diff --git a/SOURCES/libvirt-CVE-2014-3633-qemu-blkiotune-Use-correct-definition-when-looking-up-disk.patch b/SOURCES/libvirt-CVE-2014-3633-qemu-blkiotune-Use-correct-definition-when-looking-up-disk.patch
new file mode 100644
index 0000000..818b558
--- /dev/null
+++ b/SOURCES/libvirt-CVE-2014-3633-qemu-blkiotune-Use-correct-definition-when-looking-up-disk.patch
@@ -0,0 +1,51 @@
+From a102eb9c707bb28506f2ff68716122e306c5be55 Mon Sep 17 00:00:00 2001
+Message-Id: <a102eb9c707bb28506f2ff68716122e306c5be55@dist-git>
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 17 Sep 2014 23:17:23 +0200
+Subject: [PATCH] CVE-2014-3633: qemu: blkiotune: Use correct definition when
+ looking up disk
+
+Live definition was used to look up the disk index while persistent one
+was indexed leading to a crash in qemuDomainGetBlockIoTune. Use the
+correct def and report a nice error.
+
+Unfortunately it's accessible via read-only connection, though it can
+only crash libvirtd in the cases where the guest is hot-plugging disks
+without reflecting those changes to the persistent definition. So
+avoiding hotplug, or doing hotplug where persistent is always modified
+alongside live definition, will avoid the out-of-bounds access.
+
+Introduced in: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa (v0.9.8)
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140724
+Reported-by: Luyao Huang <lhuang@redhat.com>
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+
+(cherry picked from commit 3e745e8f775dfe6f64f18b5c2fe4791b35d3546b)
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/qemu/qemu_driver.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 475b752..ebdbfd7 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -15688,9 +15688,13 @@ qemuDomainGetBlockIoTune(virDomainPtr dom,
+ }
+
+ if (flags & VIR_DOMAIN_AFFECT_CONFIG) {
+- int idx = virDomainDiskIndexByName(vm->def, disk, true);
+- if (idx < 0)
++ int idx = virDomainDiskIndexByName(persistentDef, disk, true);
++ if (idx < 0) {
++ virReportError(VIR_ERR_INVALID_ARG,
++ _("disk '%s' was not found in the domain config"),
++ disk);
+ goto endjob;
++ }
+ reply = persistentDef->disks[idx]->blkdeviotune;
+ }
+
+--
+2.1.0
+
diff --git a/SOURCES/libvirt-domain_conf-fix-domain-deadlock.patch b/SOURCES/libvirt-domain_conf-fix-domain-deadlock.patch
new file mode 100644
index 0000000..77ba5d3
--- /dev/null
+++ b/SOURCES/libvirt-domain_conf-fix-domain-deadlock.patch
@@ -0,0 +1,36 @@
+From 4843e53175b76c8a3676756db314354a696e2785 Mon Sep 17 00:00:00 2001
+Message-Id: <4843e53175b76c8a3676756db314354a696e2785@dist-git>
+From: Pavel Hrdina <phrdina@redhat.com>
+Date: Tue, 23 Sep 2014 15:43:37 +0200
+Subject: [PATCH] domain_conf: fix domain deadlock
+
+CVE-2014-3657
+
+If you use public api virConnectListAllDomains() with second parameter
+set to NULL to get only the number of domains you will lock out all
+other operations with domains.
+
+Introduced by commit 2c680804.
+
+Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/conf/domain_conf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
+index d1617b8..bb2e7ef 100644
+--- a/src/conf/domain_conf.c
++++ b/src/conf/domain_conf.c
+@@ -18748,7 +18748,7 @@ virDomainListPopulate(void *payload,
+ /* just count the machines */
+ if (!data->domains) {
+ data->ndomains++;
+- return;
++ goto cleanup;
+ }
+
+ if (!(dom = virGetDomain(data->conn, vm->def->name, vm->def->uuid))) {
+--
+2.1.0
+
diff --git a/SOURCES/libvirt-qemu-leave-restricting-cpuset.mems-after-initialization.patch b/SOURCES/libvirt-qemu-leave-restricting-cpuset.mems-after-initialization.patch
new file mode 100644
index 0000000..89cf36e
--- /dev/null
+++ b/SOURCES/libvirt-qemu-leave-restricting-cpuset.mems-after-initialization.patch
@@ -0,0 +1,95 @@
+From b3aac82848c6c8d56dca714b3b359253d74fbceb Mon Sep 17 00:00:00 2001
+Message-Id: <b3aac82848c6c8d56dca714b3b359253d74fbceb@dist-git>
+From: Martin Kletzander <mkletzan@redhat.com>
+Date: Mon, 1 Sep 2014 14:02:23 +0200
+Subject: [PATCH] qemu: leave restricting cpuset.mems after initialization
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1135871
+
+When domain is started with numatune memory mode strict and the
+nodeset does not include host NUMA node with DMA and DMA32 zones, KVM
+initialization fails. This is because cgroup restrict even kernel
+allocations. We are already doing numa_set_membind() which does the
+same thing, only it does not restrict kernel allocations.
+
+This patch leaves the userspace numa_set_membind() in place and moves
+the cpuset.mems setting after the point where monitor comes up, but
+before vcpu and emulator sub-groups are created.
+
+Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit 7e72ac787848b7434c9359a57c1e2789d92350f8)
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/qemu/qemu_cgroup.c | 10 +++++++---
+ src/qemu/qemu_cgroup.h | 4 +++-
+ src/qemu/qemu_process.c | 4 ++++
+ 3 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
+index 7e60c19..dfe98be 100644
+--- a/src/qemu/qemu_cgroup.c
++++ b/src/qemu/qemu_cgroup.c
+@@ -592,9 +592,6 @@ qemuSetupCpusetCgroup(virDomainObjPtr vm,
+ if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_CPUSET))
+ return 0;
+
+- if (qemuSetupCpusetMems(vm, nodemask) < 0)
+- goto cleanup;
+-
+ if (vm->def->cpumask ||
+ (vm->def->placement_mode == VIR_DOMAIN_CPU_PLACEMENT_MODE_AUTO)) {
+
+@@ -786,6 +783,13 @@ cleanup:
+ }
+
+ int
++qemuSetupCgroupPostInit(virDomainObjPtr vm,
++ virBitmapPtr nodemask)
++{
++ return qemuSetupCpusetMems(vm, nodemask);
++}
++
++int
+ qemuSetupCgroupVcpuBW(virCgroupPtr cgroup,
+ unsigned long long period,
+ long long quota)
+diff --git a/src/qemu/qemu_cgroup.h b/src/qemu/qemu_cgroup.h
+index 14404d1..40a031e 100644
+--- a/src/qemu/qemu_cgroup.h
++++ b/src/qemu/qemu_cgroup.h
+@@ -1,7 +1,7 @@
+ /*
+ * qemu_cgroup.h: QEMU cgroup management
+ *
+- * Copyright (C) 2006-2007, 2009-2013 Red Hat, Inc.
++ * Copyright (C) 2006-2007, 2009-2014 Red Hat, Inc.
+ * Copyright (C) 2006 Daniel P. Berrange
+ *
+ * This library is free software; you can redistribute it and/or
+@@ -44,6 +44,8 @@ int qemuConnectCgroup(virQEMUDriverPtr driver,
+ int qemuSetupCgroup(virQEMUDriverPtr driver,
+ virDomainObjPtr vm,
+ virBitmapPtr nodemask);
++int qemuSetupCgroupPostInit(virDomainObjPtr vm,
++ virBitmapPtr nodemask);
+ int qemuSetupCgroupVcpuBW(virCgroupPtr cgroup,
+ unsigned long long period,
+ long long quota);
+diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
+index af66e0d..3eda15b 100644
+--- a/src/qemu/qemu_process.c
++++ b/src/qemu/qemu_process.c
+@@ -4028,6 +4028,10 @@ int qemuProcessStart(virConnectPtr conn,
+ if (!qemuProcessVerifyGuestCPU(driver, vm))
+ goto cleanup;
+
++ VIR_DEBUG("Setting up post-init cgroup restrictions");
++ if (qemuSetupCgroupPostInit(vm, nodemask) < 0)
++ goto cleanup;
++
+ VIR_DEBUG("Detecting VCPU PIDs");
+ if (qemuProcessDetectVcpuPIDs(driver, vm) < 0)
+ goto cleanup;
+--
+2.1.0
+
diff --git a/SOURCES/libvirt-qemu-split-out-cpuset.mems-setting.patch b/SOURCES/libvirt-qemu-split-out-cpuset.mems-setting.patch
new file mode 100644
index 0000000..f6617fc
--- /dev/null
+++ b/SOURCES/libvirt-qemu-split-out-cpuset.mems-setting.patch
@@ -0,0 +1,78 @@
+From 118598c04ba4dc1128ca475199551b6645c83736 Mon Sep 17 00:00:00 2001
+Message-Id: <118598c04ba4dc1128ca475199551b6645c83736@dist-git>
+From: Martin Kletzander <mkletzan@redhat.com>
+Date: Mon, 1 Sep 2014 14:02:22 +0200
+Subject: [PATCH] qemu: split out cpuset.mems setting
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1135871
+
+Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit aa668fccf078bf9833047776549a5a06435cf470)
+
+Conflicts:
+ src/qemu/qemu_cgroup.c -- whitespace before 'cleanup:'
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/qemu/qemu_cgroup.c | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
+index e0e1041..7e60c19 100644
+--- a/src/qemu/qemu_cgroup.c
++++ b/src/qemu/qemu_cgroup.c
+@@ -542,13 +542,11 @@ cleanup:
+
+
+ static int
+-qemuSetupCpusetCgroup(virDomainObjPtr vm,
+- virBitmapPtr nodemask,
+- virCapsPtr caps)
++qemuSetupCpusetMems(virDomainObjPtr vm,
++ virBitmapPtr nodemask)
+ {
+ qemuDomainObjPrivatePtr priv = vm->privateData;
+ char *mem_mask = NULL;
+- char *cpu_mask = NULL;
+ int ret = -1;
+
+ if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_CPUSET))
+@@ -575,6 +573,28 @@ qemuSetupCpusetCgroup(virDomainObjPtr vm,
+ goto cleanup;
+ }
+
++ ret = 0;
++ cleanup:
++ VIR_FREE(mem_mask);
++ return ret;
++}
++
++
++static int
++qemuSetupCpusetCgroup(virDomainObjPtr vm,
++ virBitmapPtr nodemask,
++ virCapsPtr caps)
++{
++ qemuDomainObjPrivatePtr priv = vm->privateData;
++ char *cpu_mask = NULL;
++ int ret = -1;
++
++ if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_CPUSET))
++ return 0;
++
++ if (qemuSetupCpusetMems(vm, nodemask) < 0)
++ goto cleanup;
++
+ if (vm->def->cpumask ||
+ (vm->def->placement_mode == VIR_DOMAIN_CPU_PLACEMENT_MODE_AUTO)) {
+
+@@ -600,7 +620,6 @@ qemuSetupCpusetCgroup(virDomainObjPtr vm,
+
+ ret = 0;
+ cleanup:
+- VIR_FREE(mem_mask);
+ VIR_FREE(cpu_mask);
+ return ret;
+ }
+--
+2.1.0
+
diff --git a/SPECS/libvirt.spec b/SPECS/libvirt.spec
index 6f8b47e..678f294 100644
--- a/SPECS/libvirt.spec
+++ b/SPECS/libvirt.spec
@@ -379,7 +379,7 @@
Summary: Library providing a simple virtualization API
Name: libvirt
Version: 1.1.1
-Release: 29%{?dist}.1%{?extra_release}
+Release: 29%{?dist}.3%{?extra_release}
License: LGPLv2+
Group: Development/Libraries
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -902,6 +902,10 @@ Patch509: libvirt-LSN-2014-0003-Don-t-expand-entities-when-parsing-XML.patch
Patch510: libvirt-virNetClientSetTLSSession-Restore-original-signal-mask.patch
Patch511: libvirt-Don-t-use-AI_ADDRCONFIG-when-binding-to-wildcard-addresses.patch
Patch512: libvirt-qemu-Unlock-the-NWFilter-update-lock-by-leaving-via-the-cleanup-label.patch
+Patch513: libvirt-qemu-split-out-cpuset.mems-setting.patch
+Patch514: libvirt-qemu-leave-restricting-cpuset.mems-after-initialization.patch
+Patch515: libvirt-CVE-2014-3633-qemu-blkiotune-Use-correct-definition-when-looking-up-disk.patch
+Patch516: libvirt-domain_conf-fix-domain-deadlock.patch
%if %{with_libvirtd}
@@ -2695,6 +2699,14 @@ exit 0
%endif
%changelog
+* Tue Sep 23 2014 Jiri Denemark <jdenemar@redhat.com> - 1.1.1-29.el7_0.3
+- domain_conf: fix domain deadlock (CVE-2014-3657)
+
+* Mon Sep 22 2014 Jiri Denemark <jdenemar@redhat.com> - 1.1.1-29.el7_0.2
+- qemu: split out cpuset.mems setting (rhbz#1135871)
+- qemu: leave restricting cpuset.mems after initialization (rhbz#1135871)
+- qemu: blkiotune: Use correct definition when looking up disk (CVE-2014-3633)
+
* Thu Jul 3 2014 Jiri Denemark <jdenemar@redhat.com> - 1.1.1-29.el7_0.1
- LSN-2014-0003: Don't expand entities when parsing XML (CVE-2014-0179)
- virNetClientSetTLSSession: Restore original signal mask (rhbz#1112689)