From 44539dfc946e641cd32d84b13f32894d37a8476c Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jan 05 2015 19:37:50 +0000
Subject: import libvirt-1.1.1-29.el7_0.4
---
diff --git a/SOURCES/libvirt-CVE-2014-7823-dumpxml-security-hole-with-migratable-flag.patch b/SOURCES/libvirt-CVE-2014-7823-dumpxml-security-hole-with-migratable-flag.patch
new file mode 100644
index 0000000..6441809
--- /dev/null
+++ b/SOURCES/libvirt-CVE-2014-7823-dumpxml-security-hole-with-migratable-flag.patch
@@ -0,0 +1,70 @@
+From aa85786b2868f5d2372d98e5630dd0be32997f18 Mon Sep 17 00:00:00 2001
+Message-Id:
+From: Eric Blake
+Date: Thu, 6 Nov 2014 09:56:08 +0100
+Subject: [PATCH] CVE-2014-7823: dumpxml: security hole with migratable flag
+
+Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
+the qemu implementation of virDomainGetXMLDesc, the use of the
+flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
+connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
+prior to calling qemuDomainFormatXML. However, the use of
+VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
+clients only. This patch treats the migratable flag as requiring
+the same permissions, rather than analyzing what might break if
+migratable xml no longer includes secret information.
+
+Fortunately, the information leak is low-risk: all that is gated
+by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
+but VNC passwords are already weak (FIPS forbids their use, and
+on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
+password sent in plaintext over the network deserves what they
+get). SPICE offers better security than VNC, and all other
+secrets are properly protected by use of virSecret associations
+rather than direct output in domain XML.
+
+* src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
+Tighten rules on use of migratable flag.
+* src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.
+
+Signed-off-by: Eric Blake
+(cherry picked from commit b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b)
+
+Conflicts:
+ src/libvirt-domain.c - file split from older src/libvirt.c; context with older virLibConnError
+Signed-off-by: Eric Blake
+Signed-off-by: Jiri Denemark
+---
+ src/libvirt.c | 3 ++-
+ src/remote/remote_protocol.x | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/libvirt.c b/src/libvirt.c
+index af94326..cbcc24b 100644
+--- a/src/libvirt.c
++++ b/src/libvirt.c
+@@ -4576,7 +4576,8 @@ virDomainGetXMLDesc(virDomainPtr domain, unsigned int flags)
+
+ conn = domain->conn;
+
+- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
++ if ((conn->flags & VIR_CONNECT_RO) &&
++ (flags & (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE))) {
+ virLibConnError(VIR_ERR_OPERATION_DENIED, "%s",
+ _("virDomainGetXMLDesc with secure flag"));
+ goto error;
+diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
+index ab8216e..a1298dd 100644
+--- a/src/remote/remote_protocol.x
++++ b/src/remote/remote_protocol.x
+@@ -2979,6 +2979,7 @@ enum remote_procedure {
+ * @generate: both
+ * @acl: domain:read
+ * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
++ * @acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE
+ */
+ REMOTE_PROC_DOMAIN_GET_XML_DESC = 14,
+
+--
+2.2.0
+
diff --git a/SOURCES/libvirt-Fix-crash-when-saving-a-domain-with-type-none-dac-label.patch b/SOURCES/libvirt-Fix-crash-when-saving-a-domain-with-type-none-dac-label.patch
new file mode 100644
index 0000000..9da9c51
--- /dev/null
+++ b/SOURCES/libvirt-Fix-crash-when-saving-a-domain-with-type-none-dac-label.patch
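Review bot: In the virDomainGetXMLDesc hunk of the embedded patch, a read-only caller that passes only VIR_DOMAIN_XML_MIGRATABLE is now refused with the unchanged text `_("virDomainGetXMLDesc with secure flag")`, which names a flag the caller never set. Wording such as `_("virDomainGetXMLDesc with secure or migratable flag")` would make the denial diagnosable from client logs. The patch description says the implicit SECURE promotion happens "in at least the qemu implementation", and the only gates visible here are this API-level check and the new `@acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE` line; whether any other entry point that accepts the migratable flag needs the same rule cannot be judged from these hunks and is worth confirming. The function body continues outside the hunk.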
@@ -0,0 +1,37 @@
+From bc80e46dc56255dec477073bf021a7360ba48ce5 Mon Sep 17 00:00:00 2001
+Message-Id:
+From: =?UTF-8?q?J=C3=A1n=20Tomko?=
+Date: Thu, 12 Jun 2014 10:50:43 +0200
+Subject: [PATCH] Fix crash when saving a domain with type none dac label
+
+qemuDomainGetImageIds did not check if there was a label
+in the seclabel, thus crashing on
+
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1108590
+https://bugzilla.redhat.com/show_bug.cgi?id=1171124
+(cherry picked from commit 7eb0ee175b278a4439cee65a7a554767f0be9cd1)
+Signed-off-by: Jiri Denemark
+
+Conflicts:
+ src/qemu/qemu_domain.c - the call to virParseOwnershipIds is not
+ present in 7.0.z
+---
+ src/qemu/qemu_driver.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 1ce4c39..b0d4f33 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -2777,6 +2777,7 @@ qemuOpenFile(virQEMUDriverPtr driver,
+ /* TODO: Take imagelabel into account? */
+ if (vm &&
+ (seclabel = virDomainDefGetSecurityLabelDef(vm->def, "dac")) != NULL &&
++ seclabel->label != NULL &&
+ (virParseOwnershipIds(seclabel->label, &user, &group) < 0))
+ goto cleanup;
+
+--
+2.2.0
+
diff --git a/SOURCES/libvirt-qemu-blockcopy-Don-t-remove-existing-disk-mirror-info.patch b/SOURCES/libvirt-qemu-blockcopy-Don-t-remove-existing-disk-mirror-info.patch
new file mode 100644
index 0000000..5c3f948
--- /dev/null
+++ b/SOURCES/libvirt-qemu-blockcopy-Don-t-remove-existing-disk-mirror-info.patch
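Review bot: The added `seclabel->label != NULL &&` guard in qemuOpenFile skips virParseOwnershipIds without any trace, so the file is then opened with whatever `user` and `group` held before this statement; their initialisation is outside the hunk. A comment above the condition would make that fallback explicit, for example `/* a "dac" seclabel may carry no label (type 'none'); user/group then keep their earlier values */`. The patch description also attributes the missing check to qemuDomainGetImageIds and lists src/qemu/qemu_domain.c under Conflicts, while the change lands in qemuOpenFile in src/qemu/qemu_driver.c, so the backport note would read more clearly if it named the function actually patched.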
@@ -0,0 +1,87 @@
+From 8b3fc29cdc829d0808c54cfa0936991a74f06aaf Mon Sep 17 00:00:00 2001
+Message-Id: <8b3fc29cdc829d0808c54cfa0936991a74f06aaf@dist-git>
+From: Peter Krempa
+Date: Wed, 1 Oct 2014 17:41:58 -0600
+Subject: [PATCH] qemu: blockcopy: Don't remove existing disk mirror info
+
+RHEL 7.0.z: https://bugzilla.redhat.com/show_bug.cgi?id=1149078
+RHEL 7.1: https://bugzilla.redhat.com/show_bug.cgi?id=1113751
+
+When creating a new disk mirror the new struct is stored in a separate
+variable until everything went well. The removed hunk would actually
+remove existing mirror information for example when the api would be run
+if a mirror still exists.
+
+(cherry picked from commit 02b364e186d487f54ed410c01af042f23e812d42)
+
+This fixes a regression introduced in commit ff5f30b.
+
+Signed-off-by: Eric Blake
+
+Conflicts:
+ src/qemu/qemu_driver.c - no refactoring of commits 7b7bf001, 4f20226
+Signed-off-by: Jiri Denemark
+---
+ src/qemu/qemu_driver.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index ebdbfd7..ea87d50 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -15037,6 +15037,7 @@ qemuDomainBlockCopy(virDomainObjPtr vm,
+ struct stat st;
+ bool need_unlink = false;
+ char *mirror = NULL;
++ int mirrorFormat;
+ virQEMUDriverConfigPtr cfg = NULL;
+
+ /* Preliminaries: find the disk we are editing, sanity checks */
+@@ -15124,10 +15125,10 @@ qemuDomainBlockCopy(virDomainObjPtr vm,
+ goto endjob;
+ VIR_FORCE_CLOSE(fd);
+ if (!format)
+- disk->mirrorFormat = disk->format;
++ mirrorFormat = disk->format;
+ } else if (format) {
+- disk->mirrorFormat = virStorageFileFormatTypeFromString(format);
+- if (disk->mirrorFormat <= 0) {
++ mirrorFormat = virStorageFileFormatTypeFromString(format);
++ if (mirrorFormat <= 0) {
+ virReportError(VIR_ERR_INVALID_ARG, _("unrecognized format '%s'"),
+ format);
+ goto endjob;
+@@ -15137,11 +15138,11 @@
qemuDomainBlockCopy(virDomainObjPtr vm,
+ * also passed the RAW flag (and format is non-NULL), or it is
+ * safe for us to probe the format from the file that we will
+ * be using. */
+- disk->mirrorFormat = virStorageFileProbeFormat(dest, cfg->user,
+- cfg->group);
++ mirrorFormat = virStorageFileProbeFormat(dest, cfg->user,
++ cfg->group);
+ }
+- if (!format && disk->mirrorFormat > 0)
+- format = virStorageFileFormatTypeToString(disk->mirrorFormat);
++ if (!format && mirrorFormat > 0)
++ format = virStorageFileFormatTypeToString(mirrorFormat);
+ if (VIR_STRDUP(mirror, dest) < 0)
+ goto endjob;
+
+@@ -15167,13 +15168,12 @@ qemuDomainBlockCopy(virDomainObjPtr vm,
+ /* Update vm in place to match changes. */
+ need_unlink = false;
+ disk->mirror = mirror;
++ disk->mirrorFormat = mirrorFormat;
+ mirror = NULL;
+
+ endjob:
+ if (need_unlink && unlink(dest))
+ VIR_WARN("unable to unlink just-created %s", dest);
+- if (ret < 0 && disk)
+- disk->mirrorFormat = VIR_STORAGE_FILE_NONE;
+ VIR_FREE(mirror);
+ if (qemuDomainObjEndJob(driver, vm) == 0) {
+ vm = NULL;
+--
+2.2.0
+
diff --git a/SOURCES/libvirt-qemu-copy-Accept-format-parameter-when-copying-to-a-non-existing-img.patch b/SOURCES/libvirt-qemu-copy-Accept-format-parameter-when-copying-to-a-non-existing-img.patch
new file mode 100644
index 0000000..c38d78d
--- /dev/null
+++ b/SOURCES/libvirt-qemu-copy-Accept-format-parameter-when-copying-to-a-non-existing-img.patch
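Review bot: `int mirrorFormat;` is declared without an initialiser, and in the hunk at -15124 the branch that closes the freshly opened fd assigns it only under `if (!format)`, so a call that supplies `format` on that branch appears to reach `disk->mirrorFormat = mirrorFormat;` with an indeterminate value. Declaring it as `int mirrorFormat = VIR_STORAGE_FILE_NONE;` removes the uninitialised read and costs nothing. The following patch in this import (Patch518) restructures the assignments so that every path sets the variable, but this patch on its own does not, which matters for bisecting or for a partial backport. The enclosing conditions of qemuDomainBlockCopy start outside the hunks shown.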
@@ -0,0 +1,102 @@
+From bdc1f6bf79de43824f36bfba548b523765b24fb6 Mon Sep 17 00:00:00 2001
+Message-Id:
+From: Peter Krempa
+Date: Wed, 1 Oct 2014 17:41:59 -0600
+Subject: [PATCH] qemu: copy: Accept 'format' parameter when copying to a
+ non-existing img
+
+RHEL 7.0.z: https://bugzilla.redhat.com/show_bug.cgi?id=1149078
+RHEL 7.1: https://bugzilla.redhat.com/show_bug.cgi?id=1113751
+
+We have the following matrix of possible arguments handled by the logic
+statement touched by this patch:
+ | flags & _REUSE_EXT | !(flags & _REUSE_EXT)
+-------+--------------------+----------------------
+ format| (1) | (2)
+-------+--------------------+----------------------
+!format| (3) | (4)
+-------+--------------------+----------------------
+
+In cases 1 and 2 the user provided a format, in cases 3 and 4 not. The
+user requests to use a pre-existing image in 1 and 3 and libvirt will
+create a new image in 2 and 4.
+
+The difference between cases 3 and 4 is that for 3 the format is probed
+from the user-provided image, whereas in 4 we just use the existing disk
+format.
+
+The current code would treat cases 1,3 and 4 correctly but in case 2 the
+format provided by the user would be ignored.
+
+The particular piece of code was broken in commit 35c7701c64508f975dfeb8
+but since it was introduced a few commits before that it was never
+released as working.
+
+(cherry picked from commit 42619ed05d7924978f3e6e2399522fc6f30607de)
+Signed-off-by: Eric Blake
+
+Conflicts:
+ src/qemu/qemu_driver.c - no refactoring of commits 7b7bf001, 4f20226
+Signed-off-by: Jiri Denemark
+---
+ src/qemu/qemu_driver.c | 37 +++++++++++++++++++++----------------
+ 1 file changed, 21 insertions(+), 16 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index ea87d50..72d03b5 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -15118,29 +15118,34 @@ qemuDomainBlockCopy(virDomainObjPtr vm,
+ goto endjob;
+ }
+
++ if (format) {
++ if ((mirrorFormat = virStorageFileFormatTypeFromString(format)) <= 0) {
++ virReportError(VIR_ERR_INVALID_ARG, _("unrecognized format '%s'"),
++ format);
++ goto endjob;
++ }
++ } else {
++ if (!(flags & VIR_DOMAIN_BLOCK_REBASE_REUSE_EXT)) {
++ mirrorFormat = disk->format;
++ } else {
++ /* If the user passed the REUSE_EXT flag, then either they
++ * also passed the RAW flag (and format is non-NULL), or it is
++ * safe for us to probe the format from the file that we will
++ * be using. */
++ mirrorFormat = virStorageFileProbeFormat(dest, cfg->user,
++ cfg->group);
++ }
++ }
++
++ /* pre-create the image file */
+ if (!(flags & VIR_DOMAIN_BLOCK_REBASE_REUSE_EXT)) {
+ int fd = qemuOpenFile(driver, vm, dest, O_WRONLY | O_TRUNC | O_CREAT,
+ &need_unlink, NULL);
+ if (fd < 0)
+ goto endjob;
+ VIR_FORCE_CLOSE(fd);
+- if (!format)
+- mirrorFormat = disk->format;
+- } else if (format) {
+- mirrorFormat = virStorageFileFormatTypeFromString(format);
+- if (mirrorFormat <= 0) {
+- virReportError(VIR_ERR_INVALID_ARG, _("unrecognized format '%s'"),
+- format);
+- goto endjob;
+- }
+- } else {
+- /* If the user passed the REUSE_EXT flag, then either they
+- * also passed the RAW flag (and format is non-NULL), or it is
+- * safe for us to probe the format from the file that we will
+- * be using.
*/
+- mirrorFormat = virStorageFileProbeFormat(dest, cfg->user,
+- cfg->group);
+ }
++
+ if (!format && mirrorFormat > 0)
+ format = virStorageFileFormatTypeToString(mirrorFormat);
+ if (VIR_STRDUP(mirror, dest) < 0)
+--
+2.2.0
+
diff --git a/SOURCES/libvirt-qemu-reject-rather-than-hang-on-blockcommit-of-active-layer.patch b/SOURCES/libvirt-qemu-reject-rather-than-hang-on-blockcommit-of-active-layer.patch
new file mode 100644
index 0000000..44001a9
--- /dev/null
+++ b/SOURCES/libvirt-qemu-reject-rather-than-hang-on-blockcommit-of-active-layer.patch
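Review bot: The value returned by virStorageFileProbeFormat is stored in `mirrorFormat` with no check of its own; the only guard visible afterwards is `if (!format && mirrorFormat > 0)`, so a failed or inconclusive probe leaves `format` NULL and a non-positive `mirrorFormat` in use for the rest of qemuDomainBlockCopy. Since the probed file is a caller-supplied destination, failing closed is the safer default, for example `if (mirrorFormat < 0) goto endjob;` directly after the probe, with an error report if the helper does not already raise one. Whether code outside this hunk already rejects that case cannot be seen here. The in-code comment asserts that probing is safe on the REUSE_EXT path; a sentence stating why would help the next reader audit that claim.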
@@ -0,0 +1,62 @@
+From f78e7381ac369952197ffb23b02f56ee430214e7 Mon Sep 17 00:00:00 2001
+Message-Id:
+From: Eric Blake
+Date: Thu, 21 Aug 2014 16:07:30 -0600
+Subject: [PATCH] qemu: reject rather than hang on blockcommit of active layer
+
+7.0.z: https://bugzilla.redhat.com/show_bug.cgi?id=1150379
+7.1: https://bugzilla.redhat.com/show_bug.cgi?id=1062142
+
+qemu 2.0 added the ability to commit the active layer, but slightly
+differently than what libvirt had been anticipating in its
+implementation of the virDomainBlockCommit call. As a result, if
+you attempt to do a 'virsh blockcommit $dom vda', qemu gets into a
+state where it is waiting on libvirt to end the job, while libvirt
+is waiting on qemu to end the job, and the guest is effectively
+hung with regards to further commands for that block device.
+
+I have patches coming down the pipeline that will add full support
+for blockcommit of the active layer when coupled with qemu 2.0 or
+later; but they depend on Peter's improvements to block job handling
+and form enough of a new feature that they are not ready for
+inclusion in the 1.2.5 release. So for now, just reject the
+attempt, rather than letting the user get stuck. This is no worse
+than the behavior of qemu 1.7 rejecting the job.
+
+* src/qemu/qemu_driver.c (qemuDomainBlockCommit): Reject active
+commit.
+
+Signed-off-by: Eric Blake
+(cherry picked from commit e6bcbcd32c70ae394e7b6a530012fe8b07a59b5d)
+
+Conflicts:
+ src/qemu/qemu_driver.c - no refactoring of virStorageFileChainLookup
+Signed-off-by: Jiri Denemark
+---
+ src/qemu/qemu_driver.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 72d03b5..1ce4c39 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -15312,6 +15312,16 @@ qemuDomainBlockCommit(virDomainPtr dom, const char *path, const char *base,
+ top, path);
+ goto endjob;
+ }
++
++ /* FIXME: qemu 2.0 supports active commit, but as a two-stage
++ * process; qemu 2.1 is further improving active commit. We need
++ * to start supporting it in libvirt. */
++ if (top_meta == disk->backingChain) {
++ virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
++ _("committing the active layer not supported yet"));
++ goto endjob;
++ }
++
+ if (!top_meta || !top_meta->backingStore) {
+ virReportError(VIR_ERR_INVALID_ARG,
+ _("top '%s' in chain for '%s' has no backing file"),
+--
+2.2.0
+
diff --git a/SPECS/libvirt.spec b/SPECS/libvirt.spec
index 678f294..d8dc72e 100644
--- a/SPECS/libvirt.spec
+++ b/SPECS/libvirt.spec
@@ -379,7 +379,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 1.1.1
-Release: 29%{?dist}.3%{?extra_release}
+Release: 29%{?dist}.4%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
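Review bot: In the embedded qemuDomainBlockCommit hunk, the new `if (top_meta == disk->backingChain)` test runs before the existing `!top_meta` check, so if both pointers are NULL the caller is told "committing the active layer not supported yet" instead of getting the no-backing-file error. Writing the condition as `if (top_meta && top_meta == disk->backingChain) {` keeps the two diagnoses apart. Whether `disk->backingChain` can be NULL at this point depends on code above the hunk, which is not shown.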
@@ -906,6 +906,11 @@ Patch513: libvirt-qemu-split-out-cpuset.mems-setting.patch
 Patch514: libvirt-qemu-leave-restricting-cpuset.mems-after-initialization.patch
 Patch515: libvirt-CVE-2014-3633-qemu-blkiotune-Use-correct-definition-when-looking-up-disk.patch
 Patch516: libvirt-domain_conf-fix-domain-deadlock.patch
+Patch517: libvirt-qemu-blockcopy-Don-t-remove-existing-disk-mirror-info.patch
+Patch518: libvirt-qemu-copy-Accept-format-parameter-when-copying-to-a-non-existing-img.patch
+Patch519: libvirt-qemu-reject-rather-than-hang-on-blockcommit-of-active-layer.patch
+Patch520: libvirt-CVE-2014-7823-dumpxml-security-hole-with-migratable-flag.patch
+Patch521: libvirt-Fix-crash-when-saving-a-domain-with-type-none-dac-label.patch
 %if %{with_libvirtd}
@@ -2699,6 +2704,13 @@ exit 0
 %endif
 %changelog
+* Tue Dec 9 2014 Jiri Denemark - 1.1.1-29.el7_0.4
+- qemu: blockcopy: Don't remove existing disk mirror info (rhbz#1149078)
+- qemu: copy: Accept 'format' parameter when copying to a non-existing img (rhbz#1149078)
+- qemu: reject rather than hang on blockcommit of active layer (rhbz#1150379)
+- CVE-2014-7823: dumpxml: security hole with migratable flag (CVE-2014-7823)
+- Fix crash when saving a domain with type none dac label (rhbz#1171124)
+
 * Tue Sep 23 2014 Jiri Denemark - 1.1.1-29.el7_0.3
 - domain_conf: fix domain deadlock (CVE-2014-3657)