10:13 a.m.
Since the wait is done during migration (still inside
QEMU_ASYNC_JOB_MIGRATION_OUT), the code should enter the monitor as such
in order to prohibit all other jobs from interfering in the meantime.
This patch fixes bug #1009886 in which qemuDomainGetBlockInfo was
waiting on the monitor condition and after GetSpiceMigrationStatus
mangled its internal data, the daemon crashed.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1009886
Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com>
---
src/qemu/qemu_migration.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index d7b89fc..3a1aab7 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -1595,7 +1595,10 @@ qemuMigrationWaitForSpice(virQEMUDriverPtr driver,
/* Poll every 50ms for progress & to allow cancellation */
struct timespec ts = { .tv_sec = 0, .tv_nsec = 50 * 1000 * 1000ull };
- qemuDomainObjEnterMonitor(driver, vm);
+ if (qemuDomainObjEnterMonitorAsync(driver, vm,
+ QEMU_ASYNC_JOB_MIGRATION_OUT) < 0)
+ return -1;
+
if (qemuMonitorGetSpiceMigrationStatus(priv->mon,
&spice_migrated) < 0) {
qemuDomainObjExitMonitor(driver, vm);
--
1.8.3.2
10:37 a.m.
On 09/20/2013 05:13 PM, Martin Kletzander wrote:
Since the wait is done during migration (still inside
QEMU_ASYNC_JOB_MIGRATION_OUT), the code should enter the monitor as such
in order to prohibit all other jobs from interfering in the meantime.
This patch fixes bug #1009886 in which qemuDomainGetBlockInfo was
waiting on the monitor condition and after GetSpiceMigrationStatus
mangled its internal data, the daemon crashed.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1009886
Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com>
---
src/qemu/qemu_migration.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
ACK
11:02 a.m.
On Fri, Sep 20, 2013 at 05:37:58PM +0200, Ján Tomko wrote:
On 09/20/2013 05:13 PM, Martin Kletzander wrote:
> Since the wait is done during migration (still inside
> QEMU_ASYNC_JOB_MIGRATION_OUT), the code should enter the monitor as such
> in order to prohibit all other jobs from interfering in the meantime.
> This patch fixes bug #1009886 in which qemuDomainGetBlockInfo was
> waiting on the monitor condition and after GetSpiceMigrationStatus
> mangled its internal data, the daemon crashed.
>
> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1009886
> Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com>
> ---
> src/qemu/qemu_migration.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
ACK
Thanks, pushed.
Martin
2:56 p.m.
New subject: [libvirt] LSN-2013-0021: libvirtd crash during seamless SPICE migration
[this is an older issue, but it was just barely assigned a CVE this week]
Libvirt Security Notice: LSN-2013-0021
======================================
Summary: libvirtd crash during seamless SPICE migration
Reported on: 20130919
Published on: 20130919
Fixed on: 20130920
Reported by: Marian Krcmarik <mkrcmari(a)redhat.com>
Patched by: Martin Kletzander <mkletzan(a)redhat.com>
See also: CVE-2013-7336
Description
-----------
When migrating a guest with a live SPICE connection, the source
libvirtd did not properly track that the migration job was still
waiting for status from the handshakes involved in seamless
migration.
Impact
------
If another client was querying domain status at the same time as the
ongoing seamless SPICE migration, the incorrect job status could
lead to memory corruption and a crash of libvirtd on the source side
of the migration. As queries can be performed by an unprivileged
user, this can be used to inflict a denial of service attack on
other users of the libvirtd daemon with higher privilege.
Workaround
----------
The impact can be mitigated by blocking access to the read-only
libvirtd UNIX domain socket, with policykit or the 'auth_unix_ro'
parameter in '/etc/libvirt/libvirtd.conf'. If ACLs are active, the
'read' permission should be removed from any untrusted users. This
will not prevent the crash, but will stop unprivileged users from
inflicting the denial of service on higher privileged users.
Additionally, avoiding SPICE seamless migration is sufficient to
avoid the problem.
Affected product
----------------
Name: libvirt
Repository: git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Fixed in: v1.1.3
Broken by: 9da7b11bcd3e9732dd881a9e6158a0c98bafd9fe
Fixed by: 484cc3217b73b865f00bf42a9c12187b37200699
Branch: v1.1.0-maint
Broken by: 9da7b11bcd3e9732dd881a9e6158a0c98bafd9fe
Fixed by: 476d0e38af11f3ff50d85e3f7aecad4cd8208c76
Branch: v1.1.1-maint
Broken by: 9da7b11bcd3e9732dd881a9e6158a0c98bafd9fe
Fixed by: fea2550974137918c2bc9e01f3eb00421585450c
Branch: v1.1.2-maint
Broken by: 9da7b11bcd3e9732dd881a9e6158a0c98bafd9fe
Fixed by: b6ea7abcf72d7d0aaf90e17aa8e8e88db8f778ea
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
3900
days inactive
4080
days old
3 comments
3 participants
participants (3)
-
Eric Blake -
Ján Tomko -
Martin Kletzander