qemu: Let empty default VNC password work as documented

CVE-2016-5008 Setting an empty graphics password is documented as a way to disable VNC/SPICE access, but QEMU does not always behaves like that. VNC would happily accept the empty password. Let's enforce the behavior by setting password expiration to "now". https://bugzilla.redhat.com/show_bug.cgi?id=1180092 Signed-off-by: Jiri Denemark <jdenemar@redhat.com> (cherry picked from commit bb848feec0)
CVE-2015-5313: storage: don't allow '/' in filesystem volume names
2025-09-19 01:44:56 +03:00 · 2016-06-30 12:53:06 +01:00 · 2015-12-15 14:46:15 -07:00 · 2015-09-03 17:46:06 +02:00 · 2015-08-28 10:35:37 -06:00 · 2015-06-16 17:12:48 +01:00
12 changed files with 87 additions and 80 deletions
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -1609,11 +1609,10 @@ remoteDispatchConnectListAllDomains(virNetServerPtr server ATTRIBUTE_UNUSED,
 cleanup:
    if (rv < 0)
        virNetMessageSaveError(rerr);
-    if (doms && ndomains > 0) {
+    if (doms && ndomains > 0)
        for (i = 0; i < ndomains; i++)
            virObjectUnref(doms[i]);
-        VIR_FREE(doms);
-    }
+    VIR_FREE(doms);
    return rv;
 }

@@ -4533,11 +4532,10 @@ remoteDispatchDomainListAllSnapshots(virNetServerPtr server ATTRIBUTE_UNUSED,
    if (rv < 0)
        virNetMessageSaveError(rerr);
    virObjectUnref(dom);
-    if (snaps && nsnaps > 0) {
+    if (snaps && nsnaps > 0)
        for (i = 0; i < nsnaps; i++)
            virObjectUnref(snaps[i]);
-        VIR_FREE(snaps);
-    }
+    VIR_FREE(snaps);
    return rv;
 }

@@ -4602,11 +4600,10 @@ remoteDispatchDomainSnapshotListAllChildren(virNetServerPtr server ATTRIBUTE_UNU
        virNetMessageSaveError(rerr);
    virObjectUnref(snapshot);
    virObjectUnref(dom);
-    if (snaps && nsnaps > 0) {
+    if (snaps && nsnaps > 0)
        for (i = 0; i < nsnaps; i++)
            virObjectUnref(snaps[i]);
-        VIR_FREE(snaps);
-    }
+    VIR_FREE(snaps);
    return rv;
 }

@@ -4661,11 +4658,10 @@ remoteDispatchConnectListAllStoragePools(virNetServerPtr server ATTRIBUTE_UNUSED
 cleanup:
    if (rv < 0)
        virNetMessageSaveError(rerr);
-    if (pools && npools > 0) {
+    if (pools && npools > 0)
        for (i = 0; i < npools; i++)
            virObjectUnref(pools[i]);
-        VIR_FREE(pools);
-    }
+    VIR_FREE(pools);
    return rv;
 }

@@ -4724,11 +4720,10 @@ remoteDispatchStoragePoolListAllVolumes(virNetServerPtr server ATTRIBUTE_UNUSED,
 cleanup:
    if (rv < 0)
        virNetMessageSaveError(rerr);
-    if (vols && nvols > 0) {
+    if (vols && nvols > 0)
        for (i = 0; i < nvols; i++)
            virObjectUnref(vols[i]);
-        VIR_FREE(vols);
-    }
+    VIR_FREE(vols);
    virObjectUnref(pool);
    return rv;
 }
@@ -4784,11 +4779,10 @@ remoteDispatchConnectListAllNetworks(virNetServerPtr server ATTRIBUTE_UNUSED,
 cleanup:
    if (rv < 0)
        virNetMessageSaveError(rerr);
-    if (nets && nnets > 0) {
+    if (nets && nnets > 0)
        for (i = 0; i < nnets; i++)
            virObjectUnref(nets[i]);
-        VIR_FREE(nets);
-    }
+    VIR_FREE(nets);
    return rv;
 }

@@ -4843,11 +4837,10 @@ remoteDispatchConnectListAllInterfaces(virNetServerPtr server ATTRIBUTE_UNUSED,
 cleanup:
    if (rv < 0)
        virNetMessageSaveError(rerr);
-    if (ifaces && nifaces > 0) {
+    if (ifaces && nifaces > 0)
        for (i = 0; i < nifaces; i++)
            virObjectUnref(ifaces[i]);
-        VIR_FREE(ifaces);
-    }
+    VIR_FREE(ifaces);
    return rv;
 }

@@ -4902,11 +4895,10 @@ remoteDispatchConnectListAllNodeDevices(virNetServerPtr server ATTRIBUTE_UNUSED,
 cleanup:
    if (rv < 0)
        virNetMessageSaveError(rerr);
-    if (devices && ndevices > 0) {
+    if (devices && ndevices > 0)
        for (i = 0; i < ndevices; i++)
            virObjectUnref(devices[i]);
-        VIR_FREE(devices);
-    }
+    VIR_FREE(devices);
    return rv;
 }

@@ -4961,11 +4953,10 @@ remoteDispatchConnectListAllNWFilters(virNetServerPtr server ATTRIBUTE_UNUSED,
 cleanup:
    if (rv < 0)
        virNetMessageSaveError(rerr);
-    if (filters && nfilters > 0) {
+    if (filters && nfilters > 0)
        for (i = 0; i < nfilters; i++)
            virObjectUnref(filters[i]);
-        VIR_FREE(filters);
-    }
+    VIR_FREE(filters);
    return rv;
 }

@@ -5020,11 +5011,10 @@ remoteDispatchConnectListAllSecrets(virNetServerPtr server ATTRIBUTE_UNUSED,
 cleanup:
    if (rv < 0)
        virNetMessageSaveError(rerr);
-    if (secrets && nsecrets > 0) {
+    if (secrets && nsecrets > 0)
        for (i = 0; i < nsecrets; i++)
            virObjectUnref(secrets[i]);
-        VIR_FREE(secrets);
-    }
+    VIR_FREE(secrets);
    return rv;
 }

@@ -6192,11 +6182,10 @@ remoteDispatchNetworkGetDHCPLeases(virNetServerPtr server ATTRIBUTE_UNUSED,
 cleanup:
    if (rv < 0)
        virNetMessageSaveError(rerr);
-    if (leases && nleases > 0) {
+    if (leases && nleases > 0)
        for (i = 0; i < nleases; i++)
            virNetworkDHCPLeaseFree(leases[i]);
-        VIR_FREE(leases);
-    }
+    VIR_FREE(leases);
    virObjectUnref(net);
    return rv;
 }
--- a/src/conf/cpu_conf.c
+++ b/src/conf/cpu_conf.c
@@ -158,6 +158,7 @@ virCPUDefCopy(const virCPUDef *cpu)

        for (i = 0; i < cpu->ncells; i++) {
            copy->cells[i].mem = cpu->cells[i].mem;
+            copy->cells[i].memAccess = cpu->cells[i].memAccess;

            copy->cells[i].cpumask = virBitmapNewCopy(cpu->cells[i].cpumask);

--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -845,7 +845,7 @@ typedef struct {

 static const virLXCBasicMountInfo lxcBasicMounts[] = {
    { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false, false },
-    { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false, false },
+    { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false, false },
    { "/.oldroot/proc/sys/net/ipv4", "/proc/sys/net/ipv4", NULL, MS_BIND, false, false, true },
    { "/.oldroot/proc/sys/net/ipv6", "/proc/sys/net/ipv6", NULL, MS_BIND, false, false, true },
    { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false, false },
@@ -1025,7 +1025,7 @@ static int lxcContainerMountBasicFS(bool userns_enabled,

        if (bindOverReadonly &&
            mount(mnt_src, mnt->dst, NULL,
-                  MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
+                  MS_BIND|MS_REMOUNT|mnt_mflags|MS_RDONLY, NULL) < 0) {
            virReportSystemError(errno,
                                 _("Failed to re-mount %s on %s flags=%x"),
                                 mnt_src, mnt->dst,
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -598,7 +598,7 @@ static int lxcDomainGetInfo(virDomainPtr dom,

    if (!virDomainObjIsActive(vm)) {
        info->cpuTime = 0;
-        info->memory = 0;
+        info->memory = vm->def->mem.cur_balloon;
    } else {
        if (virCgroupGetCpuacctUsage(priv->cgroup, &(info->cpuTime)) < 0) {
            virReportError(VIR_ERR_OPERATION_FAILED,
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -789,7 +789,7 @@ qemuInitCgroup(virQEMUDriverPtr driver,
 static void
 qemuRestoreCgroupState(virDomainObjPtr vm)
 {
-    char *mem_mask;
+    char *mem_mask = NULL;
    int empty = -1;
    qemuDomainObjPrivatePtr priv = vm->privateData;
    virBitmapPtr all_nodes;
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -1380,6 +1380,12 @@ qemuDomainHelperGetVcpus(virDomainObjPtr vm, virVcpuInfoPtr info, int maxinfo,
    if ((hostcpus = nodeGetCPUCount()) < 0)
        return -1;

+    if (priv->vcpupids == NULL) {
+        virReportError(VIR_ERR_OPERATION_INVALID,
+                       "%s", _("cpu affinity is not supported"));
+        return -1;
+    }
+
    maxcpu = maplen * 8;
    if (maxcpu > hostcpus)
        maxcpu = hostcpus;
@@ -1395,8 +1401,7 @@ qemuDomainHelperGetVcpus(virDomainObjPtr vm, virVcpuInfoPtr info, int maxinfo,
                info[i].number = i;
                info[i].state = VIR_VCPU_RUNNING;

-                if (priv->vcpupids != NULL &&
-                    qemuGetProcessInfo(&(info[i].cpuTime),
+                if (qemuGetProcessInfo(&(info[i].cpuTime),
                                       &(info[i].cpu),
                                       NULL,
                                       vm->pid,
@@ -1410,28 +1415,22 @@ qemuDomainHelperGetVcpus(virDomainObjPtr vm, virVcpuInfoPtr info, int maxinfo,

        if (cpumaps != NULL) {
            memset(cpumaps, 0, maplen * maxinfo);
-            if (priv->vcpupids != NULL) {
-                for (v = 0; v < maxinfo; v++) {
-                    unsigned char *cpumap = VIR_GET_CPUMAP(cpumaps, maplen, v);
-                    virBitmapPtr map = NULL;
-                    unsigned char *tmpmap = NULL;
-                    int tmpmapLen = 0;
+            for (v = 0; v < maxinfo; v++) {
+                unsigned char *cpumap = VIR_GET_CPUMAP(cpumaps, maplen, v);
+                virBitmapPtr map = NULL;
+                unsigned char *tmpmap = NULL;
+                int tmpmapLen = 0;

-                    if (virProcessGetAffinity(priv->vcpupids[v],
-                                              &map, maxcpu) < 0)
-                        return -1;
-                    virBitmapToData(map, &tmpmap, &tmpmapLen);
-                    if (tmpmapLen > maplen)
-                        tmpmapLen = maplen;
-                    memcpy(cpumap, tmpmap, tmpmapLen);
+                if (virProcessGetAffinity(priv->vcpupids[v],
+                                          &map, maxcpu) < 0)
+                    return -1;
+                virBitmapToData(map, &tmpmap, &tmpmapLen);
+                if (tmpmapLen > maplen)
+                    tmpmapLen = maplen;
+                memcpy(cpumap, tmpmap, tmpmapLen);

-                    VIR_FREE(tmpmap);
-                    virBitmapFree(map);
-                }
-            } else {
-                virReportError(VIR_ERR_OPERATION_INVALID,
-                               "%s", _("cpu affinity is not available"));
-                return -1;
+                VIR_FREE(tmpmap);
+                virBitmapFree(map);
            }
        }
    }
@@ -2630,7 +2629,7 @@ static int qemuDomainGetInfo(virDomainPtr dom,
            info->memory = vm->def->mem.cur_balloon;
        }
    } else {
-        info->memory = 0;
+        info->memory = vm->def->mem.cur_balloon;
    }

    info->nrVirtCpu = vm->def->vcpus;
@@ -4605,13 +4604,13 @@ qemuDomainSetVcpusFlags(virDomainPtr dom, unsigned int nvcpus,

    if (flags & VIR_DOMAIN_AFFECT_LIVE && !(flags & VIR_DOMAIN_VCPU_GUEST)) {
        if (virCgroupNewEmulator(priv->cgroup, false, &cgroup_temp) < 0)
-            goto cleanup;
+            goto endjob;

        if (!(all_nodes = virNumaGetHostNodeset()))
-            goto cleanup;
+            goto endjob;

        if (!(all_nodes_str = virBitmapFormat(all_nodes)))
-            goto cleanup;
+            goto endjob;

        if (virCgroupGetCpusetMems(cgroup_temp, &mem_mask) < 0 ||
            virCgroupSetCpusetMems(cgroup_temp, all_nodes_str) < 0)
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -3624,6 +3624,7 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
    time_t now = time(NULL);
    char expire_time [64];
    const char *connected = NULL;
+    const char *password;
    int ret = -1;
    virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);

@@ -3631,16 +3632,14 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
        ret = 0;
        goto cleanup;
    }
+    password = auth->passwd ? auth->passwd : defaultPasswd;

    if (auth->connected)
        connected = virDomainGraphicsAuthConnectedTypeToString(auth->connected);

    if (qemuDomainObjEnterMonitorAsync(driver, vm, asyncJob) < 0)
        goto cleanup;
-    ret = qemuMonitorSetPassword(priv->mon,
-                                 type,
-                                 auth->passwd ? auth->passwd : defaultPasswd,
-                                 connected);
+    ret = qemuMonitorSetPassword(priv->mon, type, password, connected);

    if (ret == -2) {
        if (type != VIR_DOMAIN_GRAPHICS_TYPE_VNC) {
@@ -3648,14 +3647,15 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
                           _("Graphics password only supported for VNC"));
            ret = -1;
        } else {
-            ret = qemuMonitorSetVNCPassword(priv->mon,
-                                            auth->passwd ? auth->passwd : defaultPasswd);
+            ret = qemuMonitorSetVNCPassword(priv->mon, password);
        }
    }
    if (ret != 0)
        goto end_job;

-    if (auth->expires) {
+    if (password[0] == '\0') {
+        snprintf(expire_time, sizeof(expire_time), "now");
+    } else if (auth->expires) {
        time_t lifetime = auth->validTo - now;
        if (lifetime <= 0)
            snprintf(expire_time, sizeof(expire_time), "now");
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -2498,9 +2498,18 @@ qemuProcessSetVcpuAffinities(virDomainObjPtr vm)
        return 0;

    if (priv->vcpupids == NULL) {
-        virReportError(VIR_ERR_OPERATION_INVALID,
-                       "%s", _("cpu affinity is not supported"));
-        return -1;
+        /* If any CPU has custom affinity that differs from the
+         * VM default affinity, we must reject it
+         */
+        for (n = 0; n < def->vcpus; n++) {
+            if (!virBitmapEqual(def->cpumask,
+                                def->cputune.vcpupin[n]->cpumask)) {
+                virReportError(VIR_ERR_OPERATION_INVALID,
+                               "%s", _("cpu affinity is not supported"));
+                return -1;
+            }
+        }
+        return 0;
    }

    for (n = 0; n < def->vcpus; n++) {
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -540,10 +540,6 @@ remoteClientCloseFunc(virNetClientPtr client ATTRIBUTE_UNUSED,
        cbdata->freeCallback = NULL;
    }
    virObjectUnlock(cbdata);
-
-    /* free the connection reference that comes along with the callback
-     * registration */
-    virObjectUnref(cbdata->conn);
 }

 /* helper macro to ease extraction of arguments from the URI */
--- a/src/storage/storage_backend_fs.c
+++ b/src/storage/storage_backend_fs.c
@@ -1,7 +1,7 @@
 /*
 * storage_backend_fs.c: storage backend for FS and directory handling
 *
- * Copyright (C) 2007-2014 Red Hat, Inc.
+ * Copyright (C) 2007-2015 Red Hat, Inc.
 * Copyright (C) 2007-2008 Daniel P. Berrange
 *
 * This library is free software; you can redistribute it and/or
@@ -1003,6 +1003,14 @@ virStorageBackendFileSystemVolCreate(virConnectPtr conn ATTRIBUTE_UNUSED,

    vol->type = VIR_STORAGE_VOL_FILE;

+    /* Volumes within a directory pools are not recursive; do not
+     * allow escape to ../ or a subdir */
+    if (strchr(vol->name, '/')) {
+        virReportError(VIR_ERR_OPERATION_INVALID,
+                       _("volume name '%s' cannot contain '/'"), vol->name);
+        return -1;
+    }
+
    VIR_FREE(vol->target.path);
    if (virAsprintf(&vol->target.path, "%s/%s",
                    pool->def->target.path,
--- a/src/util/virbitmap.c
+++ b/src/util/virbitmap.c
@@ -504,6 +504,12 @@ bool virBitmapEqual(virBitmapPtr b1, virBitmapPtr b2)
    virBitmapPtr tmp;
    size_t i;

+    if (!b1 && !b2)
+        return true;
+
+    if (!b1 || !b2)
+        return false;
+
    if (b1->max_bit > b2->max_bit) {
        tmp = b1;
        b1 = b2;
--- a/src/util/virbitmap.h
+++ b/src/util/virbitmap.h
@@ -84,8 +84,7 @@ virBitmapPtr virBitmapNewData(void *data, int len) ATTRIBUTE_NONNULL(1);
 int virBitmapToData(virBitmapPtr bitmap, unsigned char **data, int *dataLen)
    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);

-bool virBitmapEqual(virBitmapPtr b1, virBitmapPtr b2)
-    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
+bool virBitmapEqual(virBitmapPtr b1, virBitmapPtr b2);

 size_t virBitmapSize(virBitmapPtr bitmap)
    ATTRIBUTE_NONNULL(1);
Author	SHA1	Message	Date
Jiri Denemark	819c14190c	qemu: Let empty default VNC password work as documented CVE-2016-5008 Setting an empty graphics password is documented as a way to disable VNC/SPICE access, but QEMU does not always behaves like that. VNC would happily accept the empty password. Let's enforce the behavior by setting password expiration to "now". https://bugzilla.redhat.com/show_bug.cgi?id=1180092 Signed-off-by: Jiri Denemark <jdenemar@redhat.com> (cherry picked from commit `bb848feec0`)	2016-06-30 12:53:06 +01:00
Eric Blake	b5ddfbc0fe	CVE-2015-5313: storage: don't allow '/' in filesystem volume names The libvirt file system storage driver determines what file to act on by concatenating the pool location with the volume name. If a user is able to pick names like "../../../etc/passwd", then they can escape the bounds of the pool. For that matter, virStoragePoolListVolumes() doesn't descend into subdirectories, so a user really shouldn't use a name with a slash. Normally, only privileged users can coerce libvirt into creating or opening existing files using the virStorageVol APIs; and such users already have full privilege to create any domain XML (so it is not an escalation of privilege). But in the case of fine-grained ACLs, it is feasible that a user can be granted storage_vol:create but not domain:write, and it violates assumptions if such a user can abuse libvirt to access files outside of the storage pool. Therefore, prevent all use of volume names that contain "/", whether or not such a name is actually attempting to escape the pool. This changes things from: $ virsh vol-create-as default ../../../../../../etc/haha --capacity 128 Vol ../../../../../../etc/haha created $ rm /etc/haha to: $ virsh vol-create-as default ../../../../../../etc/haha --capacity 128 error: Failed to create vol ../../../../../../etc/haha error: Requested operation is not valid: volume name '../../../../../../etc/haha' cannot contain '/' Signed-off-by: Eric Blake <eblake@redhat.com> (cherry picked from commit `034e47c338`)	2015-12-15 14:46:15 -07:00
Michal Privoznik	56fe8df69f	remoteClientCloseFunc: Don't mangle connection object refcount Well, in `8ad126e6` we tried to fix a memory corruption problem. However, the fix was not as good as it could be. I mean, the commit has one line more than it should. I've noticed this output just recently: # ./run valgrind --leak-check=full --show-reachable=yes ./tools/virsh domblklist gentoo ==17019== Memcheck, a memory error detector ==17019== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. ==17019== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info ==17019== Command: /home/zippy/work/libvirt/libvirt.git/tools/.libs/virsh domblklist gentoo ==17019== Target Source ------------------------------------------------ fda /var/lib/libvirt/images/fd.img vda /var/lib/libvirt/images/gentoo.qcow2 hdc /home/zippy/tmp/install-amd64-minimal-20150402.iso ==17019== Thread 2: ==17019== Invalid read of size 4 ==17019== at 0x4EFF5B4: virObjectUnref (virobject.c:258) ==17019== by 0x5038CFF: remoteClientCloseFunc (remote_driver.c:552) ==17019== by 0x5069D57: virNetClientCloseLocked (virnetclient.c:685) ==17019== by 0x506C848: virNetClientIncomingEvent (virnetclient.c:1852) ==17019== by 0x5082136: virNetSocketEventHandle (virnetsocket.c:1913) ==17019== by 0x4ECD64E: virEventPollDispatchHandles (vireventpoll.c:509) ==17019== by 0x4ECDE02: virEventPollRunOnce (vireventpoll.c:658) ==17019== by 0x4ECBF00: virEventRunDefaultImpl (virevent.c:308) ==17019== by 0x130386: vshEventLoop (vsh.c:1864) ==17019== by 0x4F1EB07: virThreadHelper (virthread.c:206) ==17019== by 0xA8462D3: start_thread (in /lib64/libpthread-2.20.so) ==17019== by 0xAB441FC: clone (in /lib64/libc-2.20.so) ==17019== Address 0x139023f4 is 4 bytes inside a block of size 240 free'd ==17019== at 0x4C2B1F0: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==17019== by 0x4EA8949: virFree (viralloc.c:582) ==17019== by 0x4EFF6D0: virObjectUnref (virobject.c:273) ==17019== by 0x4FE74D6: virConnectClose (libvirt.c:1390) ==17019== by 0x13342A: virshDeinit (virsh.c:406) ==17019== by 0x134A37: main (virsh.c:950) The problem is, when registering remoteClientCloseFunc(), it's conn->closeCallback which is ref'd. But in the function itself it's conn->closeCallback->conn what is unref'd. This is causing imbalance in reference counting. Moreover, there's no need for the remote driver to increase/decrease conn refcount since it's not used anywhere. It's just merely passed to client registered callback. And for that purpose it's correctly ref'd in virConnectRegisterCloseCallback() and then unref'd in virConnectUnregisterCloseCallback(). Signed-off-by: Michal Privoznik <mprivozn@redhat.com> (cherry picked from commit `e689300770`) Signed-off-by: Michal Privoznik <mprivozn@redhat.com>	2015-09-03 17:46:06 +02:00
Jim Fehlig	039372edd9	Revert "LXC: show used memory as 0 when domain is not active" This reverts commit `1ce7c1d20c`, which introduced a significant semantic change to the virDomainGetInfo() API. Additionally, the change was only made to 2 of the 15 virt drivers. Conflicts: src/qemu/qemu_driver.c Signed-off-by: Jim Fehlig <jfehlig@suse.com> (cherry picked from commit `60acb38abb`)	2015-08-28 10:35:37 -06:00
Eric W. Biederman	32eb2a5897	lxc: set nosuid+nodev+noexec flags on /proc/sys mount Future kernels will mandate the use of nosuid+nodev+noexec flags when mounting the /proc/sys filesystem. Unconditionally add them now since they don't harm things regardless and could mitigate future security attacks. (cherry picked from commit `24710414d4`)	2015-06-16 17:12:48 +01:00
Thibaut Collet	bd1a133fc8	conf: fix issue on virCPUDefCopy The cpu xml copy is incorrect: the memAccess field is not copied. The lack of copy of this memAccess field can cause unexpected behaviour for live migration when vhost user is used. For example if guest has the following configuration: .... <cpu> <model>Westmere</model> <topology sockets="1" cores="4" threads="1"/> <numa> <cell id='0' cpus='0-3' memory='2097152' memAccess='shared'/> </numa> </cpu> .... The used configuration on the remote host in case of live migration is: .... <cpu mode='custom' match='exact'> <model fallback='allow'>Westmere</model> <topology sockets='1' cores='4' threads='1'/> <numa> <cell id='0' cpus='0-3' memory='2097152' unit='KiB'/> </numa> </cpu> .... On the remote host the lack of memAccess info can cause unexpected error on the qemu backend vhost user driver. Fixes: `def6b3598` ("docs, conf, schema: add support for shared memory mapping") This issue is present only for libvirt1.2.9 to libvirt1.2.12 With patch `181742d43` ("conf: Move all NUMA configuration to virDomainNuma") present since libvirt1.2.13 the problem does not exist anymore as NUMA information are no more in the CPU configuration. Signed-off-by: Thibaut Collet <thibaut.collet@6wind.com>	2015-05-22 15:24:06 +02:00
Eric Blake	34538870c7	daemon: avoid memleak when ListAll returns nothing Commit `4f25146` (v1.2.8) managed to silence Coverity, but at the cost of a memory leak detected by valgrind: ==24129== 40 bytes in 5 blocks are definitely lost in loss record 355 of 637 ==24129== at 0x4A08B1C: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==24129== by 0x5084B8E: virReallocN (viralloc.c:245) ==24129== by 0x514D5AA: virDomainObjListExport (domain_conf.c:22200) ==24129== by 0x201227DB: qemuConnectListAllDomains (qemu_driver.c:18042) ==24129== by 0x51CC1B6: virConnectListAllDomains (libvirt-domain.c:6797) ==24129== by 0x14173D: remoteDispatchConnectListAllDomains (remote.c:1580) ==24129== by 0x121BE1: remoteDispatchConnectListAllDomainsHelper (remote_dispatch.h:1072) In short, every time a client calls a ListAll variant and asks for the resulting list, but there are 0 elements to return, we end up leaking the 1-entry array that holds the NULL terminator. What's worse, a read-only client can access these functions in a tight loop to cause libvirtd to eventually run out of memory; and this can be considered a denial of service attack against more privileged clients. Thankfully, the leak is so small (8 bytes per call) that you would already have some other denial of service with any guest calling the API that frequently, so an out-of-memory crash is unlikely enough that this did not warrant a CVE. * daemon/remote.c (remoteDispatchConnectListAllDomains) (remoteDispatchDomainListAllSnapshots) (remoteDispatchDomainSnapshotListAllChildren) (remoteDispatchConnectListAllStoragePools) (remoteDispatchStoragePoolListAllVolumes) (remoteDispatchConnectListAllNetworks) (remoteDispatchConnectListAllInterfaces) (remoteDispatchConnectListAllNodeDevices) (remoteDispatchConnectListAllNWFilters) (remoteDispatchConnectListAllSecrets) (remoteDispatchNetworkGetDHCPLeases): Plug leak. Signed-off-by: Eric Blake <eblake@redhat.com> (cherry picked from commit `3c2ff5029b`)	2015-03-16 10:34:14 -06:00
Peter Krempa	c518518bd0	qemu: Exit job on error path of qemuDomainSetVcpusFlags() Commit `e105dc9814` moved some code but didn't adjust the jump labels so that the job would be terminated. (cherry picked from commit `0df2f0404f`)	2015-02-18 18:26:47 +01:00
Pavel Hrdina	5e7b535238	qemu_cgroup: initialize mem_mask to NULL If 'virNumaGetHostNodeset()' fails then the error path will try to free uninitialized pointer mem_mask. Introduced by commit `af2a1f058`. Signed-off-by: Pavel Hrdina <phrdina@redhat.com> (cherry picked from commit `77a9dc0b8d`) Signed-off-by: Pavel Hrdina <phrdina@redhat.com>	2015-02-17 14:51:00 +01:00
Peter Krempa	0e1054a129	util: bitmap: Tolerate NULL bitmaps in virBitmapEqual After virBitmapEqual is able to compare NULL bitmaps few bits of code can be cleaned up. (cherry picked from commit `20448c2a72`) Signed-off-by: Ján Tomko <jtomko@redhat.com> Partial backport without the cleanup.	2015-02-12 16:05:01 +01:00
Daniel P. Berrange	1021df2815	qemu: do upfront check for vcpupids being null when querying pinning The qemuDomainHelperGetVcpus attempted to report an error when the vcpupids info was NULL. Unfortunately earlier code would clamp the value of 'maxinfo' to 0 when nvcpupids was 0, so the error reporting would end up being skipped. This lead to 'virsh vcpuinfo <dom>' just returning an empty list instead of giving the user a clear error. (cherry picked from commit `9358b63a0d`)	2015-02-12 13:08:27 +00:00
Daniel P. Berrange	b89978d53d	qemu: fix setting of VM CPU affinity with TCG If a previous commit I fixed the incorrect handling of vcpu pids for TCG mode QEMU: commit `b07f3d821d` Author: Daniel P. Berrange <berrange@redhat.com> Date: Thu Dec 18 16:34:39 2014 +0000 Don't setup fake CPU pids for old QEMU The code assumes that def->vcpus == nvcpupids, so when we setup fake CPU pids for old QEMU with nvcpupids == 1, we cause the later code to read off the end of the array. This has fun results like sche_setaffinity(0, ...) which changes libvirtd's own CPU affinity, or even better sched_setaffinity($RANDOM, ...) which changes the affinity of a random OS process. The intent was that this would merely disable the ability to set per-vCPU affinity. It should still have been possible to set VM level host CPU affinity. Unfortunately, when you set <vcpu cpuset='0-1'>4</vcpu>, the XML parser will internally take this & initialize an entry in the def->cputune.vcpupin array for every VCPU. IOW this is implicitly being treated as <cputune> <vcpupin cpuset='0-1' vcpu='0'/> <vcpupin cpuset='0-1' vcpu='1'/> <vcpupin cpuset='0-1' vcpu='2'/> <vcpupin cpuset='0-1' vcpu='3'/> </cputune> Even more fun, the faked cputune elements are hidden from view when querying the live XML, because their cpuset mask is the same as the VM default cpumask. The upshot was that it was impossible to set VM level CPU affinity. To fix this we must update qemuProcessSetVcpuAffinities so that it only reports a fatal error if the per-VCPU cpu mask is different from the VM level cpu mask. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> (cherry picked from commit `a103bb105c`)	2015-02-12 13:08:22 +00:00