'virStoragePoolObjListSearch' returns a locked and refed object, thus we
must release it on ACL permission failure.
Fixes: 7aa0e8c0cb8
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
Technically a security issue since it DoS-es the objects a user doesn't
have access to for users which do have access.
Posting to standard devel list since the bugzilla above is public.
src/storage/storage_driver.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
index c2ff4b8d06..6aa10d89f6 100644
--- a/src/storage/storage_driver.c
+++ b/src/storage/storage_driver.c
@@ -1738,8 +1738,10 @@ storagePoolLookupByTargetPath(virConnectPtr conn,
storagePoolLookupByTargetPathCallback,
cleanpath))) {
def = virStoragePoolObjGetDef(obj);
- if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0)
+ if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) {
+ virStoragePoolObjEndAPI(&obj);
return NULL;
+ }
pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL);
virStoragePoolObjEndAPI(&obj);
--
2.31.1
Adding libvirt-security since I forgot when sending the patch.
On Wed, Jul 21, 2021 at 11:27:41 +0200, Peter Krempa wrote:
> 'virStoragePoolObjListSearch' returns a locked and refed object, thus we
> must release it on ACL permission failure.
>
> Fixes: 7aa0e8c0cb8
> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318
> Signed-off-by: Peter Krempa <pkrempa@redhat.com>
> ---
> Technically a security issue since it DoS-es the objects a user doesn't
> have access to for users which do have access.
>
> Posting to standard devel list since the bugzilla above is public.
>
> src/storage/storage_driver.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
> index c2ff4b8d06..6aa10d89f6 100644
> --- a/src/storage/storage_driver.c
> +++ b/src/storage/storage_driver.c
> @@ -1738,8 +1738,10 @@ storagePoolLookupByTargetPath(virConnectPtr conn,
> storagePoolLookupByTargetPathCallback,
> cleanpath))) {
> def = virStoragePoolObjGetDef(obj);
> - if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0)
> + if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) {
> + virStoragePoolObjEndAPI(&obj);
> return NULL;
> + }
>
> pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL);
> virStoragePoolObjEndAPI(&obj);
> --
> 2.31.1
>
Hi Peter,
I'm going to allocate a new (low impact) CVE for this bug.
Thanks.
On Wed, Jul 21, 2021 at 11:34 AM Peter Krempa <pkrempa@redhat.com> wrote:
>
> Adding libvirt-security since I forgot when sending the patch.
>
> On Wed, Jul 21, 2021 at 11:27:41 +0200, Peter Krempa wrote:
> > 'virStoragePoolObjListSearch' returns a locked and refed object, thus we
> > must release it on ACL permission failure.
> >
> > Fixes: 7aa0e8c0cb8
> > Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318
> > Signed-off-by: Peter Krempa <pkrempa@redhat.com>
> > ---
> > Technically a security issue since it DoS-es the objects a user doesn't
> > have access to for users which do have access.
> >
> > Posting to standard devel list since the bugzilla above is public.
> >
> > src/storage/storage_driver.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
> > index c2ff4b8d06..6aa10d89f6 100644
> > --- a/src/storage/storage_driver.c
> > +++ b/src/storage/storage_driver.c
> > @@ -1738,8 +1738,10 @@ storagePoolLookupByTargetPath(virConnectPtr conn,
> > storagePoolLookupByTargetPathCallback,
> > cleanpath))) {
> > def = virStoragePoolObjGetDef(obj);
> > - if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0)
> > + if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) {
> > + virStoragePoolObjEndAPI(&obj);
> > return NULL;
> > + }
> >
> > pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL);
> > virStoragePoolObjEndAPI(&obj);
> > --
> > 2.31.1
> >
>
--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
On Thu, Jul 22, 2021 at 11:14 AM Mauro Matteo Cascella <mcascell@redhat.com> wrote: > > Hi Peter, > > I'm going to allocate a new (low impact) CVE for this bug. This issue was assigned CVE-2021-3667. > Thanks. -- Mauro Matteo Cascella Red Hat Product Security PGP-Key ID: BB3410B0
On 7/21/21 11:27 AM, Peter Krempa wrote: > 'virStoragePoolObjListSearch' returns a locked and refed object, thus we > must release it on ACL permission failure. > > Fixes: 7aa0e8c0cb8 > Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318 > Signed-off-by: Peter Krempa <pkrempa@redhat.com> > --- > Technically a security issue since it DoS-es the objects a user doesn't > have access to for users which do have access. > > Posting to standard devel list since the bugzilla above is public. > > src/storage/storage_driver.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Michal
© 2016 - 2024 Red Hat, Inc.