Bugzilla – Bug 1194041
VUL-0: CVE-2021-4147: libvirt: deadlock and crash in libxl driver
Last modified: 2022-09-20 11:20:27 UTC
rh#2034195

A flaw was found in the libvirt libxl driver. A rogue guest could continuously reboot itself and cause libvirtd on the host to deadlock or crash, resulting in a denial of service condition.

See https://listman.redhat.com/archives/libvir-list/2021-November/msg00908.html.

Upstream patches:
https://gitlab.com/libvirt/libvirt/-/commit/23b51d7b8ec885e97a9277cf0a6c2833db4636e8
https://gitlab.com/libvirt/libvirt/-/commit/a4e6fba069c0809b8b5dde5e9db62d2efd91b4a0
https://gitlab.com/libvirt/libvirt/-/commit/e4f7589a3ec285489618ca04c8c0230cc31f3d99
https://gitlab.com/libvirt/libvirt/-/commit/b9a5faea49b7412e26d7389af4c32fc2b3ee80e5
https://gitlab.com/libvirt/libvirt/-/commit/5c5df5310f72be4878a71ace47074c54e0d1a27d
https://gitlab.com/libvirt/libvirt/-/commit/a7a03324d86e111f81687b5315b8f296dde84340

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2034195
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4147

I guess that the bug is present since the addition of the libxlLogger component. If this assumption is true, the following codestreams would be affected:
- SUSE:SLE-12-SP2:Update 2.0.0-27.67.2
- SUSE:SLE-12-SP3:Update 3.3.0-5.43.1
- SUSE:SLE-12-SP4:Update 4.0.0-8.23.1
- SUSE:SLE-12-SP5:Update 5.1.0-13.22.1
- SUSE:SLE-15:Update n/a
- SUSE:SLE-15-SP1:Update 5.1.0-8.19.1
- SUSE:SLE-15-SP2:Update 6.0.0-13.13.1
- SUSE:SLE-15-SP3:Update
- openSUSE:Backports:SLE-15-SP2:Update

(In reply to Thomas Leroy from comment #1)
> I guess that the bug is present since the addition of the libxlLogger
> component. If this assumption is true, the following codestreams would be
> affected:
> - SUSE:SLE-12-SP2:Update 2.0.0-27.67.2
> - SUSE:SLE-12-SP3:Update 3.3.0-5.43.1
> - SUSE:SLE-12-SP4:Update 4.0.0-8.23.1

IMO we should not fix the bug in these older distros. The newer distros are fine and I've already done the backports.

(In reply to James Fehlig from comment #2)
> IMO we should not fix the bug in these older distros. The newer distros are
> fine and I've already done the backports.

Thank you very much James for handling this. How hard would it be to backport on these older distros? Unfortunately this bug seems quite easy to exploit, with a significant impact.

(In reply to Thomas Leroy from comment #4)
> Thank you very much James for handling this. How hard would it be to
> backport on these older distros?

Fixing the segfault caused by unprotected access to the logger is easy. Fixing the deadlock caused by racy handling of libxl events is hard. The event handling machinery has changed quite a bit over libvirt releases and IMO backporting those patches to SLE12 SP4 and older can cause more harm than good.

How about a compromise? I'll add a7a03324-libxl-protect-logger-access.patch to SLE12 SP{3,4} to fix the segfault, but will leave out the others that fix the deadlock. Also note the deadlock has not been shown to exist in the old event handling code.

> Unfortunately this bug seems quite easy to exploit, with a significant impact.

Impact is a rogue guest could cause DoS of libvirtd on the host.

(In reply to Thomas Leroy from comment #1)
> I guess that the bug is present since the addition of the libxlLogger
> component. If this assumption is true, the following codestreams would be
> affected:
> - SUSE:SLE-12-SP2:Update 2.0.0-27.67.2

This one is not affected. The per-domain logger did not appear in libvirt until 3.0.0, with commit a30b08b717.

(In reply to James Fehlig from comment #6)
> This one is not affected. The per-domain logger did not appear in libvirt
> until 3.0.0, with commit a30b08b717.

Indeed, my mistake.

(In reply to James Fehlig from comment #5)
> Fixing the segfault caused by unprotected access to the logger is easy.
> Fixing the deadlock caused by racy handling of libxl events is hard. The
> event handling machinery has changed quite a bit over libvirt releases and
> IMO backporting those patches to SLE12 SP4 and older can cause more harm
> than good.
>
> How about a compromise? I'll add a7a03324-libxl-protect-logger-access.patch
> to SLE12 SP{3,4} to fix the segfault, but will leave out the others that fix
> the deadlock. Also note the deadlock has not been shown to exist in the old
> event handling code.

Alright, that's great, thank you very much for your efforts James.

Thanks for agreeing to the compromise! An updated libvirt package has been submitted to all the affected distros. Passing the bug to the security team now.

SUSE-SU-2022:0021-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (important)
Bug References: 1191668,1192017,1193623,1193719,1193981,1194041
CVE References: CVE-2021-4147
JIRA References:
Sources used:
SUSE MicroOS 5.1 (src): libvirt-7.1.0-6.11.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src): libvirt-7.1.0-6.11.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): libvirt-7.1.0-6.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2022:0021-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (important)
Bug References: 1191668,1192017,1193623,1193719,1193981,1194041
CVE References: CVE-2021-4147
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): libvirt-7.1.0-6.11.1

SUSE-SU-2022:0031-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1192876,1193981,1194041
CVE References: CVE-2021-3975,CVE-2021-4147
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): libvirt-4.0.0-9.40.1
SUSE Linux Enterprise Server 15-LTSS (src): libvirt-4.0.0-9.40.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): libvirt-4.0.0-9.40.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): libvirt-4.0.0-9.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:0032-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1190420,1191668,1192017,1192876,1193981,1194041
CVE References: CVE-2021-3975,CVE-2021-4147
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): libvirt-5.1.0-13.28.2
SUSE Linux Enterprise Server 12-SP5 (src): libvirt-5.1.0-13.28.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:0042-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1192876,1193981,1194041
CVE References: CVE-2021-3975,CVE-2021-4147
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): libvirt-4.0.0-8.26.1
SUSE OpenStack Cloud 9 (src): libvirt-4.0.0-8.26.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): libvirt-4.0.0-8.26.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): libvirt-4.0.0-8.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:0041-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1192876,1193981,1194041
CVE References: CVE-2021-3975,CVE-2021-4147
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): libvirt-3.3.0-5.49.1
SUSE OpenStack Cloud 8 (src): libvirt-3.3.0-5.49.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): libvirt-3.3.0-5.49.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): libvirt-3.3.0-5.49.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): libvirt-3.3.0-5.49.1
HPE Helion Openstack 8 (src): libvirt-3.3.0-5.49.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:0045-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1183411,1191668,1192017,1192876,1193981,1194041
CVE References: CVE-2021-3975,CVE-2021-4147
JIRA References:
Sources used:
SUSE MicroOS 5.0 (src): libvirt-6.0.0-13.24.1
SUSE Manager Server 4.1 (src): libvirt-6.0.0-13.24.1
SUSE Manager Retail Branch Server 4.1 (src): libvirt-6.0.0-13.24.1
SUSE Manager Proxy 4.1 (src): libvirt-6.0.0-13.24.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): libvirt-6.0.0-13.24.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): libvirt-6.0.0-13.24.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): libvirt-6.0.0-13.24.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): libvirt-6.0.0-13.24.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): libvirt-6.0.0-13.24.1
SUSE Enterprise Storage 7 (src): libvirt-6.0.0-13.24.1
SUSE CaaS Platform 4.5 (src): libvirt-6.0.0-13.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:0128-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1191668,1192017,1192876,1193981,1194041
CVE References: CVE-2021-3975,CVE-2021-4147
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src): libvirt-5.1.0-17.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): libvirt-5.1.0-17.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): libvirt-5.1.0-17.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): libvirt-5.1.0-17.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): libvirt-5.1.0-17.1
SUSE Enterprise Storage 6 (src): libvirt-5.1.0-17.1
SUSE CaaS Platform 4.0 (src): libvirt-5.1.0-17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:0045-2: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1183411,1191668,1192017,1192876,1193981,1194041
CVE References: CVE-2021-3975,CVE-2021-4147
JIRA References:
Sources used:
SUSE Linux Enterprise Realtime Extension 15-SP2 (src): libvirt-6.0.0-13.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Done, closing.