From dc6ab8b51ff53ba22abfb84f24641aa87320038a Mon Sep 17 00:00:00 2001 Message-Id: From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 8 Mar 2022 17:28:38 +0000 Subject: [PATCH] nwfilter: fix crash when counting number of network filters MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The virNWFilterObjListNumOfNWFilters method iterates over the driver->nwfilters, accessing virNWFilterObj instances. As such it needs to be protected against concurrent modification of the driver->nwfilters object. This API allows unprivileged users to connect, so users with read-only access to libvirt can cause a denial of service crash if they are able to race with a call of virNWFilterUndefine. Since network filters are usually statically defined, this is considered a low severity problem. This is assigned CVE-2022-0897. Reviewed-by: Eric Blake Signed-off-by: Daniel P. Berrangé (cherry picked from commit a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36) https://bugzilla.redhat.com/show_bug.cgi?id=2063902 --- src/nwfilter/nwfilter_driver.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c index 200451d6b1..956aca6421 100644 --- a/src/nwfilter/nwfilter_driver.c +++ b/src/nwfilter/nwfilter_driver.c @@ -478,11 +478,15 @@ nwfilterLookupByName(virConnectPtr conn, static int nwfilterConnectNumOfNWFilters(virConnectPtr conn) { + int ret; if (virConnectNumOfNWFiltersEnsureACL(conn) < 0) return -1; - return virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn, - virConnectNumOfNWFiltersCheckACL); + nwfilterDriverLock(); + ret = virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn, + virConnectNumOfNWFiltersCheckACL); + nwfilterDriverUnlock(); + return ret; } -- 2.35.1