Bug 1223849 (CVE-2024-4418)

Summary: VUL-0: CVE-2024-4418: libvirt: stack use-after-free in virNetClientIOEventLoop()
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: carlos.lopez, jfehlig
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/403989/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-4418:6.2:(AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-05-03 11:45:10 UTC 
A race condition leading to a stack use-after-free bug was found in libvirt in the virNetClientIOEventLoop() function. Due to a wrong assumption, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being "freed" when returning from virNetClientIOEventLoop().

Quoting libvirt maintainer Daniel P. Berrangé: The 'virtproxyd' daemon can be used to trigger requests which could potentially exercise the bug. If libvirt is configured with fine grained access control, this could in theory let a user escape their otherwise limited access. A local unprivileged user can access virtproxyd without authenticating. Remote users would need to authenticate before they could exercise it.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-4418
https://bugzilla.redhat.com/show_bug.cgi?id=2278616
Comment 2 OBSbugzilla Bot 2024-05-08 23:35:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1223849) was mentioned in
https://build.opensuse.org/request/show/1172820 Factory / libvirt
Comment 3 James Fehlig 2024-05-09 17:55:46 UTC 
AFAICT, this bug was introduced by commit 7cb03e6a28e

https://gitlab.com/libvirt/libvirt/-/commit/7cb03e6a28e465c49f0cabe8fe2e7d21edb5aadf

git describe --contains 7cb03e6a28e
v10.0.0-rc2~10

So it only affects Factory, SLE15 SP6, and SL Micro 6.0. I've already submitted an updated libvirt package containing the fix to Factory. The fix has been queued in Devel:Virt:SLE-15-SP6/libvirt for SP6 and SL Micro maintenance.
Comment 4 James Fehlig 2024-05-29 17:36:26 UTC 
(In reply to James Fehlig from comment #3)
> AFAICT, this bug was introduced by commit 7cb03e6a28e
> 
> https://gitlab.com/libvirt/libvirt/-/commit/
> 7cb03e6a28e465c49f0cabe8fe2e7d21edb5aadf
> 
> git describe --contains 7cb03e6a28e
> v10.0.0-rc2~10
> 
> So it only affects Factory, SLE15 SP6, and SL Micro 6.0. I've already
> submitted an updated libvirt package containing the fix to Factory. The fix
> has been queued in Devel:Virt:SLE-15-SP6/libvirt for SP6 and SL Micro
> maintenance.

I've submitted requests for both SLE15 SP6 and SL Micro 6.0. Passing the bug to security team...
Comment 6 Maintenance Automation 2024-06-10 12:30:05 UTC 
SUSE-SU-2024:1962-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1222584, 1223849
CVE References: CVE-2024-4418
Maintenance Incident: [SUSE:Maintenance:34107](https://smelt.suse.de/incident/34107/)
Sources used:
openSUSE Leap 15.6 (src):
 libvirt-10.0.0-150600.8.3.1
Basesystem Module 15-SP6 (src):
 libvirt-10.0.0-150600.8.3.1
Server Applications Module 15-SP6 (src):
 libvirt-10.0.0-150600.8.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.