Ask Your Question
0

What is the correct way to restart dnsmasq when it is in the libvirtd cgroup

asked 2017-10-02 16:29:09 -0600

MettaCrawler gravatar image

Hi,

How that dnsmasq has the following new disclosures:

  • CVE-2017-14491 DNS heap buffer overflow.
  • CVE-2017-14492, DHCPv6 RA heap overflow.
  • CVE-2017-14493, DHCPv6 - Stack buffer overflow.
  • CVE-2017-14494, Infoleak handling DHCPv6 forwarded requests.
  • CVE-2017-14495, OOM in DNS response creation.
  • CVE-2017-14496, Integer underflow in DNS response creation.

How should I restart dnsmasq when it is in the libvirtd cgroup, please?

When I run: sudo systemctl restart libvirtd dnsmasq does not call execve(2), instead it only re-reads configuration files.

That leaves the vulnerable version of dnsmasq still running after a patched copy is installed on disk.

Thanks, MC

edit retag flag offensive close merge delete

Comments

1

How about restarting libvirtd?

villykruse gravatar imagevillykruse ( 2017-10-03 06:26:30 -0600 )edit

Didn't work, please see below. Thanks for the suggestion, anyway.

MettaCrawler gravatar imageMettaCrawler ( 2017-10-05 13:44:41 -0600 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2017-10-05 13:43:29 -0600

MettaCrawler gravatar image

updated 2017-10-05 13:50:49 -0600

I gave up on systemd. Sorry. I simply had to restart the security-patched dnsmasq, anything else would not have been safe. I had to use killall dnsmasq and then systemctl restart libvirtd or dnsmasq would not restart.

Mostly I gave up on systemd when I found this bug report. https://bugzilla.redhat.com/show_bug....

Here's a transcript of the work-around I used in action:

[metta@crawler ~]$ rpm -q dnsmasq
dnsmasq-2.76-3.fc26.x86_64
[metta@crawler ~]$ ps -O lstart ax | grep dnsm
 1304 Fri Sep 29 20:41:33 2017 S ?        00:00:54 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
 1305 Fri Sep 29 20:41:33 2017 S ?        00:00:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
 1343 Fri Sep 29 20:41:33 2017 S ?        00:00:53 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/heartbeat.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
 1344 Fri Sep 29 20:41:33 2017 S ?        00:00:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/heartbeat.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
25660 Thu Oct  5 14:28:59 2017 S pts/11   00:00:00 grep --color=auto dnsm
[metta@crawler ~]$ sudo systemctl restart dnsmasq
[metta@crawler ~]$ ps -O lstart ax | grep dnsm
 1304 Fri Sep 29 20:41:33 2017 S ?        00:00:54 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
 1305 Fri Sep 29 20:41:33 2017 S ?        00:00:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
 1343 Fri Sep 29 20:41:33 2017 S ?        00:00:53 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/heartbeat.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
 1344 Fri Sep 29 20:41:33 2017 S ?        00:00:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/heartbeat.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
25693 Thu Oct  5 14:29:15 2017 S pts/11   00:00:00 grep --color=auto dnsm

Start time of dnsmasq did not change when sudo systemctl restart libvirtd was used. Trying killall:

[metta@crawler ~]$ ps -O lstart ax | grep dnsm
 1304 Fri Sep 29 20:41:33 2017 S ?        00:00:54 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
 1305 Fri Sep 29 20:41:33 2017 S ?        00:00:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
 1343 Fri Sep 29 20:41:33 2017 S ?        00:00:53 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/heartbeat.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
 1344 Fri Sep 29 20:41:33 2017 S ?        00:00:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/heartbeat.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
25928 Thu Oct  5 14:29:52 2017 S pts/11   00:00:00 grep --color=auto dnsm
[metta@crawler ...
(more)
edit flag offensive delete link more

Comments

One thing to remember is that the dnsmasq instance you can start from systemd runs in a different mode from the instance of dnsmasq that is started by libvirtd. You can have a still different instance of dnsmasq started by NetworkManager, and that runs in a third kind of mode different from the other two modes.

villykruse gravatar imagevillykruse ( 2017-10-06 03:19:23 -0600 )edit

In Virtual Machine Manager gui application, you can open Edit -> Connection Details -> Virtual Networks. When you hit the red Stop Network button, the dnsmasq processes are terminated, and will be restarted when hitting the Start Network button.

villykruse gravatar imagevillykruse ( 2017-10-07 08:15:52 -0600 )edit

Question Tools

1 follower

Stats

Asked: 2017-10-02 16:29:09 -0600

Seen: 2,353 times

Last updated: Oct 05 '17