56 lines
2.0 KiB
Diff
56 lines
2.0 KiB
Diff
From dc6ab8b51ff53ba22abfb84f24641aa87320038a Mon Sep 17 00:00:00 2001
|
|
Message-Id: <dc6ab8b51ff53ba22abfb84f24641aa87320038a@dist-git>
|
|
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
|
Date: Tue, 8 Mar 2022 17:28:38 +0000
|
|
Subject: [PATCH] nwfilter: fix crash when counting number of network filters
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
The virNWFilterObjListNumOfNWFilters method iterates over the
|
|
driver->nwfilters, accessing virNWFilterObj instances. As such
|
|
it needs to be protected against concurrent modification of
|
|
the driver->nwfilters object.
|
|
|
|
This API allows unprivileged users to connect, so users with
|
|
read-only access to libvirt can cause a denial of service
|
|
crash if they are able to race with a call of virNWFilterUndefine.
|
|
Since network filters are usually statically defined, this is
|
|
considered a low severity problem.
|
|
|
|
This is assigned CVE-2022-0897.
|
|
|
|
Reviewed-by: Eric Blake <eblake@redhat.com>
|
|
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
(cherry picked from commit a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36)
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=2063902
|
|
---
|
|
src/nwfilter/nwfilter_driver.c | 8 ++++++--
|
|
1 file changed, 6 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c
|
|
index 200451d6b1..956aca6421 100644
|
|
--- a/src/nwfilter/nwfilter_driver.c
|
|
+++ b/src/nwfilter/nwfilter_driver.c
|
|
@@ -478,11 +478,15 @@ nwfilterLookupByName(virConnectPtr conn,
|
|
static int
|
|
nwfilterConnectNumOfNWFilters(virConnectPtr conn)
|
|
{
|
|
+ int ret;
|
|
if (virConnectNumOfNWFiltersEnsureACL(conn) < 0)
|
|
return -1;
|
|
|
|
- return virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn,
|
|
- virConnectNumOfNWFiltersCheckACL);
|
|
+ nwfilterDriverLock();
|
|
+ ret = virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn,
|
|
+ virConnectNumOfNWFiltersCheckACL);
|
|
+ nwfilterDriverUnlock();
|
|
+ return ret;
|
|
}
|
|
|
|
|
|
--
|
|
2.35.1
|
|
|