From: Changqing Li <[email protected]> Signed-off-by: Changqing Li <[email protected]> --- .../libvirt/libvirt/CVE-2022-0897.patch | 57 +++++++++++++++++++ recipes-extended/libvirt/libvirt_6.3.0.bb | 1 + 2 files changed, 58 insertions(+) create mode 100644 recipes-extended/libvirt/libvirt/CVE-2022-0897.patch
diff --git a/recipes-extended/libvirt/libvirt/CVE-2022-0897.patch b/recipes-extended/libvirt/libvirt/CVE-2022-0897.patch new file mode 100644 index 0000000..e98f40b --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2022-0897.patch @@ -0,0 +1,57 @@ +From d470667167fa585d2bc3b996fb3bf2786d44be9a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <[email protected]> +Date: Tue, 8 Mar 2022 17:28:38 +0000 +Subject: [PATCH] nwfilter: fix crash when counting number of network filters +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The virNWFilterObjListNumOfNWFilters method iterates over the +driver->nwfilters, accessing virNWFilterObj instances. As such +it needs to be protected against concurrent modification of +the driver->nwfilters object. + +This API allows unprivileged users to connect, so users with +read-only access to libvirt can cause a denial of service +crash if they are able to race with a call of virNWFilterUndefine. +Since network filters are usually statically defined, this is +considered a low severity problem. + +This is assigned CVE-2022-0897. + +Reviewed-by: Eric Blake <[email protected]> +Signed-off-by: Daniel P. Berrangé <[email protected]> + +Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36] +CVE: CVE-2022-0897 + +Signed-off-by: Changqing Li <[email protected]> +--- + src/nwfilter/nwfilter_driver.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c +index 1c40772..27500d1 100644 +--- a/src/nwfilter/nwfilter_driver.c ++++ b/src/nwfilter/nwfilter_driver.c +@@ -514,11 +514,15 @@ nwfilterLookupByName(virConnectPtr conn, + static int + nwfilterConnectNumOfNWFilters(virConnectPtr conn) + { ++ int ret; + if (virConnectNumOfNWFiltersEnsureACL(conn) < 0) + return -1; + +- return virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn, +- virConnectNumOfNWFiltersCheckACL); ++ nwfilterDriverLock(); ++ ret = virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn, ++ virConnectNumOfNWFiltersCheckACL); ++ nwfilterDriverUnlock(); ++ return ret; + } + + +-- +2.25.1 + diff --git a/recipes-extended/libvirt/libvirt_6.3.0.bb b/recipes-extended/libvirt/libvirt_6.3.0.bb index 8e95ad6..48e5b58 100644 --- a/recipes-extended/libvirt/libvirt_6.3.0.bb +++ b/recipes-extended/libvirt/libvirt_6.3.0.bb @@ -47,6 +47,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \ file://CVE-2021-3631.patch \ file://0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch \ file://CVE-2021-3975.patch \ + file://CVE-2022-0897.patch \ " SRC_URI[libvirt.md5sum] = "1bd4435f77924f5ec9928b538daf4a02" -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#7164): https://lists.yoctoproject.org/g/meta-virtualization/message/7164 Mute This Topic: https://lists.yoctoproject.org/mt/90433217/21656 Group Owner: [email protected] Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
