From b67c839e409b4e49b69ffdab947af91791820411 Mon Sep 17 00:00:00 2001 From: AlexChen Date: Tue, 8 Mar 2022 17:28:38 +0000 Subject: [PATCH] nwfilter: fix crash when counting number of network filters MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The virNWFilterObjListNumOfNWFilters method iterates over the driver->nwfilters, accessing virNWFilterObj instances. As such it needs to be protected against concurrent modification of the driver->nwfilters object. This API allows unprivileged users to connect, so users with read-only access to libvirt can cause a denial of service crash if they are able to race with a call of virNWFilterUndefine. Since network filters are usually statically defined, this is considered a low severity problem. This is assigned CVE-2022-0897. Reviewed-by: Eric Blake Signed-off-by: Daniel P. Berrangé cherry-picked from a4947e8f63c3e6 Signed-off-by: AlexChen --- src/nwfilter/nwfilter_driver.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c index 1c407727db..27500d192a 100644 --- a/src/nwfilter/nwfilter_driver.c +++ b/src/nwfilter/nwfilter_driver.c @@ -514,11 +514,15 @@ nwfilterLookupByName(virConnectPtr conn, static int nwfilterConnectNumOfNWFilters(virConnectPtr conn) { + int ret; if (virConnectNumOfNWFiltersEnsureACL(conn) < 0) return -1; - return virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn, - virConnectNumOfNWFiltersCheckACL); + nwfilterDriverLock(); + ret = virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn, + virConnectNumOfNWFiltersCheckACL); + nwfilterDriverUnlock(); + return ret; } -- 2.27.0