!91 fix cve-2021-3667 cve-2021-3631

From: @imxcc Reviewed-by: @kevinzhu1 Signed-off-by: @kevinzhu1
2021-09-26 09:08:05 +00:00 · 2021-09-26 09:08:05 +00:00 · 60d4c4a423
commit 60d4c4a423
parent eb8f60125d 389e114ac8
3 changed files with 96 additions and 1 deletions
--- a/libvirt.spec
+++ b/libvirt.spec
@ -105,7 +105,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 6.2.0
-Release: 25
+Release: 26
 License: LGPLv2+
 URL: https://libvirt.org/

@ -188,6 +188,8 @@ Patch0071: Don-t-cache-device-mapper-major.patch
 Patch0072: Handle-kernel-without-device-mapper-support.patch
 Patch0073: virDevMapperGetTargets-Don-t-ignore-EBADF.patch
 Patch0074: conf-domain_conf-pin-the-retry_interval-and-retry_ti.patch
+Patch0075: storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
+Patch0076: security-fix-SELinux-label-generation-logic.patch

 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@ -1921,6 +1923,9 @@ exit 0


 %changelog
+* Sun Sep 26 2021 imxcc <xingchaochao@huawei.com>
+- fix cve-2021-3667 cve-2021-3631
+
 * Fri Sep 24 2021 Euler Robot <euler.robot@huawei.com>
 - conf/domain_conf: pin the retry_interval and retry_timeout parameters to xml

--- a/security-fix-SELinux-label-generation-logic.patch
+++ b/security-fix-SELinux-label-generation-logic.patch
@ -0,0 +1,54 @@
+From 1335976926666ba8fd3ef363e7b7cd46a09007fc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 28 Jun 2021 13:09:04 +0100
+Subject: [PATCH 2/2] security: fix SELinux label generation logic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A process can access a file if the set of MCS categories
+for the file is equal-to *or* a subset-of, the set of
+MCS categories for the process.
+
+If there are two VMs:
+
+  a) svirt_t:s0:c117
+  b) svirt_t:s0:c117,c720
+
+Then VM (b) is able to access files labelled for VM (a).
+
+IOW, we must discard case where the categories are equal
+because that is a subset of many other valid category pairs.
+
+Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
+CVE-2021-3631
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ src/security/security_selinux.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 78ea618e63..c91c7ca484 100644
+--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
+@@ -391,7 +391,15 @@ virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr,
+         VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
+ 
+         if (c1 == c2) {
+-            mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
+            /*
+             * A process can access a file if the set of MCS categories
+             * for the file is equal-to *or* a subset-of, the set of
+             * MCS categories for the process.
+             *
+             * IOW, we must discard case where the categories are equal
+             * because that is a subset of other category pairs.
+             */
+            continue;
+         } else {
+             if (c1 > c2) {
+                 int t = c1;
+-- 
+2.27.0
+
--- a/storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
+++ b/storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
@ -0,0 +1,36 @@
+From 726ae2686cc74889671adf57d3e2b4560e62892a Mon Sep 17 00:00:00 2001
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 21 Jul 2021 11:22:25 +0200
+Subject: [PATCH 1/2] storage_driver: Unlock object on ACL fail in
+ storagePoolLookupByTargetPath
+
+'virStoragePoolObjListSearch' returns a locked and refed object, thus we
+must release it on ACL permission failure.
+
+Fixes: 7aa0e8c0cb8
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/storage/storage_driver.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
+index 2db763caa5..d52d537152 100644
+--- a/src/storage/storage_driver.c
+++ b/src/storage/storage_driver.c
+@@ -1740,8 +1740,10 @@ storagePoolLookupByTargetPath(virConnectPtr conn,
+                                            storagePoolLookupByTargetPathCallback,
+                                            cleanpath))) {
+         def = virStoragePoolObjGetDef(obj);
+-        if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0)
+        if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) {
+            virStoragePoolObjEndAPI(&obj);
+             return NULL;
+        }
+ 
+         pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL);
+         virStoragePoolObjEndAPI(&obj);
+-- 
+2.27.0
+