1. 30 11月, 2012 11 次提交
    • L
      network: use dnsmasq --bind-dynamic when available · 753ff83a
      Laine Stump 提交于
      This bug resolves CVE-2012-3411, which is described in the following
      bugzilla report:
      
        https://bugzilla.redhat.com/show_bug.cgi?id=833033
      
      The following report is specifically for libvirt on Fedora:
      
        https://bugzilla.redhat.com/show_bug.cgi?id=874702
      
      In short, a dnsmasq instance run with the intention of listening for
      DHCP/DNS requests only on a libvirt virtual network (which is
      constructed using a Linux host bridge) would also answer queries sent
      from outside the virtualization host.
      
      This patch takes advantage of a new dnsmasq option "--bind-dynamic",
      which will cause the listening socket to be setup such that it will
      only receive those requests that actually come in via the bridge
      interface. In order for this behavior to actually occur, not only must
      "--bind-interfaces" be replaced with "--bind-dynamic", but also all
      "--listen-address" options must be replaced with a single
      "--interface" option. Fully:
      
         --bind-interfaces --except-interface lo --listen-address x.x.x.x ...
      
      (with --listen-address possibly repeated) is replaced with:
      
         --bind-dynamic --interface virbrX
      
      Of course libvirt can't use this new option if the host's dnsmasq
      doesn't have it, but we still want libvirt to function (because the
      great majority of libvirt installations, which only have mode='nat'
      networks using RFC1918 private address ranges (e.g. 192.168.122.0/24),
      are immune to this vulnerability from anywhere beyond the local subnet
      of the host), so we use the new dnsmasqCaps API to check if dnsmasq
      supports the new option and, if not, we use the "old" option style
      instead. In order to assure that this permissiveness doesn't lead to a
      vulnerable system, we do check for non-private addresses in this case,
      and refuse to start the network if both a) we are using the old-style
      options, and b) the network has a publicly routable IP
      address. Hopefully this will provide the proper balance of not being
      disruptive to those not practically affected, and making sure that
      those who *are* affected get their dnsmasq upgraded.
      
      (--bind-dynamic was added to dnsmasq in upstream commit
      54dd393f3938fc0c19088fbd319b95e37d81a2b0, which was included in
      dnsmasq-2.63)
      753ff83a
    • L
      util: new virSocketAddrIsPrivate function · bf402e77
      Laine Stump 提交于
      This new function returns true if the given address is in the range of
      any "private" or "local" networks as defined in RFC1918 (IPv4) or
      RFC3484/RFC4193 (IPv6), otherwise they return false.
      
      These ranges are:
      
         192.168.0.0/16
         172.16.0.0/16
         10.0.0.0/24
         FC00::/7
         FEC0::/10
      bf402e77
    • L
      util: capabilities detection for dnsmasq · 719c2c76
      Laine Stump 提交于
      In order to optionally take advantage of new features in dnsmasq when
      the host's version of dnsmasq supports them, but still be able to run
      on hosts that don't support the new features, we need to be able to
      detect the version of dnsmasq running on the host, and possibly
      determine from the help output what options are in this dnsmasq.
      
      This patch implements a greatly simplified version of the capabilities
      code we already have for qemu. A dnsmasqCaps device can be created and
      populated either from running a program on disk, reading a file with
      the concatenated output of "dnsmasq --version; dnsmasq --help", or
      examining a buffer in memory that contains the concatenated output of
      those two commands. Simple functions to retrieve capabilities flags,
      the version number, and the path of the binary are also included.
      
      bridge_driver.c creates a single dnsmasqCaps object at driver startup,
      and disposes of it at driver shutdown. Any time it must be used, the
      dnsmasqCapsRefresh method is called - it checks the mtime of the
      binary, and re-runs the checks if the binary has changed.
      
      networkxml2argvtest.c creates 2 "artificial" dnsmasqCaps objects at
      startup - one "restricted" (doesn't support --bind-dynamic) and one
      "full" (does support --bind-dynamic). Some of the test cases use one
      and some the other, to make sure both code pathes are tested.
      719c2c76
    • J
      conf: fix uninitialized variable in virDomainListSnapshots · 892582f9
      Ján Tomko 提交于
      If allocation of names fails, list is uninitialized.
      892582f9
    • J
      rpc: don't destroy xdr before creating it in virNetMessageEncodeHeader · 6e1fc355
      Ján Tomko 提交于
      On OOM, xdr_destroy got called even though it wasn't created yet.
      
      Found by coverity:
      Error: UNINIT (CWE-457):
          libvirt-0.10.2/src/rpc/virnetmessage.c:214: var_decl: Declaring
          variable "xdr" without initializer.
          libvirt-0.10.2/src/rpc/virnetmessage.c:219: cond_true: Condition
          "virReallocN(&msg->buffer, 1UL /* sizeof (*msg->buffer) */,
          msg->bufferLength) < 0", taking true branch
          libvirt-0.10.2/src/rpc/virnetmessage.c:221: goto: Jumping to label
          "cleanup"
          libvirt-0.10.2/src/rpc/virnetmessage.c:257: label: Reached label
          "cleanup"
          libvirt-0.10.2/src/rpc/virnetmessage.c:258: uninit_use: Using
          uninitialized value "xdr.x_ops".
      6e1fc355
    • J
      virsh: do timing even for unusable connections · 8b235d40
      Ján Tomko 提交于
      Time values were uninitialized if the connection wasn't usable.
      8b235d40
    • J
      virsh: use correct sizeof when allocating cpumap · dc04b2a7
      Ján Tomko 提交于
      Found by coverity:
      Error: SIZEOF_MISMATCH (CWE-569):
          libvirt-0.10.2/tools/virsh-domain.c:4754: suspicious_sizeof: Passing
          argument "8UL /* sizeof (cpumap) */" to function
          "_vshCalloc(vshControl *, size_t, size_t, char const *, int)" and
          then casting the return value to "unsigned char *" is suspicious.
      
      Error: SIZEOF_MISMATCH (CWE-569):
          libvirt-0.10.2/tools/virsh-domain.c:4942: suspicious_sizeof: Passing
          argument "8UL /* sizeof (cpumap) */" to function
          "_vshCalloc(vshControl *, size_t, size_t, char const *, int)" and
          then casting the return value to "unsigned char *" is suspicious.
      dc04b2a7
    • J
      util: fix virBitmap allocation in virProcessInfoGetAffinity · 7730257d
      Ján Tomko 提交于
      Found by coverity:
      Error: REVERSE_INULL (CWE-476):
          libvirt-0.10.2/src/util/processinfo.c:141: deref_ptr: Directly
          dereferencing pointer "map".
          libvirt-0.10.2/src/util/processinfo.c:142: check_after_deref:
          Null-checking "map" suggests that it may be null, but it has already
          been dereferenced on all paths leading to the check.
      7730257d
    • J
      conf: fix NULL check in virNetDevBandwidthParse · d5e88425
      Ján Tomko 提交于
      Found by coverity:
      Error: REVERSE_INULL (CWE-476):
          libvirt-0.10.2/src/conf/netdev_bandwidth_conf.c:99: deref_ptr:
          Directly dereferencing pointer "node".
          libvirt-0.10.2/src/conf/netdev_bandwidth_conf.c:107:
          check_after_deref: Null-checking "node" suggests that it may be
          null, but it has already been dereferenced on all paths leading to
          the check.
      d5e88425
    • D
      Turn some dual-state int parameters into booleans · f4ea67f5
      Daniel P. Berrange 提交于
      The virStateInitialize method and several cgroups methods were
      using an 'int privileged' parameter or similar for dual-state
      values. These are better represented with the bool type.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      f4ea67f5
    • D
      Introduce a 'stop' method to virDriverState · d442ee23
      Daniel P. Berrange 提交于
      To allow actions to be performed in libvirtd when the host
      shuts down, or user session exits, introduce a 'stop'
      method to virDriverState. This will do things like saving
      the VM state to a file.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      d442ee23
  2. 29 11月, 2012 22 次提交
  3. 28 11月, 2012 7 次提交