rpms / libvirt

Clone
Source Code
GIT

Blame SOURCES/libvirt-virdevmapper-Don-t-use-libdevmapper-to-obtain-dependencies.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-rhel c8-sig-altarch-stream-rhel c8-stream-rhel c8s-sig-hyperscale c8s-stream-rhel c9 c9-beta c9s-sig-hyperscale
  1.   2ba5aaceffa1cbb6a0a8ac79c6b530d41c63b532
  2.   SOURCES
  3.   libvirt-virdevmapper-Don-t-use-libdevmapper-to-obtain-dependencies.patch
Blob History Raw
ad1c90 
From 7ba9a0bbdf30984c13e7719e0646fffc7539f853 Mon Sep 17 00:00:00 2001
ad1c90 
Message-Id: <7ba9a0bbdf30984c13e7719e0646fffc7539f853@dist-git>
ad1c90 
From: Michal Privoznik <mprivozn@redhat.com>
ad1c90 
Date: Mon, 27 Jul 2020 12:36:52 +0200
ad1c90 
Subject: [PATCH] virdevmapper: Don't use libdevmapper to obtain dependencies
ad1c90 
MIME-Version: 1.0
ad1c90 
Content-Type: text/plain; charset=UTF-8
ad1c90 
Content-Transfer-Encoding: 8bit
ad1c90
ad1c90 
CVE-2020-14339
ad1c90
ad1c90 
When building domain's private /dev in a namespace, libdevmapper
ad1c90 
is consulted for getting full dependency tree of domain's disks.
ad1c90 
The reason is that for a multipath devices all dependent devices
ad1c90 
must be created in the namespace and allowed in CGroups.
ad1c90
ad1c90 
However, this approach is very fragile as building of namespace
ad1c90 
happens in the forked off child process, after mass close of FDs
ad1c90 
and just before dropping privileges and execing QEMU. And it so
ad1c90 
happens that when calling libdevmapper APIs, one of them opens
ad1c90 
/dev/mapper/control and saves the FD into a global variable. The
ad1c90 
FD is kept open until the lib is unlinked or dm_lib_release() is
ad1c90 
called explicitly. We are doing neither.
ad1c90
ad1c90 
However, the virDevMapperGetTargets() function is called also
ad1c90 
from libvirtd (when setting up CGroups) and thus has to be thread
ad1c90 
safe. Unfortunately, libdevmapper APIs are not thread safe (nor
ad1c90 
async signal safe) and thus we can't use them. Reimplement what
ad1c90 
libdevmapper would do using plain C (ioctl()-s, /proc/devices
ad1c90 
parsing, /dev/mapper dirwalking, and so on).
ad1c90
ad1c90 
Fixes: a30078cb832646177defd256e77c632905f1e6d0
ad1c90 
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1858260
ad1c90
ad1c90 
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
ad1c90 
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
ad1c90 
(cherry picked from commit 22494556542c676d1b9e7f1c1f2ea13ac17e1e3e)
ad1c90
ad1c90 
https://bugzilla.redhat.com/show_bug.cgi?id=1860421
ad1c90
ad1c90 
Conflicts:
ad1c90 
- po/POTFILES.in - In c6a0d3ff8b4ead3b1f38a40668df65f152cc2f32
ad1c90 
  (po: change the format of POTFILES.in) we've changed the format
ad1c90 
  of the file and haven't backported it, yet.
ad1c90
ad1c90 
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
ad1c90 
Message-Id: <bf0ad2c93723aab2579368496aab4289701a94d8.1595846084.git.mprivozn@redhat.com>
ad1c90 
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
ad1c90 
---
ad1c90 
 po/POTFILES.in          |   1 +
ad1c90 
 src/util/virdevmapper.c | 300 +++++++++++++++++++++++++++++-----------
ad1c90 
 2 files changed, 217 insertions(+), 84 deletions(-)
ad1c90
ad1c90 
diff --git a/po/POTFILES.in b/po/POTFILES.in
ad1c90 
index 29984042f4..49348292eb 100644
ad1c90 
--- a/po/POTFILES.in
ad1c90 
+++ b/po/POTFILES.in
ad1c90 
@@ -238,6 +238,7 @@
ad1c90 
 @SRCDIR@/src/util/vircrypto.c
ad1c90 
 @SRCDIR@/src/util/virdbus.c
ad1c90 
 @SRCDIR@/src/util/virdnsmasq.c
ad1c90 
+@SRCDIR@/src/util/virdevmapper.c
ad1c90 
 @SRCDIR@/src/util/virerror.c
ad1c90 
 @SRCDIR@/src/util/virerror.h
ad1c90 
 @SRCDIR@/src/util/virevent.c
ad1c90 
diff --git a/src/util/virdevmapper.c b/src/util/virdevmapper.c
ad1c90 
index 44c4731fb4..a471504176 100644
ad1c90 
--- a/src/util/virdevmapper.c
ad1c90 
+++ b/src/util/virdevmapper.c
ad1c90 
@@ -20,38 +20,67 @@
ad1c90
ad1c90 
 #include <config.h>
ad1c90
ad1c90 
+#include "virdevmapper.h"
ad1c90 
+#include "internal.h"
ad1c90 
+
ad1c90 
 #ifdef __linux__
ad1c90 
 # include <sys/sysmacros.h>
ad1c90 
-#endif
ad1c90 
+# include <linux/dm-ioctl.h>
ad1c90 
+# include <sys/ioctl.h>
ad1c90 
+# include <sys/types.h>
ad1c90 
+# include <sys/stat.h>
ad1c90 
+# include <fcntl.h>
ad1c90
ad1c90 
-#ifdef WITH_DEVMAPPER
ad1c90 
-# include <libdevmapper.h>
ad1c90 
-#endif
ad1c90 
+# include "virthread.h"
ad1c90 
+# include "viralloc.h"
ad1c90 
+# include "virstring.h"
ad1c90 
+# include "virfile.h"
ad1c90 
+
ad1c90 
+# define VIR_FROM_THIS VIR_FROM_STORAGE
ad1c90 
+
ad1c90 
+# define PROC_DEVICES "/proc/devices"
ad1c90 
+# define DM_NAME "device-mapper"
ad1c90 
+# define DEV_DM_DIR "/dev/" DM_DIR
ad1c90 
+# define CONTROL_PATH DEV_DM_DIR "/" DM_CONTROL_NODE
ad1c90 
+# define BUF_SIZE (16 * 1024)
ad1c90 
+
ad1c90 
+G_STATIC_ASSERT(BUF_SIZE > sizeof(struct dm_ioctl));
ad1c90 
+
ad1c90 
+static unsigned int virDMMajor;
ad1c90
ad1c90 
-#include "virdevmapper.h"
ad1c90 
-#include "internal.h"
ad1c90 
-#include "virthread.h"
ad1c90 
-#include "viralloc.h"
ad1c90 
-#include "virstring.h"
ad1c90 
-
ad1c90 
-#ifdef WITH_DEVMAPPER
ad1c90 
-static void
ad1c90 
-virDevMapperDummyLogger(int level G_GNUC_UNUSED,
ad1c90 
-                        const char *file G_GNUC_UNUSED,
ad1c90 
-                        int line G_GNUC_UNUSED,
ad1c90 
-                        int dm_errno G_GNUC_UNUSED,
ad1c90 
-                        const char *fmt G_GNUC_UNUSED,
ad1c90 
-                        ...)
ad1c90 
-{
ad1c90 
-    return;
ad1c90 
-}
ad1c90
ad1c90 
 static int
ad1c90 
 virDevMapperOnceInit(void)
ad1c90 
 {
ad1c90 
-    /* Ideally, we would not need this. But libdevmapper prints
ad1c90 
-     * error messages to stderr by default. Sad but true. */
ad1c90 
-    dm_log_with_errno_init(virDevMapperDummyLogger);
ad1c90 
+    g_autofree char *buf = NULL;
ad1c90 
+    VIR_AUTOSTRINGLIST lines = NULL;
ad1c90 
+    size_t i;
ad1c90 
+
ad1c90 
+    if (virFileReadAll(PROC_DEVICES, BUF_SIZE, &buf) < 0)
ad1c90 
+        return -1;
ad1c90 
+
ad1c90 
+    lines = virStringSplit(buf, "\n", 0);
ad1c90 
+    if (!lines)
ad1c90 
+        return -1;
ad1c90 
+
ad1c90 
+    for (i = 0; lines[i]; i++) {
ad1c90 
+        g_autofree char *dev = NULL;
ad1c90 
+        unsigned int maj;
ad1c90 
+
ad1c90 
+        if (sscanf(lines[i], "%u %ms\n", &maj, &dev) == 2 &&
ad1c90 
+            STREQ(dev, DM_NAME)) {
ad1c90 
+            virDMMajor = maj;
ad1c90 
+            break;
ad1c90 
+        }
ad1c90 
+    }
ad1c90 
+
ad1c90 
+    if (!lines[i]) {
ad1c90 
+        virReportError(VIR_ERR_INTERNAL_ERROR,
ad1c90 
+                       _("Unable to find major for %s"),
ad1c90 
+                       DM_NAME);
ad1c90 
+        return -1;
ad1c90 
+    }
ad1c90 
+
ad1c90 
     return 0;
ad1c90 
 }
ad1c90
ad1c90 
@@ -59,94 +88,190 @@ virDevMapperOnceInit(void)
ad1c90 
 VIR_ONCE_GLOBAL_INIT(virDevMapper);
ad1c90
ad1c90
ad1c90 
+static void *
ad1c90 
+virDMIoctl(int controlFD, int cmd, struct dm_ioctl *dm, char **buf)
ad1c90 
+{
ad1c90 
+    size_t bufsize = BUF_SIZE;
ad1c90 
+
ad1c90 
+ reread:
ad1c90 
+    *buf = g_new0(char, bufsize);
ad1c90 
+
ad1c90 
+    dm->version[0] = DM_VERSION_MAJOR;
ad1c90 
+    dm->version[1] = 0;
ad1c90 
+    dm->version[2] = 0;
ad1c90 
+    dm->data_size = bufsize;
ad1c90 
+    dm->data_start = sizeof(struct dm_ioctl);
ad1c90 
+
ad1c90 
+    memcpy(*buf, dm, sizeof(struct dm_ioctl));
ad1c90 
+
ad1c90 
+    if (ioctl(controlFD, cmd, *buf) < 0) {
ad1c90 
+        VIR_FREE(*buf);
ad1c90 
+        return NULL;
ad1c90 
+    }
ad1c90 
+
ad1c90 
+    memcpy(dm, *buf, sizeof(struct dm_ioctl));
ad1c90 
+
ad1c90 
+    if (dm->flags & DM_BUFFER_FULL_FLAG) {
ad1c90 
+        bufsize += BUF_SIZE;
ad1c90 
+        VIR_FREE(*buf);
ad1c90 
+        goto reread;
ad1c90 
+    }
ad1c90 
+
ad1c90 
+    return *buf + dm->data_start;
ad1c90 
+}
ad1c90 
+
ad1c90 
+
ad1c90 
 static int
ad1c90 
-virDevMapperGetTargetsImpl(const char *path,
ad1c90 
+virDMOpen(void)
ad1c90 
+{
ad1c90 
+    VIR_AUTOCLOSE controlFD = -1;
ad1c90 
+    struct dm_ioctl dm;
ad1c90 
+    g_autofree char *tmp = NULL;
ad1c90 
+    int ret;
ad1c90 
+
ad1c90 
+    memset(&dm, 0, sizeof(dm));
ad1c90 
+
ad1c90 
+    if ((controlFD = open(CONTROL_PATH, O_RDWR)) < 0)
ad1c90 
+        return -1;
ad1c90 
+
ad1c90 
+    if (!virDMIoctl(controlFD, DM_VERSION, &dm, &tmp)) {
ad1c90 
+        virReportSystemError(errno, "%s",
ad1c90 
+                             _("Unable to get device-mapper version"));
ad1c90 
+        return -1;
ad1c90 
+    }
ad1c90 
+
ad1c90 
+    if (dm.version[0] != DM_VERSION_MAJOR) {
ad1c90 
+        virReportError(VIR_ERR_OPERATION_UNSUPPORTED,
ad1c90 
+                       _("Unsupported device-mapper version. Expected %d got %d"),
ad1c90 
+                       DM_VERSION_MAJOR, dm.version[0]);
ad1c90 
+        return -1;
ad1c90 
+    }
ad1c90 
+
ad1c90 
+    ret = controlFD;
ad1c90 
+    controlFD = -1;
ad1c90 
+    return ret;
ad1c90 
+}
ad1c90 
+
ad1c90 
+
ad1c90 
+static char *
ad1c90 
+virDMSanitizepath(const char *path)
ad1c90 
+{
ad1c90 
+    g_autofree char *dmDirPath = NULL;
ad1c90 
+    struct dirent *ent = NULL;
ad1c90 
+    struct stat sb[2];
ad1c90 
+    DIR *dh = NULL;
ad1c90 
+    const char *p;
ad1c90 
+    char *ret = NULL;
ad1c90 
+    int rc;
ad1c90 
+
ad1c90 
+    /* If a path is NOT provided then assume it's DM name */
ad1c90 
+    p = strrchr(path, '/');
ad1c90 
+
ad1c90 
+    if (!p)
ad1c90 
+        return g_strdup(path);
ad1c90 
+    else
ad1c90 
+        p++;
ad1c90 
+
ad1c90 
+    /* It's a path. Check if the last component is DM name */
ad1c90 
+    if (stat(path, &sb[0]) < 0) {
ad1c90 
+        virReportError(errno,
ad1c90 
+                       _("Unable to stat %p"),
ad1c90 
+                       path);
ad1c90 
+        return NULL;
ad1c90 
+    }
ad1c90 
+
ad1c90 
+    dmDirPath = g_strdup_printf(DEV_DM_DIR "/%s", p);
ad1c90 
+
ad1c90 
+    if (stat(dmDirPath, &sb[1]) == 0 &&
ad1c90 
+        sb[0].st_rdev == sb[1].st_rdev) {
ad1c90 
+        return g_strdup(p);
ad1c90 
+    }
ad1c90 
+
ad1c90 
+    /* The last component of @path wasn't DM name. Let's check if
ad1c90 
+     * there's a device under /dev/mapper/ with the same rdev. */
ad1c90 
+    if (virDirOpen(&dh, DEV_DM_DIR) < 0)
ad1c90 
+        return NULL;
ad1c90 
+
ad1c90 
+    while ((rc = virDirRead(dh, &ent, DEV_DM_DIR)) > 0) {
ad1c90 
+        g_autofree char *tmp = g_strdup_printf(DEV_DM_DIR "/%s", ent->d_name);
ad1c90 
+
ad1c90 
+        if (stat(tmp, &sb[1]) == 0 &&
ad1c90 
+            sb[0].st_rdev == sb[0].st_rdev) {
ad1c90 
+            ret = g_steal_pointer(&tmp);
ad1c90 
+            break;
ad1c90 
+        }
ad1c90 
+    }
ad1c90 
+
ad1c90 
+    virDirClose(&dh);
ad1c90 
+    return ret;
ad1c90 
+}
ad1c90 
+
ad1c90 
+
ad1c90 
+static int
ad1c90 
+virDevMapperGetTargetsImpl(int controlFD,
ad1c90 
+                           const char *path,
ad1c90 
                            char ***devPaths_ret,
ad1c90 
                            unsigned int ttl)
ad1c90 
 {
ad1c90 
-    struct dm_task *dmt = NULL;
ad1c90 
-    struct dm_deps *deps;
ad1c90 
-    struct dm_info info;
ad1c90 
+    g_autofree char *sanitizedPath = NULL;
ad1c90 
+    g_autofree char *buf = NULL;
ad1c90 
+    struct dm_ioctl dm;
ad1c90 
+    struct dm_target_deps *deps = NULL;
ad1c90 
     VIR_AUTOSTRINGLIST devPaths = NULL;
ad1c90 
     size_t i;
ad1c90 
-    int ret = -1;
ad1c90
ad1c90 
+    memset(&dm, 0, sizeof(dm));
ad1c90 
     *devPaths_ret = NULL;
ad1c90
ad1c90 
-    if (virDevMapperInitialize() < 0)
ad1c90 
-        return ret;
ad1c90 
-
ad1c90 
     if (ttl == 0) {
ad1c90 
         errno = ELOOP;
ad1c90 
-        return ret;
ad1c90 
+        return -1;
ad1c90 
     }
ad1c90
ad1c90 
     if (!virIsDevMapperDevice(path))
ad1c90 
         return 0;
ad1c90
ad1c90 
-    if (!(dmt = dm_task_create(DM_DEVICE_DEPS))) {
ad1c90 
-        if (errno == ENOENT || errno == ENODEV) {
ad1c90 
-            /* It's okay. Kernel is probably built without
ad1c90 
-             * devmapper support. */
ad1c90 
-            ret = 0;
ad1c90 
-        }
ad1c90 
-        return ret;
ad1c90 
-    }
ad1c90 
-
ad1c90 
-    if (!dm_task_set_name(dmt, path)) {
ad1c90 
-        if (errno == ENOENT) {
ad1c90 
-            /* It's okay, @path is not managed by devmapper =>
ad1c90 
-             * not a devmapper device. */
ad1c90 
-            ret = 0;
ad1c90 
-        }
ad1c90 
-        goto cleanup;
ad1c90 
-    }
ad1c90 
-
ad1c90 
-    dm_task_no_open_count(dmt);
ad1c90 
+    if (!(sanitizedPath = virDMSanitizepath(path)))
ad1c90 
+        return 0;
ad1c90
ad1c90 
-    if (!dm_task_run(dmt)) {
ad1c90 
-        if (errno == ENXIO) {
ad1c90 
-            /* If @path = "/dev/mapper/control" ENXIO is returned. */
ad1c90 
-            ret = 0;
ad1c90 
-        }
ad1c90 
-        goto cleanup;
ad1c90 
+    if (virStrncpy(dm.name, sanitizedPath, -1, DM_TABLE_DEPS) < 0) {
ad1c90 
+        virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
ad1c90 
+                       _("Resolved device mapper name too long"));
ad1c90 
+        return -1;
ad1c90 
     }
ad1c90
ad1c90 
-    if (!dm_task_get_info(dmt, &info))
ad1c90 
-        goto cleanup;
ad1c90 
+    deps = virDMIoctl(controlFD, DM_TABLE_DEPS, &dm, &buf;;
ad1c90 
+    if (!deps) {
ad1c90 
+        if (errno == ENXIO)
ad1c90 
+            return 0;
ad1c90
ad1c90 
-    if (!info.exists) {
ad1c90 
-        ret = 0;
ad1c90 
-        goto cleanup;
ad1c90 
+        virReportSystemError(errno,
ad1c90 
+                             _("Unable to query dependencies for %s"),
ad1c90 
+                             path);
ad1c90 
+        return -1;
ad1c90 
     }
ad1c90
ad1c90 
-    if (!(deps = dm_task_get_deps(dmt)))
ad1c90 
-        goto cleanup;
ad1c90 
-
ad1c90 
     if (VIR_ALLOC_N_QUIET(devPaths, deps->count + 1) < 0)
ad1c90 
-        goto cleanup;
ad1c90 
+        return -1;
ad1c90
ad1c90 
     for (i = 0; i < deps->count; i++) {
ad1c90 
         devPaths[i] = g_strdup_printf("/dev/block/%u:%u",
ad1c90 
-                                      major(deps->device[i]),
ad1c90 
-                                      minor(deps->device[i]));
ad1c90 
+                                      major(deps->dev[i]),
ad1c90 
+                                      minor(deps->dev[i]));
ad1c90 
     }
ad1c90
ad1c90 
     for (i = 0; i < deps->count; i++) {
ad1c90 
         VIR_AUTOSTRINGLIST tmpPaths = NULL;
ad1c90
ad1c90 
-        if (virDevMapperGetTargetsImpl(devPaths[i], &tmpPaths, ttl - 1) < 0)
ad1c90 
-            goto cleanup;
ad1c90 
+        if (virDevMapperGetTargetsImpl(controlFD, devPaths[i], &tmpPaths, ttl - 1) < 0)
ad1c90 
+            return -1;
ad1c90
ad1c90 
         if (virStringListMerge(&devPaths, &tmpPaths) < 0)
ad1c90 
-            goto cleanup;
ad1c90 
+            return -1;
ad1c90 
     }
ad1c90
ad1c90 
     *devPaths_ret = g_steal_pointer(&devPaths);
ad1c90 
-    ret = 0;
ad1c90 
- cleanup:
ad1c90 
-    dm_task_destroy(dmt);
ad1c90 
-    return ret;
ad1c90 
+    return 0;
ad1c90 
 }
ad1c90
ad1c90
ad1c90 
@@ -165,9 +290,6 @@ virDevMapperGetTargetsImpl(const char *path,
ad1c90 
  * If @path consists of yet another devmapper targets these are
ad1c90 
  * consulted recursively.
ad1c90 
  *
ad1c90 
- * If we don't have permissions to talk to kernel, -1 is returned
ad1c90 
- * and errno is set to EBADF.
ad1c90 
- *
ad1c90 
  * Returns 0 on success,
ad1c90 
  *        -1 otherwise (with errno set, no libvirt error is
ad1c90 
  *        reported)
ad1c90 
@@ -176,13 +298,20 @@ int
ad1c90 
 virDevMapperGetTargets(const char *path,
ad1c90 
                        char ***devPaths)
ad1c90 
 {
ad1c90 
+    VIR_AUTOCLOSE controlFD = -1;
ad1c90 
     const unsigned int ttl = 32;
ad1c90
ad1c90 
     /* Arbitrary limit on recursion level. A devmapper target can
ad1c90 
      * consist of devices or yet another targets. If that's the
ad1c90 
      * case, we have to stop recursion somewhere. */
ad1c90
ad1c90 
-    return virDevMapperGetTargetsImpl(path, devPaths, ttl);
ad1c90 
+    if (virDevMapperInitialize() < 0)
ad1c90 
+        return -1;
ad1c90 
+
ad1c90 
+    if ((controlFD = virDMOpen()) < 0)
ad1c90 
+        return -1;
ad1c90 
+
ad1c90 
+    return virDevMapperGetTargetsImpl(controlFD, path, devPaths, ttl);
ad1c90 
 }
ad1c90
ad1c90
ad1c90 
@@ -191,15 +320,18 @@ virIsDevMapperDevice(const char *dev_name)
ad1c90 
 {
ad1c90 
     struct stat buf;
ad1c90
ad1c90 
+    if (virDevMapperInitialize() < 0)
ad1c90 
+        return false;
ad1c90 
+
ad1c90 
     if (!stat(dev_name, &buf) &&
ad1c90 
         S_ISBLK(buf.st_mode) &&
ad1c90 
-        dm_is_dm_major(major(buf.st_rdev)))
ad1c90 
-            return true;
ad1c90 
+        major(buf.st_rdev) == virDMMajor)
ad1c90 
+        return true;
ad1c90
ad1c90 
     return false;
ad1c90 
 }
ad1c90
ad1c90 
-#else /* ! WITH_DEVMAPPER */
ad1c90 
+#else /* !defined(__linux__)  */
ad1c90
ad1c90 
 int
ad1c90 
 virDevMapperGetTargets(const char *path G_GNUC_UNUSED,
ad1c90 
@@ -215,4 +347,4 @@ virIsDevMapperDevice(const char *dev_name G_GNUC_UNUSED)
ad1c90 
 {
ad1c90 
     return false;
ad1c90 
 }
ad1c90 
-#endif /* ! WITH_DEVMAPPER */
ad1c90 
+#endif /* ! defined(__linux__) */
ad1c90 
--
ad1c90 
2.28.0
ad1c90

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation