From: Daniel P. Berrangé Date: Tue, 8 Mar 2022 17:28:38 +0000 (+0000) Subject: nwfilter: fix crash when counting number of network filters X-Git-Tag: v8.2.0-rc1~72 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36;p=thirdparty%2Flibvirt.git nwfilter: fix crash when counting number of network filters The virNWFilterObjListNumOfNWFilters method iterates over the driver->nwfilters, accessing virNWFilterObj instances. As such it needs to be protected against concurrent modification of the driver->nwfilters object. This API allows unprivileged users to connect, so users with read-only access to libvirt can cause a denial of service crash if they are able to race with a call of virNWFilterUndefine. Since network filters are usually statically defined, this is considered a low severity problem. This is assigned CVE-2022-0897. Reviewed-by: Eric Blake Signed-off-by: Daniel P. Berrangé --- diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c index 3ce8fce7f9..a493205c80 100644 --- a/src/nwfilter/nwfilter_driver.c +++ b/src/nwfilter/nwfilter_driver.c @@ -478,11 +478,15 @@ nwfilterLookupByName(virConnectPtr conn, static int nwfilterConnectNumOfNWFilters(virConnectPtr conn) { + int ret; if (virConnectNumOfNWFiltersEnsureACL(conn) < 0) return -1; - return virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn, - virConnectNumOfNWFiltersCheckACL); + nwfilterDriverLock(); + ret = virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn, + virConnectNumOfNWFiltersCheckACL); + nwfilterDriverUnlock(); + return ret; }
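Review bot: The locking requirement is enforced only at this call site in nwfilterConnectNumOfNWFilters, so virNWFilterObjListNumOfNWFilters still depends on every caller holding the driver lock while it walks driver->nwfilters, and nothing in the hunk documents that. Consider adding a short comment here or on the helper stating that the caller must hold nwfilterDriverLock() for the duration of the iteration, so that a later caller does not reintroduce the race with virNWFilterUndefine described in the commit message. The lock placement itself looks right: the early "return -1" after virConnectNumOfNWFiltersEnsureACL(conn) happens before nwfilterDriverLock() is taken, and the single locked path stores the result in ret and unlocks before returning, so no exit path leaves the lock held.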