From a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 8 Mar 2022 17:28:38 +0000 Subject: [PATCH] nwfilter: fix crash when counting number of network filters MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The virNWFilterObjListNumOfNWFilters method iterates over the driver->nwfilters, accessing virNWFilterObj instances. As such it needs to be protected against concurrent modification of the driver->nwfilters object. This API allows unprivileged users to connect, so users with read-only access to libvirt can cause a denial of service crash if they are able to race with a call of virNWFilterUndefine. Since network filters are usually statically defined, this is considered a low severity problem. This is assigned CVE-2022-0897. Reviewed-by: Eric Blake Signed-off-by: Daniel P. Berrangé --- src/nwfilter/nwfilter_driver.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c index 3ce8fce7f9..a493205c80 100644 --- a/src/nwfilter/nwfilter_driver.c +++ b/src/nwfilter/nwfilter_driver.c @@ -478,11 +478,15 @@ nwfilterLookupByName(virConnectPtr conn, static int nwfilterConnectNumOfNWFilters(virConnectPtr conn) { + int ret; if (virConnectNumOfNWFiltersEnsureACL(conn) < 0) return -1; - return virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn, - virConnectNumOfNWFiltersCheckACL); + nwfilterDriverLock(); + ret = virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn, + virConnectNumOfNWFiltersCheckACL); + nwfilterDriverUnlock(); + return ret; }