January 2014 - Devel - libvirt List Archives

[libvirt] [PATCH 0/2 v2] Fixes on shareable SCSI host device
by Osier Yang 23 Jan '14

23 Jan '14

*** BLURB HERE *** Osier Yang (2): util: Add "shareable" field for virSCSIDevice struct qemu: Don't fail if the SCSI host device is shareable between domains src/libvirt_private.syms | 3 +- src/qemu/qemu_cgroup.c | 3 +- src/qemu/qemu_hostdev.c | 84 ++++++++++++++++++++++------------------ src/security/security_apparmor.c | 3 +- src/security/security_dac.c | 6 ++- src/security/security_selinux.c | 6 ++- src/util/virscsi.c | 59 +++++++++++++++++++++++----- src/util/virscsi.h | 11 ++++-- 8 files changed, 116 insertions(+), 59 deletions(-) -- 1.8.1.4

2 12

[libvirt] [PATCH v3] virsh nodecpustats returns incorrect stats of cpu on Linux when the number of online cpu exceed 9.
by mars＠linux.vnet.ibm.com 23 Jan '14

23 Jan '14

From: Bing Bu Cao <mars(a)linux.vnet.ibm.com> To retrieve node cpu statistics on Linux system, the linuxNodeGetCPUstats function simply uses STRPREFIX() to match the cpuid with the cpuid read from /proc/stat, it will cause obvious error. For example: 'virsh nodecpustats 1' will display stats of cpu1* if the latter is online and cpu1 is offline. This patch fixes this bug. Signed-off-by: Bing Bu Cao <mars(a)linux.vnet.ibm.com> --- src/nodeinfo.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/nodeinfo.c b/src/nodeinfo.c index 05bc038..cf6d29b 100644 --- a/src/nodeinfo.c +++ b/src/nodeinfo.c @@ -691,7 +691,7 @@ linuxNodeGetCPUStats(FILE *procstat, char line[1024]; unsigned long long usr, ni, sys, idle, iowait; unsigned long long irq, softirq, steal, guest, guest_nice; - char cpu_header[3 + INT_BUFSIZE_BOUND(cpuNum)]; + char cpu_header[4 + INT_BUFSIZE_BOUND(cpuNum)]; if ((*nparams) == 0) { /* Current number of cpu stats supported by linux */ @@ -708,9 +708,9 @@ linuxNodeGetCPUStats(FILE *procstat, } if (cpuNum == VIR_NODE_CPU_STATS_ALL_CPUS) { - strcpy(cpu_header, "cpu"); + strcpy(cpu_header, "cpu "); } else { - snprintf(cpu_header, sizeof(cpu_header), "cpu%d", cpuNum); + snprintf(cpu_header, sizeof(cpu_header), "cpu%d ", cpuNum); } while (fgets(line, sizeof(line), procstat) != NULL) { -- 1.7.7.6

2 1

[libvirt] [PATCH] util: Correct the NUMA node range checking
by Osier Yang 23 Jan '14

23 Jan '14

There are 2 issues here: First we shouldn't add "1" to the return value of numa_max_node(), since the semanteme of the error message was changed, it's not saying about the number of total NUMA nodes anymore. Second, the value of "bit" is the position of the first bit which exceeds either numa_max_node() or NUMA_NUM_NODES, it can be any number in the range, so saying "bigger than $bit" is quite confused now. For example, assuming there is a NUMA machine which has 10 NUMA nodes, and one specifies the "nodeset" as "0,5,88", the error message will be like: Nodeset is out of range, host cannot support NUMA node bigger than 88 It sounds like all NUMA node number less than 88 is fine, but actually the maximum NUMA node number the machine supports is 9. This patch fixes the issues by removing the addition with "1" and simplifies the error message as "NUMA node $bit is out of range". --- src/util/virnuma.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/src/util/virnuma.c b/src/util/virnuma.c index ab46591..500dca7 100644 --- a/src/util/virnuma.c +++ b/src/util/virnuma.c @@ -99,7 +99,6 @@ virNumaSetupMemoryPolicy(virNumaTuneDef numatune, int ret = -1; int bit = 0; size_t i; - int maxnode = 0; virBitmapPtr tmp_nodemask = NULL; if (numatune.memory.placement_mode == @@ -122,16 +121,13 @@ virNumaSetupMemoryPolicy(virNumaTuneDef numatune, return -1; } - maxnode = numa_max_node() + 1; - /* Convert nodemask to NUMA bitmask. */ nodemask_zero(&mask); bit = -1; while ((bit = virBitmapNextSetBit(tmp_nodemask, bit)) >= 0) { - if (bit > maxnode || bit > NUMA_NUM_NODES) { + if (bit > numa_max_node() || bit > NUMA_NUM_NODES) { virReportError(VIR_ERR_INTERNAL_ERROR, - _("Nodeset is out of range, host cannot support " - "NUMA node bigger than %d"), bit); + _("NUMA node %d is out of range"), bit); return -1; } nodemask_set(&mask, bit); -- 1.8.1.4

2 2

[libvirt] mingw64 + gnulib time.h / pthread.h / gmtime_r incompatibility
by Daniel P. Berrange 23 Jan '14

23 Jan '14

I'm attempting to make libvirt capable of building with mingw64 toolchain's pthread.h, instead of directly using Windows thread primitives. As a quick hack I just changed libvirt logic to force use of pthreads, since configure is already doing the neccessary pthread.h probes for us even on win32 eg diff --git a/src/util/virthread.c b/src/util/virthread.c index dd1768e..8849d7d 100644 --- a/src/util/virthread.c +++ b/src/util/virthread.c @@ -25,7 +25,7 @@ /* On mingw, we prefer native threading over the sometimes-broken * pthreads-win32 library wrapper. */ -#ifdef WIN32 +#ifdef WINx32 # include "virthreadwin32.c" #elif defined HAVE_PTHREAD_MUTEXATTR_INIT # include "virthreadpthread.c" diff --git a/src/util/virthread.h b/src/util/virthread.h index 84d3bdc..649285e 100644 --- a/src/util/virthread.h +++ b/src/util/virthread.h @@ -111,7 +111,7 @@ int virThreadLocalInit(virThreadLocalPtr l, void *virThreadLocalGet(virThreadLocalPtr l); int virThreadLocalSet(virThreadLocalPtr l, void*) ATTRIBUTE_RETURN_CHECK; -# ifdef WIN32 +# ifdef WINx32 # include "virthreadwin32.h" # elif defined HAVE_PTHREAD_MUTEXATTR_INIT # include "virthreadpthread.h" When attempting to build though I see failures CC util/libvirt_util_la-virerror.lo In file included from /usr/i686-w64-mingw32/sys-root/mingw/include/sys/time.h:10:0, from ../gnulib/lib/sys/time.h:39, from ../gnulib/lib/sys/select.h:117, from util/virutil.h:31, from util/virerror.c:35: ../gnulib/lib/time.h:468:21: error: expected identifier or '(' before '{' token _GL_FUNCDECL_SYS (localtime_r, struct tm *, (time_t const *restrict __timer, ^ In file included from /usr/i686-w64-mingw32/sys-root/mingw/include/sys/time.h:10:0, from ../gnulib/lib/sys/time.h:39, from ../gnulib/lib/sys/select.h:117, from util/virutil.h:31, from util/virerror.c:35: ../gnulib/lib/time.h:490:21: error: expected identifier or '(' before '{' token _GL_FUNCDECL_SYS (gmtime_r, struct tm *, (time_t const *restrict __timer, ^ The problem appears to be that mingw64's pthread.h has the following craziness: /* Recursive API emulation. */ #undef localtime_r #define localtime_r(_Time, _Tm) ({ struct tm *___tmp_tm; \ pthread_testcancel(); \ ___tmp_tm = localtime((_Time));\ if (___tmp_tm) { \ *(_Tm) = *___tmp_tm; \ ___tmp_tm = (_Tm); \ } \ ___tmp_tm; }) #undef gmtime_r #define gmtime_r(_Time,_Tm) ({ struct tm *___tmp_tm; \ pthread_testcancel(); \ ___tmp_tm = gmtime((_Time)); \ if (___tmp_tm) { \ *(_Tm) = *___tmp_tm; \ ___tmp_tm = (_Tm); \ } \ ___tmp_tm; }) which clashes with the gnulib provided declarations for gmtime_r/localtime_r gnulib appears to be trying to workaround this problem already - the generated gnulib/lib/time.h file shows this though, which indicates its workaround hasn't been activated by 'configure': /* Some systems don't define struct timespec (e.g., AIX 4.1, Ultrix 4.3). Or they define it with the wrong member names or define it in <sys/time.h> (e.g., FreeBSD circa 1997). Stock Mingw does not define it, but the pthreads-win32 library defines it in <pthread.h>. */ # if ! 1 # if 0 # include <sys/time.h> # elif 0 # include <pthread.h> /* The pthreads-win32 <pthread.h> also defines a couple of broken macros. */ # undef asctime_r # undef ctime_r # undef gmtime_r # undef localtime_r # undef rand_r # undef strtok_r # else ie I would have expected that 'elif' to be 1 instead of 0. It seems the logic in gnulib/m4/time_h.m4 is incorrect. The configure check shows checking for struct timespec in <time.h>... yes and so time_h.m4 never gets as far as trying to detect the broken pthreads.h - its hidden in an unreachable else block. Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

2 2

[libvirt] [PATCH] api: require write permission for guest agent interaction
by Eric Blake 22 Jan '14

22 Jan '14

I noticed that we allow virDomainGetVcpusFlags even for read-only connections, but that with a flag, it can require guest agent interaction. It is feasible that a malicious guest could intentionally abuse the replies it sends over the guest agent connection to possibly trigger a bug in libvirt's JSON parser, or withhold an answer so as to prevent the use of the agent in a later command such as a shutdown request. Although we don't know of any such exploits now (and therefore don't mind posting this patch publicly without trying to get a CVE assigned), it is better to err on the side of caution and explicitly require full access to any domain where the API requires guest interaction to operate correctly. I audited all commands that are marked as conditionally using a guest agent. Note that at least virDomainFSTrim is documented as needing a guest agent, but that such use is unconditional depending on the hypervisor (so the existing domain:fs_trim ACL should be sufficient there, rather than also requirng domain:write). But when designing future APIs, such as the plans for obtaining a domain's IP addresses, we should copy the approach of this patch in making interaction with the guest be specified via a flag, and use that flag to also require stricter access checks. * src/libvirt.c (virDomainGetVcpusFlags): Forbid guest interaction on read-only connection. (virDomainShutdownFlags, virDomainReboot): Improve docs on agent interaction. * src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_SNAPSHOT_CREATE_XML) (REMOTE_PROC_DOMAIN_SET_VCPUS_FLAGS) (REMOTE_PROC_DOMAIN_GET_VCPUS_FLAGS, REMOTE_PROC_DOMAIN_REBOOT) (REMOTE_PROC_DOMAIN_SHUTDOWN_FLAGS): Require domain:write for any conditional use of a guest agent. * src/xen/xen_driver.c: Fix clients. * src/libxl/libxl_driver.c: Likewise. * src/uml/uml_driver.c: Likewise. * src/qemu/qemu_driver.c: Likewise. * src/lxc/lxc_driver.c: Likewise. Signed-off-by: Eric Blake <eblake(a)redhat.com> --- src/libvirt.c | 12 +++++++++--- src/libxl/libxl_driver.c | 6 +++--- src/lxc/lxc_driver.c | 4 ++-- src/qemu/qemu_driver.c | 8 ++++---- src/remote/remote_protocol.x | 5 +++++ src/uml/uml_driver.c | 2 +- src/xen/xen_driver.c | 6 +++--- 7 files changed, 27 insertions(+), 16 deletions(-) diff --git a/src/libvirt.c b/src/libvirt.c index 6a41fd7..c15e29a 100644 --- a/src/libvirt.c +++ b/src/libvirt.c @@ -3134,6 +3134,9 @@ error: * in which the hypervisor tries each shutdown method is undefined, * and a hypervisor is not required to support all methods. * + * To use guest agent (VIR_DOMAIN_SHUTDOWN_GUEST_AGENT) the domain XML + * must have <channel> configured. + * * Returns 0 in case of success and -1 in case of failure. */ int @@ -3180,7 +3183,7 @@ error: * * If @flags is set to zero, then the hypervisor will choose the * method of shutdown it considers best. To have greater control - * pass one or more of the virDomainShutdownFlagValues. The order + * pass one or more of the virDomainRebootFlagValues. The order * in which the hypervisor tries each shutdown method is undefined, * and a hypervisor is not required to support all methods. * @@ -9347,7 +9350,7 @@ error: * current virtual CPU count. * * If @flags includes VIR_DOMAIN_VCPU_GUEST, then the state of the processors - * is modified in the guest instead of the hypervisor. This flag is only usable + * is queried in the guest instead of the hypervisor. This flag is only usable * on live domains. Guest agent may be needed for this flag to be available. * * Returns the number of vCPUs in case of success, -1 in case of failure. @@ -9362,6 +9365,10 @@ virDomainGetVcpusFlags(virDomainPtr domain, unsigned int flags) virResetLastError(); virCheckDomainReturn(domain, -1); + conn = domain->conn; + + if (flags & VIR_DOMAIN_VCPU_GUEST) + virCheckReadOnlyGoto(conn->flags, error); /* At most one of these two flags should be set. */ if ((flags & VIR_DOMAIN_AFFECT_LIVE) && @@ -9372,7 +9379,6 @@ virDomainGetVcpusFlags(virDomainPtr domain, unsigned int flags) __FUNCTION__); goto error; } - conn = domain->conn; if (conn->driver->domainGetVcpusFlags) { int ret; diff --git a/src/libxl/libxl_driver.c b/src/libxl/libxl_driver.c index 4115fff..fc0efa2 100644 --- a/src/libxl/libxl_driver.c +++ b/src/libxl/libxl_driver.c @@ -1409,7 +1409,7 @@ libxlDomainShutdownFlags(virDomainPtr dom, unsigned int flags) if (!(vm = libxlDomObjFromDomain(dom))) goto cleanup; - if (virDomainShutdownFlagsEnsureACL(dom->conn, vm->def) < 0) + if (virDomainShutdownFlagsEnsureACL(dom->conn, vm->def, flags) < 0) goto cleanup; if (!virDomainObjIsActive(vm)) { @@ -1456,7 +1456,7 @@ libxlDomainReboot(virDomainPtr dom, unsigned int flags) if (!(vm = libxlDomObjFromDomain(dom))) goto cleanup; - if (virDomainRebootEnsureACL(dom->conn, vm->def) < 0) + if (virDomainRebootEnsureACL(dom->conn, vm->def, flags) < 0) goto cleanup; if (!virDomainObjIsActive(vm)) { @@ -2316,7 +2316,7 @@ libxlDomainGetVcpusFlags(virDomainPtr dom, unsigned int flags) if (!(vm = libxlDomObjFromDomain(dom))) goto cleanup; - if (virDomainGetVcpusFlagsEnsureACL(dom->conn, vm->def) < 0) + if (virDomainGetVcpusFlagsEnsureACL(dom->conn, vm->def, flags) < 0) goto cleanup; active = virDomainObjIsActive(vm); diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c index 4c2744d..4c716ef 100644 --- a/src/lxc/lxc_driver.c +++ b/src/lxc/lxc_driver.c @@ -2721,7 +2721,7 @@ lxcDomainShutdownFlags(virDomainPtr dom, priv = vm->privateData; - if (virDomainShutdownFlagsEnsureACL(dom->conn, vm->def) < 0) + if (virDomainShutdownFlagsEnsureACL(dom->conn, vm->def, flags) < 0) goto cleanup; if (!virDomainObjIsActive(vm)) { @@ -2798,7 +2798,7 @@ lxcDomainReboot(virDomainPtr dom, priv = vm->privateData; - if (virDomainRebootEnsureACL(dom->conn, vm->def) < 0) + if (virDomainRebootEnsureACL(dom->conn, vm->def, flags) < 0) goto cleanup; if (!virDomainObjIsActive(vm)) { diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 7059f7a..8006882 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -1835,7 +1835,7 @@ static int qemuDomainShutdownFlags(virDomainPtr dom, unsigned int flags) { if (agentRequested || (!flags && priv->agent)) useAgent = true; - if (virDomainShutdownFlagsEnsureACL(dom->conn, vm->def) < 0) + if (virDomainShutdownFlagsEnsureACL(dom->conn, vm->def, flags) < 0) goto cleanup; if (priv->agentError) { @@ -1936,7 +1936,7 @@ qemuDomainReboot(virDomainPtr dom, unsigned int flags) priv = vm->privateData; - if (virDomainRebootEnsureACL(dom->conn, vm->def) < 0) + if (virDomainRebootEnsureACL(dom->conn, vm->def, flags) < 0) goto cleanup; if ((flags & VIR_DOMAIN_REBOOT_GUEST_AGENT) || @@ -4898,7 +4898,7 @@ qemuDomainGetVcpusFlags(virDomainPtr dom, unsigned int flags) priv = vm->privateData; - if (virDomainGetVcpusFlagsEnsureACL(dom->conn, vm->def) < 0) + if (virDomainGetVcpusFlagsEnsureACL(dom->conn, vm->def, flags) < 0) goto cleanup; if (!(caps = virQEMUDriverGetCapabilities(driver, false))) @@ -13070,7 +13070,7 @@ qemuDomainSnapshotCreateXML(virDomainPtr domain, cfg = virQEMUDriverGetConfig(driver); - if (virDomainSnapshotCreateXMLEnsureACL(domain->conn, vm->def) < 0) + if (virDomainSnapshotCreateXMLEnsureACL(domain->conn, vm->def, flags) < 0) goto cleanup; if (!(caps = virQEMUDriverGetCapabilities(driver, false))) diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x index 5a82395..8238405 100644 --- a/src/remote/remote_protocol.x +++ b/src/remote/remote_protocol.x @@ -3185,6 +3185,7 @@ enum remote_procedure { /** * @generate: both * @acl: domain:init_control + * @acl: domain:write:VIR_DOMAIN_REBOOT_GUEST_AGENT */ REMOTE_PROC_DOMAIN_REBOOT = 27, @@ -4278,6 +4279,7 @@ enum remote_procedure { /** * @generate: both * @acl: domain:snapshot + * @acl: domain:write:VIR_DOMAIN_SNAPSHOT_CREATE_QUIESCE */ REMOTE_PROC_DOMAIN_SNAPSHOT_CREATE_XML = 185, @@ -4370,12 +4372,14 @@ enum remote_procedure { * @acl: domain:write * @acl: domain:save:!VIR_DOMAIN_AFFECT_CONFIG|VIR_DOMAIN_AFFECT_LIVE * @acl: domain:save:VIR_DOMAIN_AFFECT_CONFIG + * @acl: domain:write:VIR_DOMAIN_VCPU_GUEST */ REMOTE_PROC_DOMAIN_SET_VCPUS_FLAGS = 199, /** * @generate: both * @acl: domain:read + * @acl: domain:write:VIR_DOMAIN_VCPU_GUEST */ REMOTE_PROC_DOMAIN_GET_VCPUS_FLAGS = 200, @@ -4762,6 +4766,7 @@ enum remote_procedure { /** * @generate: both * @acl: domain:init_control + * @acl: domain:write:VIR_DOMAIN_SHUTDOWN_GUEST_AGENT */ REMOTE_PROC_DOMAIN_SHUTDOWN_FLAGS = 258, diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c index f286f41..89afefe 100644 --- a/src/uml/uml_driver.c +++ b/src/uml/uml_driver.c @@ -1635,7 +1635,7 @@ static int umlDomainShutdownFlags(virDomainPtr dom, goto cleanup; } - if (virDomainShutdownFlagsEnsureACL(dom->conn, vm->def) < 0) + if (virDomainShutdownFlagsEnsureACL(dom->conn, vm->def, flags) < 0) goto cleanup; #if 0 diff --git a/src/xen/xen_driver.c b/src/xen/xen_driver.c index 65c3a5c..c45d980 100644 --- a/src/xen/xen_driver.c +++ b/src/xen/xen_driver.c @@ -952,7 +952,7 @@ xenUnifiedDomainShutdownFlags(virDomainPtr dom, if (!(def = xenGetDomainDefForDom(dom))) goto cleanup; - if (virDomainShutdownFlagsEnsureACL(dom->conn, def) < 0) + if (virDomainShutdownFlagsEnsureACL(dom->conn, def, flags) < 0) goto cleanup; ret = xenDaemonDomainShutdown(dom->conn, def); @@ -979,7 +979,7 @@ xenUnifiedDomainReboot(virDomainPtr dom, unsigned int flags) if (!(def = xenGetDomainDefForDom(dom))) goto cleanup; - if (virDomainRebootEnsureACL(dom->conn, def) < 0) + if (virDomainRebootEnsureACL(dom->conn, def, flags) < 0) goto cleanup; ret = xenDaemonDomainReboot(dom->conn, def); @@ -1526,7 +1526,7 @@ xenUnifiedDomainGetVcpusFlags(virDomainPtr dom, unsigned int flags) if (!(def = xenGetDomainDefForDom(dom))) goto cleanup; - if (virDomainGetVcpusFlagsEnsureACL(dom->conn, def) < 0) + if (virDomainGetVcpusFlagsEnsureACL(dom->conn, def, flags) < 0) goto cleanup; ret = xenUnifiedDomainGetVcpusFlagsInternal(dom, def, flags); -- 1.8.4.2

2 2

[libvirt] LSN-2013-0020: libvirtd crash when hot-plugging disks for qemu domains
by Eric Blake 22 Jan '14

22 Jan '14

Libvirt Security Notice: LSN-2013-0020 ====================================== Summary: libvirtd crash when hot-plugging disks for qemu domains Reported on: 20131220 Published on: 20131213 Fixed on: 20140107 Reported by: Alexandre M <alexandre.mclean(a)ubisoft.com> Patched by: Jiri Denemark <jdenemar(a)redhat.com> See also: CVE-2013-6458, redhat bug #1043069 Description ----------- Several methods in the qemu block driver were accessing details about disks associated with a domain outside of a job lock. If another connection is adding or removing disks, the details in use by the first connection could become stale and lead to a libvirtd crash. Among the methods impacted, it is possible to trigger the race from four APIs accessible from read-only clients: virDomainBlockStats, virDomainGetBlockInfo, virDomainGetBlockJobInfo, and virDomainGetBlockIoTune. Impact ------ Each of the four affected APIs could be used by any user that can connect through the read-only libvirtd UNIX domain socket. Also, if ACLs are active, access to the affected APIs is granted to any user with the 'read' permission on the 'domain' object, which is granted by default to all users. As a result an unprivileged user will be able to inflict a denial of service attack on other users of the libvirtd daemon with higher privilege. Workaround ---------- The impact can be mitigated by blocking access to the read-only libvirtd UNIX domain socket, with policykit or the 'auth_unix_ro' parameter in '/etc/libvirt/libvirtd.conf'. If ACLs are active, the 'read' permission should be removed from any untrusted users. This will not prevent the crash, but will stop unprivileged users from inflicting the denial of service on higher privileged users. Additionally, avoiding disk hot-plug actions is sufficient to avoid the problem. Affected product ---------------- Name: libvirt Repository: git://libvirt.org/git/libvirt.git http://libvirt.org/git/?p=libvirt.git Branch: master Broken in: v0.8.2 Broken in: v0.8.3 Broken in: v0.8.4 Broken in: v0.8.5 Broken in: v0.8.6 Broken in: v0.8.7 Broken in: v0.8.8 Broken in: v0.9.0 Broken in: v0.9.1 Broken in: v0.9.2 Broken in: v0.9.3 Broken in: v0.9.4 Broken in: v0.9.5 Broken in: v0.9.6 Broken in: v0.9.7 Broken in: v0.9.8 Broken in: v0.9.9 Broken in: v0.9.10 Broken in: v0.9.11 Broken in: v0.9.12 Broken in: v0.9.13 Broken in: v0.10.0 Broken in: v0.10.1 Broken in: v0.10.2 Broken in: v1.0.0 Broken in: v1.0.1 Broken in: v1.0.2 Broken in: v1.0.3 Broken in: v1.0.4 Broken in: v1.0.5 Broken in: v1.0.6 Broken in: v1.1.0 Broken in: v1.1.1 Broken in: v1.1.2 Broken in: v1.1.3 Broken in: v1.1.4 Broken in: v1.2.0 Fixed in: v1.2.1 Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: db86da5ca2109e4006c286a09b6c75bfe10676ad Fixed by: b799259583bd65c0b2f5042e6c3ff19637ade881 Fixed by: f93d2caa070f6197ab50d372d286018b0ba6bbd8 Fixed by: 3b56425938e2f97208d5918263efa0d6439e4ecd Branch: v0.8.3-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Branch: v0.9.6-maint Broken in: v0.9.6.1 Broken in: v0.9.6.2 Broken in: v0.9.6.3 Broken in: v0.9.6.4 Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Branch: v0.9.11-maint Broken in: v0.9.11.1 Broken in: v0.9.11.2 Broken in: v0.9.11.3 Broken in: v0.9.11.4 Broken in: v0.9.11.5 Broken in: v0.9.11.6 Broken in: v0.9.11.7 Broken in: v0.9.11.8 Broken in: v0.9.11.9 Broken in: v0.9.11.10 Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Branch: v0.9.12-maint Broken in: v0.9.12.1 Broken in: v0.9.12.2 Fixed in: v0.9.12.3 Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: c430c002dd8287c5d7b834993ddfbd61435248c4 Fixed by: 4dd29d3bdf4bf3a4c4b1077ddf4355bcf548ca2f Fixed by: 3e7d9e54e9ce286fe1bee5d32089cd58d63e5cee Fixed by: 2786686eb5855e0046817d47055cd784881ca8cb Branch: v0.10.2-maint Broken in: v0.10.2.1 Broken in: v0.10.2.2 Broken in: v0.10.2.3 Broken in: v0.10.2.4 Broken in: v0.10.2.5 Broken in: v0.10.2.6 Broken in: v0.10.2.7 Broken in: v0.10.2.8 Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: 5f5e9eb23dead857b1858da8b97a6cb0442fabed Fixed by: 7a9bcfa1ccc190e33e6fa931df8143cc9623cf24 Fixed by: 95836cb26b1d91b8e9eba0c4764bc24cccc78684 Fixed by: f59d02c487659e9d9f8e152673a0fe4d612172b2 Branch: v1.0.2-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: 561b03f9165a860139edd3c03bb3e35a2c2f85ca Fixed by: 324279f2c867f404712c659adc4f399f8d343eda Fixed by: c973eb035ee0d8863d0f2ed25f0523e3e7fee433 Fixed by: d0a4e2498d7d3b1cf1683b0720b9bc6edabcd364 Branch: v1.0.3-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: 59d46c6cd5cb892ce68e83c99c14023f29e073a7 Fixed by: 12ca0aaf2fc32647d3a570780a2c7467a26b0ecd Fixed by: da2d96d12521a20305d0ea3190539e1c4b367d75 Fixed by: c51986ba820dde30e48b4f1694862c3cf4d8b7ec Branch: v1.0.4-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: d003b8f294801adfc655096cfc80480e7f2e17ae Fixed by: e966f1155ccb1c4e3ddc41a02b1107af2d98f98d Fixed by: fa5c087aef266e27a0641c720bbbf95cd5ace6b1 Fixed by: 473b751d895d248f37766bab32e20ee00ac3913a Branch: v1.0.5-maint Broken in: v1.0.5.1 Broken in: v1.0.5.2 Broken in: v1.0.5.3 Broken in: v1.0.5.4 Broken in: v1.0.5.5 Broken in: v1.0.5.6 Broken in: v1.0.5.7 Broken in: v1.0.5.8 Fixed in: v1.0.5.9 Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: c67b0de046b16dca352537e8f39ff935a5fded76 Fixed by: 923319189022c5806da01b963dddd8dff0d6c747 Fixed by: 6cd879829aaf02f56182feb16b4284d5b3fdcfd7 Fixed by: dee5fc756648e62062da3366583fc343413e1ba7 Branch: v1.0.6-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: 938ef6e611b39630b00b368b8b8d7db7e619ed99 Fixed by: 6eae1538c1d5b7aaee34f3ca81389906d8af0626 Fixed by: 8bdc22d281105fe32c85da58faf817ab9b2da369 Fixed by: ac8feea58029fea294c3c60c220592ca7c9734c8 Branch: v1.1.0-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: 5efb996317f1f8a57fea625526075be9ef84e69c Fixed by: c1f8276a81de8d31578f16cc6bfdafc5e807427d Fixed by: 1478ebf2bcadbaf3b66d9e91086bcca39a41bb65 Fixed by: 8cc2474f0645fab308090f477e98317b0dff485f Branch: v1.1.1-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: 84c251faec7a0003863fe1c9b1abc7960f395faa Fixed by: 3451828a28a333e570af621eceb93245763fa044 Fixed by: 571629b2dfd2eeb8001efddac2569b12621d1db3 Fixed by: c5b379e17daa2f641363712212a18b3b31cacdea Branch: v1.1.2-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: 17db7e28a1ec77382bb8fa96205ef2cf6deefa88 Fixed by: 54cb7f05ec5c822bb786833367dc80327648f2c0 Fixed by: bcb9a035a99cf8389069c401c94605aedccdc4df Fixed by: 82daa87f6a020ba2d1274b300f8e95f903fbe0f8 Branch: v1.1.3-maint Broken in: v1.1.3.1 Broken in: v1.1.3.2 Fixed in: v1.1.3.3 Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: 1bfc35e3f837ab7b399fe664281b7db06db96a05 Fixed by: 0e98442e3bcbf832f49a6d36f94558bb026e3f3a Fixed by: 7354aaf4607beaa9f4a6d68e3b26a28c97494e58 Fixed by: a7844b9ec2718dad9f5e5316cc0673e95098d812 Branch: v1.1.4-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: c8fa19d9e385d8bae368385aece1c3f493be4e71 Fixed by: 4ee6ed6f50a71868fbb8a5f28edbcfd7170f5bf5 Fixed by: 36c1691c6d61aa5a0d9a65d64bc3af3e15692d62 Fixed by: 8fcc0f0237f728361065caf6fac0fce1965230a0 Branch: v1.2.0-maint Broken by: ebb0c19c48690f0598de954f8e0e9d4d29d48b85 Broken by: 18c2a592064d69499f70428e498f4a3cb5161cda Broken by: b976165ca4d82788be77d14843a4d079139539ba Broken by: eca96694a7f992be633d48d5ca03cedc9bbc3c9a Fixed by: 13051a86cb093d4c421a8669ccd7591578d004aa Fixed by: 3a0286f978c19ecc7b2ef2242b33688239428f85 Fixed by: 4d8c603ca2cb1fb70c0e0d2e0d51d1fe3261c7b9 Fixed by: c6fbbe85aa496d178d5e4188bee166a5abb97029 -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org

1 0

[libvirt] LSN-2013-0019: libvirtd crash when reading numa tunables for libxl guest in shutoff status
by Eric Blake 22 Jan '14

22 Jan '14

Libvirt Security Notice: LSN-2013-0019 ====================================== Summary: libvirtd crash when reading numa tunables for libxl guest in shutoff status Reported on: 20131220 Published on: 20131220 Fixed on: 20131220 Reported by: Dario Faggioli <dario.faggioli(a)citrix.com> Patched by: Dario Faggioli <dario.faggioli(a)citrix.com> See also: CVE-2013-6457 Description ----------- The libxlDomainGetNumaParameters method in the libxl driver did not check whether the guest being accessed was running or not. When shutoff, the code attempts to clean up an uninitialized bitmap, causing malloc corruption most commonly observed as a crash. Impact ------ A user who has permission to invoke the virDomainGetNumaParameters API against the libxl driver will be able to crash the libvirtd daemon. Access to this API is granted to any user who connects to the read-only libvirtd UNIX domain socket. If ACLs are active, access is granted to any user with the 'read' permission on the 'domain' object, which is granted by default to all users. As a result an unprivileged user will be able to inflict a denial of service attack on other users of the libvirtd daemon with higher privilege. Workaround ---------- The impact can be mitigated by blocking access to the read-only libvirtd UNIX domain socket, with policykit or the 'auth_unix_ro' parameter in '/etc/libvirt/libvirtd.conf'. If ACLs are active, the 'read' permission should be removed from any untrusted users. This will not prevent the crash, but will stop unprivileged users from inflicting the denial of service on higher privileged users. Affected product ---------------- Name: libvirt Repository: git://libvirt.org/git/libvirt.git http://libvirt.org/git/?p=libvirt.git Branch: master Broken in: v1.1.1 Broken in: v1.1.2 Broken in: v1.1.3 Broken in: v1.1.4 Broken in: v1.2.0 Fixed in: v1.2.1 Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63 Fixed by: f9ee91d35510ccbc6fc42cef8864b291b2d220f4 Branch: v1.1.1-maint Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63 Fixed by: d5f89a6dd725baf8bca1f1e28f5b858bf0053a99 Branch: v1.1.2-maint Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63 Fixed by: 52c40003805f1702f103095dc5c3d00cf38e7a82 Branch: v1.1.3-maint Broken in: v1.1.3.1 Broken in: v1.1.3.2 Fixed in: v1.1.3.3 Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63 Fixed by: 5904ba60159ce67826f301e78103191600a07600 Branch: v1.1.4-maint Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63 Fixed by: 626eb91f964a032af56b448e63fde9f74e592290 Branch: v1.2.0-maint Broken by: 261c4f5fb93c5e23b8002f2760d4a7937cdb7f63 Fixed by: 36378d1a41464517d7c31d8854fcfd8f69221409 -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org

1 0

[libvirt] [PATCH v3] vbox: add support for v4.2.20+ and v4.3.4+
by Manuel VIVES 22 Jan '14

22 Jan '14

Hi, While working on adding virDomain*Stats support to the vbox driver, we found bugs in the VirtualBox API C bindings. These bugs have been fixed in versions 4.2.20 and 4.3.4. However, the changes in the C bindings are incompatible with the vbox_CAPI_v4_2.h and vbox_CAPI_v4_3.h files which are bundled in libvirt source code. This is why the following patch adds vbox_CAPI_v4_2_20.h and vbox_CAPI_v4_3_4.h. As stated by Matthias Bolte, the actual underlying problem here is that libvirt assumes that VirtualBox API can only change between release versions (4.2 -> 4.3), but we have a case here where it changed (or got fixed) between minor versions (4.2.18 -> 4.2.20). This patch makes the VBOX_API_VERSION represent the full API version number (i.e 4002 => 4002000) so there are specific version numbers for Vbox 4.2.20 (4002020) and 4.3.4 (4003004) As the patch is too big for the mailing list, it is publicly available at http://git-lab.diateam.net/cots/libvirt.git/ with the branch name 'vbox-4.2.20-4.3.4-support-v3' Regards, Manuel VIVES v3: - Changed the commit message for being more precise. - Resend after freeze.

2 1

[libvirt] [PATCH 0/6] Coverity cleanups
by John Ferlan 22 Jan '14

22 Jan '14

A recent Coverity version update discovered some existing issues (and some benign cases). This patch set cleans them all up. John Ferlan (6): VSMS: Coverity cleanups libxkutil:pool_parsing: Coverity cleanups libxkutil:device_parsing: Coverity cleanups libxkutil/xml_parse_test: Coverity cleanup RAFP: Coverity cleanup EAFP: Coverity cleanup libxkutil/device_parsing.c | 41 +++++++++++++++++-------------- libxkutil/pool_parsing.c | 39 +++++++++++++++-------------- libxkutil/xml_parse_test.c | 1 + src/Virt_ElementAllocatedFromPool.c | 6 ++++- src/Virt_ResourceAllocationFromPool.c | 7 ++++-- src/Virt_SettingsDefineCapabilities.c | 2 +- src/Virt_VirtualSystemManagementService.c | 11 ++++++--- 7 files changed, 63 insertions(+), 44 deletions(-) -- 1.8.4.2

2 10

[libvirt] [RFC PATCH 0/7] Adding 'config' driver
by Adam Walters 22 Jan '14

22 Jan '14

This patchset adds a driver named 'config' that allows access to configuration data, such as secret and storage definitions. This is a pre-requisite for my next patchset which resolves the race condition on libvirtd startup and the circular dependencies between QEMU and the storage driver. The basic rationale behind this idea is that there exist circumstances under which a driver may need to access things such as secrets during a time at which there is no active connection to a hypervisor. Without a connection, the data can't be accessed currently. I felt that this was a much simpler solution to the problem that building new APIs that do not require a connection to operate. This driver is technically what one may call a hypervisor driver, but it does not implement any domain operations. It simply exists to handle requests by drivers for access to informatino that would otherwise require a connection. The URI used for this driver is 'config:///' and has been tested working on 4 different machines of mine, running three different distributions of Linux (Archlinux, Gentoo, and CentOS). Being a very simple driver, I would expect it to work pretty much anywhere. I would love to hear any comments and suggestions you may have about this driver. At the very least this plus my next patchset resolves the startup race condition on my machine. If a more robust setup (likely a new internal API) is in the works, this driver could act as a band-aid to allow access to this type of data in the interim if a better resolution is a ways off. Adam Walters (7): config: Adding source for the config driver config: Adding header for the config driver virterror: Adding a new VIR_FROM_ define libvirtd: Add config driver hooks po: Add config_driver.c to POTFILES.in configure: Add config driver to configure script Makefile: Add config driver to src/Makefile.am configure.ac | 10 ++ daemon/libvirtd.c | 21 ++-- include/libvirt/virterror.h | 2 + po/POTFILES.in | 1 + src/Makefile.am | 25 +++++ src/config/config_driver.c | 237 ++++++++++++++++++++++++++++++++++++++++++++ src/config/config_driver.h | 44 ++++++++ src/util/virerror.c | 2 + 8 files changed, 336 insertions(+), 6 deletions(-) create mode 100644 src/config/config_driver.c create mode 100644 src/config/config_driver.h -- 1.8.5.2

4 22