libvirt: CVE-2021-3975 segmentation fault during VM shutdown can lead to vdsm hang

Source: https://gitlab.com/libvirt/libvirt MR: 121161 Type: Security Fix Disposition: Backport from https://github.com/libvirt/libvirt/commit/1ac703a7d0789e46833f4013a3876c2e3af18ec7 ChangeID: 747f58e69ce4b1dc4b77277a6acf4e5742d19fad Description: CVE-2021-3975 libvirt: segmentation fault during VM shutdown can lead to vdsm hang. Affects libvirt < 7.1 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2022-09-13 12:51:15 +0530
committer: Bruce Ashfield <bruce.ashfield@gmail.com> 2022-09-13 21:46:58 -0400
commit: cb95344976dd44081078abd83d8821e01b10c211 (patch)
tree: 90b31584d58bdaccb316079b54d0042ef83ea896
parent: a63a54df3170fed387f810f23cdc2f483ad587df (diff)
download: meta-virtualization-cb95344976dd44081078abd83d8821e01b10c211.tar.gz
2 files changed, 45 insertions, 0 deletions
diff --git a/recipes-extended/libvirt/libvirt/CVE-2021-3975.patch b/recipes-extended/libvirt/libvirt/CVE-2021-3975.patch
new file mode 100644
index 00000000..1d69d526
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2021-3975.patch
@@ -0,0 +1,44 @@
+From ffeb79e085a63f9917fc52a809a69e31e5cfd9b6 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 13 Sep 2022 10:35:43 +0530
+Subject: [PATCH] CVE-2021-3975
+Upstream-Status: Backport [https://github.com/libvirt/libvirt/commit/1ac703a7d0789e46833f4013a3876c2e3af18ec7]
+CVE: CVE-2021-3975
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+qemu: Add missing lock in qemuProcessHandleMonitorEOF
+qemuMonitorUnregister will be called in multiple threads (e.g. threads
+in rpc worker pool and the vm event thread).  In some cases, it isn't
+protected by the monitor lock, which may lead to call g_source_unref
+more than one time and a use-after-free problem eventually.
+Add the missing lock in qemuProcessHandleMonitorEOF (which is the only
+position missing lock of monitor I found).
+Suggested-by: Michal Privoznik <mprivozn@redhat.com>
+Signed-off-by: Peng Liang <liangpeng10@huawei.com>
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/qemu/qemu_process.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
+index d903505..0d6f14c 100644
+--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
+@@ -313,7 +313,9 @@ qemuProcessHandleMonitorEOF(qemuMonitorPtr mon,
+     /* We don't want this EOF handler to be called over and over while the
+      * thread is waiting for a job.
+      */
+    virObjectLock(mon);
+     qemuMonitorUnregister(mon);
+    virObjectUnlock(mon);
+ 
+     /* We don't want any cleanup from EOF handler (or any other
+      * thread) to enter qemu namespace. */
+-- 
+2.25.1
diff --git a/recipes-extended/libvirt/libvirt_6.1.0.bb b/recipes-extended/libvirt/libvirt_6.1.0.bb
index 97c1019c..803f7878 100644
--- a/recipes-extended/libvirt/libvirt_6.1.0.bb
+++ b/recipes-extended/libvirt/libvirt_6.1.0.bb
@@ -48,6 +48,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
           file://CVE-2021-3631.patch \
           file://CVE-2021-3667.patch \
           file://CVE-2022-0897.patch \
+           file://CVE-2021-3975.patch \
          "
 SRC_URI[libvirt.md5sum] = "a870e63f20fac2ccf98e716d05256145"
 SRC_URI[libvirt.sha256sum] = "167c185be45560e73dd3e14ed375778b555c01455192de2dafc4d0f74fabebc0"
author	Hitendra Prajapati <hprajapati@mvista.com>	2022-09-13 12:51:15 +0530
committer	Bruce Ashfield <bruce.ashfield@gmail.com>	2022-09-13 21:46:58 -0400
commit	cb95344976dd44081078abd83d8821e01b10c211 (patch)
tree	90b31584d58bdaccb316079b54d0042ef83ea896
parent	a63a54df3170fed387f810f23cdc2f483ad587df (diff)
download	meta-virtualization-cb95344976dd44081078abd83d8821e01b10c211.tar.gz

diff --git a/recipes-extended/libvirt/libvirt/CVE-2021-3975.patch b/recipes-extended/libvirt/libvirt/CVE-2021-3975.patch new file mode 100644 index 00000000..1d69d526 --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2021-3975.patch
@@ -0,0 +1,44 @@
		1	From ffeb79e085a63f9917fc52a809a69e31e5cfd9b6 Mon Sep 17 00:00:00 2001
		2	From: Hitendra Prajapati <hprajapati@mvista.com>
		3	Date: Tue, 13 Sep 2022 10:35:43 +0530
		4	Subject: [PATCH] CVE-2021-3975
		5
		6	Upstream-Status: Backport [https://github.com/libvirt/libvirt/commit/1ac703a7d0789e46833f4013a3876c2e3af18ec7]
		7	CVE: CVE-2021-3975
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9
		10	qemu: Add missing lock in qemuProcessHandleMonitorEOF
		11
		12	qemuMonitorUnregister will be called in multiple threads (e.g. threads
		13	in rpc worker pool and the vm event thread). In some cases, it isn't
		14	protected by the monitor lock, which may lead to call g_source_unref
		15	more than one time and a use-after-free problem eventually.
		16
		17	Add the missing lock in qemuProcessHandleMonitorEOF (which is the only
		18	position missing lock of monitor I found).
		19
		20	Suggested-by: Michal Privoznik <mprivozn@redhat.com>
		21	Signed-off-by: Peng Liang <liangpeng10@huawei.com>
		22	Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
		23	Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
		24	---
		25	src/qemu/qemu_process.c \| 2 ++
		26	1 file changed, 2 insertions(+)
		27
		28	diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
		29	index d903505..0d6f14c 100644
		30	--- a/src/qemu/qemu_process.c
		31	+++ b/src/qemu/qemu_process.c
		32	@@ -313,7 +313,9 @@ qemuProcessHandleMonitorEOF(qemuMonitorPtr mon,
		33	/* We don't want this EOF handler to be called over and over while the
		34	* thread is waiting for a job.
		35	*/
		36	+ virObjectLock(mon);
		37	qemuMonitorUnregister(mon);
		38	+ virObjectUnlock(mon);
		39
		40	/* We don't want any cleanup from EOF handler (or any other
		41	* thread) to enter qemu namespace. */
		42	--
		43	2.25.1
		44


diff --git a/recipes-extended/libvirt/libvirt_6.1.0.bb b/recipes-extended/libvirt/libvirt_6.1.0.bb index 97c1019c..803f7878 100644 --- a/recipes-extended/libvirt/libvirt_6.1.0.bb +++ b/recipes-extended/libvirt/libvirt_6.1.0.bb
@@ -48,6 +48,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
48	file://CVE-2021-3631.patch \	48	file://CVE-2021-3631.patch \
49	file://CVE-2021-3667.patch \	49	file://CVE-2021-3667.patch \
50	file://CVE-2022-0897.patch \	50	file://CVE-2022-0897.patch \
		51	file://CVE-2021-3975.patch \
51	"	52	"
52	SRC_URI[libvirt.md5sum] = "a870e63f20fac2ccf98e716d05256145"	53	SRC_URI[libvirt.md5sum] = "a870e63f20fac2ccf98e716d05256145"
53	SRC_URI[libvirt.sha256sum] = "167c185be45560e73dd3e14ed375778b555c01455192de2dafc4d0f74fabebc0"	54	SRC_URI[libvirt.sha256sum] = "167c185be45560e73dd3e14ed375778b555c01455192de2dafc4d0f74fabebc0"