qemu: Let empty default VNC password work as documented

CVE-2016-5008 Setting an empty graphics password is documented as a way to disable VNC/SPICE access, but QEMU does not always behaves like that. VNC would happily accept the empty password. Let's enforce the behavior by setting password expiration to "now". https://bugzilla.redhat.com/show_bug.cgi?id=1180092 Signed-off-by: Jiri Denemark <jdenemar@redhat.com> (cherry picked from commit bb848feec0) (cherry picked from commit d933f68ee6) (cherry picked from commit 139a426577)
domain_conf: fix domain deadlock
2025-10-23 23:34:16 +03:00 · 2016-06-30 14:47:18 +01:00 · 2014-10-01 12:27:27 -06:00 · 2014-09-17 22:26:28 -06:00 · 2014-09-17 22:26:25 -06:00 · 2014-07-03 07:07:34 -06:00
12 changed files with 215 additions and 54 deletions
--- a/docs/apibuild.py
+++ b/docs/apibuild.py
@@ -1310,7 +1310,7 @@ class CParser:
        name = None
        self.comment = None
        comment = ""
-        value = "0"
+        value = "-1"
        while token != None:
            if token[0] == "sep" and token[1] == "{":
                token = self.token()
--- a/gnulib/local/top/maint.mk.diff
+++ b/gnulib/local/top/maint.mk.diff
@@ -0,0 +1,125 @@
+diff --git c/top/maint.mk w/top/maint.mk
+index e52deb4..d5bb427 100644
+--- c/top/maint.mk
+++ w/top/maint.mk
+@@ -2,7 +2,7 @@
+ # This Makefile fragment tries to be general-purpose enough to be
+ # used by many projects via the gnulib maintainer-makefile module.
+
+-## Copyright (C) 2001-2012 Free Software Foundation, Inc.
+## Copyright (C) 2001-2014 Free Software Foundation, Inc.
+ ##
+ ## This program is free software: you can redistribute it and/or modify
+ ## it under the terms of the GNU General Public License as published by
+@@ -155,7 +155,7 @@ export LC_ALL = C
+ ## Sanity checks.  ##
+ ## --------------- ##
+
+-_cfg_mk := $(shell test -f $(srcdir)/cfg.mk && echo '$(srcdir)/cfg.mk')
+_cfg_mk := $(wildcard $(srcdir)/cfg.mk)
+
+ # Collect the names of rules starting with 'sc_'.
+ syntax-check-rules := $(sort $(shell sed -n 's/^\(sc_[a-zA-Z0-9_-]*\):.*/\1/p' \
+@@ -591,7 +591,7 @@ sc_prohibit_root_dev_ino_without_use:
+
+ sc_prohibit_openat_without_use:
+ 	@h='openat.h' \
+-	re='\<(openat_(permissive|needs_fchdir|(save|restore)_fail)|l?(stat|ch(own|mod))at|(euid)?accessat)\>' \
+	re='\<(openat_(permissive|needs_fchdir|(save|restore)_fail)|l?(stat|ch(own|mod))at|(euid)?accessat|(FCHMOD|FCHOWN|STAT)AT_INLINE)\>' \
+ 	  $(_sc_header_without_use)
+
+ # Prohibit the inclusion of c-ctype.h without an actual use.
+@@ -809,7 +809,7 @@ sc_prohibit_always_true_header_tests:
+ 	  $(_sc_search_regexp)
+
+ sc_prohibit_defined_have_decl_tests:
+-	@prohibit='#[	 ]*if(n?def|.*\<defined)\>[	 (]+HAVE_DECL_'	\
+	@prohibit='(#[	 ]*ifn?def|\<defined)\>[	 (]+HAVE_DECL_'	\
+ 	halt='HAVE_DECL macros are always defined'			\
+ 	  $(_sc_search_regexp)
+
+@@ -1121,9 +1121,11 @@ fix_po_file_diag = \
+ 'you have changed the set of files with translatable diagnostics;\n\
+ apply the above patch\n'
+
+-# Verify that all source files using _() are listed in po/POTFILES.in.
+# Verify that all source files using _() (more specifically, files that
+# match $(_gl_translatable_string_re)) are listed in po/POTFILES.in.
+ po_file ?= $(srcdir)/po/POTFILES.in
+ generated_files ?= $(srcdir)/lib/*.[ch]
+_gl_translatable_string_re ?= \b(N?_|gettext *)\([^)"]*("|$$)
+ sc_po_check:
+ 	@if test -f $(po_file); then					\
+ 	  grep -E -v '^(#|$$)' $(po_file)				\
+@@ -1143,7 +1145,7 @@ sc_po_check:
+ 	    esac;							\
+ 	    files="$$files $$file";					\
+ 	  done;								\
+-	  grep -E -l '\b(N?_|gettext *)\([^)"]*("|$$)' $$files		\
+	  grep -E -l '$(_gl_translatable_string_re)' $$files		\
+ 	    | sed 's|^$(_dot_escaped_srcdir)/||' | sort -u > $@-2;	\
+ 	  diff -u -L $(po_file) -L $(po_file) $@-1 $@-2			\
+ 	    || { printf '$(ME): '$(fix_po_file_diag) 1>&2; exit 1; };	\
+@@ -1281,15 +1283,17 @@ vc-diff-check:
+ rel-files = $(DIST_ARCHIVES)
+
+ gnulib_dir ?= $(srcdir)/gnulib
+-gnulib-version = $$(cd $(gnulib_dir) && git describe)
+gnulib-version = $$(cd $(gnulib_dir)				\
+                    && { git describe || git rev-parse --short=10 HEAD; } )
+ bootstrap-tools ?= autoconf,automake,gnulib
+
+gpgv = $$(gpgv2 --version >/dev/null && echo gpgv2 || echo gpgv)
+ # If it's not already specified, derive the GPG key ID from
+ # the signed tag we've just applied to mark this release.
+ gpg_key_ID ?=								\
+   $$(cd $(srcdir)							\
+      && git cat-file tag v$(VERSION)					\
+-        | gpgv --status-fd 1 --keyring /dev/null - - 2>/dev/null	\
+        | $(gpgv) --status-fd 1 --keyring /dev/null - - 2>/dev/null	\
+         | awk '/^\[GNUPG:\] ERRSIG / {print $$3; exit}')
+
+ translation_project_ ?= coordinator@translationproject.org
+@@ -1313,7 +1317,7 @@ announcement_mail_Cc_ ?= $(announcement_mail_Cc_$(release-type))
+ announcement_mail_headers_ ?= $(announcement_mail_headers_$(release-type))
+ announcement: NEWS ChangeLog $(rel-files)
+ # Not $(AM_V_GEN) since the output of this command serves as
+-# annoucement message: it would start with " GEN announcement".
+# announcement message: it would start with " GEN announcement".
+ 	$(AM_V_at)$(srcdir)/$(_build-aux)/announce-gen			\
+ 	    --mail-headers='$(announcement_mail_headers_)'		\
+ 	    --release-type=$(release-type)				\
+@@ -1368,7 +1372,8 @@ endef
+
+ .PHONY: no-submodule-changes
+ no-submodule-changes:
+-	$(AM_V_GEN)if test -d $(srcdir)/.git; then			\
+	$(AM_V_GEN)if test -d $(srcdir)/.git				\
+		&& git --version >/dev/null 2>&1; then			\
+ 	  diff=$$(cd $(srcdir) && git submodule -q foreach		\
+ 		  git diff-index --name-only HEAD)			\
+ 	    || exit 1;							\
+@@ -1386,10 +1391,12 @@ submodule-checks ?= no-submodule-changes public-submodule-commit
+ # cannot be built from a fresh clone.
+ .PHONY: public-submodule-commit
+ public-submodule-commit:
+-	$(AM_V_GEN)if test -d $(srcdir)/.git; then			\
+	$(AM_V_GEN)if test -d $(srcdir)/.git				\
+		&& git --version >/dev/null 2>&1; then			\
+ 	  cd $(srcdir) &&						\
+-	  git submodule --quiet foreach test '$$(git rev-parse $$sha1)'	\
+-	      = '$$(git merge-base origin $$sha1)'			\
+	  git submodule --quiet foreach					\
+	      'test "$$(git rev-parse "$$sha1")"			\
+		  = "$$(git merge-base origin "$$sha1")"'		\
+ 	    || { echo '$(ME): found non-public submodule commit' >&2;	\
+ 		 exit 1; };						\
+ 	else								\
+@@ -1419,6 +1426,7 @@ alpha beta stable: $(local-check) writable-files $(submodule-checks)
+ 	$(AM_V_at)$(MAKE) -s emit_upload_commands RELEASE_TYPE=$@
+
+ release:
+	$(AM_V_GEN)$(MAKE) _version
+ 	$(AM_V_GEN)$(MAKE) $(release-type)
+
+ # Override this in cfg.mk if you follow different procedures.
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -15272,7 +15272,7 @@ virDomainListPopulate(void *payload,
    /* just count the machines */
    if (!data->domains) {
        data->ndomains++;
-        return;
+        goto cleanup;
    }

    if (!(dom = virGetDomain(data->conn, vm->def->name, vm->def->uuid))) {
--- a/src/libxl/libxl_driver.c
+++ b/src/libxl/libxl_driver.c
@@ -520,9 +520,22 @@ libxlVmReap(libxlDriverPrivatePtr driver,
 }

 /*
- * Handle previously registered event notification from libxenlight
+ * Handle previously registered event notification from libxenlight.
+ *
+ * Note: Xen 4.3 removed the const from the event handler signature.
+ * Detect which signature to use based on
+ * LIBXL_HAVE_NONCONST_EVENT_OCCURS_EVENT_ARG.
 */
-static void libxlEventHandler(void *data, const libxl_event *event)
+
+#ifdef LIBXL_HAVE_NONCONST_EVENT_OCCURS_EVENT_ARG
+# define VIR_LIBXL_EVENT_CONST /* empty */
+#else
+# define VIR_LIBXL_EVENT_CONST const
+#endif
+
+static void
+libxlEventHandler(void *data ATTRIBUTE_UNUSED,
+                  VIR_LIBXL_EVENT_CONST libxl_event *event)
 {
    libxlDriverPrivatePtr driver = libxl_driver;
    virDomainObjPtr vm = data;
--- a/src/nwfilter/nwfilter_driver.c
+++ b/src/nwfilter/nwfilter_driver.c
@@ -170,6 +170,9 @@ nwfilterDriverStartup(int privileged)
    char *base = NULL;
    DBusConnection *sysbus = NULL;

+    if (!privileged)
+        return 0;
+
 #if HAVE_DBUS
    sysbus = virDBusGetSystemBus();
 #endif /* HAVE_DBUS */
@@ -185,9 +188,6 @@ nwfilterDriverStartup(int privileged)
    driverState->watchingFirewallD = (sysbus != NULL);
    driverState->privileged = privileged;

-    if (!privileged)
-        return 0;
-
    nwfilterDriverLock(driverState);

    if (virNWFilterIPAddrMapInit() < 0)
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -8340,26 +8340,6 @@ qemuDomainBlockStats(virDomainPtr dom,
        goto cleanup;
    }

-    if (!virDomainObjIsActive(vm)) {
-        virReportError(VIR_ERR_OPERATION_INVALID,
-                       "%s", _("domain is not running"));
-        goto cleanup;
-    }
-
-    if ((i = virDomainDiskIndexByName(vm->def, path, false)) < 0) {
-        virReportError(VIR_ERR_INVALID_ARG,
-                       _("invalid path: %s"), path);
-        goto cleanup;
-    }
-    disk = vm->def->disks[i];
-
-    if (!disk->info.alias) {
-        virReportError(VIR_ERR_INTERNAL_ERROR,
-                       _("missing disk device alias name for %s"), disk->dst);
-        goto cleanup;
-    }
-
-    priv = vm->privateData;
    if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_QUERY) < 0)
        goto cleanup;

@@ -8369,6 +8349,21 @@ qemuDomainBlockStats(virDomainPtr dom,
        goto endjob;
    }

+    if ((i = virDomainDiskIndexByName(vm->def, path, false)) < 0) {
+        virReportError(VIR_ERR_INVALID_ARG,
+                       _("invalid path: %s"), path);
+        goto endjob;
+    }
+    disk = vm->def->disks[i];
+
+    if (!disk->info.alias) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("missing disk device alias name for %s"), disk->dst);
+        goto endjob;
+    }
+
+    priv = vm->privateData;
+
    qemuDomainObjEnterMonitor(driver, vm);
    ret = qemuMonitorGetBlockStatsInfo(priv->mon,
                                       disk->info.alias,
@@ -9164,6 +9159,7 @@ static int qemuDomainGetBlockInfo(virDomainPtr dom,
    struct stat sb;
    int i;
    int format;
+    char *alias = NULL;

    virCheckFlags(0, -1);

@@ -9286,13 +9282,18 @@ static int qemuDomainGetBlockInfo(virDomainPtr dom,
        virDomainObjIsActive(vm)) {
        qemuDomainObjPrivatePtr priv = vm->privateData;

+        if (!(alias = strdup(disk->info.alias))) {
+            virReportOOMError();
+            goto cleanup;
+        }
+
        if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_QUERY) < 0)
            goto cleanup;

        if (virDomainObjIsActive(vm)) {
            qemuDomainObjEnterMonitor(driver, vm);
            ret = qemuMonitorGetBlockExtent(priv->mon,
-                                            disk->info.alias,
+                                            alias,
                                            &info->allocation);
            qemuDomainObjExitMonitor(driver, vm);
        } else {
@@ -9306,6 +9307,7 @@ static int qemuDomainGetBlockInfo(virDomainPtr dom,
    }

 cleanup:
+    VIR_FREE(alias);
    virStorageFileFreeMetadata(meta);
    VIR_FORCE_CLOSE(fd);
    if (vm)
@@ -12617,11 +12619,6 @@ qemuDomainBlockJobImpl(virDomainPtr dom, const char *path, const char *base,
        goto cleanup;
    }

-    device = qemuDiskPathToAlias(vm, path, &idx);
-    if (!device)
-        goto cleanup;
-    disk = vm->def->disks[idx];
-
    if (qemuDomainObjBeginJobWithDriver(driver, vm, QEMU_JOB_MODIFY) < 0)
        goto cleanup;

@@ -12631,6 +12628,11 @@ qemuDomainBlockJobImpl(virDomainPtr dom, const char *path, const char *base,
        goto endjob;
    }

+    device = qemuDiskPathToAlias(vm, path, &idx);
+    if (!device)
+        goto endjob;
+    disk = vm->def->disks[idx];
+
    qemuDomainObjEnterMonitorWithDriver(driver, vm);
    /* XXX - libvirt should really be tracking the backing file chain
     * itself, and validating that base is on the chain, rather than
@@ -13025,12 +13027,6 @@ qemuDomainGetBlockIoTune(virDomainPtr dom,
        goto cleanup;
    }

-    device = qemuDiskPathToAlias(vm, disk, NULL);
-
-    if (!device) {
-        goto cleanup;
-    }
-
    if (qemuDomainObjBeginJobWithDriver(driver, vm, QEMU_JOB_MODIFY) < 0)
        goto cleanup;

@@ -13038,6 +13034,11 @@ qemuDomainGetBlockIoTune(virDomainPtr dom,
                                        &persistentDef) < 0)
        goto endjob;

+    device = qemuDiskPathToAlias(vm, disk, NULL);
+    if (!device) {
+        goto endjob;
+    }
+
    if (flags & VIR_DOMAIN_AFFECT_LIVE) {
        priv = vm->privateData;
        qemuDomainObjEnterMonitorWithDriver(driver, vm);
@@ -13048,9 +13049,13 @@ qemuDomainGetBlockIoTune(virDomainPtr dom,
    }

    if (flags & VIR_DOMAIN_AFFECT_CONFIG) {
-        int idx = virDomainDiskIndexByName(vm->def, disk, true);
-        if (idx < 0)
+        int idx = virDomainDiskIndexByName(persistentDef, disk, true);
+        if (idx < 0) {
+            virReportError(VIR_ERR_INVALID_ARG,
+                           _("disk '%s' was not found in the domain config"),
+                           disk);
            goto endjob;
+        }
        reply = persistentDef->disks[idx]->blkdeviotune;
    }

--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -2358,19 +2358,19 @@ qemuDomainChangeGraphicsPasswords(struct qemud_driver *driver,
    time_t now = time(NULL);
    char expire_time [64];
    const char *connected = NULL;
+    const char *password;
    int ret;

    if (!auth->passwd && !driver->vncPassword)
        return 0;

+    password = auth->passwd ? auth->passwd : defaultPasswd;
+
    if (auth->connected)
        connected = virDomainGraphicsAuthConnectedTypeToString(auth->connected);

    qemuDomainObjEnterMonitorWithDriver(driver, vm);
-    ret = qemuMonitorSetPassword(priv->mon,
-                                 type,
-                                 auth->passwd ? auth->passwd : defaultPasswd,
-                                 connected);
+    ret = qemuMonitorSetPassword(priv->mon, type, password, connected);

    if (ret == -2) {
        if (type != VIR_DOMAIN_GRAPHICS_TYPE_VNC) {
@@ -2378,14 +2378,15 @@ qemuDomainChangeGraphicsPasswords(struct qemud_driver *driver,
                           _("Graphics password only supported for VNC"));
            ret = -1;
        } else {
-            ret = qemuMonitorSetVNCPassword(priv->mon,
-                                            auth->passwd ? auth->passwd : defaultPasswd);
+            ret = qemuMonitorSetVNCPassword(priv->mon, password);
        }
    }
    if (ret != 0)
        goto cleanup;

-    if (auth->expires) {
+    if (password[0] == '\0') {
+        snprintf(expire_time, sizeof(expire_time), "now");
+    } else if (auth->expires) {
        time_t lifetime = auth->validTo - now;
        if (lifetime <= 0)
            snprintf(expire_time, sizeof(expire_time), "now");
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -4945,7 +4945,7 @@ static int remoteDomainEventDeregisterAny(virConnectPtr conn,
    /* If that was the last callback for this eventID, we need to disable
     * events on the server */
    if (count == 0) {
-        args.eventID = callbackID;
+        args.eventID = eventID;

        if (call (conn, priv, 0, REMOTE_PROC_DOMAIN_EVENTS_DEREGISTER_ANY,
                  (xdrproc_t) xdr_remote_domain_events_deregister_any_args, (char *) &args,
--- a/src/rpc/virnetclient.c
+++ b/src/rpc/virnetclient.c
@@ -799,7 +799,7 @@ int virNetClientSetTLSSession(virNetClientPtr client,
        if (ret < 0 && (errno == EAGAIN || errno == EINTR))
            goto repoll;

-        ignore_value(pthread_sigmask(SIG_BLOCK, &oldmask, NULL));
+        ignore_value(pthread_sigmask(SIG_SETMASK, &oldmask, NULL));
    }

    ret = virNetTLSContextCheckCertificate(tls, client->tls);
@@ -823,7 +823,7 @@ int virNetClientSetTLSSession(virNetClientPtr client,
    if (ret < 0 && (errno == EAGAIN || errno == EINTR))
        goto repoll2;

-    ignore_value(pthread_sigmask(SIG_BLOCK, &oldmask, NULL));
+    ignore_value(pthread_sigmask(SIG_SETMASK, &oldmask, NULL));

    len = virNetTLSSessionRead(client->tls, buf, 1);
    if (len < 0 && errno != ENOMSG) {
--- a/src/rpc/virnetserverclient.c
+++ b/src/rpc/virnetserverclient.c
@@ -1209,9 +1209,22 @@ cleanup:
 int
 virNetServerClientStartKeepAlive(virNetServerClientPtr client)
 {
-    int ret;
+    int ret = -1;
+
    virNetServerClientLock(client);
+
+    /* The connection might have been closed before we got here and thus the
+     * keepalive object could have been removed too.
+     */
+    if (!client->keepalive) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       _("connection not open"));
+        goto cleanup;
+    }
+
    ret = virKeepAliveStart(client->keepalive, 0, 0);
+
+cleanup:
    virNetServerClientUnlock(client);
    return ret;
 }
--- a/src/util/xml.c
+++ b/src/util/xml.c
@@ -739,11 +739,11 @@ virXMLParseHelper(int domcode,

    if (filename) {
        xml = xmlCtxtReadFile(pctxt, filename, NULL,
-                              XML_PARSE_NOENT | XML_PARSE_NONET |
+                              XML_PARSE_NONET |
                              XML_PARSE_NOWARNING);
    } else {
        xml = xmlCtxtReadDoc(pctxt, BAD_CAST xmlStr, url, NULL,
-                             XML_PARSE_NOENT | XML_PARSE_NONET |
+                             XML_PARSE_NONET |
                             XML_PARSE_NOWARNING);
    }
    if (!xml)
--- a/tools/virsh.pod
+++ b/tools/virsh.pod
@@ -2951,6 +2951,8 @@ of C<virsh>

 Turn on verbose debugging of virsh commands. Valid levels are

+=over 4
+
 =item * VIRSH_DEBUG=0

 DEBUG - Messages at ALL levels get logged
@@ -2971,6 +2973,8 @@ WARNING - Logs messages at levels WARNING and ERROR

 ERROR - Messages at only ERROR level gets logged.

+=back
+
 =item VIRSH_LOG_FILE=C<LOGFILE>

 The file to log virsh debug messages.
Author	SHA1	Message	Date
Jiri Denemark	418a165da6	qemu: Let empty default VNC password work as documented CVE-2016-5008 Setting an empty graphics password is documented as a way to disable VNC/SPICE access, but QEMU does not always behaves like that. VNC would happily accept the empty password. Let's enforce the behavior by setting password expiration to "now". https://bugzilla.redhat.com/show_bug.cgi?id=1180092 Signed-off-by: Jiri Denemark <jdenemar@redhat.com> (cherry picked from commit `bb848feec0`) (cherry picked from commit `d933f68ee6`) (cherry picked from commit `139a426577`)	2016-06-30 14:47:18 +01:00
Pavel Hrdina	a397e887ed	domain_conf: fix domain deadlock If you use public api virConnectListAllDomains() with second parameter set to NULL to get only the number of domains you will lock out all other operations with domains. Introduced by commit `2c680804`. Signed-off-by: Pavel Hrdina <phrdina@redhat.com> (cherry picked from commit `fc22b2e748`)	2014-10-01 12:27:27 -06:00
Peter Krempa	0fa54204f2	CVE-2014-3633: qemu: blkiotune: Use correct definition when looking up disk Live definition was used to look up the disk index while persistent one was indexed leading to a crash in qemuDomainGetBlockIoTune. Use the correct def and report a nice error. Unfortunately it's accessible via read-only connection, though it can only crash libvirtd in the cases where the guest is hot-plugging disks without reflecting those changes to the persistent definition. So avoiding hotplug, or doing hotplug where persistent is always modified alongside live definition, will avoid the out-of-bounds access. Introduced in: `eca96694a7` (v0.9.8) Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140724 Reported-by: Luyao Huang <lhuang@redhat.com> Signed-off-by: Peter Krempa <pkrempa@redhat.com> (cherry picked from commit `3e745e8f77`) Conflicts: src/qemu/qemu_driver.c - context due to fewer functions	2014-09-17 22:26:28 -06:00
Daniel P. Berrange	16d55b311a	LSN-2014-0003: Don't expand entities when parsing XML If the XML_PARSE_NOENT flag is passed to libxml2, then any entities in the input document will be fully expanded. This allows the user to read arbitrary files on the host machine by creating an entity pointing to a local file. Removing the XML_PARSE_NOENT flag means that any entities are left unchanged by the parser, or expanded to "" by the XPath APIs. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> (cherry picked from commit `d6b27d3e4c`)	2014-09-17 22:26:25 -06:00
Eric Blake	da038007c2	build: fix 'make check' with newer git Newer git doesn't like the maint.mk rule 'public-submodule-commit' run during 'make check', as inherited from our checkout of gnulib. I tracked down that libvirt commit `8531301` picked up a gnulib fix that makes git happy. Rather than try and do a full .gnulib submodule update to gnulib.git d18d1b802 (as used in that libvirt commit), it was easier to just backport the fixed maint.mk from gnulib on top of our existing submodule level. I did it as follows, where these steps will have to be repeated when cherry-picking this commit to any other maintenance branch: mkdir -p gnulib/local/top cd .gnulib git checkout d18d1b802 top/maint.mk git diff HEAD > ../gnulib/local/top/maint.mk.diff git reset --hard cd .. git add gnulib/local/top Signed-off-by: Eric Blake <eblake@redhat.com>	2014-07-03 07:07:34 -06:00
Eric Blake	1f9e9f830e	docs: publish correct enum values We publish libvirt-api.xml for others to use, and in fact, the libvirt-python bindings use it to generate python constants that correspond to our enum values. However, we had an off-by-one bug that any enum that relied on C's rules for implicit initialization of the first enum member to 0 got listed in the xml as having a value of 1 (and all later members of the enum were equally botched). The fix is simple - since we add one to the previous value when encountering an enum without an initializer, the previous value must start at -1 so that the first enum member is assigned 0. The python generator code has had the off-by-one ever since DV first wrote it years ago, but most of our public enums were immune because they had an explicit = 0 initializer. The only affected enums are: - virDomainEventGraphicsAddressType (such as VIR_DOMAIN_EVENT_GRAPHICS_ADDRESS_IPV4), since commit `987e31e` (libvirt v0.8.0) - virDomainCoreDumpFormat (such as VIR_DOMAIN_CORE_DUMP_FORMAT_RAW), since commit `9fbaff0` (libvirt v1.2.3) - virIPAddrType (such as VIR_IP_ADDR_TYPE_IPV4), since commit `03e0e79` (not yet released) Thanks to Nehal J Wani for reporting the problem on IRC, and for helping me zero in on the culprit function. * docs/apibuild.py (CParser.parseEnumBlock): Fix implicit enum values. Signed-off-by: Eric Blake <eblake@redhat.com> (cherry picked from commit `9b291bbe20`) Conflicts: docs/apibuild.py - context with `2a40951`	2014-06-26 20:14:37 -06:00
Michal Privoznik	b1066acb19	virNetClientSetTLSSession: Restore original signal mask Currently, we use pthread_sigmask(SIG_BLOCK, ...) prior to calling poll(). This is okay, as we don't want poll() to be interrupted. However, then - immediately as we fall out from the poll() - we try to restore the original sigmask - again using SIG_BLOCK. But as the man page says, SIG_BLOCK adds signals to the signal mask: SIG_BLOCK The set of blocked signals is the union of the current set and the set argument. Therefore, when restoring the original mask, we need to completely overwrite the one we set earlier and hence we should be using: SIG_SETMASK The set of blocked signals is set to the argument set. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> (cherry picked from commit `3d4b4f5ac6`)	2014-03-20 08:32:00 -06:00
Jiri Denemark	35ed979698	Really don't crash if a connection closes early https://bugzilla.redhat.com/show_bug.cgi?id=1047577 When writing commit `173c291`, I missed the fact virNetServerClientClose unlocks the client object before actually clearing client->sock and thus it is possible to hit a window when client->keepalive is NULL while client->sock is not NULL. I was thinking client->sock == NULL was a better check for a closed connection but apparently we have to go with client->keepalive == NULL to actually fix the crash. Signed-off-by: Jiri Denemark <jdenemar@redhat.com> (cherry picked from commit `066c8ef6c1`)	2014-01-15 13:20:08 -07:00
Jiri Denemark	41a540c78f	Don't crash if a connection closes early https://bugzilla.redhat.com/show_bug.cgi?id=1047577 When a client closes its connection to libvirtd early during virConnectOpen, more specifically just after making REMOTE_PROC_CONNECT_SUPPORTS_FEATURE call to check if VIR_DRV_FEATURE_PROGRAM_KEEPALIVE is supported without even waiting for the result, libvirtd may crash due to a race in keep-alive initialization. Once receiving the REMOTE_PROC_CONNECT_SUPPORTS_FEATURE call, the daemon's event loop delegates it to a worker thread. In case the event loop detects EOF on the connection and calls virNetServerClientClose before the worker thread starts to handle REMOTE_PROC_CONNECT_SUPPORTS_FEATURE call, client->keepalive will be disposed by the time virNetServerClientStartKeepAlive gets called from remoteDispatchConnectSupportsFeature. Because the flow is common for both authenticated and read-only connections, even unprivileged clients may cause the daemon to crash. To avoid the crash, virNetServerClientStartKeepAlive needs to check if the connection is still open before starting keep-alive protocol. Every libvirt release since 0.9.8 is affected by this bug. (cherry picked from commit `173c291473`) Conflicts: src/rpc/virnetserverclient.c - older locking style	2014-01-15 13:19:07 -07:00
Jiri Denemark	f59d02c487	qemu: Fix job usage in virDomainGetBlockIoTune CVE-2013-6458 Every API that is going to begin a job should do that before fetching data from vm->def. (cherry picked from commit `3b56425938`) Conflicts: src/qemu/qemu_driver.c - older BeginJobWithDriver	2014-01-15 12:39:45 -07:00
Jiri Denemark	95836cb26b	qemu: Fix job usage in qemuDomainBlockJobImpl CVE-2013-6458 Every API that is going to begin a job should do that before fetching data from vm->def. (cherry picked from commit `f93d2caa07`) Conflicts: src/qemu/qemu_driver.c - older style BeginJobWithDriver, context	2014-01-15 12:27:23 -07:00
Jiri Denemark	7a9bcfa1cc	qemu: Avoid using stale data in virDomainGetBlockInfo CVE-2013-6458 Generally, every API that is going to begin a job should do that before fetching data from vm->def. However, qemuDomainGetBlockInfo does not know whether it will have to start a job or not before checking vm->def. To avoid using disk alias that might have been freed while we were waiting for a job, we use its copy. In case the disk was removed in the meantime, we will fail with "cannot find statistics for device '...'" error message. (cherry picked from commit `b799259583`) Conflicts: src/qemu/qemu_driver.c - VIR_STRDUP not backported, context	2014-01-15 12:22:51 -07:00
Jiri Denemark	5f5e9eb23d	qemu: Do not access stale data in virDomainBlockStats CVE-2013-6458 https://bugzilla.redhat.com/show_bug.cgi?id=1043069 When virDomainDetachDeviceFlags is called concurrently to virDomainBlockStats: libvirtd may crash because qemuDomainBlockStats finds a disk in vm->def before getting a job on a domain and uses the disk pointer after getting the job. However, the domain in unlocked while waiting on a job condition and thus data behind the disk pointer may disappear. This happens when thread 1 runs virDomainDetachDeviceFlags and enters monitor to actually remove the disk. Then another thread starts running virDomainBlockStats, finds the disk in vm->def, and while it's waiting on the job condition (owned by the first thread), the first thread finishes the disk removal. When the second thread gets the job, the memory pointed to be the disk pointer is already gone. That said, every API that is going to begin a job should do that before fetching data from vm->def. (cherry picked from commit `db86da5ca2`) Conflicts: src/qemu/qemu_driver.c - context: no ACLs	2014-01-15 12:21:39 -07:00
Eric Blake	e200284078	build: use proper pod for nested bulleted VIRSH_DEBUG list Newer pod (hello rawhide) complains if you attempt to mix bullets and non-bullets in the same list: virsh.pod around line 3177: Expected text after =item, not a bullet As our intent was to nest an inner list, we make that explicit to keep pod happy. * tools/virsh.pod (ENVIRONMENT): Use correct pod syntax. (cherry picked from commit `00d69b4af1`)	2014-01-15 12:20:23 -07:00
Jim Fehlig	dae75860eb	libxl: fix build with Xen4.3 Xen 4.3 fixes a mistake in the libxl event handler signature where the event owned by the application was defined as const. Detect this and define the libvirt libxl event handler signature appropriately. (cherry picked from commit `43b0ff5b1e`) Conflicts: src/libxl/libxl_driver.c - context in formatting	2014-01-15 12:20:04 -07:00
Ján Tomko	56222e0428	Disable nwfilter driver when running unprivileged When opening a new connection to the driver, nwfilterOpen only succeeds if the driverState has been allocated. Move the privilege check in driver initialization before the state allocation to disable the driver. This changes the nwfilter-define error from: error: cannot create config directory (null): Bad address To: this function is not supported by the connection driver: virNWFilterDefineXML https://bugzilla.redhat.com/show_bug.cgi?id=1029266 (cherry picked from commit `b7829f959b`) Conflicts: src/nwfilter/nwfilter_driver.c (`da77f04` Convert HAVE_DBUS to WITH_DBUS not backported)	2013-11-13 10:54:06 +01:00
Zhou Yimin	6cfc7a5d09	remote: fix regression in event deregistration Introduced by 7b87a3 When I quit the process which only register VIR_DOMAIN_EVENT_ID_REBOOT, I got error like: "libvirt: XML-RPC error : internal error: domain event 0 not registered". Then I add the following code, it fixed. Signed-off-by: Zhou Yimin <zhouyimin@huawei.com> Signed-off-by: Eric Blake <eblake@redhat.com> (cherry picked from commit `9712c2510e`)	2013-10-18 07:57:30 -06:00