Bug 1194041 (CVE-2021-4147) - VUL-0: CVE-2021-4147: libvirt: deadlock and crash in libxl driver
Summary: VUL-0: CVE-2021-4147: libvirt: deadlock and crash in libxl driver
Status: RESOLVED FIXED
Alias: CVE-2021-4147
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/318504/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-4147:7.1:(AV:L...
Reported: 2021-12-23 10:20 UTC by Thomas Leroy
Modified: 2022-09-20 11:20 UTC

Found By: Security Response Team
Comment 1 Thomas Leroy 2021-12-23 14:04:26 UTC
I guess that the bug has been present since the addition of the libxlLogger component. If this assumption is true, the following codestreams would be affected:
- SUSE:SLE-12-SP2:Update    2.0.0-27.67.2
- SUSE:SLE-12-SP3:Update    3.3.0-5.43.1
- SUSE:SLE-12-SP4:Update    4.0.0-8.23.1
- SUSE:SLE-12-SP5:Update    5.1.0-13.22.1
- SUSE:SLE-15:Update        n/a
- SUSE:SLE-15-SP1:Update    5.1.0-8.19.1
- SUSE:SLE-15-SP2:Update    6.0.0-13.13.1
- SUSE:SLE-15-SP3:Update
- openSUSE:Backports:SLE-15-SP2:Update
Comment 2 James Fehlig 2021-12-27 23:28:34 UTC
(In reply to Thomas Leroy from comment #1)
> I guess that the bug has been present since the addition of the libxlLogger
> component. If this assumption is true, the following codestreams would be
> affected:
> - SUSE:SLE-12-SP2:Update    2.0.0-27.67.2
> - SUSE:SLE-12-SP3:Update    3.3.0-5.43.1
> - SUSE:SLE-12-SP4:Update    4.0.0-8.23.1

IMO we should not fix the bug in these older distros. The newer distros are fine and I've already done the backports.
Comment 4 Thomas Leroy 2021-12-28 08:42:21 UTC
(In reply to James Fehlig from comment #2)
> IMO we should not fix the bug in these older distros. The newer distros are
> fine and I've already done the backports.

Thank you very much, James, for handling this. How hard would it be to backport to these older distros? Unfortunately this bug seems quite easy to exploit, with a significant impact.
Comment 5 James Fehlig 2021-12-28 17:58:25 UTC
(In reply to Thomas Leroy from comment #4)
> Thank you very much James for handling this. How hard would it be to
> backport on these older distros?

Fixing the segfault caused by unprotected access to the logger is easy. Fixing the deadlock caused by racy handling of libxl events is hard. The event handling machinery has changed quite a bit over libvirt releases and IMO backporting those patches to SLE12 SP4 and older can cause more harm than good.

How about a compromise? I'll add a7a03324-libxl-protect-logger-access.patch to SLE12 SP{3,4} to fix the segfault, but will leave out the others that fix the deadlock. Also note the deadlock has not been shown to exist in the old event handling code.

> Unfortunately this bug seems quite easy to exploit, with a significant impact.

The impact is that a rogue guest could cause a DoS of libvirtd on the host.
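An illustration of the locking pattern behind the segfault half of the fix (unprotected access to the per-domain logger), added here and not taken from libvirt or from a7a03324-libxl-protect-logger-access.patch: a simplified per-domain logger whose open, close and log paths all run under one mutex, so a log message that arrives for a domain whose stream has already been closed is dropped instead of dereferencing freed state. The struct layout, function names and table size are assumptions.

```c
#include <pthread.h>
#include <stdio.h>
#define MAX_DOMAINS 4

/* Hypothetical per-domain logger (names are assumptions, not libvirt's):
 * one open log stream per running domain, all state behind one mutex. */
static struct {
    pthread_mutex_t lock;     /* guards ids[] and files[] */
    int   ids[MAX_DOMAINS];   /* domain id, or -1 when the slot is free */
    FILE *files[MAX_DOMAINS];
} logger = { PTHREAD_MUTEX_INITIALIZER, { -1, -1, -1, -1 }, { 0 } };
/* Caller holds the lock. Slot holding domid (-1 finds a free slot), or -1. */
static int find_slot(int domid) {
    for (int i = 0; i < MAX_DOMAINS; i++)
        if (logger.ids[i] == domid) return i;
    return -1;
}

/* Domain start: open its stream (tmpfile() stands in for a real log path). */
int logger_open(int domid) {
    pthread_mutex_lock(&logger.lock);
    int slot = find_slot(-1), rc = -1;
    if (slot >= 0 && (logger.files[slot] = tmpfile()) != NULL) {
        logger.ids[slot] = domid; rc = 0;
    }
    pthread_mutex_unlock(&logger.lock);
    return rc;
}

/* Domain shutdown: close and forget the stream under the same lock. */
int logger_close(int domid) {
    pthread_mutex_lock(&logger.lock);
    int slot = find_slot(domid), rc = -1;
    if (slot >= 0) {
        fclose(logger.files[slot]);
        logger.ids[slot] = -1; logger.files[slot] = NULL; rc = 0;
    }
    pthread_mutex_unlock(&logger.lock);
    return rc;
}

/* Event-callback path: lookup and write form one critical section, so a message
 * racing with logger_close() is dropped (returns 0), never written via a freed
 * stream; returns 1 when the message was written. */
int logger_vmessage(int domid, const char *msg) {
    pthread_mutex_lock(&logger.lock);
    int slot = find_slot(domid), written = 0;
    if (slot >= 0) { fprintf(logger.files[slot], "%s\n", msg); written = 1; }
    pthread_mutex_unlock(&logger.lock);
    return written;
}
```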
Comment 6 James Fehlig 2021-12-28 18:02:50 UTC
(In reply to Thomas Leroy from comment #1)
> I guess that the bug has been present since the addition of the libxlLogger
> component. If this assumption is true, the following codestreams would be
> affected:
> - SUSE:SLE-12-SP2:Update    2.0.0-27.67.2

This one is not affected. The per-domain logger did not appear in libvirt until 3.0.0, with commit a30b08b717.
Comment 8 Thomas Leroy 2021-12-29 08:25:57 UTC
(In reply to James Fehlig from comment #6)
> This one is not affected. The per-domain logger did not appear in libvirt
> until 3.0.0, with commit a30b08b717.

Indeed, my mistake.

(In reply to James Fehlig from comment #5)
> Fixing the segfault caused by unprotected access to the logger is easy.
> Fixing the deadlock caused by racy handling of libxl events is hard. The
> event handling machinery has changed quite a bit over libvirt releases and
> IMO backporting those patches to SLE12 SP4 and older can cause more harm
> than good.
> 
> How about a compromise? I'll add a7a03324-libxl-protect-logger-access.patch
> to SLE12 SP{3,4} to fix the segfault, but will leave out the others that fix
> the deadlock. Also note the deadlock has not been shown to exist in the old
> event handling code.

Alright, that's great; thank you very much for your efforts, James.
Comment 9 James Fehlig 2021-12-29 15:19:40 UTC
Thanks for agreeing to the compromise! An updated libvirt package has been submitted to all the affected distros. Passing the bug to the security team now.
Comment 10 Swamp Workflow Management 2022-01-04 20:19:03 UTC
SUSE-SU-2022:0021-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (important)
Bug References: 1191668,1192017,1193623,1193719,1193981,1194041
CVE References: CVE-2021-4147
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    libvirt-7.1.0-6.11.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    libvirt-7.1.0-6.11.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    libvirt-7.1.0-6.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2022-01-04 20:20:39 UTC
openSUSE-SU-2022:0021-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (important)
Bug References: 1191668,1192017,1193623,1193719,1193981,1194041
CVE References: CVE-2021-4147
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    libvirt-7.1.0-6.11.1
Comment 12 Swamp Workflow Management 2022-01-05 20:21:43 UTC
SUSE-SU-2022:0031-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1192876,1193981,1194041
CVE References: CVE-2021-3975,CVE-2021-4147
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    libvirt-4.0.0-9.40.1
SUSE Linux Enterprise Server 15-LTSS (src):    libvirt-4.0.0-9.40.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    libvirt-4.0.0-9.40.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    libvirt-4.0.0-9.40.1
Comment 13 Swamp Workflow Management 2022-01-05 20:26:00 UTC
SUSE-SU-2022:0032-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1190420,1191668,1192017,1192876,1193981,1194041
CVE References: CVE-2021-3975,CVE-2021-4147
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libvirt-5.1.0-13.28.2
SUSE Linux Enterprise Server 12-SP5 (src):    libvirt-5.1.0-13.28.2
Comment 14 Swamp Workflow Management 2022-01-10 14:19:48 UTC
SUSE-SU-2022:0042-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1192876,1193981,1194041
CVE References: CVE-2021-3975,CVE-2021-4147
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    libvirt-4.0.0-8.26.1
SUSE OpenStack Cloud 9 (src):    libvirt-4.0.0-8.26.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    libvirt-4.0.0-8.26.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    libvirt-4.0.0-8.26.1
Comment 15 Swamp Workflow Management 2022-01-10 14:22:30 UTC
SUSE-SU-2022:0041-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1192876,1193981,1194041
CVE References: CVE-2021-3975,CVE-2021-4147
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    libvirt-3.3.0-5.49.1
SUSE OpenStack Cloud 8 (src):    libvirt-3.3.0-5.49.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libvirt-3.3.0-5.49.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    libvirt-3.3.0-5.49.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    libvirt-3.3.0-5.49.1
HPE Helion Openstack 8 (src):    libvirt-3.3.0-5.49.1
Comment 16 Swamp Workflow Management 2022-01-11 11:19:40 UTC
SUSE-SU-2022:0045-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1183411,1191668,1192017,1192876,1193981,1194041
CVE References: CVE-2021-3975,CVE-2021-4147
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    libvirt-6.0.0-13.24.1
SUSE Manager Server 4.1 (src):    libvirt-6.0.0-13.24.1
SUSE Manager Retail Branch Server 4.1 (src):    libvirt-6.0.0-13.24.1
SUSE Manager Proxy 4.1 (src):    libvirt-6.0.0-13.24.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    libvirt-6.0.0-13.24.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    libvirt-6.0.0-13.24.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    libvirt-6.0.0-13.24.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    libvirt-6.0.0-13.24.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    libvirt-6.0.0-13.24.1
SUSE Enterprise Storage 7 (src):    libvirt-6.0.0-13.24.1
SUSE CaaS Platform 4.5 (src):    libvirt-6.0.0-13.24.1
Comment 17 Swamp Workflow Management 2022-01-19 14:22:08 UTC
SUSE-SU-2022:0128-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1191668,1192017,1192876,1193981,1194041
CVE References: CVE-2021-3975,CVE-2021-4147
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    libvirt-5.1.0-17.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    libvirt-5.1.0-17.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    libvirt-5.1.0-17.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    libvirt-5.1.0-17.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    libvirt-5.1.0-17.1
SUSE Enterprise Storage 6 (src):    libvirt-5.1.0-17.1
SUSE CaaS Platform 4.0 (src):    libvirt-5.1.0-17.1
Comment 18 Swamp Workflow Management 2022-02-17 11:22:59 UTC
SUSE-SU-2022:0045-2: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1183411,1191668,1192017,1192876,1193981,1194041
CVE References: CVE-2021-3975,CVE-2021-4147
JIRA References: 
Sources used:
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    libvirt-6.0.0-13.24.1
Comment 19 Carlos López 2022-09-20 11:20:27 UTC
Done, closing.