrange>

Comment 3 Mauro Matteo Cascella 2022-03-25 09:55:37 UTC
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 2068431]

Comment 4 errata-xmlrpc 2022-11-08 09:13:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7472 https://access.redhat.com/errata/RHSA-2022:7472

Comment 5 errata-xmlrpc 2022-11-15 09:55:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8003 https://access.redhat.com/errata/RHSA-2022:8003


Note You need to log in before you can comment on or make changes to this bug.