The virNWFilterObjListNumOfNWFilters method iterates over the driver->nwfilters, accessing virNWFilterObj instances. However, it fails to acquire the driver mutex, thus there is no protection to stop another thread from concurrently modifying the driver->nwfilters object. An unprivileged user could exploit this issue via libvirt API virConnectNumOfNWFilters to crash the libvirtd/virtnwfilterd daemon.
The upstream patch is now public, merged as https://gitlab.com/libvirt/libvirt/-/commit/a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36 commit a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36 Author: Daniel P. Berrangé <berrange> Date: Tue Mar 8 17:28:38 2022 +0000 nwfilter: fix crash when counting number of network filters The virNWFilterObjListNumOfNWFilters method iterates over the driver->nwfilters, accessing virNWFilterObj instances. As such it needs to be protected against concurrent modification of the driver->nwfilters object. This API allows unprivileged users to connect, so users with read-only access to libvirt can cause a denial of service crash if they are able to race with a call of virNWFilterUndefine. Since network filters are usually statically defined, this is considered a low severity problem. This is assigned CVE-2022-0897. Reviewed-by: Eric Blake <eblake> Signed-off-by: Daniel P. Berrangé <berrange>
Created libvirt tracking bugs for this issue: Affects: fedora-all [bug 2068431]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7472 https://access.redhat.com/errata/RHSA-2022:7472
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:8003 https://access.redhat.com/errata/RHSA-2022:8003
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-0897