- 13 11月, 2013 2 次提交
-
-
由 Michal Privoznik 提交于
Since 86d90b3a (yes, my patch; again) we are supporting NBD storage migration. However, on error recovery path we got the steps reversed. The correct order is: return NBD port to the virPortAllocator and then either unlock the vm or remove it from the driver. Not vice versa. ==11192== Invalid write of size 4 ==11192== at 0x11488559: qemuMigrationPrepareAny (qemu_migration.c:2459) ==11192== by 0x11488EA6: qemuMigrationPrepareDirect (qemu_migration.c:2652) ==11192== by 0x114D1509: qemuDomainMigratePrepare3Params (qemu_driver.c:10332) ==11192== by 0x519075D: virDomainMigratePrepare3Params (libvirt.c:7290) ==11192== by 0x1502DA: remoteDispatchDomainMigratePrepare3Params (remote.c:4798) ==11192== by 0x12DECA: remoteDispatchDomainMigratePrepare3ParamsHelper (remote_dispatch.h:5741) ==11192== by 0x5212127: virNetServerProgramDispatchCall (virnetserverprogram.c:435) ==11192== by 0x5211C86: virNetServerProgramDispatch (virnetserverprogram.c:305) ==11192== by 0x520A8FD: virNetServerProcessMsg (virnetserver.c:165) ==11192== by 0x520A9E1: virNetServerHandleJob (virnetserver.c:186) ==11192== by 0x50DA78F: virThreadPoolWorker (virthreadpool.c:144) ==11192== by 0x50DA11C: virThreadHelper (virthreadpthread.c:161) ==11192== Address 0x1368baa0 is 576 bytes inside a block of size 688 free'd ==11192== at 0x4A07F5C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==11192== by 0x5079A2F: virFree (viralloc.c:580) ==11192== by 0x11456C34: qemuDomainObjPrivateFree (qemu_domain.c:267) ==11192== by 0x50F41B4: virDomainObjDispose (domain_conf.c:2034) ==11192== by 0x50C2991: virObjectUnref (virobject.c:262) ==11192== by 0x50F4CFC: virDomainObjListRemove (domain_conf.c:2361) ==11192== by 0x1145C125: qemuDomainRemoveInactive (qemu_domain.c:2087) ==11192== by 0x11488520: qemuMigrationPrepareAny (qemu_migration.c:2456) ==11192== by 0x11488EA6: qemuMigrationPrepareDirect (qemu_migration.c:2652) ==11192== by 0x114D1509: qemuDomainMigratePrepare3Params (qemu_driver.c:10332) ==11192== by 0x519075D: virDomainMigratePrepare3Params (libvirt.c:7290) ==11192== by 0x1502DA: remoteDispatchDomainMigratePrepare3Params (remote.c:4798) Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> (cherry picked from commit 1f2f879e)
-
由 Ján Tomko 提交于
When opening a new connection to the driver, nwfilterOpen only succeeds if the driverState has been allocated. Move the privilege check in driver initialization before the state allocation to disable the driver. This changes the nwfilter-define error from: error: cannot create config directory (null): Bad address To: this function is not supported by the connection driver: virNWFilterDefineXML https://bugzilla.redhat.com/show_bug.cgi?id=1029266 (cherry picked from commit b7829f95)
-
- 30 10月, 2013 13 次提交
-
-
由 Daniel P. Berrange 提交于
Avoid people introducing security flaws in their apps by forbidding the use of libvirt.so in setuid programs, with a check in virInitialize. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 9cd6a57d)
-
由 Daniel P. Berrange 提交于
Most of the usage of getuid()/getgid() is in cases where we are considering what privileges we have. As such the code should be using the effective IDs, not real IDs. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 9b0af092)
-
由 Daniel P. Berrange 提交于
We already have stubs for getuid, geteuid, getgid but not for getegid. Something in gnulib already does a check for it during configure, so we already have the HAVE_GETEGID macro defined. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit c566fa1a)
-
由 Daniel P. Berrange 提交于
We don't want setuid programs automatically spawning libvirtd, so disable any use of autostart when setuid. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 171bb129)
-
由 Daniel P. Berrange 提交于
We don't know enough about quality of external libraries used for non-UNIX transports, nor do we want to spawn external commands when setuid. Restrict to the bare minimum which is UNIX transport for local usage. Users shouldn't need to be running setuid if connecting to remote hypervisors in any case. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit e22b0232)
-
由 Daniel P. Berrange 提交于
The use of getenv is typically insecure, and we want people to use our wrappers, to force them to think about setuid needs. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 71b21f12)
-
由 Daniel P. Berrange 提交于
Unconditional use of getenv is not secure in setuid env. While not all libvirt code runs in a setuid env (since much of it only exists inside libvirtd) this is not always clear to developers. So make all the code paranoid, even if it only ever runs inside libvirtd. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 1e4a02bd)
-
由 Daniel P. Berrange 提交于
When running setuid, we must be careful about what env vars we allow commands to inherit from us. Replace the virCommandAddEnvPass function with two new ones which do filtering virCommandAddEnvPassAllowSUID virCommandAddEnvPassBlockSUID And make virCommandAddEnvPassCommon use the appropriate ones Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 9b8f307c) Conflicts: src/qemu/qemu_command.c
-
由 Daniel P. Berrange 提交于
In Fedora 20, libvirt_lxc crashes immediately at startup with a trace #0 0x00007f0cddb653ec in free () from /lib64/libc.so.6 #1 0x00007f0ce0e16f4a in virFree (ptrptr=ptrptr@entry=0x7f0ce1830058) at util/viralloc.c:580 #2 0x00007f0ce0e2764b in virResetError (err=0x7f0ce1830030) at util/virerror.c:354 #3 0x00007f0ce0e27a5a in virResetLastError () at util/virerror.c:387 #4 0x00007f0ce0e28858 in virEventRegisterDefaultImpl () at util/virevent.c:233 #5 0x00007f0ce0db47c6 in main (argc=11, argv=0x7fff4596c328) at lxc/lxc_controller.c:2352 Normally virInitialize calls virErrorInitialize and virThreadInitialize, but we don't link to libvirt.so in libvirt_lxc, and nor did we ever call the error or thread initializers. I have absolutely no idea how this has ever worked, let alone what caused it to stop working in Fedora 20. In addition not all code paths from virLogSetFromEnv will ensure virLogInitialize is called correctly, which is another possible crash scenario. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 97973ebb)
-
由 Daniel P. Berrange 提交于
The log message regex has been [0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3}\+[0-9]{4}: [0-9]+: debug|info|warning|error : The precedence of '|' is high though, so this is equivalent to matching [0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3}\+[0-9]{4}: [0-9]+: debug Or info Or warning Or error : Which is clearly not what it should have done. This caused the code to skip over things which are not log messages. The solution is to simply add brackets. A test case is also added to validate correctness. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 5787f0b9)
-
由 Daniel P. Berrange 提交于
Many people will not want the setuid virt-login-shell binary installed by default, so move it into a separate sub-RPM named libvirt-login-shell. This RPM is only generated if LXC is enabled Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 8adc9269)
-
由 Eric Blake 提交于
'make rpm' failed if ~/.rpmmacros contains '%_without_lxc 1', which simulates the case of not having lxc available. RPM build errors: File not found: /home/eblake/rpmbuild/BUILDROOT/libvirt-1.1.1-1.fc19.x86_64/etc/libvirt/virt-login-shell.conf File not found by glob: /home/eblake/rpmbuild/BUILDROOT/libvirt-1.1.1-1.fc19.x86_64/usr/share/man/man1/virt-login-shell.1* File not found: /home/eblake/rpmbuild/BUILDROOT/libvirt-1.1.1-1.fc19.x86_64/usr/bin/virt-login-shell make: *** [rpm] Error 1 Reported by Dan Berrange. * libvirt.spec.in: Mark virt-login-shell as conditional on lxc. Signed-off-by: NEric Blake <eblake@redhat.com> (cherry picked from commit d42906fd)
-
由 Daniel P. Berrange 提交于
The virt-login-shell binary shouldn't need to execute programs relying on $PATH, but just in case set a fixed $PATH value of /bin:/usr/bin Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit d665003d)
-
- 23 10月, 2013 3 次提交
-
-
由 Marian Neagul 提交于
Commit d76227be added functions virDomainCreateWithFiles and virDomainCreateXMLWithFiles, but there was a little piece missing in python bindings. This patch fixes proper passing of file descriptors in the overwrites of these functions.
-
由 Jim Fehlig 提交于
On systems where gnutls uses libgcrypt, I'm seeing the following build failure libvirt.c:314: error: variable 'virTLSThreadImpl' has initializer but incomplete type libvirt.c:319: error: 'GCRY_THREAD_OPTION_PTHREAD' undeclared here (not in a function) ... Fix by undefining WITH_GNUTLS_GCRYPT in config-post.h
-
由 Jim Fehlig 提交于
After commit 3e2f27e1, I've noticed build failures of virt-login-shell when libapparmor-devel is installed on the build host CCLD virt-login-shell ../src/.libs/libvirt-setuid-rpc-client.a(libvirt_setuid_rpc_client_la-vircommand.o): In function `virExec': /home/jfehlig/virt/upstream/libvirt/src/util/vircommand.c:653: undefined reference to `aa_change_profile' collect2: error: ld returned 1 exit status I was about to commit an easy fix under the build-breaker rule (build-fix-1.patch), but thought to extend the notion of SECDRIVER_LIBS to SECDRIVER_CFLAGS, and use both throughout src/Makefile.am where it makes sense (build-fix-2.patch). Should I just stick with the simple fix, or is something along the lines of patch 2 preferred? Regards, Jim >From a0f35945f3127ab70d051101037e821b1759b4bb Mon Sep 17 00:00:00 2001 From: Jim Fehlig <jfehlig@suse.com> Date: Mon, 21 Oct 2013 15:30:02 -0600 Subject: [PATCH] build: fix virt-login-shell build with apparmor With libapparmor-devel installed, virt-login-shell fails to link CCLD virt-login-shell ../src/.libs/libvirt-setuid-rpc-client.a(libvirt_setuid_rpc_client_la-vircommand.o): In function `virExec': /home/jfehlig/virt/upstream/libvirt/src/util/vircommand.c:653: undefined reference to `aa_change_profile' collect2: error: ld returned 1 exit status Fix by linking libvirt_setuid_rpc_client with previously determined SECDRIVER_LIBS in src/Makefile.am. While at it, introduce SECDRIVER_CFLAGS and use both throughout src/Makefile.am where it makes sense. Signed-off-by: NJim Fehlig <jfehlig@suse.com> Conflicts: src/Makefile.am: Context
-
- 21 10月, 2013 5 次提交
-
-
由 Daniel P. Berrange 提交于
The libvirt.so library has far too many library deps to allow linking against it from setuid programs. Those libraries can do stuff in __attribute__((constructor) functions which is not setuid safe. The virt-login-shell needs to link directly against individual files that it uses, with all library deps turned off except for libxml2 and libselinux. Create a libvirt-setuid-rpc-client.la library which is linked to by virt-login-shell. A config-post.h file allows this library to disable all external deps except libselinux and libxml2. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 3e2f27e1)
-
由 Daniel P. Berrange 提交于
We don't want to inherit any FDs in the new namespace except for the stdio FDs. Explicitly close them all, just in case some do not have the close-on-exec flag set. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit b7fcc799)
-
由 Daniel P. Berrange 提交于
We must not allow file/syslog/journald log outputs when running setuid since they can be abused to do bad things. In particular the 'file' output can be used to overwrite files. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 8c3586ea)
-
由 Daniel P. Berrange 提交于
Care must be taken accessing env variables when running setuid. Introduce a virGetEnvAllowSUID for env vars which are safe to use in a setuid environment, and another virGetEnvBlockSUID for vars which are not safe. Also add a virIsSUID helper method for any other non-env var code to use. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit ae53e5d1)
-
由 Daniel P. Berrange 提交于
The virConnectDomainXMLToNative API should require 'connect:write' not 'connect:read', since it will trigger execution of the QEMU binaries listed in the XML. Also make virConnectDomainXMLFromNative API require a full read-write connection and 'connect:write' permission. Although the current impl doesn't trigger execution of QEMU, we should not rely on that impl detail from an API permissioning POV. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 57687fd6)
-
- 18 10月, 2013 1 次提交
-
-
由 Zhou Yimin 提交于
Introduced by 7b87a3 When I quit the process which only register VIR_DOMAIN_EVENT_ID_REBOOT, I got error like: "libvirt: XML-RPC error : internal error: domain event 0 not registered". Then I add the following code, it fixed. Signed-off-by: NZhou Yimin <zhouyimin@huawei.com> Signed-off-by: NEric Blake <eblake@redhat.com> (cherry picked from commit 9712c251)
-
- 15 10月, 2013 7 次提交
-
-
由 Daniel Hansel 提交于
Introduced by commit 3f029fb5 the RPM build was broken due to a missing LXC textcase. Signed-off-by: NDaniel Hansel <daniel.hansel@linux.vnet.ibm.com> (cherry picked from commit 6285c17f)
-
由 Ján Tomko 提交于
Introduced by 1fa7946f. https://bugzilla.redhat.com/show_bug.cgi?id=1019023 (cherry picked from commit 15fac93b)
-
由 Ján Tomko 提交于
Since 76b644c3 when the support for RAM filesystems was introduced, libvirt accepted the following XML: <source usage='1024' unit='KiB'/> This was parsed correctly and internally stored in bytes, but it was formatted as (with an extra 's'): <source usage='1024' units='KiB'/> When read again, this was treated as if the units were missing, meaning libvirt was unable to parse its own XML correctly. The usage attribute was documented as being in KiB, but it was not scaled if the unit was missing. Transient domains still worked, because this was balanced by an extra 'k' in the mount options. This patch: Changes the parser to use 'units' instead of 'unit', as the latter was never documented (fixing persistent domains) and some programs (libvirt-glib, libvirt-sandbox) already parse the 'units' attribute. Removes the extra 'k' from the tmpfs mount options, which is needed because now we parse our own XML correctly. Changes the default input unit to KiB to match documentation, fixing: https://bugzilla.redhat.com/show_bug.cgi?id=1015689 (cherry picked from commit 3f029fb5)
-
由 Michal Privoznik 提交于
After successful @cmd construction the memory where @keys points to is part of @cmd. Avoid double freeing it. (cherry picked from commit 3e8343e1)
-
由 Liuji (Jeremy) 提交于
After freeing the bitmap pointer, it must set the pointer to NULL. This will avoid any other use of the freed memory of the bitmap pointer. https://bugzilla.redhat.com/show_bug.cgi?id=1006710Signed-off-by: NLiuji (Jeremy) <jeremy.liu@huawei.com> (cherry picked from commit ef5d51d4)
-
由 Ján Tomko 提交于
https://bugzilla.redhat.com/show_bug.cgi?id=1008619 1,003 bytes in 1 blocks are definitely lost in loss record 599 of 635 ==404== by 0x50728A7: virBufferAddChar (virbuffer.c:185) ==404== by 0x50BC466: virSystemdEscapeName (virsystemd.c:67) ==404== by 0x50BC6B2: virSystemdMakeSliceName (virsystemd.c:108) ==404== by 0x50BC870: virSystemdCreateMachine (virsystemd.c:169) ==404== by 0x5078267: virCgroupNewMachine (vircgroup.c:1498) (cherry picked from commit 09b48562)
-
由 Jiri Denemark 提交于
https://bugzilla.redhat.com/show_bug.cgi?id=1006864 Commit 38ab1225 changed the default value of ret from true to false but forgot to set ret = true when job is NONE. Thus, virsh domjobinfo returned 1 when there was no job running for a domain but it used to (and should) return 0 in this case. (cherry picked from commit f084caae)
-
- 07 10月, 2013 1 次提交
-
-
由 Claudio Bley 提交于
Commit 27e81517 set the payload size to 256 KB, which is actually the max packet size, including the size of the header. Reduce this by VIR_NET_MESSAGE_HEADER_MAX (24) and set VIR_NET_MESSAGE_LEGACY_PAYLOAD_MAX to 262120, which was the original value before increasing the limit in commit eb635de1. (cherry picked from commit 609eb987)
-
- 01 10月, 2013 1 次提交
-
-
由 Daniel P. Berrange 提交于
The libvirtd server pushes data out to clients. It does not know what protocol version the client might have, so must be conservative and use the old payload limits. ie send no more than 256kb of data per packet. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 27e81517)
-
- 27 9月, 2013 1 次提交
-
-
由 Daniel P. Berrange 提交于
When a client disconnects from libvirtd, all event callbacks must be removed. This involves running the public API virConnectDomainEventDeregisterAny This code does not run in normal API dispatch context, so no identity was set. The result was that the access control drivers denied the attempt to deregister callbacks. The callbacks thus continued to trigger after the client was free'd causing fairly predictable use of free memory & a crash. This can be triggered by any client with readonly access when the ACL drivers are active. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 8294aa0c)
-
- 25 9月, 2013 1 次提交
-
-
由 Martin Kletzander 提交于
Since the wait is done during migration (still inside QEMU_ASYNC_JOB_MIGRATION_OUT), the code should enter the monitor as such in order to prohibit all other jobs from interfering in the meantime. This patch fixes bug #1009886 in which qemuDomainGetBlockInfo was waiting on the monitor condition and after GetSpiceMigrationStatus mangled its internal data, the daemon crashed. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1009886 (cherry picked from commit 484cc321)
-
- 24 9月, 2013 1 次提交
-
-
由 Daniel P. Berrange 提交于
The fix for CVE-2013-4311 had a pre-requisite enhancement to the identity code commit db7a5688 Author: Daniel P. Berrange <berrange@redhat.com> Date: Thu Aug 22 16:00:01 2013 +0100 Also store user & group ID values in virIdentity This had a typo which caused the group ID to overwrite the user ID string. This meant any checks using this would have the wrong ID value. This only affected the ACL code, not the initial polkit auth. It also leaked memory. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit e4697b92)
-
- 20 9月, 2013 1 次提交
-
-
由 Simone Gotti 提交于
After commit 8aecd351 it'll detect that a required option is not defined and it will assert and exit with: virsh.c:1364: vshCommandOpt: Assertion `valid->name' failed. Problem has been latent since commit ed23b106. Signed-off-by: NEric Blake <eblake@redhat.com> (cherry picked from commit fe64499d)
-
- 19 9月, 2013 1 次提交
-
-
由 Daniel P. Berrange 提交于
The 'stats' variable was not initialized to NULL, so if some early validation of the RPC call fails, it is possible to jump to the 'cleanup' label and VIR_FREE an uninitialized pointer. This is a security flaw, since the API can be called from a readonly connection which can trigger the validation checks. This was introduced in release v0.9.1 onwards by commit 158ba873 Author: Daniel P. Berrange <berrange@redhat.com> Date: Wed Apr 13 16:21:35 2011 +0100 Merge all returns paths from dispatcher into single path Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit e7f400a1)
-
- 18 9月, 2013 2 次提交
-
-
由 Daniel P. Berrange 提交于
With the existing pkcheck (pid, start time) tuple for identifying the process, there is a race condition, where a process can make a libvirt RPC call and in another thread exec a setuid application, causing it to change to effective UID 0. This in turn causes polkit to do its permission check based on the wrong UID. To address this, libvirt must get the UID the caller had at time of connect() (from SO_PEERCRED) and pass a (pid, start time, uid) triple to the pkcheck program. This fix requires that libvirt is re-built against a version of polkit that has the fix for its CVE-2013-4288, so that libvirt can see 'pkg-config --variable pkcheck_supports_uid polkit-gobject-1' Signed-off-by: NColin Walters <walters@redhat.com> Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 922b7fda)
-
由 Daniel P. Berrange 提交于
The polkit access driver will want to use the process start time field. This was already set for network identities, but not for the system identity. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit e65667c0)
-