Since 76b644c3 when the support for RAM filesystems was introduced,
libvirt accepted the following XML:
<source usage='1024' unit='KiB'/>

This was parsed correctly and internally stored in bytes, but it
was formatted as (with an extra 's'):
<source usage='1024' units='KiB'/>
When read again, this was treated as if the units were missing,
meaning libvirt was unable to parse its own XML correctly.

The usage attribute was documented as being in KiB, but it was not
scaled if the unit was missing. Transient domains still worked,
because this was balanced by an extra 'k' in the mount options.

This patch:
Changes the parser to use 'units' instead of 'unit', as the latter
was never documented (fixing persistent domains) and some programs
(libvirt-glib, libvirt-sandbox) already parse the 'units' attribute.

Removes the extra 'k' from the tmpfs mount options, which is needed
because now we parse our own XML correctly.

Changes the default input unit to KiB to match documentation, fixing:
https://bugzilla.redhat.com/show_bug.cgi?id=1015689
(cherry picked from commit 3f029fb5)

After successful @cmd construction the memory where @keys points to is
part of @cmd. Avoid double freeing it.
(cherry picked from commit 3e8343e1)

After freeing the bitmap pointer, it must set the pointer to NULL.
This will avoid any other use of the freed memory of the bitmap pointer.

https://bugzilla.redhat.com/show_bug.cgi?id=1006710Signed-off-by: NLiuji (Jeremy) <jeremy.liu@huawei.com>
(cherry picked from commit ef5d51d4)

https://bugzilla.redhat.com/show_bug.cgi?id=1008619

1,003 bytes in 1 blocks are definitely lost in loss record 599 of 635
==404== by 0x50728A7: virBufferAddChar (virbuffer.c:185)
==404== by 0x50BC466: virSystemdEscapeName (virsystemd.c:67)
==404== by 0x50BC6B2: virSystemdMakeSliceName (virsystemd.c:108)
==404== by 0x50BC870: virSystemdCreateMachine (virsystemd.c:169)
==404== by 0x5078267: virCgroupNewMachine (vircgroup.c:1498)
(cherry picked from commit 09b48562)

https://bugzilla.redhat.com/show_bug.cgi?id=1006864

Commit 38ab1225 changed the default value of ret from true to false but
forgot to set ret = true when job is NONE. Thus, virsh domjobinfo
returned 1 when there was no job running for a domain but it used to
(and should) return 0 in this case.
(cherry picked from commit f084caae)

Commit 27e81517 set the payload size to 256 KB, which is
actually the max packet size, including the size of the header.

Reduce this by VIR_NET_MESSAGE_HEADER_MAX (24) and set
VIR_NET_MESSAGE_LEGACY_PAYLOAD_MAX to 262120, which was the original
value before increasing the limit in commit eb635de1.

(cherry picked from commit 609eb987)

The libvirtd server pushes data out to clients. It does not
know what protocol version the client might have, so must be
conservative and use the old payload limits. ie send no more
than 256kb of data per packet.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 27e81517)

When a client disconnects from libvirtd, all event callbacks
must be removed. This involves running the public API

  virConnectDomainEventDeregisterAny

This code does not run in normal API dispatch context, so no
identity was set. The result was that the access control drivers
denied the attempt to deregister callbacks. The callbacks thus
continued to trigger after the client was free'd causing fairly
predictable use of free memory & a crash.

This can be triggered by any client with readonly access when
the ACL drivers are active.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 8294aa0c)

Since the wait is done during migration (still inside
QEMU_ASYNC_JOB_MIGRATION_OUT), the code should enter the monitor as such
in order to prohibit all other jobs from interfering in the meantime.
This patch fixes bug #1009886 in which qemuDomainGetBlockInfo was
waiting on the monitor condition and after GetSpiceMigrationStatus
mangled its internal data, the daemon crashed.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1009886
(cherry picked from commit 484cc321)

The fix for CVE-2013-4311 had a pre-requisite enhancement
to the identity code

  commit db7a5688
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date:   Thu Aug 22 16:00:01 2013 +0100

    Also store user & group ID values in virIdentity

This had a typo which caused the group ID to overwrite the
user ID string. This meant any checks using this would have
the wrong ID value. This only affected the ACL code, not the
initial polkit auth. It also leaked memory.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit e4697b92)

The 'stats' variable was not initialized to NULL, so if some
early validation of the RPC call fails, it is possible to jump
to the 'cleanup' label and VIR_FREE an uninitialized pointer.
This is a security flaw, since the API can be called from a
readonly connection which can trigger the validation checks.

This was introduced in release v0.9.1 onwards by

  commit 158ba873
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date:   Wed Apr 13 16:21:35 2011 +0100

    Merge all returns paths from dispatcher into single path
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit e7f400a1)

With the existing pkcheck (pid, start time) tuple for identifying
the process, there is a race condition, where a process can make
a libvirt RPC call and in another thread exec a setuid application,
causing it to change to effective UID 0. This in turn causes polkit
to do its permission check based on the wrong UID.

To address this, libvirt must get the UID the caller had at time
of connect() (from SO_PEERCRED) and pass a (pid, start time, uid)
triple to the pkcheck program.

This fix requires that libvirt is re-built against a version of
polkit that has the fix for its CVE-2013-4288, so that libvirt
can see 'pkg-config --variable pkcheck_supports_uid polkit-gobject-1'
Signed-off-by: NColin Walters <walters@redhat.com>
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 922b7fda)

The polkit access driver will want to use the process start
time field. This was already set for network identities, but
not for the system identity.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit e65667c0)

Future improvements to the polkit code will require access to
the numeric user ID, not merely user name.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit db7a5688)

The @qemunbd variable can be used uninitialized.

(cherry picked from commit 2dba0323)

If the network has not been found, virNetworkFree(NULL)
was called, resulting in an extra error:
error: invalid network pointer in virNetworkFree

https://bugzilla.redhat.com/show_bug.cgi?id=1001094
(cherry picked from commit 784cca89)

Commit 29fe5d74 (released in 1.1.1) introduced a latent problem
for any caller of virSecurityManagerSetProcessLabel and where
the domain already had a uid:gid label to be parsed.  Such a
setup would collect the list of supplementary groups during
virSecurityManagerPreFork, but then ignores that information,
and thus fails to call setgroups() to adjust the supplementary
groups of the process.

Upstream does not use virSecurityManagerSetProcessLabel for
qemu (it uses virSecurityManagerSetChildProcessLabel instead),
so this problem remained latent until backporting the initial
commit into v0.10.2-maint (commit c061ff5e, released in 0.10.2.7),
where virSecurityManagerSetChildProcessLabel has not been
backported.  As a result of using a different code path in the
backport, attempts to start a qemu domain that runs as qemu:qemu
will end up with supplementary groups unchanged from the libvirtd
parent process, rather than the desired supplementary groups of
the qemu user.  This can lead to failure to start a domain
(typical Fedora setup assigns user 107 'qemu' to both group 107
'qemu' and group 36 'kvm', so a disk image that is only readable
under kvm group rights is locked out).  Worse, it is a security
hole (the qemu process will inherit supplemental group rights
from the parent libvirtd process, which means it has access
rights to files owned by group 0 even when such files should
not normally be visible to user qemu).

LXC does not use the DAC security driver, so it is not vulnerable
at this time.  Still, it is better to plug the latent hole on
the master branch first, before cherry-picking it to the only
vulnerable branch v0.10.2-maint.

* src/security/security_dac.c (virSecurityDACGetIds): Always populate
groups and ngroups, rather than only when no label is parsed.
Signed-off-by: NEric Blake <eblake@redhat.com>
(cherry picked from commit 745aa55f)

The parameters for the virDomainMigrate*Params RPC calls were
not bounds checks, meaning a malicious client can cause libvirtd
to consume arbitrary memory

This issue was introduced in the 1.1.0 release of libvirt
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit fd6f6a48)

The virBitmapParse function was calling virBitmapIsSet() function that
requires the caller to check the bounds of the bitmap without checking
them. This resulted into crashes when parsing a bitmap string that was
exceeding the bounds used as argument.

This patch refactors the function to use virBitmapSetBit without
checking if the bit is set (this function does the checks internally)
and then counts the bits in the bitmap afterwards (instead of keeping
track while parsing the string).

This patch also changes the "parse_error" label to a more common
"error".

The refactor should also get rid of the need to call sa_assert on the
returned variable as the callpath should allow coverity to infer the
possible return values.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=997367

Thanks to Alex Jia for tracking down the issue. This issue is introduced
by commit 0fc89098.
(cherry picked from commit 47b9127e)

https://bugzilla.redhat.com/show_bug.cgi?id=997765

==1349431== 8 bytes in 1 blocks are definitely lost in loss record 11 of 760
==1349431==    at 0x4C2A554: calloc (vg_replace_malloc.c:593)
==1349431==    by 0x4E9AA3E: virAllocN (in /usr/lib64/libvirt.so.0.1001.1)
==1349431==    by 0x4EF28C4: virXPathNodeSet (in /usr/lib64/libvirt.so.0.1001.1)
==1349431==    by 0x130B83: cmdCPUBaseline (in /usr/bin/virsh)
==1349431==    by 0x12C608: vshCommandRun (in /usr/bin/virsh)
==1349431==    by 0x12889A: main (in /usr/bin/virsh)
(cherry picked from commit f4ec8616)

When undefining a domain with storage when the volume isn't managed by
libvirt the name and path strings weren't freed properly.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=996050
(cherry picked from commit 5075248a)

Before, missing attributes were only OK when adding entries;
modification and deletion required all of them.

Now, only deletion works with missing attributes, as long as
the host is uniquely identified.
(cherry picked from commit cf602e7c)

This restores the error message when QMP probing is not used.

https://bugzilla.redhat.com/show_bug.cgi?id=991334
(cherry picked from commit 9ceaaa08)

This is a second attempt at fixing the problem first attempted
in commit 2df8d991; basically undoing the fact that it was
reverted in commit 43cee32f, plus fixing two more issues: the
code in configure.ac has to EXACTLY match virnetdevbridge.c
with regards to declaring in6 types before using if_bridge.h,
and the fact that RHEL 5 has even more conflicts:

In file included from util/virnetdevbridge.c:49:
/usr/include/linux/in6.h:47: error: conflicting types for 'in6addr_any'
/usr/include/netinet/in.h:206: error: previous declaration of 'in6addr_any' was here
/usr/include/linux/in6.h:49: error: conflicting types for 'in6addr_loopback'
/usr/include/netinet/in.h:207: error: previous declaration of 'in6addr_loopback' was here

The rest of this commit message borrows from the original try
of 2df8d991:

A fresh checkout on a RHEL 6 machine with these packages:
kernel-headers-2.6.32-405.el6.x86_64
glibc-2.12-1.128.el6.x86_64
failed to configure with this message:
checking for linux/if_bridge.h... no
configure: error: You must install kernel-headers in order to compile libvirt with QEMU or LXC support

Digging in config.log, we see that the problem is identical to
what we fixed earlier in commit d12c2811:

configure:98831: checking for linux/if_bridge.h
configure:98853: gcc -std=gnu99 -c -g -O2  conftest.c >&5
In file included from /usr/include/linux/if_bridge.h:17,
                 from conftest.c:559:
/usr/include/linux/in6.h:31: error: redefinition of 'struct in6_addr'
/usr/include/linux/in6.h:48: error: redefinition of 'struct sockaddr_in6'
/usr/include/linux/in6.h:56: error: redefinition of 'struct ipv6_mreq'
configure:98860: $? = 1

I had not hit it earlier because I was using incremental builds,
where config.cache had shielded me from the kernel-headers breakage.

* configure.ac (if_bridge.h): Avoid conflicting type definitions.
* src/util/virnetdevbridge.c (includes): Also sanitize for RHEL 5.
Signed-off-by: NEric Blake <eblake@redhat.com>
(cherry picked from commit 70024dc9)

This reverts commit 2df8d991.

The change breaks configure on any recent Fedora platform
(cherry picked from commit 43cee32f)

Valgrind defects memory error:

==16759== 1 errors in context 1 of 8:
==16759== Invalid free() / delete / delete[] / realloc()
==16759==    at 0x4A074C4: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16759==    by 0x83CD329: xdr_string (in /usr/lib64/libc-2.17.so)
==16759==    by 0x4D93E4D: xdr_remote_nonnull_string (remote_protocol.c:31)
==16759==    by 0x4D94350: xdr_remote_nonnull_domain (remote_protocol.c:58)
==16759==    by 0x4D976C8: xdr_remote_domain_create_with_flags_ret (remote_protocol.c:1762)
==16759==    by 0x83CC734: xdr_free (in /usr/lib64/libc-2.17.so)
==16759==    by 0x4D7F1E0: remoteDomainCreateWithFlags (remote_driver.c:2441)
==16759==    by 0x4D4BF17: virDomainCreateWithFlags (libvirt.c:9499)
==16759==    by 0x13127A: cmdStart (virsh-domain.c:3376)
==16759==    by 0x12BF83: vshCommandRun (virsh.c:1751)
==16759==    by 0x126FFB: main (virsh.c:3205)
==16759==  Address 0xe1394a0 is not stack'd, malloc'd or (recently) free'd

==16759== 1 errors in context 2 of 8:
==16759== Conditional jump or move depends on uninitialised value(s)
==16759==    at 0x4A07477: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16759==    by 0x83CD329: xdr_string (in /usr/lib64/libc-2.17.so)
==16759==    by 0x4D93E4D: xdr_remote_nonnull_string (remote_protocol.c:31)
==16759==    by 0x4D94350: xdr_remote_nonnull_domain (remote_protocol.c:58)
==16759==    by 0x4D976C8: xdr_remote_domain_create_with_flags_ret (remote_protocol.c:1762)
==16759==    by 0x83CC734: xdr_free (in /usr/lib64/libc-2.17.so)
==16759==    by 0x4D7F1E0: remoteDomainCreateWithFlags (remote_driver.c:2441)
==16759==    by 0x4D4BF17: virDomainCreateWithFlags (libvirt.c:9499)
==16759==    by 0x13127A: cmdStart (virsh-domain.c:3376)
==16759==    by 0x12BF83: vshCommandRun (virsh.c:1751)
==16759==    by 0x126FFB: main (virsh.c:3205)
==16759==  Uninitialised value was created by a stack allocation
==16759==    at 0x4D7F120: remoteDomainCreateWithFlags (remote_driver.c:2423)

How to reproduce?

# virsh start <domain> --paused

RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=994855Signed-off-by: NAlex Jia <ajia@redhat.com>
(cherry picked from commit be7a89e8)

A fresh checkout on a RHEL 6 machine with these packages:
kernel-headers-2.6.32-405.el6.x86_64
glibc-2.12-1.128.el6.x86_64
failed to configure with this message:
checking for linux/if_bridge.h... no
configure: error: You must install kernel-headers in order to compile libvirt with QEMU or LXC support

Digging in config.log, we see that the problem is identical to
what we fixed earlier in commit d12c2811:

configure:98831: checking for linux/if_bridge.h
configure:98853: gcc -std=gnu99 -c -g -O2  conftest.c >&5
In file included from /usr/include/linux/if_bridge.h:17,
                 from conftest.c:559:
/usr/include/linux/in6.h:31: error: redefinition of 'struct in6_addr'
/usr/include/linux/in6.h:48: error: redefinition of 'struct sockaddr_in6'
/usr/include/linux/in6.h:56: error: redefinition of 'struct ipv6_mreq'
configure:98860: $? = 1

I had not hit it earlier because I was using incremental builds,
where config.cache had shielded me from the kernel-headers breakage.

* configure.ac (if_bridge.h): Avoid conflicting type definitions.
Signed-off-by: NEric Blake <eblake@redhat.com>
(cherry picked from commit 2df8d991)

https://bugzilla.redhat.com/show_bug.cgi?id=979477

Since 1.0.3 we are using the new way to copy non shared storage during
migration (the NBD way). However, whether the new or old way is used is
not controllable by user but unconditionally turned on if both sides of
migration support it. Moreover, the implementation is not complete: the
combination for VIR_MIGRATE_TUNNELLED flag is missing (as we need to
open new port on the destination) in which case we just error out. This
is a deadly combination: not letting users choose their destiny and
erroring out. We should not do that but VIR_WARN and turn the NBD off
instead.
(cherry picked from commit 5de58d87)

Commit 632180d1 introduced memory corruption in xenDaemonListDefinedDomains
by starting to populate the names array at index -1, causing all sorts
of havoc in libvirtd such as aborts like the following

*** Error in `/usr/sbin/libvirtd': double free or corruption (out): 0x00007fffe00ccf20 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7abf6)[0x7ffff3fa0bf6]
/lib64/libc.so.6(+0x7b973)[0x7ffff3fa1973]
/lib64/libc.so.6(xdr_array+0xde)[0x7ffff403cbae]
/usr/sbin/libvirtd(+0x50251)[0x5555555a4251]
/lib64/libc.so.6(xdr_free+0x15)[0x7ffff403ccd5]
/usr/lib64/libvirt.so.0(+0x1fad34)[0x7ffff76b1d34]
/usr/lib64/libvirt.so.0(virNetServerProgramDispatch+0x1fc)[0x7ffff76b16f1]
/usr/lib64/libvirt.so.0(+0x1f214a)[0x7ffff76a914a]
/usr/lib64/libvirt.so.0(+0x1f222d)[0x7ffff76a922d]
/usr/lib64/libvirt.so.0(+0xbcc4f)[0x7ffff7573c4f]
/usr/lib64/libvirt.so.0(+0xbc5e5)[0x7ffff75735e5]
/lib64/libpthread.so.0(+0x7e0f)[0x7ffff48f7e0f]
/lib64/libc.so.6(clone+0x6d)[0x7ffff400e7dd]

Fix by initializing ret to 0 and only setting to error on failure path.
(cherry picked from commit 0e671a16)

* configure.ac docs/news.html.in: update for the release
* po/*.po*: update localizations and regenerate

Commit 93ec384b was tested on mingw, but broke the build on Linux:

  CCLD     shunloadtest
shunloadtest.o: In function `main':
/home/eblake/libvirt/tests/shunloadtest.c:106: undefined reference to `virFilePrintf'
...
ssh.o: In function `main':
/home/eblake/libvirt/tests/ssh.c:43: undefined reference to `virFilePrintf'
/home/eblake/libvirt/tests/ssh.c:49: undefined reference to `virFilePrintf'

* tests/testutils.h (fprintf): Provide escape hatch.
* tests/shunloadtest.c: Use it.
* tests/ssh.c: Likewise.
Signed-off-by: NEric Blake <eblake@redhat.com>

Mingw *printf is a moving target; newer mingw now provides a version
of asprintf() that fails to understand %lld:

  CC       event_test-event-test.o
../../../../examples/domain-events/events-c/event-test.c: In function 'myDomainEventRTCChangeCallback':
../../../../examples/domain-events/events-c/event-test.c:270:18: error: unknown conversion type character 'l' in format [-Werror=format=]
                  virDomainGetID(dom), offset) < 0)
                  ^

But since our examples already admitted that they were hacking around
a mingw deficiency, it is easier to just use printf() directly, coupled
with <inttypes.h> macros, for a more portable work-around.

* examples/domain-events/events-c/event-test.c
(myDomainEventRTCChangeCallback): Use PRIdMAX instead of asprintf.
Signed-off-by: NEric Blake <eblake@redhat.com>

Commit a2619962 introduced virFilePrintf to work around the fact
that gnulib doesn't (yet) provide guarantees about fprintf() vs.
%z, which in turn causes all sorts of mingw compilation errors:

../../tests/testutils.c: In function 'virtTestResult':
../../tests/testutils.c:101:9: error: unknown conversion type character 'z' in format [-Werror=format=]
         fprintf(stderr, "%3zu) %-60s ", testCounter, name);
         ^

Rather than s/fprintf/virFilePrintf/ (and reformatting loads of
lines) across multiple files, it's easier to just hack the entire
testsuite to take advantage of our helper function.

* tests/testutils.c: s/fprintf/virFilePrintf/ for mingw.
Signed-off-by: NEric Blake <eblake@redhat.com>

A cross-compile to mingw failed:

  CC       virsystemdmock_la-virsystemdmock.lo
../../tests/virsystemdmock.c:29:6: error: 'dbus_connection_set_change_sigpipe' redeclared without dllimport attribute: previous dllimport ignored [-Werror=attributes]
 void dbus_connection_set_change_sigpipe(dbus_bool_t will_modify_sigpipe ATTRIBUTE_UNUSED)
      ^

But when you think about it, systemd is Linux-only, and even our
use of LD_PRELOAD to provide mock syscalls is Linux-only.

* tests/virsystemdmock.c: Avoid compilation outside Linux.
Signed-off-by: NEric Blake <eblake@redhat.com>

The VIR_DOMAIN_PAUSED_GUEST_PANICKED constant is badly named,
leaking the QEMU event name. Elsewhere in the API we use
'CRASHED' rather than 'PANICKED', and the addition of 'GUEST'
is redundant since all events are guest related.

Thus rename it to VIR_DOMAIN_PAUSED_CRASHED, which matches
with VIR_DOMAIN_RUNNING_CRASHED and VIR_DOMAIN_EVENT_CRASHED.

It was added in commit 14e7e0ae
which post-dates v1.1.0, so is safe to rename before 1.1.1
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The VIR_DOMAIN_SHUTDOWN_CRASHED state constant does not appear
to be used in the QEMU code anyway. It also doesn't make much
(any) sense, since the 'shutdown' state is a transient state
between 'running' and 'shutoff' and when a guest crashes, it
does not end up in a 'shutdown' state, only 'shutoff'.

It was added in commit 14e7e0ae
which post-dates v1.1.0, so is safe to remove before 1.1.1
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The way we were casting small (<32bit) integers was broken
on big endian hosts, causing stack smashing. This was detected
in the test suite either by test failures due to incorrect
results, or by libc/gcc abort'ing with its stack canary
triggered.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Current automake enables parallel test by default, which means test
details are only logged in test-suite.log and not printed to stderr.
This patch makes test failures directly visible in RPM build logs even
when parallel tests are turned on.

Depending on the set of mingw packages installed, it is possible
that other .c files hit the mingw header pollution from the
virdbus.h file.

In file included from ../../src/rpc/virnetserver.c:39:0:
../../src/util/virdbus.h:41:35: error: expected ';', ',' or ')' before 'struct'
                       const char *interface,
                                   ^

* src/util/virdbus.h (virDBusCallMethod): Match .c file change.
Signed-off-by: NEric Blake <eblake@redhat.com>

On platforms without decent group support, the build failed:

Cannot export virGetGroupList: symbol not defined
./.libs/libvirt_security_manager.a(libvirt_security_manager_la-security_dac.o): In function `virSecurityDACPreFork':
/home/eblake/libvirt-tmp/build/src/../../src/security/security_dac.c:248: undefined reference to `virGetGroupList'
collect2: error: ld returned 1 exit status

* src/util/virutil.c (virGetGroupList): Provide dummy implementation.
Signed-off-by: NEric Blake <eblake@redhat.com>