qemu: Let empty default VNC password work as documented

CVE-2016-5008 Setting an empty graphics password is documented as a way to disable VNC/SPICE access, but QEMU does not always behaves like that. VNC would happily accept the empty password. Let's enforce the behavior by setting password expiration to "now". https://bugzilla.redhat.com/show_bug.cgi?id=1180092 Signed-off-by: Jiri Denemark <jdenemar@redhat.com> (cherry picked from commit bb848feec0)
driver: log missing modules as INFO, not WARN
2025-10-06 11:34:01 +03:00 · 2016-06-30 12:52:42 +01:00 · 2016-03-17 17:09:26 -04:00 · 2016-03-17 16:25:20 -04:00 · 2016-01-20 19:11:58 -05:00 · 2016-01-20 19:10:30 -05:00
8 changed files with 38 additions and 39 deletions
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -30,8 +30,8 @@
  <define name="domain">
    <element name="domain">
      <ref name="hvs"/>
-      <ref name="ids"/>
      <interleave>
+        <ref name="ids"/>
        <optional>
          <ref name="title"/>
        </optional>
--- a/src/driver.c
+++ b/src/driver.c
@@ -62,7 +62,7 @@ virDriverLoadModule(const char *name)
        return NULL;

    if (access(modfile, R_OK) < 0) {
-        VIR_WARN("Module %s not accessible", modfile);
+        VIR_INFO("Module %s not accessible", modfile);
        goto cleanup;
    }

--- a/src/network/leaseshelper.c
+++ b/src/network/leaseshelper.c
@@ -439,7 +439,7 @@ main(int argc, char **argv)

    case VIR_LEASE_ACTION_OLD:
    case VIR_LEASE_ACTION_ADD:
-        if (virJSONValueArrayAppend(leases_array_new, lease_new) < 0) {
+        if (lease_new && virJSONValueArrayAppend(leases_array_new, lease_new) < 0) {
            virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                           _("failed to create json"));
            goto cleanup;
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -3811,6 +3811,7 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
    time_t now = time(NULL);
    char expire_time [64];
    const char *connected = NULL;
+    const char *password;
    int ret = -1;
    virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);

@@ -3818,16 +3819,14 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
        ret = 0;
        goto cleanup;
    }
+    password = auth->passwd ? auth->passwd : defaultPasswd;

    if (auth->connected)
        connected = virDomainGraphicsAuthConnectedTypeToString(auth->connected);

    if (qemuDomainObjEnterMonitorAsync(driver, vm, asyncJob) < 0)
        goto cleanup;
-    ret = qemuMonitorSetPassword(priv->mon,
-                                 type,
-                                 auth->passwd ? auth->passwd : defaultPasswd,
-                                 connected);
+    ret = qemuMonitorSetPassword(priv->mon, type, password, connected);

    if (ret == -2) {
        if (type != VIR_DOMAIN_GRAPHICS_TYPE_VNC) {
@@ -3835,14 +3834,15 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
                           _("Graphics password only supported for VNC"));
            ret = -1;
        } else {
-            ret = qemuMonitorSetVNCPassword(priv->mon,
-                                            auth->passwd ? auth->passwd : defaultPasswd);
+            ret = qemuMonitorSetVNCPassword(priv->mon, password);
        }
    }
    if (ret != 0)
        goto end_job;

-    if (auth->expires) {
+    if (password[0] == '\0') {
+        snprintf(expire_time, sizeof(expire_time), "now");
+    } else if (auth->expires) {
        time_t lifetime = auth->validTo - now;
        if (lifetime <= 0)
            snprintf(expire_time, sizeof(expire_time), "now");
--- a/src/rpc/gensystemtap.pl
+++ b/src/rpc/gensystemtap.pl
@@ -72,7 +72,7 @@ function libvirt_rpc_auth_name(type, verbose)
 {
 EOF
 my $first = 1;
-foreach my $type (keys %auth) {
+foreach my $type (sort(keys %auth)) {
    my $cond = $first ? "if" : "} else if";
    $first = 0;
    print "  $cond (type == ", $type, ") {\n";
@@ -95,7 +95,7 @@ function libvirt_rpc_type_name(type, verbose)
 {
 EOF
 $first = 1;
-foreach my $type (keys %type) {
+foreach my $type (sort(keys %type)) {
    my $cond = $first ? "if" : "} else if";
    $first = 0;
    print "  $cond (type == ", $type, ") {\n";
@@ -118,7 +118,7 @@ function libvirt_rpc_status_name(status, verbose)
 {
 EOF
 $first = 1;
-foreach my $status (keys %status) {
+foreach my $status (sort(keys %status)) {
    my $cond = $first ? "if" : "} else if";
    $first = 0;
    print "  $cond (status == ", $status, ") {\n";
@@ -141,7 +141,7 @@ function libvirt_rpc_program_name(program, verbose)
 {
 EOF
 $first = 1;
-foreach my $prog (keys %funcs) {
+foreach my $prog (sort(keys %funcs)) {
    my $cond = $first ? "if" : "} else if";
    $first = 0;
    print "  $cond (program == ", $funcs{$prog}->{id}, ") {\n";
@@ -165,7 +165,7 @@ function libvirt_rpc_procedure_name(program, version, proc, verbose)
 {
 EOF
 $first = 1;
-foreach my $prog (keys %funcs) {
+foreach my $prog (sort(keys %funcs)) {
    my $cond = $first ? "if" : "} else if";
    $first = 0;
    print "  $cond (program == ", $funcs{$prog}->{id}, " && version == ", $funcs{$prog}->{version}, ") {\n";
--- a/src/rpc/virnetsocket.c
+++ b/src/rpc/virnetsocket.c
@@ -542,11 +542,15 @@ int virNetSocketNewConnectUNIX(const char *path,
    char *lockpath = NULL;
    int lockfd = -1;
    int fd = -1;
-    int retries = 100;
+    int retries = 500;
    virSocketAddr localAddr;
    virSocketAddr remoteAddr;
    char *rundir = NULL;
    int ret = -1;
+    bool daemonLaunched = false;
+
+    VIR_DEBUG("path=%s spawnDaemon=%d binary=%s", path, spawnDaemon,
+        NULLSTR(binary));

    memset(&localAddr, 0, sizeof(localAddr));
    memset(&remoteAddr, 0, sizeof(remoteAddr));
@@ -608,19 +612,30 @@ int virNetSocketNewConnectUNIX(const char *path,
    if (remoteAddr.data.un.sun_path[0] == '@')
        remoteAddr.data.un.sun_path[0] = '\0';

-    while (retries &&
-           connect(fd, &remoteAddr.data.sa, remoteAddr.len) < 0) {
-        if (!(spawnDaemon && errno == ENOENT)) {
+    while (retries) {
+        if (connect(fd, &remoteAddr.data.sa, remoteAddr.len) == 0) {
+            VIR_DEBUG("connect() succeeded");
+            break;
+        }
+        VIR_DEBUG("connect() failed: retries=%d errno=%d", retries, errno);
+
+        retries--;
+        if (!spawnDaemon ||
+            retries == 0 ||
+            (errno != ENOENT && errno != ECONNREFUSED)) {
            virReportSystemError(errno, _("Failed to connect socket to '%s'"),
                                 path);
            goto cleanup;
        }

-        if (virNetSocketForkDaemon(binary) < 0)
-            goto cleanup;
+        if (!daemonLaunched) {
+            if (virNetSocketForkDaemon(binary) < 0)
+                goto cleanup;

-        retries--;
-        usleep(5000);
+            daemonLaunched = true;
+        }
+
+        usleep(10000);
    }

    localAddr.len = sizeof(localAddr.data);
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -971,14 +971,6 @@ virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
        virSecurityDACRestoreSecurityFileLabel(def->os.loader->nvram) < 0)
        rc = -1;

-    if (def->os.kernel &&
-        virSecurityDACRestoreSecurityFileLabel(def->os.kernel) < 0)
-        rc = -1;
-
-    if (def->os.initrd &&
-        virSecurityDACRestoreSecurityFileLabel(def->os.initrd) < 0)
-        rc = -1;
-
    if (def->os.dtb &&
        virSecurityDACRestoreSecurityFileLabel(def->os.dtb) < 0)
        rc = -1;
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1953,14 +1953,6 @@ virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
        virSecuritySELinuxRestoreSecurityFileLabel(mgr, def->os.loader->nvram) < 0)
        rc = -1;

-    if (def->os.kernel &&
-        virSecuritySELinuxRestoreSecurityFileLabel(mgr, def->os.kernel) < 0)
-        rc = -1;
-
-    if (def->os.initrd &&
-        virSecuritySELinuxRestoreSecurityFileLabel(mgr, def->os.initrd) < 0)
-        rc = -1;
-
    if (def->os.dtb &&
        virSecuritySELinuxRestoreSecurityFileLabel(mgr, def->os.dtb) < 0)
        rc = -1;
Author	SHA1	Message	Date
Jiri Denemark	35c2bd75f2	qemu: Let empty default VNC password work as documented CVE-2016-5008 Setting an empty graphics password is documented as a way to disable VNC/SPICE access, but QEMU does not always behaves like that. VNC would happily accept the empty password. Let's enforce the behavior by setting password expiration to "now". https://bugzilla.redhat.com/show_bug.cgi?id=1180092 Signed-off-by: Jiri Denemark <jdenemar@redhat.com> (cherry picked from commit `bb848feec0`)	2016-06-30 12:52:42 +01:00
Jovanka Gulicoska	d888390142	driver: log missing modules as INFO, not WARN Missing modules is a common expected scenario for most libvirt usage on RPM distributions like Fedora, so it doesn't really warrant logging at WARN level. Use INFO instead https://bugzilla.redhat.com/show_bug.cgi?id=1274849 (cherry picked from commit `9a0c7f5f83`)	2016-03-17 17:09:26 -04:00
Cole Robinson	7434df6525	rpc: wait longer for session daemon to start up https://bugzilla.redhat.com/show_bug.cgi?id=1271183 We only wait 0.5 seconds for the session daemon to start up and present its socket, which isn't sufficient for many users. Bump up the sleep interval and retry amount so we wait for a total of 5.0 seconds. (cherry picked from commit `ca0c06f400`)	2016-03-17 16:25:20 -04:00
Jiri Denemark	1f6d3603ee	security: Do not restore kernel and initrd labels Kernel/initrd files are essentially read-only shareable images and thus should be handled in the same way. We already use the appropriate label for kernel/initrd files when starting a domain, but when a domain gets destroyed we would remove the labels which would make other running domains using the same files very unhappy. https://bugzilla.redhat.com/show_bug.cgi?id=921135 Signed-off-by: Jiri Denemark <jdenemar@redhat.com> (cherry picked from commit `68acc701bd`)	2016-01-20 19:11:58 -05:00
Cole Robinson	26256132a7	rpc: socket: Don't repeatedly attempt to launch daemon On every socket connect(2) attempt we were re-launching session libvirtd, up to 100 times in 5 seconds. This understandably caused some weird load races and intermittent qemu:///session startup failures https://bugzilla.redhat.com/show_bug.cgi?id=1271183 (cherry picked from commit `2eb7a97575`)	2016-01-20 19:10:30 -05:00
Cole Robinson	3192efaec8	rpc: socket: Explicitly error if we exceed retry count When we autolaunch libvirtd for session URIs, we spin in a retry loop waiting for the daemon to start and the connect(2) to succeed. However if we exceed the retry count, we don't explicitly raise an error, which can yield a slew of different error messages elsewhere in the code. Explicitly raise the last connect(2) failure if we run out of retries. (cherry picked from commit `8da02d5280`)	2016-01-20 19:10:11 -05:00
Cole Robinson	4cfc14c7f4	rpc: socket: Minor cleanups - Add some debugging - Make the loop dependent only on retries - Make it explicit that connect(2) success exits the loop - Invert the error checking logic (cherry picked from commit `f102c7146e`)	2016-01-20 19:10:03 -05:00
Daniel P. Berrange	fe40b1d1d4	rpc: ensure daemon is spawn even if dead socket exists The auto-spawn code would originally attempt to spawn the daemon for both ENOENT and ECONNREFUSED errors from connect(). The various refactorings eventually lost this so we only spawn the daemon on ENOENT. The result is if the daemon exits uncleanly, so that the socket is left in the filesystem, we will never be able to auto-spawn the daemon again. (cherry picked from commit `406ee8c226`)	2016-01-20 19:10:00 -05:00
Cole Robinson	d7addd6871	build: predictably generate systemtap tapsets (bz 1173641) The generated output is dependent on perl hashtable ordering, which gives different results for i686 and x86_64. Fix this by sorting the hash keys before iterating over them https://bugzilla.redhat.com/show_bug.cgi?id=1173641 (cherry picked from commit `a1edb05c60`)	2016-01-20 19:09:03 -05:00
Ján Tomko	931888e63a	leaseshelper: fix crash when no mac is specified If dnsmasq specified DNSMASQ_IAID (so we're dealing with an IPv6 lease) but no DNSMASQ_MAC, we skip creation of the new lease object. Also skip adding it to the leases array. https://bugzilla.redhat.com/show_bug.cgi?id=1202350 (cherry picked from commit `df9fe124d6`) Signed-off-by: Ján Tomko <jtomko@redhat.com>	2016-01-20 10:04:48 +01:00
Ján Tomko	4be842d5f5	schema: interleave domain name and uuid with other elements Allow <name> and <uuid> anywhere under <domain>, not just at the top: error:XML document failed to validate against schema: Unable to validate doc against /usr/share/libvirt/schemas/domain.rng Expecting an element name, got nothing Invalid sequence in interleave Element domain failed to validate content Introduced with the first RelaxNG schema in commit `c642103`. https://bugzilla.redhat.com/show_bug.cgi?id=1292131 (cherry picked from commit `b4e0549feb`) Signed-off-by: Ján Tomko <jtomko@redhat.com>	2016-01-05 13:53:47 +01:00