- CVE-2013-4399: Fix crash in libvirtd when events are registered

and ACLs active 8294aa0c-CVE-2013-4399.patch bnc#844052 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=307
2013-10-15 02:35:05 +00:00 · 2013-10-15 02:35:05 +00:00 · 4f9e403a41
commit 4f9e403a41
parent 2b3f0e1499
3 changed files with 58 additions and 0 deletions
--- a/8294aa0c-CVE-2013-4399.patch
+++ b/8294aa0c-CVE-2013-4399.patch
@ -0,0 +1,48 @@
+commit 8294aa0c1750dcb49d6345cd9bd97bf421580d8b
+Author: Daniel P. Berrange <berrange@redhat.com>
+Date:   Fri Sep 27 15:46:07 2013 +0100
+
+    Fix crash in libvirtd when events are registered & ACLs active
+    
+    When a client disconnects from libvirtd, all event callbacks
+    must be removed. This involves running the public API
+    
+      virConnectDomainEventDeregisterAny
+    
+    This code does not run in normal API dispatch context, so no
+    identity was set. The result was that the access control drivers
+    denied the attempt to deregister callbacks. The callbacks thus
+    continued to trigger after the client was free'd causing fairly
+    predictable use of free memory & a crash.
+    
+    This can be triggered by any client with readonly access when
+    the ACL drivers are active.
+    
+    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+
+Index: libvirt-1.1.2/daemon/remote.c
+===================================================================
+--- libvirt-1.1.2.orig/daemon/remote.c
+++ libvirt-1.1.2/daemon/remote.c
+@@ -666,8 +666,11 @@ void remoteClientFreeFunc(void *data)
+ 
+     /* Deregister event delivery callback */
+     if (priv->conn) {
+        virIdentityPtr sysident = virIdentityGetSystem();
+         size_t i;
+ 
+        virIdentitySetCurrent(sysident);
+
+         for (i = 0; i < VIR_DOMAIN_EVENT_ID_LAST; i++) {
+             if (priv->domainEventCallbackID[i] != -1) {
+                 VIR_DEBUG("Deregistering to relay remote events %zu", i);
+@@ -678,6 +681,9 @@ void remoteClientFreeFunc(void *data)
+         }
+ 
+         virConnectClose(priv->conn);
+
+        virIdentitySetCurrent(NULL);
+        virObjectUnref(sysident);
+     }
+ 
+     VIR_FREE(priv);
--- a/libvirt.changes
+++ b/libvirt.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Oct 14 20:33:43 MDT 2013 - jfehlig@suse.com
+
+- CVE-2013-4399: Fix crash in libvirtd when events are registered
+  and ACLs active
+  8294aa0c-CVE-2013-4399.patch
+  bnc#844052
+
 -------------------------------------------------------------------
 Mon Oct 14 16:40:25 MDT 2013 - jfehlig@suse.com

--- a/libvirt.spec
+++ b/libvirt.spec
@ -409,6 +409,7 @@ Patch2:         db7a5688-CVE-2013-4311.patch
 Patch3:         e65667c0-CVE-2013-4311.patch
 Patch4:         922b7fda-CVE-2013-4311.patch
 Patch5:         e4697b92-CVE-2013-4311.patch
+Patch6:         8294aa0c-CVE-2013-4399.patch
 # Need to go upstream
 Patch100:       xen-name-for-devid.patch
 Patch101:       clone.patch
@ -913,6 +914,7 @@ of recent versions of Linux (and other OSes).
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 %patch100 -p1
 %patch101
 %patch102 -p1