[libvirt] [PATCH] util: Correct the NUMA node range checking
by Osier Yang
There are 2 issues here: First we shouldn't add "1" to the return
value of numa_max_node(), since the semanteme of the error message
was changed, it's not saying about the number of total NUMA nodes
anymore. Second, the value of "bit" is the position of the first
bit which exceeds either numa_max_node() or NUMA_NUM_NODES, it can
be any number in the range, so saying "bigger than $bit" is quite
confusing now. For example, assuming there is a NUMA machine which
has 10 NUMA nodes, and one specifies the "nodeset" as "0,5,88",
the error message will be like:
Nodeset is out of range, host cannot support NUMA node bigger than 88
It sounds like all NUMA node number less than 88 is fine, but
actually the maximum NUMA node number the machine supports is 9.
This patch fixes the issues by removing the addition with "1" and
simplifies the error message as "NUMA node $bit is out of range".
---
src/util/virnuma.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/src/util/virnuma.c b/src/util/virnuma.c
index ab46591..500dca7 100644
--- a/src/util/virnuma.c
+++ b/src/util/virnuma.c
@@ -99,7 +99,6 @@ virNumaSetupMemoryPolicy(virNumaTuneDef numatune,
int ret = -1;
int bit = 0;
size_t i;
- int maxnode = 0;
virBitmapPtr tmp_nodemask = NULL;
if (numatune.memory.placement_mode ==
@@ -122,16 +121,13 @@ virNumaSetupMemoryPolicy(virNumaTuneDef numatune,
return -1;
}
- maxnode = numa_max_node() + 1;
-
/* Convert nodemask to NUMA bitmask. */
nodemask_zero(&mask);
bit = -1;
while ((bit = virBitmapNextSetBit(tmp_nodemask, bit)) >= 0) {
- if (bit > maxnode || bit > NUMA_NUM_NODES) {
+ if (bit > numa_max_node() || bit > NUMA_NUM_NODES) {
virReportError(VIR_ERR_INTERNAL_ERROR,
- _("Nodeset is out of range, host cannot support "
- "NUMA node bigger than %d"), bit);
+ _("NUMA node %d is out of range"), bit);
return -1;
}
nodemask_set(&mask, bit);
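Review bot: in the new condition `bit > numa_max_node() || bit > NUMA_NUM_NODES`, the second clause still lets bit == NUMA_NUM_NODES through to nodemask_set(&mask, bit); if the mask holds NUMA_NUM_NODES bits (indices 0 to NUMA_NUM_NODES - 1), that clause should be `bit >= NUMA_NUM_NODES` so it is safe on its own rather than relying on numa_max_node() being smaller. numa_max_node() is also now called on every loop iteration; keeping the value in a local (without the "+ 1") would avoid that. Since the nodeset is supplied by the caller, an invalid-argument style error would describe the failure better than VIR_ERR_INTERNAL_ERROR.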
--
1.8.1.4
10 years, 11 months
[libvirt] mingw64 + gnulib time.h / pthread.h / gmtime_r incompatibility
by Daniel P. Berrange
I'm attempting to make libvirt capable of building with mingw64 toolchain's
pthread.h, instead of directly using Windows thread primitives.
As a quick hack I just changed libvirt logic to force use of pthreads,
since configure is already doing the necessary pthread.h probes for us
even on win32 eg
diff --git a/src/util/virthread.c b/src/util/virthread.c
index dd1768e..8849d7d 100644
--- a/src/util/virthread.c
+++ b/src/util/virthread.c
@@ -25,7 +25,7 @@
/* On mingw, we prefer native threading over the sometimes-broken
* pthreads-win32 library wrapper. */
-#ifdef WIN32
+#ifdef WINx32
# include "virthreadwin32.c"
#elif defined HAVE_PTHREAD_MUTEXATTR_INIT
# include "virthreadpthread.c"
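Review bot: renaming the guard to `WINx32`, a macro that nothing defines, disables the native branch silently and leaves the comment above it ("we prefer native threading") contradicting the code. If this goes beyond a local experiment, a configure-time switch with its own macro would make the choice visible, and the comment should be updated along with it.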
diff --git a/src/util/virthread.h b/src/util/virthread.h
index 84d3bdc..649285e 100644
--- a/src/util/virthread.h
+++ b/src/util/virthread.h
@@ -111,7 +111,7 @@ int virThreadLocalInit(virThreadLocalPtr l,
void *virThreadLocalGet(virThreadLocalPtr l);
int virThreadLocalSet(virThreadLocalPtr l, void*) ATTRIBUTE_RETURN_CHECK;
-# ifdef WIN32
+# ifdef WINx32
# include "virthreadwin32.h"
# elif defined HAVE_PTHREAD_MUTEXATTR_INIT
# include "virthreadpthread.h"
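Review bot: this guard in virthread.h has to stay in step with the one in virthread.c; with the same ad-hoc `WINx32` spelling repeated in both files, a typo in one would pair the win32 source with the pthread header or the reverse. Defining the selection once and testing that single macro in both places would remove the risk.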
When attempting to build though I see failures
CC util/libvirt_util_la-virerror.lo
In file included from /usr/i686-w64-mingw32/sys-root/mingw/include/sys/time.h:10:0,
from ../gnulib/lib/sys/time.h:39,
from ../gnulib/lib/sys/select.h:117,
from util/virutil.h:31,
from util/virerror.c:35:
../gnulib/lib/time.h:468:21: error: expected identifier or '(' before '{' token
_GL_FUNCDECL_SYS (localtime_r, struct tm *, (time_t const *restrict __timer,
^
In file included from /usr/i686-w64-mingw32/sys-root/mingw/include/sys/time.h:10:0,
from ../gnulib/lib/sys/time.h:39,
from ../gnulib/lib/sys/select.h:117,
from util/virutil.h:31,
from util/virerror.c:35:
../gnulib/lib/time.h:490:21: error: expected identifier or '(' before '{' token
_GL_FUNCDECL_SYS (gmtime_r, struct tm *, (time_t const *restrict __timer,
^
The problem appears to be that mingw64's pthread.h has the following
craziness:
/* Recursive API emulation. */
#undef localtime_r
#define localtime_r(_Time, _Tm) ({ struct tm *___tmp_tm; \
pthread_testcancel(); \
___tmp_tm = localtime((_Time));\
if (___tmp_tm) { \
*(_Tm) = *___tmp_tm; \
___tmp_tm = (_Tm); \
} \
___tmp_tm; })
#undef gmtime_r
#define gmtime_r(_Time,_Tm) ({ struct tm *___tmp_tm; \
pthread_testcancel(); \
___tmp_tm = gmtime((_Time)); \
if (___tmp_tm) { \
*(_Tm) = *___tmp_tm; \
___tmp_tm = (_Tm); \
} \
___tmp_tm; })
which clashes with the gnulib provided declarations for gmtime_r/localtime_r.
gnulib appears to be trying to workaround this problem already - the
generated gnulib/lib/time.h file shows this though, which indicates
its workaround hasn't been activated by 'configure':
/* Some systems don't define struct timespec (e.g., AIX 4.1, Ultrix 4.3).
Or they define it with the wrong member names or define it in <sys/time.h>
(e.g., FreeBSD circa 1997). Stock Mingw does not define it, but the
pthreads-win32 library defines it in <pthread.h>. */
# if ! 1
# if 0
# include <sys/time.h>
# elif 0
# include <pthread.h>
/* The pthreads-win32 <pthread.h> also defines a couple of broken macros. */
# undef asctime_r
# undef ctime_r
# undef gmtime_r
# undef localtime_r
# undef rand_r
# undef strtok_r
# else
ie I would have expected that 'elif' to be 1 instead of 0.
It seems the logic in gnulib/m4/time_h.m4 is incorrect. The configure
check shows
checking for struct timespec in <time.h>... yes
and so time_h.m4 never gets as far as trying to detect the broken
pthreads.h - it's hidden in an unreachable else block.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
10 years, 11 months
[libvirt] [PATCH] api: require write permission for guest agent interaction
by Eric Blake
I noticed that we allow virDomainGetVcpusFlags even for read-only
connections, but that with a flag, it can require guest agent
interaction. It is feasible that a malicious guest could
intentionally abuse the replies it sends over the guest agent
connection to possibly trigger a bug in libvirt's JSON parser,
or withhold an answer so as to prevent the use of the agent
in a later command such as a shutdown request. Although we
don't know of any such exploits now (and therefore don't mind
posting this patch publicly without trying to get a CVE assigned),
it is better to err on the side of caution and explicitly require
full access to any domain where the API requires guest interaction
to operate correctly.
I audited all commands that are marked as conditionally using a
guest agent. Note that at least virDomainFSTrim is documented
as needing a guest agent, but that such use is unconditional
depending on the hypervisor (so the existing domain:fs_trim ACL
should be sufficient there, rather than also requiring domain:write).
But when designing future APIs, such as the plans for obtaining
a domain's IP addresses, we should copy the approach of this patch
in making interaction with the guest be specified via a flag, and
use that flag to also require stricter access checks.
* src/libvirt.c (virDomainGetVcpusFlags): Forbid guest interaction
on read-only connection.
(virDomainShutdownFlags, virDomainReboot): Improve docs on agent
interaction.
* src/remote/remote_protocol.x
(REMOTE_PROC_DOMAIN_SNAPSHOT_CREATE_XML)
(REMOTE_PROC_DOMAIN_SET_VCPUS_FLAGS)
(REMOTE_PROC_DOMAIN_GET_VCPUS_FLAGS, REMOTE_PROC_DOMAIN_REBOOT)
(REMOTE_PROC_DOMAIN_SHUTDOWN_FLAGS): Require domain:write for any
conditional use of a guest agent.
* src/xen/xen_driver.c: Fix clients.
* src/libxl/libxl_driver.c: Likewise.
* src/uml/uml_driver.c: Likewise.
* src/qemu/qemu_driver.c: Likewise.
* src/lxc/lxc_driver.c: Likewise.
Signed-off-by: Eric Blake <eblake(a)redhat.com>
---
src/libvirt.c | 12 +++++++++---
src/libxl/libxl_driver.c | 6 +++---
src/lxc/lxc_driver.c | 4 ++--
src/qemu/qemu_driver.c | 8 ++++----
src/remote/remote_protocol.x | 5 +++++
src/uml/uml_driver.c | 2 +-
src/xen/xen_driver.c | 6 +++---
7 files changed, 27 insertions(+), 16 deletions(-)
diff --git a/src/libvirt.c b/src/libvirt.c
index 6a41fd7..c15e29a 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -3134,6 +3134,9 @@ error:
* in which the hypervisor tries each shutdown method is undefined,
* and a hypervisor is not required to support all methods.
*
+ * To use guest agent (VIR_DOMAIN_SHUTDOWN_GUEST_AGENT) the domain XML
+ * must have <channel> configured.
+ *
* Returns 0 in case of success and -1 in case of failure.
*/
int
@@ -3180,7 +3183,7 @@ error:
*
* If @flags is set to zero, then the hypervisor will choose the
* method of shutdown it considers best. To have greater control
- * pass one or more of the virDomainShutdownFlagValues. The order
+ * pass one or more of the virDomainRebootFlagValues. The order
* in which the hypervisor tries each shutdown method is undefined,
* and a hypervisor is not required to support all methods.
*
@@ -9347,7 +9350,7 @@ error:
* current virtual CPU count.
*
* If @flags includes VIR_DOMAIN_VCPU_GUEST, then the state of the processors
- * is modified in the guest instead of the hypervisor. This flag is only usable
+ * is queried in the guest instead of the hypervisor. This flag is only usable
* on live domains. Guest agent may be needed for this flag to be available.
*
* Returns the number of vCPUs in case of success, -1 in case of failure.
@@ -9362,6 +9365,10 @@ virDomainGetVcpusFlags(virDomainPtr domain, unsigned int flags)
virResetLastError();
virCheckDomainReturn(domain, -1);
+ conn = domain->conn;
+
+ if (flags & VIR_DOMAIN_VCPU_GUEST)
+ virCheckReadOnlyGoto(conn->flags, error);
/* At most one of these two flags should be set. */
if ((flags & VIR_DOMAIN_AFFECT_LIVE) &&
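Review bot: the new `virCheckReadOnlyGoto(conn->flags, error)` for VIR_DOMAIN_VCPU_GUEST is not reflected in the function's doc comment, which still only says "Guest agent may be needed for this flag to be available". A sentence stating that the flag is rejected on read-only connections would tell callers why the call now fails.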
@@ -9372,7 +9379,6 @@ virDomainGetVcpusFlags(virDomainPtr domain, unsigned int flags)
__FUNCTION__);
goto error;
}
- conn = domain->conn;
if (conn->driver->domainGetVcpusFlags) {
int ret;
diff --git a/src/libxl/libxl_driver.c b/src/libxl/libxl_driver.c
index 4115fff..fc0efa2 100644
--- a/src/libxl/libxl_driver.c
+++ b/src/libxl/libxl_driver.c
@@ -1409,7 +1409,7 @@ libxlDomainShutdownFlags(virDomainPtr dom, unsigned int flags)
if (!(vm = libxlDomObjFromDomain(dom)))
goto cleanup;
- if (virDomainShutdownFlagsEnsureACL(dom->conn, vm->def) < 0)
+ if (virDomainShutdownFlagsEnsureACL(dom->conn, vm->def, flags) < 0)
goto cleanup;
if (!virDomainObjIsActive(vm)) {
@@ -1456,7 +1456,7 @@ libxlDomainReboot(virDomainPtr dom, unsigned int flags)
if (!(vm = libxlDomObjFromDomain(dom)))
goto cleanup;
- if (virDomainRebootEnsureACL(dom->conn, vm->def) < 0)
+ if (virDomainRebootEnsureACL(dom->conn, vm->def, flags) < 0)
goto cleanup;
if (!virDomainObjIsActive(vm)) {
@@ -2316,7 +2316,7 @@ libxlDomainGetVcpusFlags(virDomainPtr dom, unsigned int flags)
if (!(vm = libxlDomObjFromDomain(dom)))
goto cleanup;
- if (virDomainGetVcpusFlagsEnsureACL(dom->conn, vm->def) < 0)
+ if (virDomainGetVcpusFlagsEnsureACL(dom->conn, vm->def, flags) < 0)
goto cleanup;
active = virDomainObjIsActive(vm);
diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
index 4c2744d..4c716ef 100644
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -2721,7 +2721,7 @@ lxcDomainShutdownFlags(virDomainPtr dom,
priv = vm->privateData;
- if (virDomainShutdownFlagsEnsureACL(dom->conn, vm->def) < 0)
+ if (virDomainShutdownFlagsEnsureACL(dom->conn, vm->def, flags) < 0)
goto cleanup;
if (!virDomainObjIsActive(vm)) {
@@ -2798,7 +2798,7 @@ lxcDomainReboot(virDomainPtr dom,
priv = vm->privateData;
- if (virDomainRebootEnsureACL(dom->conn, vm->def) < 0)
+ if (virDomainRebootEnsureACL(dom->conn, vm->def, flags) < 0)
goto cleanup;
if (!virDomainObjIsActive(vm)) {
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 7059f7a..8006882 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -1835,7 +1835,7 @@ static int qemuDomainShutdownFlags(virDomainPtr dom, unsigned int flags) {
if (agentRequested || (!flags && priv->agent))
useAgent = true;
- if (virDomainShutdownFlagsEnsureACL(dom->conn, vm->def) < 0)
+ if (virDomainShutdownFlagsEnsureACL(dom->conn, vm->def, flags) < 0)
goto cleanup;
if (priv->agentError) {
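Review bot: in qemuDomainShutdownFlags the context line `if (agentRequested || (!flags && priv->agent))` sets useAgent for flags == 0 as well, but the ACL rule added for this call is keyed on VIR_DOMAIN_SHUTDOWN_GUEST_AGENT, so passing the raw `flags` here does not require domain:write on the path where the agent is chosen by default. Either the default path should avoid the agent for callers without domain:write, or the check should be made on the effective useAgent decision rather than on the flags as passed.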
@@ -1936,7 +1936,7 @@ qemuDomainReboot(virDomainPtr dom, unsigned int flags)
priv = vm->privateData;
- if (virDomainRebootEnsureACL(dom->conn, vm->def) < 0)
+ if (virDomainRebootEnsureACL(dom->conn, vm->def, flags) < 0)
goto cleanup;
if ((flags & VIR_DOMAIN_REBOOT_GUEST_AGENT) ||
@@ -4898,7 +4898,7 @@ qemuDomainGetVcpusFlags(virDomainPtr dom, unsigned int flags)
priv = vm->privateData;
- if (virDomainGetVcpusFlagsEnsureACL(dom->conn, vm->def) < 0)
+ if (virDomainGetVcpusFlagsEnsureACL(dom->conn, vm->def, flags) < 0)
goto cleanup;
if (!(caps = virQEMUDriverGetCapabilities(driver, false)))
@@ -13070,7 +13070,7 @@ qemuDomainSnapshotCreateXML(virDomainPtr domain,
cfg = virQEMUDriverGetConfig(driver);
- if (virDomainSnapshotCreateXMLEnsureACL(domain->conn, vm->def) < 0)
+ if (virDomainSnapshotCreateXMLEnsureACL(domain->conn, vm->def, flags) < 0)
goto cleanup;
if (!(caps = virQEMUDriverGetCapabilities(driver, false)))
diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
index 5a82395..8238405 100644
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -3185,6 +3185,7 @@ enum remote_procedure {
/**
* @generate: both
* @acl: domain:init_control
+ * @acl: domain:write:VIR_DOMAIN_REBOOT_GUEST_AGENT
*/
REMOTE_PROC_DOMAIN_REBOOT = 27,
@@ -4278,6 +4279,7 @@ enum remote_procedure {
/**
* @generate: both
* @acl: domain:snapshot
+ * @acl: domain:write:VIR_DOMAIN_SNAPSHOT_CREATE_QUIESCE
*/
REMOTE_PROC_DOMAIN_SNAPSHOT_CREATE_XML = 185,
@@ -4370,12 +4372,14 @@ enum remote_procedure {
* @acl: domain:write
* @acl: domain:save:!VIR_DOMAIN_AFFECT_CONFIG|VIR_DOMAIN_AFFECT_LIVE
* @acl: domain:save:VIR_DOMAIN_AFFECT_CONFIG
+ * @acl: domain:write:VIR_DOMAIN_VCPU_GUEST
*/
REMOTE_PROC_DOMAIN_SET_VCPUS_FLAGS = 199,
/**
* @generate: both
* @acl: domain:read
+ * @acl: domain:write:VIR_DOMAIN_VCPU_GUEST
*/
REMOTE_PROC_DOMAIN_GET_VCPUS_FLAGS = 200,
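Review bot: REMOTE_PROC_DOMAIN_SET_VCPUS_FLAGS already carries an unconditional `@acl: domain:write`, so the added `@acl: domain:write:VIR_DOMAIN_VCPU_GUEST` can never deny anything the first rule allows; it can be dropped, or kept with a comment saying it is there for documentation only. The rule added to REMOTE_PROC_DOMAIN_GET_VCPUS_FLAGS is the one that changes behaviour.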
@@ -4762,6 +4766,7 @@ enum remote_procedure {
/**
* @generate: both
* @acl: domain:init_control
+ * @acl: domain:write:VIR_DOMAIN_SHUTDOWN_GUEST_AGENT
*/
REMOTE_PROC_DOMAIN_SHUTDOWN_FLAGS = 258,
diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c
index f286f41..89afefe 100644
--- a/src/uml/uml_driver.c
+++ b/src/uml/uml_driver.c
@@ -1635,7 +1635,7 @@ static int umlDomainShutdownFlags(virDomainPtr dom,
goto cleanup;
}
- if (virDomainShutdownFlagsEnsureACL(dom->conn, vm->def) < 0)
+ if (virDomainShutdownFlagsEnsureACL(dom->conn, vm->def, flags) < 0)
goto cleanup;
#if 0
diff --git a/src/xen/xen_driver.c b/src/xen/xen_driver.c
index 65c3a5c..c45d980 100644
--- a/src/xen/xen_driver.c
+++ b/src/xen/xen_driver.c
@@ -952,7 +952,7 @@ xenUnifiedDomainShutdownFlags(virDomainPtr dom,
if (!(def = xenGetDomainDefForDom(dom)))
goto cleanup;
- if (virDomainShutdownFlagsEnsureACL(dom->conn, def) < 0)
+ if (virDomainShutdownFlagsEnsureACL(dom->conn, def, flags) < 0)
goto cleanup;
ret = xenDaemonDomainShutdown(dom->conn, def);
@@ -979,7 +979,7 @@ xenUnifiedDomainReboot(virDomainPtr dom, unsigned int flags)
if (!(def = xenGetDomainDefForDom(dom)))
goto cleanup;
- if (virDomainRebootEnsureACL(dom->conn, def) < 0)
+ if (virDomainRebootEnsureACL(dom->conn, def, flags) < 0)
goto cleanup;
ret = xenDaemonDomainReboot(dom->conn, def);
@@ -1526,7 +1526,7 @@ xenUnifiedDomainGetVcpusFlags(virDomainPtr dom, unsigned int flags)
if (!(def = xenGetDomainDefForDom(dom)))
goto cleanup;
- if (virDomainGetVcpusFlagsEnsureACL(dom->conn, def) < 0)
+ if (virDomainGetVcpusFlagsEnsureACL(dom->conn, def, flags) < 0)
goto cleanup;
ret = xenUnifiedDomainGetVcpusFlagsInternal(dom, def, flags);
--
1.8.4.2
10 years, 11 months
[libvirt] LSN-2013-0020: libvirtd crash when hot-plugging disks for qemu domains
by Eric Blake
Libvirt Security Notice: LSN-2013-0020
======================================
Summary: libvirtd crash when hot-plugging disks for qemu
domains
Reported on: 20131220
Published on: 20131213
Fixed on: 20140107
Reported by: Alexandre M <alexandre.mclean(a)ubisoft.com>
Patched by: Jiri Denemark <jdenemar(a)redhat.com>
See also: CVE-2013-6458, redhat bug #1043069
Description
-----------
Several methods in the qemu block driver were accessing details
about disks associated with a domain outside of a job lock. If
another connection is adding or removing disks, the details in use
by the first connection could become stale and lead to a libvirtd
crash. Among the methods impacted, it is possible to trigger the
race from four APIs accessible from read-only clients:
virDomainBlockStats, virDomainGetBlockInfo,
virDomainGetBlockJobInfo, and virDomainGetBlockIoTune.
Impact
------
Each of the four affected APIs could be used by any user that can
connect through the read-only libvirtd UNIX domain socket. Also, if
ACLs are active, access to the affected APIs is granted to any user
with the 'read' permission on the 'domain' object, which is granted
by default to all users. As a result an unprivileged user will be
able to inflict a denial of service attack on other users of the
libvirtd daemon with higher privilege.
Workaround
----------
The impact can be mitigated by blocking access to the read-only
libvirtd UNIX domain socket, with policykit or the 'auth_unix_ro'
parameter in '/etc/libvirt/libvirtd.conf'. If ACLs are active, the
'read' permission should be removed from any untrusted users. This
will not prevent the crash, but will stop unprivileged users from
inflicting the denial of service on higher privileged users.
Additionally, avoiding disk hot-plug actions is sufficient to avoid
the problem.
Affected product
----------------
Name: libvirt
Repository: git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v0.8.2
Broken in: v0.8.3
Broken in: v0.8.4
Broken in: v0.8.5
Broken in: v0.8.6
Broken in: v0.8.7
Broken in: v0.8.8
Broken in: v0.9.0
Broken in: v0.9.1
Broken in: v0.9.2
Broken in: v0.9.3
Broken in: v0.9.4
Broken in: v0.9.5
Broken in: v0.9.6
Broken in: v0.9.7
Broken in: v0.9.8
Broken in: v0.9.9
Broken in: v0.9.10
Broken in: v0.9.11
Broken in: v0.9.12
Broken in: v0.9.13
Broken in: v0.10.0
Broken in: v0.10.1
Broken in: v0.10.2
Broken in: v1.0.0
Broken in: v1.0.1
Broken in: v1.0.2
Broken in: v1.0.3
Broken in: v1.0.4
Broken in: v1.0.5
Broken in: v1.0.6
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Broken in: v1.1.3
Broken in: v1.1.4
Broken in: v1.2.0
Fixed in: v1.2.1
Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85
Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda
Broken by: b976165ca4d82788be77d14843a4d079139539ba
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a
Fixed by: db86da5ca2109e4006c286a09b6c75bfe10676ad
Fixed by: b799259583bd65c0b2f5042e6c3ff19637ade881
Fixed by: f93d2caa070f6197ab50d372d286018b0ba6bbd8
Fixed by: 3b56425938e2f97208d5918263efa0d6439e4ecd
Branch: v0.8.3-maint
Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85
Branch: v0.9.6-maint
Broken in: v0.9.6.1
Broken in: v0.9.6.2
Broken in: v0.9.6.3
Broken in: v0.9.6.4
Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85
Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda
Broken by: b976165ca4d82788be77d14843a4d079139539ba
Branch: v0.9.11-maint
Broken in: v0.9.11.1
Broken in: v0.9.11.2
Broken in: v0.9.11.3
Broken in: v0.9.11.4
Broken in: v0.9.11.5
Broken in: v0.9.11.6
Broken in: v0.9.11.7
Broken in: v0.9.11.8
Broken in: v0.9.11.9
Broken in: v0.9.11.10
Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85
Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda
Broken by: b976165ca4d82788be77d14843a4d079139539ba
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a
Branch: v0.9.12-maint
Broken in: v0.9.12.1
Broken in: v0.9.12.2
Fixed in: v0.9.12.3
Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85
Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda
Broken by: b976165ca4d82788be77d14843a4d079139539ba
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a
Fixed by: c430c002dd8287c5d7b834993ddfbd61435248c4
Fixed by: 4dd29d3bdf4bf3a4c4b1077ddf4355bcf548ca2f
Fixed by: 3e7d9e54e9ce286fe1bee5d32089cd58d63e5cee
Fixed by: 2786686eb5855e0046817d47055cd784881ca8cb
Branch: v0.10.2-maint
Broken in: v0.10.2.1
Broken in: v0.10.2.2
Broken in: v0.10.2.3
Broken in: v0.10.2.4
Broken in: v0.10.2.5
Broken in: v0.10.2.6
Broken in: v0.10.2.7
Broken in: v0.10.2.8
Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85
Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda
Broken by: b976165ca4d82788be77d14843a4d079139539ba
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a
Fixed by: 5f5e9eb23dead857b1858da8b97a6cb0442fabed
Fixed by: 7a9bcfa1ccc190e33e6fa931df8143cc9623cf24
Fixed by: 95836cb26b1d91b8e9eba0c4764bc24cccc78684
Fixed by: f59d02c487659e9d9f8e152673a0fe4d612172b2
Branch: v1.0.2-maint
Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85
Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda
Broken by: b976165ca4d82788be77d14843a4d079139539ba
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a
Fixed by: 561b03f9165a860139edd3c03bb3e35a2c2f85ca
Fixed by: 324279f2c867f404712c659adc4f399f8d343eda
Fixed by: c973eb035ee0d8863d0f2ed25f0523e3e7fee433
Fixed by: d0a4e2498d7d3b1cf1683b0720b9bc6edabcd364
Branch: v1.0.3-maint
Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85
Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda
Broken by: b976165ca4d82788be77d14843a4d079139539ba
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a
Fixed by: 59d46c6cd5cb892ce68e83c99c14023f29e073a7
Fixed by: 12ca0aaf2fc32647d3a570780a2c7467a26b0ecd
Fixed by: da2d96d12521a20305d0ea3190539e1c4b367d75
Fixed by: c51986ba820dde30e48b4f1694862c3cf4d8b7ec
Branch: v1.0.4-maint
Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85
Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda
Broken by: b976165ca4d82788be77d14843a4d079139539ba
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a
Fixed by: d003b8f294801adfc655096cfc80480e7f2e17ae
Fixed by: e966f1155ccb1c4e3ddc41a02b1107af2d98f98d
Fixed by: fa5c087aef266e27a0641c720bbbf95cd5ace6b1
Fixed by: 473b751d895d248f37766bab32e20ee00ac3913a
Branch: v1.0.5-maint
Broken in: v1.0.5.1
Broken in: v1.0.5.2
Broken in: v1.0.5.3
Broken in: v1.0.5.4
Broken in: v1.0.5.5
Broken in: v1.0.5.6
Broken in: v1.0.5.7
Broken in: v1.0.5.8
Fixed in: v1.0.5.9
Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85
Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda
Broken by: b976165ca4d82788be77d14843a4d079139539ba
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a
Fixed by: c67b0de046b16dca352537e8f39ff935a5fded76
Fixed by: 923319189022c5806da01b963dddd8dff0d6c747
Fixed by: 6cd879829aaf02f56182feb16b4284d5b3fdcfd7
Fixed by: dee5fc756648e62062da3366583fc343413e1ba7
Branch: v1.0.6-maint
Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85
Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda
Broken by: b976165ca4d82788be77d14843a4d079139539ba
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a
Fixed by: 938ef6e611b39630b00b368b8b8d7db7e619ed99
Fixed by: 6eae1538c1d5b7aaee34f3ca81389906d8af0626
Fixed by: 8bdc22d281105fe32c85da58faf817ab9b2da369
Fixed by: ac8feea58029fea294c3c60c220592ca7c9734c8
Branch: v1.1.0-maint
Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85
Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda
Broken by: b976165ca4d82788be77d14843a4d079139539ba
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a
Fixed by: 5efb996317f1f8a57fea625526075be9ef84e69c
Fixed by: c1f8276a81de8d31578f16cc6bfdafc5e807427d
Fixed by: 1478ebf2bcadbaf3b66d9e91086bcca39a41bb65
Fixed by: 8cc2474f0645fab308090f477e98317b0dff485f
Branch: v1.1.1-maint
Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85
Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda
Broken by: b976165ca4d82788be77d14843a4d079139539ba
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a
Fixed by: 84c251faec7a0003863fe1c9b1abc7960f395faa
Fixed by: 3451828a28a333e570af621eceb93245763fa044
Fixed by: 571629b2dfd2eeb8001efddac2569b12621d1db3
Fixed by: c5b379e17daa2f641363712212a18b3b31cacdea
Branch: v1.1.2-maint
Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85
Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda
Broken by: b976165ca4d82788be77d14843a4d079139539ba
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a
Fixed by: 17db7e28a1ec77382bb8fa96205ef2cf6deefa88
Fixed by: 54cb7f05ec5c822bb786833367dc80327648f2c0
Fixed by: bcb9a035a99cf8389069c401c94605aedccdc4df
Fixed by: 82daa87f6a020ba2d1274b300f8e95f903fbe0f8
Branch: v1.1.3-maint
Broken in: v1.1.3.1
Broken in: v1.1.3.2
Fixed in: v1.1.3.3
Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85
Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda
Broken by: b976165ca4d82788be77d14843a4d079139539ba
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a
Fixed by: 1bfc35e3f837ab7b399fe664281b7db06db96a05
Fixed by: 0e98442e3bcbf832f49a6d36f94558bb026e3f3a
Fixed by: 7354aaf4607beaa9f4a6d68e3b26a28c97494e58
Fixed by: a7844b9ec2718dad9f5e5316cc0673e95098d812
Branch: v1.1.4-maint
Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85
Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda
Broken by: b976165ca4d82788be77d14843a4d079139539ba
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a
Fixed by: c8fa19d9e385d8bae368385aece1c3f493be4e71
Fixed by: 4ee6ed6f50a71868fbb8a5f28edbcfd7170f5bf5
Fixed by: 36c1691c6d61aa5a0d9a65d64bc3af3e15692d62
Fixed by: 8fcc0f0237f728361065caf6fac0fce1965230a0
Branch: v1.2.0-maint
Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85
Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda
Broken by: b976165ca4d82788be77d14843a4d079139539ba
Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a
Fixed by: 13051a86cb093d4c421a8669ccd7591578d004aa
Fixed by: 3a0286f978c19ecc7b2ef2242b33688239428f85
Fixed by: 4d8c603ca2cb1fb70c0e0d2e0d51d1fe3261c7b9
Fixed by: c6fbbe85aa496d178d5e4188bee166a5abb97029
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
10 years, 11 months
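The role of the job lock named in the notice above, as a simplified single-threaded model added here (not libvirt code; the `domain`, `disk`, `job_active` and `wait_hook` names are hypothetical). The hook stands for the window in which another connection runs while a query waits on the hypervisor; unlike a real job lock, which makes the second caller wait, this model returns a busy error.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model types; not libvirt's structures. */
enum { DOM_OK = 0, DOM_ERR_BUSY = -1, DOM_ERR_NO_DISK = -2, DOM_ERR_ARG = -3 };
#define MAX_DISKS 4

struct disk {
    char target[8];        /* e.g. "vda" */
    long long rd_bytes;    /* constructed sample counter */
};

struct domain {
    struct disk *disks[MAX_DISKS];
    size_t ndisks;
    int job_active;        /* stands in for the per-domain job lock */
};

/* Hot-plug: adds a heap-allocated disk to the domain. */
static int domain_add_disk(struct domain *d, const char *target, long long rd)
{
    struct disk *k;

    if (d->job_active)
        return DOM_ERR_BUSY;
    if (d->ndisks == MAX_DISKS || strlen(target) >= sizeof(k->target))
        return DOM_ERR_ARG;
    if (!(k = calloc(1, sizeof(*k))))
        return DOM_ERR_ARG;
    strcpy(k->target, target);
    k->rd_bytes = rd;
    d->disks[d->ndisks++] = k;
    return DOM_OK;
}

/* Hot-unplug: frees the disk, so it must not run while a query holds a pointer. */
static int domain_detach_disk(struct domain *d, const char *target)
{
    if (d->job_active)
        return DOM_ERR_BUSY;          /* a real job lock would wait here */
    for (size_t i = 0; i < d->ndisks; i++) {
        if (strcmp(d->disks[i]->target, target) == 0) {
            free(d->disks[i]);
            d->disks[i] = d->disks[--d->ndisks];
            return DOM_OK;
        }
    }
    return DOM_ERR_NO_DISK;
}

/* Called where the query waits on the hypervisor and other connections run. */
typedef void (*wait_hook)(struct domain *d);

static int domain_block_stats(struct domain *d, const char *target,
                              wait_hook while_waiting, long long *rd_bytes)
{
    struct disk *k = NULL;
    int ret = DOM_ERR_NO_DISK;

    if (d->job_active)
        return DOM_ERR_BUSY;
    d->job_active = 1;                /* begin job: the disk list is now stable */

    for (size_t i = 0; i < d->ndisks && !k; i++)
        if (strcmp(d->disks[i]->target, target) == 0)
            k = d->disks[i];
    if (!k)
        goto endjob;
    if (while_waiting)
        while_waiting(d);             /* an unplug attempted here gets DOM_ERR_BUSY */
    /* Without the job, the unplug above would have freed 'k' and this read
     * would touch stale memory: the crash the notice describes. */
    *rd_bytes = k->rd_bytes;
    ret = DOM_OK;
 endjob:
    d->job_active = 0;
    return ret;
}

/* Simulated second connection that tries to unplug "vda" during the query. */
static int last_unplug_result = DOM_OK;
static void unplug_vda(struct domain *d)
{
    last_unplug_result = domain_detach_disk(d, "vda");
}

int main(void)
{
    struct domain d = { {0}, 0, 0 };
    long long rd = 0;
    int rc;

    domain_add_disk(&d, "vda", 4096);
    rc = domain_block_stats(&d, "vda", unplug_vda, &rd);
    printf("stats rc=%d rd_bytes=%lld, concurrent unplug rc=%d\n",
           rc, rd, last_unplug_result);
    printf("unplug after the job ended rc=%d\n", domain_detach_disk(&d, "vda"));
    return 0;
}
```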
[libvirt] LSN-2013-0019: libvirtd crash when reading numa tunables for libxl guest in shutoff status
by Eric Blake
Libvirt Security Notice: LSN-2013-0019
======================================
Summary: libvirtd crash when reading numa tunables for
libxl guest in shutoff status
Reported on: 20131220
Published on: 20131220
Fixed on: 20131220
Reported by: Dario Faggioli <dario.faggioli(a)citrix.com>
Patched by: Dario Faggioli <dario.faggioli(a)citrix.com>
See also: CVE-2013-6457
Description
-----------
The libxlDomainGetNumaParameters method in the libxl driver did not
check whether the guest being accessed was running or not. When
shutoff, the code attempts to clean up an uninitialized bitmap,
causing malloc corruption most commonly observed as a crash.
Impact
------
A user who has permission to invoke the virDomainGetNumaParameters
API against the libxl driver will be able to crash the libvirtd
daemon. Access to this API is granted to any user who connects to
the read-only libvirtd UNIX domain socket. If ACLs are active,
access is granted to any user with the 'read' permission on the
'domain' object, which is granted by default to all users. As a
result an unprivileged user will be able to inflict a denial of
service attack on other users of the libvirtd daemon with higher
privilege.
Workaround
----------
The impact can be mitigated by blocking access to the read-only
libvirtd UNIX domain socket, with policykit or the 'auth_unix_ro'
parameter in '/etc/libvirt/libvirtd.conf'. If ACLs are active, the
'read' permission should be removed from any untrusted users. This
will not prevent the crash, but will stop unprivileged users from
inflicting the denial of service on higher privileged users.
Affected product
----------------
Name: libvirt
Repository: git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v1.1.1
Broken in: v1.1.2
Broken in: v1.1.3
Broken in: v1.1.4
Broken in: v1.2.0
Fixed in: v1.2.1
Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63
Fixed by: f9ee91d35510ccbc6fc42cef8864b291b2d220f4
Branch: v1.1.1-maint
Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63
Fixed by: d5f89a6dd725baf8bca1f1e28f5b858bf0053a99
Branch: v1.1.2-maint
Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63
Fixed by: 52c40003805f1702f103095dc5c3d00cf38e7a82
Branch: v1.1.3-maint
Broken in: v1.1.3.1
Broken in: v1.1.3.2
Fixed in: v1.1.3.3
Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63
Fixed by: 5904ba60159ce67826f301e78103191600a07600
Branch: v1.1.4-maint
Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63
Fixed by: 626eb91f964a032af56b448e63fde9f74e592290
Branch: v1.2.0-maint
Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63
Fixed by: 36378d1a41464517d7c31d8854fcfd8f69221409
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
10 years, 11 months
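The failure mode described in the notice above, as a simplified model added here (not the libxl driver's code; the `guest` and `node_bitmap` types and all function names are hypothetical). The unsafe shape is kept under `#if 0`; the hardened function checks the guest state and initialises the bitmap before any path can reach cleanup.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the driver's types; not libvirt or libxl code. */
enum { NUMA_OK = 0, NUMA_ERR_ARG = -1, NUMA_ERR_INACTIVE = -2, NUMA_ERR_QUERY = -3 };

struct node_bitmap {
    uint8_t *map;    /* heap storage, one bit per NUMA node */
    size_t size;     /* bytes allocated in map */
};

struct guest {
    int active;            /* 0 = shutoff, 1 = running */
    unsigned int nodes;    /* constructed sample: bitmask of nodes in use */
};

static void node_bitmap_init(struct node_bitmap *b)
{
    b->map = NULL;
    b->size = 0;
}

/* free(NULL) is a no-op, so disposing an initialised, empty bitmap is safe. */
static void node_bitmap_dispose(struct node_bitmap *b)
{
    free(b->map);
    node_bitmap_init(b);
}

/* Models the hypervisor query: it fills the bitmap only for a running guest
 * and leaves 'out' untouched on failure. */
static int query_node_affinity(const struct guest *g, struct node_bitmap *out)
{
    if (!g->active)
        return -1;
    out->map = malloc(sizeof(g->nodes));
    if (!out->map)
        return -1;
    out->size = sizeof(g->nodes);
    memcpy(out->map, &g->nodes, out->size);
    return 0;
}

#if 0
/* Unsafe shape (not compiled): 'nodemap' holds stack garbage when the query
 * fails for a shutoff guest, and cleanup hands that garbage to free(). */
static int get_numa_nodeset_unsafe(const struct guest *g, unsigned int *nodes)
{
    struct node_bitmap nodemap;          /* never initialised */
    int ret = -1;

    if (query_node_affinity(g, &nodemap) < 0)
        goto cleanup;
    memcpy(nodes, nodemap.map, sizeof(*nodes));
    ret = 0;
 cleanup:
    node_bitmap_dispose(&nodemap);       /* free() of an indeterminate pointer */
    return ret;
}
#endif

/* Hardened shape: returns NUMA_OK or one of the NUMA_ERR_* codes. */
static int get_numa_nodeset(const struct guest *g, unsigned int *nodes)
{
    struct node_bitmap nodemap;
    int ret = NUMA_ERR_ARG;

    node_bitmap_init(&nodemap);          /* cleanup is now safe on every path */

    if (!g || !nodes)
        goto cleanup;
    if (!g->active) {                    /* the state check that was missing */
        ret = NUMA_ERR_INACTIVE;
        goto cleanup;
    }
    if (query_node_affinity(g, &nodemap) < 0 || nodemap.size < sizeof(*nodes)) {
        ret = NUMA_ERR_QUERY;
        goto cleanup;
    }
    memcpy(nodes, nodemap.map, sizeof(*nodes));
    ret = NUMA_OK;
 cleanup:
    node_bitmap_dispose(&nodemap);
    return ret;
}

int main(void)
{
    struct guest running = { 1, 0x5u };  /* constructed: nodes 0 and 2 */
    struct guest shutoff = { 0, 0x5u };
    unsigned int nodes = 0;
    int rc;

    rc = get_numa_nodeset(&running, &nodes);
    printf("running: rc=%d nodes=0x%x\n", rc, nodes);
    printf("shutoff: rc=%d\n", get_numa_nodeset(&shutoff, &nodes));
    return 0;
}
```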
[libvirt] [PATCH v3] vbox: add support for v4.2.20+ and v4.3.4+
by Manuel VIVES
Hi,
While working on adding virDomain*Stats support to the vbox driver, we
found bugs in the VirtualBox API C bindings. These bugs have been fixed
in versions 4.2.20 and 4.3.4.
However, the changes in the C bindings are incompatible with the
vbox_CAPI_v4_2.h and vbox_CAPI_v4_3.h files which are bundled in libvirt
source code. This is why the following patch adds vbox_CAPI_v4_2_20.h
and vbox_CAPI_v4_3_4.h.
As stated by Matthias Bolte, the actual underlying problem here is that
libvirt assumes that VirtualBox API can only change between release versions
(4.2 -> 4.3), but we have a case here where it changed (or got fixed) between
minor versions (4.2.18 -> 4.2.20).
This patch makes the VBOX_API_VERSION represent the full API
version number (i.e. 4002 => 4002000) so there are specific version
numbers for Vbox 4.2.20 (4002020) and 4.3.4 (4003004).
As the patch is too big for the mailing list, it is publicly available
at http://git-lab.diateam.net/cots/libvirt.git/ with the branch name
'vbox-4.2.20-4.3.4-support-v3'
Regards,
Manuel VIVES
v3:
- Changed the commit message for being more precise.
- Resend after freeze.
10 years, 11 months
[libvirt] [PATCH 0/6] Coverity cleanups
by John Ferlan
A recent Coverity version update discovered some existing issues (and some
benign cases). This patch set cleans them all up.
John Ferlan (6):
VSMS: Coverity cleanups
libxkutil:pool_parsing: Coverity cleanups
libxkutil:device_parsing: Coverity cleanups
libxkutil/xml_parse_test: Coverity cleanup
RAFP: Coverity cleanup
EAFP: Coverity cleanup
libxkutil/device_parsing.c | 41 +++++++++++++++++--------------
libxkutil/pool_parsing.c | 39 +++++++++++++++--------------
libxkutil/xml_parse_test.c | 1 +
src/Virt_ElementAllocatedFromPool.c | 6 ++++-
src/Virt_ResourceAllocationFromPool.c | 7 ++++--
src/Virt_SettingsDefineCapabilities.c | 2 +-
src/Virt_VirtualSystemManagementService.c | 11 ++++++---
7 files changed, 63 insertions(+), 44 deletions(-)
--
1.8.4.2
10 years, 11 months
[libvirt] [RFC PATCH 0/7] Adding 'config' driver
by Adam Walters
This patchset adds a driver named 'config' that allows access to configuration data, such as secret and storage definitions. This is a pre-requisite for my next patchset which resolves the race condition on libvirtd startup and the circular dependencies between QEMU and the storage driver.
The basic rationale behind this idea is that there exist circumstances under which a driver may need to access things such as secrets during a time at which there is no active connection to a hypervisor. Without a connection, the data can't be accessed currently. I felt that this was a much simpler solution to the problem than building new APIs that do not require a connection to operate.
This driver is technically what one may call a hypervisor driver, but it does not implement any domain operations. It simply exists to handle requests by drivers for access to information that would otherwise require a connection. The URI used for this driver is 'config:///' and has been tested working on 4 different machines of mine, running three different distributions of Linux (Archlinux, Gentoo, and CentOS). Being a very simple driver, I would expect it to work pretty much anywhere.
I would love to hear any comments and suggestions you may have about this driver. At the very least this plus my next patchset resolves the startup race condition on my machine. If a more robust setup (likely a new internal API) is in the works, this driver could act as a band-aid to allow access to this type of data in the interim if a better resolution is a ways off.
Adam Walters (7):
config: Adding source for the config driver
config: Adding header for the config driver
virterror: Adding a new VIR_FROM_ define
libvirtd: Add config driver hooks
po: Add config_driver.c to POTFILES.in
configure: Add config driver to configure script
Makefile: Add config driver to src/Makefile.am
configure.ac | 10 ++
daemon/libvirtd.c | 21 ++--
include/libvirt/virterror.h | 2 +
po/POTFILES.in | 1 +
src/Makefile.am | 25 +++++
src/config/config_driver.c | 237 ++++++++++++++++++++++++++++++++++++++++++++
src/config/config_driver.h | 44 ++++++++
src/util/virerror.c | 2 +
8 files changed, 336 insertions(+), 6 deletions(-)
create mode 100644 src/config/config_driver.c
create mode 100644 src/config/config_driver.h
--
1.8.5.2
10 years, 11 months
[libvirt] [PATCH v2]qemu:sheepdog correct OR to AND Permit qemu to access sheepdog volume on sheepdog's pool
by joel SIMOES
From: root <joel.simoes(a)laposte.net>
---
src/qemu/qemu_conf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 7a0bee2..9cf2767 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -1403,7 +1403,7 @@ qemuTranslateDiskSourcePool(virConnectPtr conn,
def->srcpool->pooltype = pooldef->type;
def->srcpool->voltype = info.type;
- if ((def->srcpool->mode && pooldef->type != VIR_STORAGE_POOL_ISCSI) || (def->srcpool->mode != VIR_DOMAIN_DISK_SOURCE_POOL_MODE_DIRECT && pooldef->type == VIR_STORAGE_POOL_SHEEPDOG ) ) {
+ if ((def->srcpool->mode && pooldef->type != VIR_STORAGE_POOL_ISCSI ) && (def->srcpool->mode != VIR_DOMAIN_DISK_SOURCE_POOL_MODE_DIRECT && pooldef->type == VIR_STORAGE_POOL_SHEEPDOG ) ) {
virReportError(VIR_ERR_XML_ERROR, "%s",
_("disk source mode is only valid when "
"storage pool is of iscsi type or only direct for sheepdog "));
--
1.8.3.2
10 years, 11 months
[libvirt] [sec-notice PATCH 1/2] maint: typo fixes
by Eric Blake
Noticed this while working on some additions.
* docs/schema.txt: Typo fixes.
* README: Refer to the schema.
Signed-off-by: Eric Blake <eblake(a)redhat.com>
---
README | 5 +++--
docs/schema.txt | 6 +++---
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/README b/README
index 426d9ca..fa7f103 100644
--- a/README
+++ b/README
@@ -5,11 +5,12 @@ This repository records all Libvirt Security Notices that are
issued.
Notices must only added to this repository once any embargo is
-lifted, since the GIT repository is fully public
+lifted, since the GIT repository is fully public.
Notices are written in XML in a file "notices/$YEAR/$NUM.xml"
eg notices/2014/0001.xml. Assign numbers incrementally as
-new issues are reported.
+new issues are reported. More details on the XML format can
+be found in "docs/schema.txt".
When a new notice is published for the first time, send the
text rendering of the notice to the libvirt-announce(a)redhat.com
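Review bot: The unchanged context line "Notices must only added to this repository", directly above the sentence that gains its full stop, is still missing a "be". Since this is a typo-fix patch, it could be corrected to "Notices must only be added" in the same hunk.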
diff --git a/docs/schema.txt b/docs/schema.txt
index ca8203a..189abef 100644
--- a/docs/schema.txt
+++ b/docs/schema.txt
@@ -2,7 +2,7 @@
==============================
The top level element of a libvirt security notice has
-a name of "security-notice" and is in a XML namespace
+a name of "security-notice" and is in an XML namespace
of http://security.libvirt.org/xmlns/security-notice/1.0
Basic metadata
@@ -45,7 +45,7 @@ resources. It will have one or more child elements which
can be either "advisory" or "bug". An "advisory" element
includes a "type" and "id" attribute where "type" is
currently allowed to be "CVE" and "id" is the identifier
-of the report. A "bug" elements incudes "tracker" and
+of the report. A "bug" elements includes "tracker" and
"id" attribute where "tracker" is allowed to be "redhat",
"debian" or a short name for another vendors' bug tracker.
@@ -74,7 +74,7 @@ Product data
The "product" element provides information about the codebase
of the affected products. The "name" attribute is the name of
a libvirt product, typically based on the tar.gz archive name
-with the suffice stripped. This contains a child "repository"
+with the suffix stripped. This contains a child "repository"
element which is a URL to the master GIT repository. There is
then one or more "branch" elements which details the state of
affected branches.
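Review bot: The trailing context 'one or more "branch" elements which details the state' has a number mismatch that this typo pass could pick up as well; "which detail the state" reads correctly.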
--
1.8.4.2
10 years, 11 months