1. 30 6月, 2016 1 次提交
  2. 13 12月, 2015 1 次提交
    • E
      CVE-2015-5313: storage: don't allow '/' in filesystem volume names · 69548d20
      Eric Blake 提交于
      The libvirt file system storage driver determines what file to
      act on by concatenating the pool location with the volume name.
      If a user is able to pick names like "../../../etc/passwd", then
      they can escape the bounds of the pool.  For that matter,
      virStoragePoolListVolumes() doesn't descend into subdirectories,
      so a user really shouldn't use a name with a slash.
      
      Normally, only privileged users can coerce libvirt into creating
      or opening existing files using the virStorageVol APIs; and such
      users already have full privilege to create any domain XML (so it
      is not an escalation of privilege).  But in the case of
      fine-grained ACLs, it is feasible that a user can be granted
      storage_vol:create but not domain:write, and it violates
      assumptions if such a user can abuse libvirt to access files
      outside of the storage pool.
      
      Therefore, prevent all use of volume names that contain "/",
      whether or not such a name is actually attempting to escape the
      pool.
      
      This changes things from:
      
      $ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
      Vol ../../../../../../etc/haha created
      $ rm /etc/haha
      
      to:
      
      $ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
      error: Failed to create vol ../../../../../../etc/haha
      error: Requested operation is not valid: volume name '../../../../../../etc/haha' cannot contain '/'
      Signed-off-by: NEric Blake <eblake@redhat.com>
      (cherry picked from commit 034e47c3)
      69548d20
  3. 03 9月, 2015 5 次提交
    • M
      remoteClientCloseFunc: Don't mangle connection object refcount · 10d659cc
      Michal Privoznik 提交于
      Well, in 8ad126e6 we tried to fix a memory corruption problem.
      However, the fix was not as good as it could be. I mean, the
      commit has one line more than it should. I've noticed this output
      just recently:
      
        # ./run valgrind --leak-check=full --show-reachable=yes ./tools/virsh domblklist gentoo
        ==17019== Memcheck, a memory error detector
        ==17019== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
        ==17019== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
        ==17019== Command: /home/zippy/work/libvirt/libvirt.git/tools/.libs/virsh domblklist gentoo
        ==17019==
        Target     Source
        ------------------------------------------------
        fda        /var/lib/libvirt/images/fd.img
        vda        /var/lib/libvirt/images/gentoo.qcow2
        hdc        /home/zippy/tmp/install-amd64-minimal-20150402.iso
      
        ==17019== Thread 2:
        ==17019== Invalid read of size 4
        ==17019==    at 0x4EFF5B4: virObjectUnref (virobject.c:258)
        ==17019==    by 0x5038CFF: remoteClientCloseFunc (remote_driver.c:552)
        ==17019==    by 0x5069D57: virNetClientCloseLocked (virnetclient.c:685)
        ==17019==    by 0x506C848: virNetClientIncomingEvent (virnetclient.c:1852)
        ==17019==    by 0x5082136: virNetSocketEventHandle (virnetsocket.c:1913)
        ==17019==    by 0x4ECD64E: virEventPollDispatchHandles (vireventpoll.c:509)
        ==17019==    by 0x4ECDE02: virEventPollRunOnce (vireventpoll.c:658)
        ==17019==    by 0x4ECBF00: virEventRunDefaultImpl (virevent.c:308)
        ==17019==    by 0x130386: vshEventLoop (vsh.c:1864)
        ==17019==    by 0x4F1EB07: virThreadHelper (virthread.c:206)
        ==17019==    by 0xA8462D3: start_thread (in /lib64/libpthread-2.20.so)
        ==17019==    by 0xAB441FC: clone (in /lib64/libc-2.20.so)
        ==17019==  Address 0x139023f4 is 4 bytes inside a block of size 240 free'd
        ==17019==    at 0x4C2B1F0: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
        ==17019==    by 0x4EA8949: virFree (viralloc.c:582)
        ==17019==    by 0x4EFF6D0: virObjectUnref (virobject.c:273)
        ==17019==    by 0x4FE74D6: virConnectClose (libvirt.c:1390)
        ==17019==    by 0x13342A: virshDeinit (virsh.c:406)
        ==17019==    by 0x134A37: main (virsh.c:950)
      
      The problem is, when registering remoteClientCloseFunc(), it's
      conn->closeCallback which is ref'd. But in the function itself
      it's conn->closeCallback->conn what is unref'd. This is causing
      imbalance in reference counting. Moreover, there's no need for
      the remote driver to increase/decrease conn refcount since it's
      not used anywhere. It's just merely passed to client registered
      callback. And for that purpose it's correctly ref'd in
      virConnectRegisterCloseCallback() and then unref'd in
      virConnectUnregisterCloseCallback().
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      (cherry picked from commit e6893007)
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      10d659cc
    • M
      vshInit: Don't leak @histsize_env · 3606f62f
      Michal Privoznik 提交于
      Caller is responsible for freeing the result of virStringJoin()
      when no longer needed:
      
      ==10701== 1 bytes in 1 blocks are definitely lost in loss record 1 of 806
      ==10701==    at 0x4C29F80: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==10701==    by 0xAADB679: strdup (in /lib64/libc-2.20.so)
      ==10701==    by 0x4F18655: virStrdup (virstring.c:726)
      ==10701==    by 0x4F175AF: virStringJoin (virstring.c:165)
      ==10701==    by 0x131D4D: vshReadlineInit (vsh.c:2572)
      ==10701==    by 0x1322DF: vshInit (vsh.c:2736)
      ==10701==    by 0x1347C1: main (virsh.c:907)
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      (cherry picked from commit 4fdd873f)
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      3606f62f
    • J
      storage: Correct the 'mode' check · e0025d29
      John Ferlan 提交于
      Commit id '7c2d65dd' changed the default value of mode to be -1 if not
      supplied in the XML, which should cause creation of the volume using the
      default mode of VIR_STORAGE_DEFAULT_VOL_PERM_MODE; however, the check
      made was whether mode was '0' or not to use default or provided value.
      
      This patch fixes the issue to check if the 'mode' was provided in the XML
      and use that value.
      
      (cherry picked from commit 691dd388)
      e0025d29
    • J
      storage: Handle failure from refreshVol · 8b1d84e6
      John Ferlan 提交于
      Commit id '155ca616' added the 'refreshVol' API. In an NFS root-squash
      environment it was possible that if the just created volume from XML wasn't
      properly created with the right uid/gid and/or mode, then the followup
      refreshVol will fail to open the volume in order to get the allocation/
      capacity values. This would leave the volume still on the server and
      cause a libvirtd crash because 'voldef' would be in the pool list, but
      the cleanup code would free it.
      
      (cherry picked from commit db9277a3)
      8b1d84e6
    • J
      virfile: Introduce virFileUnlink · 3468542f
      John Ferlan 提交于
      In an NFS root-squashed environment the 'vol-delete' command will fail to
      'unlink' the target volume since it was created under a different uid:gid.
      
      This code continues the concepts introduced in virFileOpenForked and
      virDirCreate[NoFork] with respect to running the unlink command under
      the uid/gid of the child. Unlike the other two, don't retry on EACCES
      (that's why we're here doing this now).
      
      (cherry picked from commit 35847860)
      3468542f
  4. 02 9月, 2015 1 次提交
  5. 31 8月, 2015 3 次提交
  6. 30 8月, 2015 1 次提交
  7. 29 8月, 2015 2 次提交
    • L
      util: fallback to ioctl(SIOCBRDELBR) if netlink RTM_DELLINK fails · 97d26e47
      Laine Stump 提交于
      commit 09778e09 switched from using ioctl(SIOCBRDELBR) for bridge
      device deletion to using a netlink RTM_DELLINK message, which is the
      more modern way to delete a bridge (and also doesn't require the
      bridge to be ~IFF_UP to succeed). However, although older kernels
      (e.g. 2.6.32, in RHEL6/CentOS6) support deleting *some* link types
      with RTM_NEWLINK, they don't support deleting bridges, and there is no
      compile-time way to figure this out.
      
      This patch moves the body of the SIOCBRDELBR version of
      virNetDevBridgeDelete() into a static function, calls the new function
      from the original, and also calls the new function from the
      RTM_DELLINK version if the RTM_DELLINK message generates an EOPNOTSUPP
      error. Since RTM_DELLINK is done from the subordinate function
      virNetlinkDelLink, which is also called for other purposes (deleting a
      macvtap interface), a function pointer called "fallback" has been
      added to the arglist of virNetlinkDelLink() - if that arg != NULL, the
      provided function will be called when (and only when) RTM_DELLINK
      fails with EOPNOTSUPP.
      
      Resolves:  https://bugzilla.redhat.com/show_bug.cgi?id=1252780 (part 2)
      97d26e47
    • L
      util: fallback to ioctl(SIOCBRADDBR) if netlink RTM_NEWLINK fails · 66dcb409
      Laine Stump 提交于
      commit fc7b23db switched from using ioctl(SIOCBRADDBR) for bridge
      creation to using a netlink RTM_NEWLINK message with IFLA_INFO_KIND =
      "bridge", which is the more modern way to create a bridge. However,
      although older kernels (e.g. 2.6.32, in RHEL6/CentOS6) support
      creating *some* link types with RTM_NEWLINK, they don't support
      creating bridges, and there is no compile-time way to figure this out
      (since the "type" isn't an enum, but rather a character string).
      
      This patch moves the body of the SIOCBRADDBR version of
      virNetDevBridgeCreate() into a static function, calls the new function
      from the original, and also calls the new function from the
      RTM_NEWLINK version if the RTM_NEWLINK message generates an EOPNOTSUPP
      error.
      
      Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1252780
      66dcb409
  8. 28 8月, 2015 4 次提交
    • J
      Revert "LXC: show used memory as 0 when domain is not active" · 60acb38a
      Jim Fehlig 提交于
      This reverts commit 1ce7c1d2,
      which introduced a significant semantic change to the
      virDomainGetInfo() API. Additionally, the change was only
      made to 2 of the 15 virt drivers.
      
      Conflicts:
      	src/qemu/qemu_driver.c
      Signed-off-by: NJim Fehlig <jfehlig@suse.com>
      60acb38a
    • J
      libxl: acquire a job when receiving a migrating domain · e80b84a7
      Jim Fehlig 提交于
      Commit f86ae403 moved acquiring a job from libxlDomainStart()
      to its callers. One spot missed was in libxlDoMigrateReceive().
      Acquire a job in libxlDoMigrateReceive() before calling
      libxlDomainStart().
      Signed-off-by: NJim Fehlig <jfehlig@suse.com>
      e80b84a7
    • J
      libxl: don't attempt to resume domain when suspend fails · 15120b8c
      Jim Fehlig 提交于
      Failure of libxl_domain_suspend() does not leave the domain in
      a suspended state, so no need to call libxl_domain_resume(),
      which btw will fail with "domain not suspended".
      Signed-off-by: NJim Fehlig <jfehlig@suse.com>
      15120b8c
    • J
      libxl: fix ref counting of libxlMigrationDstArgs · 44a54eb0
      Jim Fehlig 提交于
      This patch fixes some flawed logic around ref counting the
      libxlMigrationDstArgs object.
      
      First, when adding sockets to the event loop with
      virNetSocketAddIOCallback(), the generic virObjectFreeCallback()
      was registered as a free function, with libxlMigrationDstArgs as
      its parameter. A reference was also taken on
      libxlMigrationDstArgs for each successful call to
      virNetSocketAddIOCallback(). The rational behind this logic was
      that the libxlMigrationDstArgs object had to out-live the socket
      objects. But virNetSocketAddIOCallback() already takes a
      reference on socket objects, ensuring their life until removed
      from the event loop and unref'ed in virNetSocketEventFree(). We
      only need to ensure libxlMigrationDstArgs lives until
      libxlDoMigrateReceive() finishes, which can be done by simply
      unref'ing libxlMigrationDstArgs at the end of
      libxlDoMigrateReceive().
      
      The second flaw was unref'ing the sockets in the failure path of
      libxlMigrateReceive() and at the end of libxlDoMigrateReceive().
      As mentioned above, the sockets are already unref'ed by
      virNetSocketEventFree() when removed from the event loop.
      Attempting to unref the socket a second time resulted in a
      libvirtd crash since the socket was previously unref'ed and
      disposed.
      Signed-off-by: NJim Fehlig <jfehlig@suse.com>
      44a54eb0
  9. 27 8月, 2015 10 次提交
    • M
      Revert "lxc: ensure setns() syscall is defined" · c63b0880
      Michal Privoznik 提交于
      After my previous commit this commit is no longer needed.
      
      This reverts commit eff95ac8.
      c63b0880
    • M
      lxc_container: Turn lxcAttachNS into calling virProcessSetNamespaces · 692e9fac
      Michal Privoznik 提交于
      Now that virProcessSetNamespaces() does accept FD list in the
      correct format, we can simply turn lxcAttachNS into calling
      virProcessSetNamespaces().
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      692e9fac
    • M
      libvirt_lxc: Claim success for --help · fb0ef0d5
      Michal Privoznik 提交于
      So far, if libvirt_lxc binary (usually to be found under
      /usr/libexec/) is run with --help, due to a missing line
      and our usual functions pattern, an 'uknown' error is returned.
      Yeah, the help is printed out, but we should not claim error.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      fb0ef0d5
    • M
      util: Allow virProcessSetNamespaces() to have sparse FD list · ea048687
      Michal Privoznik 提交于
      So far, the virProcessSetNamespaces() takes an array of FDs that
      it tries to set namespace on. However, in the very next commit
      this array may be sparse, having some -1's in it. Teach the
      function to cope with that.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      ea048687
    • M
      virt-aa-helper: Improve valid_path · 52970dec
      Michal Privoznik 提交于
      So, after some movement in virt-aa-helper, I've noticed the
      virt-aa-helper-test failing. I've ran gdb (it took me a while to
      realize how to do that) and this showed up immediately:
      
        Program received signal SIGSEGV, Segmentation fault.
        strlen () at ../sysdeps/x86_64/strlen.S:106
        106     ../sysdeps/x86_64/strlen.S: No such file or directory.
        (gdb) bt
        #0  strlen () at ../sysdeps/x86_64/strlen.S:106
        #1  0x0000555555561a13 in array_starts_with (str=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", arr=0x7fffffffd160, size=-1540438016) at security/virt-aa-helper.c:525
        #2  0x0000555555561d49 in valid_path (path=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", readonly=false) at security/virt-aa-helper.c:617
        #3  0x0000555555562506 in vah_add_path (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw", recursive=false) at security/virt-aa-helper.c:823
        #4  0x0000555555562693 in vah_add_file (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw") at security/virt-aa-helper.c:854
        #5  0x0000555555562918 in add_file_path (disk=0x5555557d4440, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", depth=0, opaque=0x7fffffffd3e0) at security/virt-aa-helper.c:931
        #6  0x00007ffff78f18b1 in virDomainDiskDefForeachPath (disk=0x5555557d4440, ignoreOpenFailure=true, iter=0x5555555628a6 <add_file_path>, opaque=0x7fffffffd3e0) at conf/domain_conf.c:23286
        #7  0x0000555555562b5f in get_files (ctl=0x7fffffffd670) at security/virt-aa-helper.c:982
        #8  0x0000555555564100 in vahParseArgv (ctl=0x7fffffffd670, argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1277
        #9  0x00005555555643d6 in main (argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1332
      
      So I've taken look at valid_path() because it is obviously
      calling array_starts_with() with malformed @size. And here's the
      result: there are two variables to hold the size of three arrays
      and their value is recalculated before each call of
      array_starts_with(). What if we just use three variables,
      initialize them and do not touch them afterwards?
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      52970dec
    • J
      lxc: Resolve Coverity RESOURCE_LEAK · dd25b5a7
      John Ferlan 提交于
      Commit id 'c27553b6' added a return -1 in a failure path without
      the necessary VIR_FREE(stack)
      dd25b5a7
    • L
      qemu: Emit correct audit message for memory hot unplug · 8f8031df
      Luyao Huang 提交于
      https://bugzilla.redhat.com/show_bug.cgi?id=1226234#c3
      
      If the qemu monitor fails to remove the memory from the guest for
      any reason, the auditlog message will incorrectly use the current
      actual memory (via virDomainDefGetMemoryActual) instead of the
      value we were attempting to reduce to. The result is the 'new-mem'
      and 'old-mem' values for the auditlog message would be identical.
      
      This patch creates a local 'newmem' which accounts for the current
      memory size minus the memory which is being removed. NB, for the
      success case this results in the same value that would be returned
      by virDomainDefGetMemoryActual without the need to do the math. This
      follows the existing code which would subtract the size for cur_balloon.
      Signed-off-by: NLuyao Huang <lhuang@redhat.com>
      8f8031df
    • L
      qemu: Emit correct audit message for memory hot plug · cb1fbda4
      Luyao Huang 提交于
      https://bugzilla.redhat.com/show_bug.cgi?id=1226234#c3
      
      Prior to this patch, after successfully hot plugging memory
      the audit log indicated that the update failed, e.g.:
      
      type=VIRT_RESOURCE ... old-mem=1024000 new-mem=1548288 \
      exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=pts/2 res=failed
      
      This patch will adjust where virDomainAuditMemory is called to
      ensure the proper 'ret' value is used based on success or failure.
      
      Additionally, the audit message should include the size of the
      memory we were attempting to change to rather than the current
      actual size. On failure to add, the message showed the same value
      for old-mem and new-mem.
      
      In order to do this, introduce a 'newmem' local which will compute
      the new size based on the oldmem size plus the size of memory we
      are about to add. NB: This would be the same as calling the
      virDomainDefGetMemoryActual again on success, but avoids the
      overhead of recalculating. Plus cur_balloon is already adjusted
      by the same value, so this follows that.
      Signed-off-by: NLuyao Huang <lhuang@redhat.com>
      cb1fbda4
    • M
      utils: Remove the logging of errors from virNetDevSendEthtoolIoctl · 6f2a0198
      Moshe Levi 提交于
      This patch remove the logging of errors of ioctl api and instead
      let the caller to choose what errors to log
      6f2a0198
    • L
      hostdev: skip ACS check when using VFIO for device assignment · 108d591b
      Laine Stump 提交于
      The ACS checks are meaningless when using the more modern VFIO driver
      for device assignment since VFIO has its own more complete and exact
      checks, but I didn't realize that when I added support for VFIO. This
      patch eliminates the ACS check when preparing PCI devices for
      assignment if VFIO is being used.
      
      This resolves:
      
        https://bugzilla.redhat.com/show_bug.cgi?id=1256486
      108d591b
  10. 26 8月, 2015 7 次提交
  11. 25 8月, 2015 2 次提交
  12. 24 8月, 2015 3 次提交