| 2009-10-19 21:34:11 |
Jamie Strandboge |
bug |
|
|
added bug |
| 2009-10-19 21:34:20 |
Jamie Strandboge |
visibility |
private |
public |
|
| 2009-10-19 21:34:20 |
Jamie Strandboge |
security vulnerability |
yes |
no |
|
| 2009-10-19 21:34:29 |
Jamie Strandboge |
libvirt (Ubuntu): importance |
Undecided |
High |
|
| 2009-10-19 21:34:42 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Karmic |
|
| 2009-10-19 21:34:42 |
Jamie Strandboge |
bug task added |
|
libvirt (Ubuntu Karmic) |
|
| 2009-10-19 21:35:01 |
Jamie Strandboge |
libvirt (Ubuntu Karmic): milestone |
|
ubuntu-9.10 |
|
| 2009-10-19 23:33:53 |
Kees Cook |
removed subscriber Ubuntu Security Team |
|
|
|
| 2009-10-20 15:18:01 |
Thierry Carrez |
libvirt (Ubuntu Karmic): status |
New |
Won't Fix |
|
| 2009-10-20 15:18:01 |
Thierry Carrez |
libvirt (Ubuntu Karmic): milestone |
ubuntu-9.10 |
|
|
| 2009-10-20 17:20:21 |
Jamie Strandboge |
tags |
|
regression-release |
|
| 2010-04-01 23:01:45 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Lucid |
|
| 2010-04-01 23:01:45 |
Jamie Strandboge |
bug task added |
|
libvirt (Ubuntu Lucid) |
|
| 2010-04-01 23:01:54 |
Jamie Strandboge |
libvirt (Ubuntu Lucid): status |
New |
Incomplete |
|
| 2010-04-01 23:02:02 |
Jamie Strandboge |
libvirt (Ubuntu Lucid): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2010-04-20 21:31:43 |
Jamie Strandboge |
libvirt (Ubuntu Lucid): status |
Incomplete |
Confirmed |
|
| 2010-04-20 21:32:00 |
Jamie Strandboge |
libvirt (Ubuntu Lucid): assignee |
Jamie Strandboge (jdstrand) |
|
|
| 2010-05-25 03:12:15 |
Nigel Jones |
attachment added |
|
Patch to not run virCgroupDenyDevicePath if cgroup pointer is NULL http://launchpadlibrarian.net/49053293/9025-do-not-deny-cgroup-if-null.patch |
|
| 2010-05-25 11:04:49 |
Nigel Jones |
tags |
regression-release |
patch regression-release |
|
| 2010-08-26 12:38:54 |
Thierry Carrez |
nominated for series |
|
Ubuntu Maverick |
|
| 2010-08-26 12:38:54 |
Thierry Carrez |
bug task added |
|
libvirt (Ubuntu Maverick) |
|
| 2010-08-26 12:39:33 |
Thierry Carrez |
libvirt (Ubuntu Maverick): assignee |
|
Serge Hallyn (serge-hallyn) |
|
| 2010-08-26 12:39:59 |
Thierry Carrez |
bug |
|
|
added subscriber Thierry Carrez |
| 2010-08-26 12:58:56 |
Nigel Jones |
libvirt (Ubuntu Maverick): status |
Confirmed |
Invalid |
|
| 2010-08-26 15:26:30 |
Nigel Jones |
description |
I was testing attaching and detaching an AoE block device and all was going fine until I tried to attach a device twice in a row without changing the target device. Doing so resulted in a segfault. My example uses AoE but I bet any disk type='block' would work. This is easily a local DoS for libvirtd for anyone one in the libvirtd group or more than likely a remote user who has access to qemu+ssh://<vuln host>/system.
This happens with the apparmor security driver disabled too (ie, edit /etc/libvirt/qemu.conf to have 'security = "none"' and restart /etc/init.d/libvirt-bin).
Eg:
$ cat > /tmp/aoe.xml << EOM
<disk type='block'>
<driver name='virtio'/>
<source dev='/dev/etherd/e2.2'/>
<target dev='vda' bus='virtio'/>
</disk>
EOM
$ virsh attach-device sec-karmic-amd64 /tmp/aoe.xml
Connecting to uri: qemu:///system
Device attached successfully
$ virsh detach-device sec-karmic-amd64 /tmp/aoe.xml
Connecting to uri: qemu:///system
Device detached successfully
$ virsh attach-device sec-karmic-amd64 /tmp/aoe.xml
Connecting to uri: qemu:///system
Device attached successfully
$ virsh attach-device sec-karmic-amd64 /tmp/aoe.xml
Connecting to uri: qemu:///system
error: Failed to attach device from /tmp/aoe.xml
error: server closed connection
$ dmesg| tail -1
[ 1006.485494] libvirtd[2909]: segfault at 70 ip 00000000004345f2 sp 00007f1f75c73b70 error 4 in libvirtd[400000+77000]
If you start libvirtd in another window under gdb, you can see the issue:
$ sudo gdb libvirtd
GNU gdb (GDB) 7.0-ubuntu
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/libvirtd...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/sbin/libvirtd
[Thread debugging using libthread_db enabled]
16:26:02.316: warning : qemudStartup:521 : Unable to create cgroup for driver: No such device or address
16:26:02.572: warning : lxcStartup:1460 : Unable to create cgroup for driver: No such device or address
[New Thread 0x7f8fb8346910 (LWP 4645)]
[New Thread 0x7f8fb7b45910 (LWP 4646)]
[New Thread 0x7f8fb7344910 (LWP 4647)]
[New Thread 0x7f8fb6b43910 (LWP 4648)]
[New Thread 0x7f8fb6342910 (LWP 4649)]
WARNING: Unhandled message: interface=org.freedesktop.DBus.Introspectable, path=/, member=Introspect
16:26:11.730: error : qemudDomainAttachPciDiskDevice:4857 : operation failed: target vda already exists
libvir: QEMU error : operation failed: target vda already exists
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f8fb7344910 (LWP 4647)]
0x00000000004345f2 in ?? ()
(gdb) bt
#0 0x00000000004345f2 in ?? ()
#1 0x000000000043489c in ?? ()
#2 0x0000000000434b94 in ?? ()
#3 0x0000000000434d91 in ?? ()
#4 0x000000000042cc2a in ?? ()
#5 0x00007f8fbcc53b01 in virDomainAttachDevice () from /usr/lib/libvirt.so.0
#6 0x000000000041dddf in ?? ()
#7 0x000000000041f5c6 in ?? ()
#8 0x000000000041f884 in ?? ()
#9 0x0000000000413a5c in ?? ()
#10 0x00007f8fbacfba04 in start_thread (arg=<value optimized out>)
at pthread_create.c:300
#11 0x00007f8fbaa657bd in clone ()
at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#12 0x0000000000000000 in ?? () |
I was testing attaching and detaching an AoE block device and all was going fine until I tried to attach a device twice in a row without changing the target device. Doing so resulted in a segfault. My example uses AoE but I bet any disk type='block' would work. This is easily a local DoS for libvirtd for anyone one in the libvirtd group or more than likely a remote user who has access to qemu+ssh://<vuln host>/system.
This happens with the apparmor security driver disabled too (ie, edit /etc/libvirt/qemu.conf to have 'security = "none"' and restart /etc/init.d/libvirt-bin).
Eg:
$ cat > /tmp/aoe.xml << EOM
<disk type='block'>
<driver name='virtio'/>
<source dev='/dev/etherd/e2.2'/>
<target dev='vda' bus='virtio'/>
</disk>
EOM
$ virsh attach-device sec-karmic-amd64 /tmp/aoe.xml
Connecting to uri: qemu:///system
Device attached successfully
$ virsh detach-device sec-karmic-amd64 /tmp/aoe.xml
Connecting to uri: qemu:///system
Device detached successfully
$ virsh attach-device sec-karmic-amd64 /tmp/aoe.xml
Connecting to uri: qemu:///system
Device attached successfully
$ virsh attach-device sec-karmic-amd64 /tmp/aoe.xml
Connecting to uri: qemu:///system
error: Failed to attach device from /tmp/aoe.xml
error: server closed connection
$ dmesg| tail -1
[ 1006.485494] libvirtd[2909]: segfault at 70 ip 00000000004345f2 sp 00007f1f75c73b70 error 4 in libvirtd[400000+77000]
If you start libvirtd in another window under gdb, you can see the issue:
$ sudo gdb libvirtd
GNU gdb (GDB) 7.0-ubuntu
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/libvirtd...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/sbin/libvirtd
[Thread debugging using libthread_db enabled]
16:26:02.316: warning : qemudStartup:521 : Unable to create cgroup for driver: No such device or address
16:26:02.572: warning : lxcStartup:1460 : Unable to create cgroup for driver: No such device or address
[New Thread 0x7f8fb8346910 (LWP 4645)]
[New Thread 0x7f8fb7b45910 (LWP 4646)]
[New Thread 0x7f8fb7344910 (LWP 4647)]
[New Thread 0x7f8fb6b43910 (LWP 4648)]
[New Thread 0x7f8fb6342910 (LWP 4649)]
WARNING: Unhandled message: interface=org.freedesktop.DBus.Introspectable, path=/, member=Introspect
16:26:11.730: error : qemudDomainAttachPciDiskDevice:4857 : operation failed: target vda already exists
libvir: QEMU error : operation failed: target vda already exists
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f8fb7344910 (LWP 4647)]
0x00000000004345f2 in ?? ()
(gdb) bt
#0 0x00000000004345f2 in ?? ()
#1 0x000000000043489c in ?? ()
#2 0x0000000000434b94 in ?? ()
#3 0x0000000000434d91 in ?? ()
#4 0x000000000042cc2a in ?? ()
#5 0x00007f8fbcc53b01 in virDomainAttachDevice () from /usr/lib/libvirt.so.0
#6 0x000000000041dddf in ?? ()
#7 0x000000000041f5c6 in ?? ()
#8 0x000000000041f884 in ?? ()
#9 0x0000000000413a5c in ?? ()
#10 0x00007f8fbacfba04 in start_thread (arg=<value optimized out>)
at pthread_create.c:300
#11 0x00007f8fbaa657bd in clone ()
at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#12 0x0000000000000000 in ?? ()
====
SRU:
* IMPACT: If affected, libvirtd will crash unexpectedly when attempting to attach a disk device to a running Virtual Machine when it is already attached.
* ADDRESSED: The patch prevents libvirt from entering a code path when cgroups are not used, thus preventing a NULL Pointer Exception/Dereference from occuring.
* PATCH: Modification of my attached patch to match upstream patch.
* TEST CASE:
1. Create/use any existing KVM virtual machine
2. Insert the contents below into a file called /tmp/455832-testcase.xml
---
<disk type='block'>
<driver name='virtio'/>
<source dev='/dev/sdd'/>
<target dev='vdc' bus='virtio'/>
</disk>
---
N.B. Change /dev/sdd to a device that exists, such as a blank USB Thumbdrive, ensure it is not mounted on the running system
3. Run "virsh attach-device <vmname> /tmp/455832-testcase.xml" twice
4. libvirt will crash unexpectedly w/o patch applied, will not crash w/ patch.
5. Refer to comment #8 for output details.
* REGRESSION POTENTIAL: Patch is pretty simple, have been in upstream for 8 months+ and is in Maverick at the moment without complaint.
Note, also includes updated patch for Bug #571093.
==== |
|
| 2010-08-26 15:27:52 |
Nigel Jones |
attachment added |
|
0.7.5-5ubuntu27.3 Debdiff https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/455832/+attachment/1520534/+files/455832-SRU.debdiff |
|
| 2010-08-26 15:34:30 |
Nigel Jones |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2010-08-26 15:34:46 |
Nigel Jones |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
| 2010-08-26 17:22:01 |
Dustin Kirkland |
libvirt (Ubuntu Lucid): status |
Confirmed |
In Progress |
|
| 2010-08-26 17:22:07 |
Dustin Kirkland |
libvirt (Ubuntu Lucid): assignee |
|
Dustin Kirkland (kirkland) |
|
| 2010-09-01 08:38:36 |
Martin Pitt |
libvirt (Ubuntu Lucid): status |
In Progress |
Fix Committed |
|
| 2010-09-01 08:38:41 |
Martin Pitt |
bug |
|
|
added subscriber SRU Verification |
| 2010-09-01 08:38:47 |
Martin Pitt |
tags |
patch regression-release |
patch regression-release verification-needed |
|
| 2010-09-01 09:19:19 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/lucid-proposed/libvirt |
|
| 2010-09-03 11:25:29 |
Benjamin Drung |
removed subscriber Ubuntu Sponsors Team |
|
|
|
| 2010-09-19 04:18:51 |
Nigel Jones |
tags |
patch regression-release verification-needed |
patch regression-release verification-done |
|
| 2010-09-20 07:27:29 |
Launchpad Janitor |
libvirt (Ubuntu Lucid): status |
Fix Committed |
Fix Released |
|
| 2010-10-23 14:15:40 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/lucid-security/libvirt |
|
| 2010-10-23 15:05:44 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/lucid-updates/libvirt |
|
