March 2024 - Devel - libvirt List Archives

[PATCH] cpu: x86: Check for invalid CPU data from hypervisor
by Jiri Denemark 05 Mar '24

05 Mar '24

Recently a kernel bug caused QEMU to report a CPU feature as enabled while listing it in the "unavailable-features" list of features that were requested, but could not be enabled. The feature was actually enabled, but we marked it as disabled when starting a domain. Later when the domain is migrated, the destination requests the feature to be disabled, which breaks the guest ABI or if we are lucky QEMU just fails to load the migration stream. Let's make similar bugs more visible in the future by refusing to even start the domain. Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com> --- src/cpu/cpu_x86.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/cpu/cpu_x86.c b/src/cpu/cpu_x86.c index 6b2531b360..e8409ce616 100644 --- a/src/cpu/cpu_x86.c +++ b/src/cpu/cpu_x86.c @@ -3019,6 +3019,14 @@ virCPUx86UpdateLive(virCPUDef *cpu, x86DataIsSubset(&modelDisabled->data, &feature->data)) expected = VIR_CPU_FEATURE_DISABLE; + if (x86DataIsSubset(&enabled, &feature->data) && + x86DataIsSubset(&disabled, &feature->data)) { + virReportError(VIR_ERR_OPERATION_FAILED, + _("hypervisor provided conflicting CPU data: feature '%1$s' is both enabled and disabled at the same time"), + feature->name); + return -1; + } + if (expected == VIR_CPU_FEATURE_DISABLE && x86DataIsSubset(&enabled, &feature->data)) { VIR_DEBUG("Feature '%s' enabled by the hypervisor", feature->name); -- 2.44.0

2 1

RE: join running core dump job
by Thanos Makatos 04 Mar '24

04 Mar '24

> -----Original Message----- > From: Thanos Makatos <thanos.makatos(a)nutanix.com> > Sent: Monday, March 4, 2024 5:24 PM > To: devel(a)lists.libvirt.org > Subject: join running core dump job > > Is there a way to programmatically wait for a previously initiated > virDomainCoreDumpWithFormat() where the process that started it died? I'm > looking at the API and don't seem to find anything relevant. I suppose I could > poll via virDomainGetJobStats(), but, ideally, I'd like a function that would join > the dump job and return when the dump job finishes. > _______________________________________________ > Devel mailing list -- devel(a)lists.libvirt.org > To unsubscribe send an email to devel-leave(a)lists.libvirt.org I see there's qemuDumpWaitForCompletion(), looks promising.

1 0

[PATCH] ci: refresh with lcitool manifest
by Daniel P. Berrangé 04 Mar '24

04 Mar '24

Picks up the switch from FreeBSD 13.2 to 13.3 Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com> --- ci/gitlab/builds.yml | 2 +- ci/lcitool/targets/freebsd-13.yml | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) delete mode 100644 ci/lcitool/targets/freebsd-13.yml diff --git a/ci/gitlab/builds.yml b/ci/gitlab/builds.yml index 49a0b27029..b23a3989b9 100644 --- a/ci/gitlab/builds.yml +++ b/ci/gitlab/builds.yml @@ -619,7 +619,7 @@ x86_64-freebsd-13: needs: [] allow_failure: false variables: - CIRRUS_VM_IMAGE_NAME: freebsd-13-2 + CIRRUS_VM_IMAGE_NAME: freebsd-13-3 CIRRUS_VM_IMAGE_SELECTOR: image_family CIRRUS_VM_INSTANCE_TYPE: freebsd_instance INSTALL_COMMAND: pkg install -y diff --git a/ci/lcitool/targets/freebsd-13.yml b/ci/lcitool/targets/freebsd-13.yml deleted file mode 100644 index 0337926479..0000000000 --- a/ci/lcitool/targets/freebsd-13.yml +++ /dev/null @@ -1,2 +0,0 @@ -cirrus: - image_name: freebsd-13-2 -- 2.43.0

2 1

join running core dump job
by Thanos Makatos 04 Mar '24

04 Mar '24

Is there a way to programmatically wait for a previously initiated virDomainCoreDumpWithFormat() where the process that started it died? I'm looking at the API and don't seem to find anything relevant. I suppose I could poll via virDomainGetJobStats(), but, ideally, I'd like a function that would join the dump job and return when the dump job finishes.

1 0

[PATCH 0/5] qemu: Make firmware parsing failures non-fatal
by Andrea Bolognani 01 Mar '24

01 Mar '24

See 3/5 for information. Andrea Bolognani (5): qemu: Add missing early returns qemu: Rewrite qemuFirmwareFetchParsedConfigs() qemu: Make firmware parsing failures non-fatal tests: Add firmware descriptor for edk2 on loongarch64 tests: Add invalid firmware descriptor src/qemu/qemu_firmware.c | 120 +++++++----------- .../qemu/firmware/50-edk2-loongarch64.json | 29 +++++ .../usr/share/qemu/firmware/93-invalid.json | 5 + tests/qemufirmwaretest.c | 28 ++++ 4 files changed, 107 insertions(+), 75 deletions(-) create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/50-edk2-loongarch64.json create mode 100644 tests/qemufirmwaredata/usr/share/qemu/firmware/93-invalid.json -- 2.43.2

2 6

[PATCH PUSHED] Fix off-by-one error in udevListInterfacesByStatus
by Martin Kletzander 01 Mar '24

01 Mar '24

Ever since this function was introduced in 2012 it could've tried filling in an extra interface name. That was made worse in 2019 when the caller functions started accepting NULL arrays of size 0. This is assigned CVE-2024-1441. Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com> Reported-by: Alexander Kuznetsov <kuznetsovam(a)altlinux.org> Fixes: 5a33366f5c0b18c93d161bd144f9f079de4ac8ca Fixes: d6064e2759a24e0802f363e3a810dc5a7d7ebb15 Reviewed-by: Ján Tomko <jtomko(a)redhat.com> --- Pushed after review in libvirt-security since this has a CVE. Unfortunately I forgot to split the NEWS update and the actual fix, so sorry to all back-porters. NEWS.rst | 15 +++++++++++++++ src/interface/interface_backend_udev.c | 2 +- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/NEWS.rst b/NEWS.rst index ac64cf697435..69258880d2d3 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -13,6 +13,21 @@ v10.1.0 (unreleased) * **Security** + * ``CVE-2024-1441``: Fix off-by-one error leading to a crash + + In **libvirt-1.0.0** there were couple of interface listing APIs + introduced which had an off-by-one error. That error could lead to a + very rare crash if an array was passed to those functions which did + not fit all the interfaces. + + In **libvirt-5.10** a check for non-NULL arrays has been adjusted to + allow for NULL arrays with size 0 instead of rejecting all NULL + arrays. However that made the above issue significantly worse since + that off-by-one error now did not write beyond an array, but + dereferenced said NULL pointer making the crash certain in a + specific scenario in which a NULL array of size 0 was passed to the + aforementioned functions. + * **Removed features** * **New features** diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c index fb6799ed9406..40914830604e 100644 --- a/src/interface/interface_backend_udev.c +++ b/src/interface/interface_backend_udev.c @@ -222,7 +222,7 @@ udevListInterfacesByStatus(virConnectPtr conn, g_autoptr(virInterfaceDef) def = NULL; /* Ensure we won't exceed the size of our array */ - if (count > names_len) + if (count >= names_len) break; path = udev_list_entry_get_name(dev_entry); -- 2.44.0

1 0

Release of libvirt-10.1.0
by Jiri Denemark 01 Mar '24

01 Mar '24

The 10.1.0 release of both libvirt and libvirt-python is tagged and signed tarballs are available at https://download.libvirt.org/ https://download.libvirt.org/python/ Thanks everybody who helped with this release by sending patches, reviewing, testing, or providing feedback. Your work is greatly appreciated. * Security * ``CVE-2024-1441``: Fix off-by-one error leading to a crash In libvirt-1.0.0 there were couple of interface listing APIs introduced which had an off-by-one error. That error could lead to a very rare crash if an array was passed to those functions which did not fit all the interfaces. In libvirt-5.10 a check for non-NULL arrays has been adjusted to allow for NULL arrays with size 0 instead of rejecting all NULL arrays. However that made the above issue significantly worse since that off-by-one error now did not write beyond an array, but dereferenced said NULL pointer making the crash certain in a specific scenario in which a NULL array of size 0 was passed to the aforementioned functions. * New features * nodedev: Support updating mdevs The node device driver has been extended to allow updating mediated node devices. Options are available to target the update against the persistent, active or both configurations of a mediated device. Note: The support is only available with at least mdevctl v1.3.0 installed. * qemu: Add support for /dev/userfaultfd On hosts with new enough kernel which supports /dev/userfaultfd libvirt will now automatically grant QEMU access to this device. It's no longer needed to set vm.unprivileged_userfaultfd sysctl. * qemu: Support clusters in CPU topology It is now possible to configure the guest CPU topology to use clusters. Additionally, if CPU clusters are present in the host topology, they will be reported as part of the capabilities XML. * network: Make virtual domains resolvable from the host When starting a virtual network with a new ``register='yes'`` attribute in the ``<domain>`` element, libvirt will configure ``systemd-resolved`` to resolve names of the connected guests using the name server started for this network. * qemu: Introduce dynamicMemslots attribute for virtio-mem QEMU now allows setting ``.dynamic-memslots`` attribute for virtio-mem-pci devices. When turned on, it allows memory exposed to guest to be split into multiple memory slots and thus smaller memory footprint (see the original commit for detailed explanation). * Improvements * nodedev: Add ability to update persistent mediated devices by defining them Existing persistent mediated devices can now also be updated by ``virNodeDeviceDefineXML()`` as long as parent and UUID remain unchanged. * ch: Enable ``ethernet`` interface mode support ``<interface type='ethernet'/>`` can now be used for CH domains. * viraccessdriverpolkit: Add missing vtpm case Secrets with ``<usage type='vtpm'>`` were left unable to be checked for in the access driver, i.e. in ACL rules. Missing code was provided. * virt-admin: Notify users to use explicit URI if connection fails ``virt-admin`` doesn't try to guess the URI of the daemon to manage so a failure to connect may be confusing for users if modular daemons are used. Add a hint to use the URI of the dameon to manage. * Bug fixes * qemu_process: Skip over non-virtio non-TAP NIC models when refreshing rx-filter If ``trustGuestRxFilters`` is enabled for a vNIC that doesn't support it, libvirt may throw an error when such domain is being started, loaded from a saved state, migrated, etc. These errors are now silenced, but make sure to fix such configurations (after previous release it is even possible to change ``trustGuestRxFilters`` value on live domains via ``virDomainUpdateDeviceFlags()`` or ``virsh device-update``). * domain: Fix check for overlapping ``<memory/>`` devices A bug was identified which caused libvirt to report two NVDIMMs as overlapping even though they weren't. This now fixed. * vmx: Accept empty fileName for cdrom-image Turns out, ``fileName`` attribute (which contains path to CDROM image) can be set to an empty string (``""``) to denote a state in which the CDROM has no medium in it. Libvirt used to reject such configuration file, but not anymore. * qemu_hotplug: Don't lose 'created' flag in qemuDomainChangeNet() When starting a domain, libvirt tracks what resources it created for it and which were pre-existing and uses this information to preserve pre-existing resources when cleaning up after said domain is shut off. But for macvtaps this information was lost after the macvtap device was changed (e.g. via ``virsh update-device``). * Fix virStream hole handling When a client sent multiple holes into a virStream it may have caused daemon hangup as the daemon stopped processing RPC from the client temporarily. This is now fixed. * nodedev: Don't generate broken XML with certain hardware A broken node device XML would be generated in a rare case when a hardware device had certain characters in the VPD fields. * qemu: Fix reservation of manually specified port for disk migration A manually specified port would not be relased after disk migration making it impossible to use it again. Enjoy. Jirka

1 0

[PATCH] NEWS: Update for release
by Peter Krempa 01 Mar '24

01 Mar '24

Mention improvement of virt-admin, and fixes for the VPD xml and disk migration port bug. Signed-off-by: Peter Krempa <pkrempa(a)redhat.com> --- NEWS.rst | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/NEWS.rst b/NEWS.rst index d270b2397d..4a71c7d3f0 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -52,7 +52,7 @@ v10.1.0 (unreleased) * **Improvements** -* nodedev: Add ability to update persistent mediated devices by defining them + * nodedev: Add ability to update persistent mediated devices by defining them Existing persistent mediated devices can now also be updated by ``virNodeDeviceDefineXML()`` as long as parent and UUID remain unchanged. @@ -66,6 +66,12 @@ v10.1.0 (unreleased) Secrets with ``<usage type='vtpm'>`` were left unable to be checked for in the access driver, i.e. in ACL rules. Missing code was provided. + * virt-admin: Notify users to use explicit URI if connection fails + + ``virt-admin`` doesn't try to guess the URI of the daemon to manage so a + failure to connect may be confusing for users if modular daemons are used. + Add a hint to use the URI of te dameon to manage. + * **Bug fixes** * qemu_process: Skip over non-virtio non-TAP NIC models when refreshing rx-filter @@ -103,6 +109,16 @@ v10.1.0 (unreleased) daemon hangup as the daemon stopped processing RPC from the client temporarily. This is now fixed. + * nodedev: Don't generate broken XML with certain hardware + + A broken node device XML would be generated in a rare case when a hardware + device had certain characters in the VPD fields. + + * qemu: Fix reservation of manually specified port for disk migration + + A manually specified port would not be relased after disk migration making + it impossible to use it again. + v10.0.0 (2024-01-15) ==================== -- 2.43.0

3 2

[PATCH 0/9] Fix broken HTML in API docs
by Peter Krempa 01 Mar '24

01 Mar '24

While checking API docs after recent migration to gitlab-pages I've noticed that the footer is not properly rendered. A deeper dig showed that the issue is that empty <div> elements, while formatted by the XML output version of XSLT conversion is turned into the non-pair empty variant. This contradicts the HTML standard which we declare to use for our pages and thus is mis-parsed into dom, where every empty div is treated as a start of a div, thus nesting everything. This series fixes the above and also many other errors pointed out by the HTML validator at: https://validator.w3.org/ Compare: https://libvirt.org/html/libvirt-libvirt-domain.html vs https://pipo.sk.gitlab.io/-/libvirt/-/jobs/6288946946/artifacts/website/htm… and the validation: https://validator.w3.org/nu/?doc=https%3A%2F%2Flibvirt.org%2Fhtml%2Flibvirt… vs https://validator.w3.org/nu/?doc=https%3A%2F%2Fpipo.sk.gitlab.io%2F-%2Flibv… Also non-API pages validation: https://validator.w3.org/nu/?doc=https%3A%2F%2Flibvirt.org%2Fdocs.html vs https://validator.w3.org/nu/?doc=https%3A%2F%2Fpipo.sk.gitlab.io%2F-%2Flibv… Peter Krempa (9): docs: site: Don't generate '<?xml' header for HTML documents docs: page: Add 'lang="en"' for all HTML output documents docs: page: Fix declaration of main javascript source docs: index: Fix import of blog planet javascript docs: newapi: Don't generate empty <div> in template for ACL permissions docs: newapi: Avoid empty <div>s when there is no description docs: newapi: Avoid table where every row has an cell with 'colspan' docs: newapi: Properly skip ACL entries if empty docs: newapi: Fix generation of type definition tables docs/index.rst | 2 +- docs/newapi.xsl | 158 ++++++++++++++++++++++++++---------------------- docs/page.xsl | 7 ++- docs/site.xsl | 5 +- 4 files changed, 93 insertions(+), 79 deletions(-) -- 2.43.0

2 10