api: disallow virConnectGetDomainCapabilities on read-only connections

This API can be used to execute arbitrary emulators. Forbid it on read-only connections. Fixes: CVE-2019-10167 Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit 8afa68bac0) Signed-off-by: Ján Tomko <jtomko@redhat.com>
api: disallow virDomainSaveImageGetXMLDesc on read-only connections
2025-09-19 01:44:56 +03:00 · 2019-06-24 10:22:01 +02:00 · 2019-06-24 10:22:01 +02:00 · 2016-10-04 07:45:50 +02:00 · 2016-10-04 07:45:47 +02:00 · 2016-10-04 07:45:45 +02:00
11 changed files with 36 additions and 33 deletions
--- a/cfg.mk
+++ b/cfg.mk
@@ -1259,7 +1259,7 @@ exclude_file_name_regexp--sc_prohibit_include_public_headers_brackets = \
  ^(tools/|examples/|include/libvirt/(virterror|libvirt(-(admin|qemu|lxc))?)\.h$$)

 exclude_file_name_regexp--sc_prohibit_int_ijk = \
-  ^(src/remote_protocol-structs|src/remote/remote_protocol.x|cfg.mk|include/|src/admin_protocol-structs|src/admin/admin_protocol.x)$
+  ^(src/remote_protocol-structs|src/remote/remote_protocol\.x|cfg\.mk|include/libvirt/libvirt.+|src/admin_protocol-structs|src/admin/admin_protocol\.x)$$

 exclude_file_name_regexp--sc_prohibit_getenv = \
  ^tests/.*\.[ch]$$
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -926,6 +926,9 @@ Requires: gzip
 Requires: bzip2
 Requires: lzop
 Requires: xz
+            %if 0%{?fedora} >= 24
+Requires: systemd-container
+            %endif

 %description daemon-driver-qemu
 The qemu driver plugin for the libvirtd daemon, providing
@@ -941,6 +944,9 @@ Group: Development/Libraries
 Requires: libvirt-daemon = %{version}-%{release}
 # There really is a hard cross-driver dependency here
 Requires: libvirt-daemon-driver-network = %{version}-%{release}
+            %if 0%{?fedora} >= 24
+Requires: systemd-container
+            %endif

 %description daemon-driver-lxc
 The LXC driver plugin for the libvirtd daemon, providing
--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
@@ -1077,9 +1077,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,
 * previously by virDomainSave() or virDomainSaveFlags().
 *
 * No security-sensitive data will be included unless @flags contains
- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
- * connections.  For this API, @flags should not contain either
- * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
+ * VIR_DOMAIN_XML_SECURE.
 *
 * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
 * error.  The caller must free() the returned value.
@@ -1095,12 +1093,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,

    virCheckConnectReturn(conn, NULL);
    virCheckNonNullArgGoto(file, error);
-
-    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
-        virReportError(VIR_ERR_OPERATION_DENIED, "%s",
-                       _("virDomainSaveImageGetXMLDesc with secure flag"));
-        goto error;
-    }
+    virCheckReadOnlyGoto(conn->flags, error);

    if (conn->driver->domainSaveImageGetXMLDesc) {
        char *ret;
@@ -11316,6 +11309,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn,
    virResetLastError();

    virCheckConnectReturn(conn, NULL);
+    virCheckReadOnlyGoto(conn->flags, error);

    if (conn->driver->connectGetDomainCapabilities) {
        char *ret;
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -4197,7 +4197,7 @@ lxcDomainAttachDeviceNetLive(virConnectPtr conn,
    if (!priv->initpid) {
        virReportError(VIR_ERR_OPERATION_INVALID, "%s",
                       _("Cannot attach disk until init PID is known"));
-        goto cleanup;
+        return -1;
    }

    /* preallocate new slot for device */
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1570,7 +1570,7 @@ iptablesCreateRuleInstanceStateCtrl(virFirewallPtr fw,
                                    const char *ifname,
                                    virNWFilterVarCombIterPtr vars)
 {
-    int rc;
+    int rc = 0;
    bool directionIn = false;
    char chainPrefix[2];
    bool maySkipICMP, inout = false;
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -2783,6 +2783,7 @@ qemuBuildMemoryBackendStr(unsigned long long size,
    int ret = -1;
    virJSONValuePtr props = NULL;
    bool nodeSpecified = virDomainNumatuneNodeSpecified(def->numa, guestNode);
+    bool needHugepage = !!pagesize;

    *backendProps = NULL;
    *backendType = NULL;
@@ -2805,10 +2806,10 @@ qemuBuildMemoryBackendStr(unsigned long long size,
        mode = VIR_DOMAIN_NUMATUNE_MEM_STRICT;

    if (pagesize == 0) {
+        bool thisHugepage = false;
+
        /* Find the huge page size we want to use */
        for (i = 0; i < def->mem.nhugepages; i++) {
-            bool thisHugepage = false;
-
            hugepage = &def->mem.hugepages[i];

            if (!hugepage->nodemask) {
@@ -2830,6 +2831,7 @@ qemuBuildMemoryBackendStr(unsigned long long size,

            if (thisHugepage) {
                /* Hooray, we've found the page size */
+                needHugepage = true;
                break;
            }
        }
@@ -2936,7 +2938,7 @@ qemuBuildMemoryBackendStr(unsigned long long size,
    }

    /* If none of the following is requested... */
-    if (!pagesize && !userNodeset && !memAccess && !nodeSpecified && !force) {
+    if (!needHugepage && !userNodeset && !memAccess && !nodeSpecified && !force) {
        /* report back that using the new backend is not necessary
         * to achieve the desired configuration */
        ret = 1;
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -6688,7 +6688,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,
    if (fd < 0)
        goto cleanup;

-    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
+    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
        goto cleanup;

    ret = qemuDomainDefFormatXML(driver, def, flags);
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -4029,6 +4029,7 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
    time_t now = time(NULL);
    char expire_time [64];
    const char *connected = NULL;
+    const char *password;
    int ret = -1;
    virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);

@@ -4036,16 +4037,14 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
        ret = 0;
        goto cleanup;
    }
+    password = auth->passwd ? auth->passwd : defaultPasswd;

    if (auth->connected)
        connected = virDomainGraphicsAuthConnectedTypeToString(auth->connected);

    if (qemuDomainObjEnterMonitorAsync(driver, vm, asyncJob) < 0)
        goto cleanup;
-    ret = qemuMonitorSetPassword(priv->mon,
-                                 type,
-                                 auth->passwd ? auth->passwd : defaultPasswd,
-                                 connected);
+    ret = qemuMonitorSetPassword(priv->mon, type, password, connected);

    if (ret == -2) {
        if (type != VIR_DOMAIN_GRAPHICS_TYPE_VNC) {
@@ -4053,14 +4052,15 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
                           _("Graphics password only supported for VNC"));
            ret = -1;
        } else {
-            ret = qemuMonitorSetVNCPassword(priv->mon,
-                                            auth->passwd ? auth->passwd : defaultPasswd);
+            ret = qemuMonitorSetVNCPassword(priv->mon, password);
        }
    }
    if (ret != 0)
        goto end_job;

-    if (auth->expires) {
+    if (password[0] == '\0') {
+        snprintf(expire_time, sizeof(expire_time), "now");
+    } else if (auth->expires) {
        time_t lifetime = auth->validTo - now;
        if (lifetime <= 0)
            snprintf(expire_time, sizeof(expire_time), "now");
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -4934,8 +4934,7 @@ enum remote_procedure {
    /**
     * @generate: both
     * @priority: high
-     * @acl: domain:read
-     * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
+     * @acl: domain:write
     */
    REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,

--- a/src/util/virbitmap.c
+++ b/src/util/virbitmap.c
@@ -819,6 +819,10 @@ virBitmapLastSetBit(virBitmapPtr bitmap)
    ssize_t sz;
    unsigned long bits;

+    /* If bitmap is empty then there is no set bit */
+    if (bitmap->map_len == 0)
+        return -1;
+
    unusedBits = bitmap->map_len * VIR_BITMAP_BITS_PER_UNIT - bitmap->max_bit;

    sz = bitmap->map_len - 1;
@@ -836,8 +840,8 @@ virBitmapLastSetBit(virBitmapPtr bitmap)
            goto found;
    }

-    if (bits == 0)
-        return -1;
+    /* Only reached if no set bit was found */
+    return -1;

 found:
    for (i = VIR_BITMAP_BITS_PER_UNIT - 1; i >= 0; i--) {
--- a/tests/qemuxml2argvdata/qemuxml2argv-hugepages-pages2.args
+++ b/tests/qemuxml2argvdata/qemuxml2argv-hugepages-pages2.args
@@ -10,12 +10,10 @@ QEMU_AUDIO_DRV=none \
 -M pc \
 -m 1024 \
 -smp 2 \
-object memory-backend-file,id=ram-node0,prealloc=yes,\
-mem-path=/dev/hugepages2M/libvirt/qemu,size=268435456 \
-numa node,nodeid=0,cpus=0,memdev=ram-node0 \
-object memory-backend-file,id=ram-node1,prealloc=yes,\
-mem-path=/dev/hugepages2M/libvirt/qemu,size=805306368 \
-numa node,nodeid=1,cpus=1,memdev=ram-node1 \
+-mem-prealloc \
+-mem-path /dev/hugepages2M/libvirt/qemu \
+-numa node,nodeid=0,cpus=0,mem=256 \
+-numa node,nodeid=1,cpus=1,mem=768 \
 -uuid ef1bdff4-27f3-4e85-a807-5fb4d58463cc \
 -nographic \
 -nodefaults \
Author	SHA1	Message	Date
Ján Tomko	ab728b5658	api: disallow virConnectGetDomainCapabilities on read-only connections This API can be used to execute arbitrary emulators. Forbid it on read-only connections. Fixes: CVE-2019-10167 Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `8afa68bac0`) Signed-off-by: Ján Tomko <jtomko@redhat.com>	2019-06-24 10:22:01 +02:00
Ján Tomko	a8ae178438	api: disallow virDomainSaveImageGetXMLDesc on read-only connections The virDomainSaveImageGetXMLDesc API is taking a path parameter, which can point to any path on the system. This file will then be read and parsed by libvirtd running with root privileges. Forbid it on read-only connections. Fixes: CVE-2019-10161 Reported-by: Matthias Gerstner <mgerstner@suse.de> Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `aed6a032ce`) Signed-off-by: Ján Tomko <jtomko@redhat.com> Conflicts: src/libvirt-domain.c src/remote/remote_protocol.x Upstream commit `12a51f372` which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE alias for VIR_DOMAIN_XML_SECURE is not backported. Just skip the commit since we now disallow the whole API on read-only connections, regardless of the flag. Signed-off-by: Ján Tomko <jtomko@redhat.com>	2019-06-24 10:22:01 +02:00
Martin Kletzander	303047146e	spec: Fix indentation Fixed in master by multiple commits. This merely makes sure syntax-check works with cppi installed. Signed-off-by: Martin Kletzander <mkletzan@redhat.com>	2016-10-04 07:45:50 +02:00
Pavel Hrdina	4ccc2ec4f9	maint: fix syntax-check sc_prohibit_int_ijk exclude rule Fix the regex for excluding files for this syntax-rule. The rule "include/" will not work, because we are matching the whole line like this "^(...\|include/\|...)$ so we need to use "include/libvirt/libvirt.+". The second issue is that we are using only one '$' but there should be two of those at the end. The last small adjustment is to escape dots '.' so it match only dot. Signed-off-by: Pavel Hrdina <phrdina@redhat.com> (cherry picked from commit `a94efa50e2`)	2016-10-04 07:45:47 +02:00
Marc Hartmayer	19ca7bbf10	util: bitmap: clarify virBitmapLastSetBit() behavior for empty bitmaps Before the variable 'bits' was initialized with 0 (commit `3470cd860d`), the following bug was possible. A function call with an empty bitmap leads to undefined behavior. Because if 'bitmap->map_len == 0' 'unusedBits' will be <= 0 and 'sz == 1'. So the non global and non static variable 'bits' would have never been set. Consequently the check 'bits == 0' results in undefined behavior. This patch clarifies the current version of the function by handling the empty bitmap explicitly. Also, for an empty bitmap there is obviously no bit set so we can just return -1 (indicating no bit set) right away. The explicit check for 'bits == 0' after the loop is unnecessary because we only get to this point if no set bit was found. Reviewed-by: Boris Fiuczynski <fiuczy@linux.vnet.ibm.com> Reviewed-by: Sascha Silbe <silbe@linux.vnet.ibm.com> Reviewed-by: Bjoern Walk <bwalk@linux.vnet.ibm.com> Signed-off-by: Marc Hartmayer <mhartmay@linux.vnet.ibm.com> (cherry picked from commit `7cd01a248b`)	2016-10-04 07:45:45 +02:00
Martin Kletzander	2d02be4cf1	Fix building with -Og When building using -Og, gcc sees that some variables can be used uninitialized It can be debatable whether it is possible with our codeflow, but functions should be self-contained and initializations are always good. The return instead of goto is due to actualType being used in the cleanup. Signed-off-by: Martin Kletzander <mkletzan@redhat.com> (cherry picked from commit `3470cd860d`)	2016-10-04 07:45:43 +02:00
Martin Kletzander	c2960353ba	qemu: Only use memory-backend-file with NUMA if needed If this reminds you of a commit message from around a year ago, it's `41c2aa729f` and yes, we're dealing with "the same thing" again. Or `f309db1f4d` and it's similar. There is a logic in place that if there is no real need for memory-backend-file, qemuBuildMemoryBackendStr() returns 0. However that wasn't the case with hugepage backing. The reason for that was that we abused the 'pagesize' variable for storing that information, but we should rather have a separate one that specifies whether we really need the new object for hugepage backing. And that variable should be set only if this particular NUMA cell needs special treatment WRT hugepages. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1372153 Signed-off-by: Martin Kletzander <mkletzan@redhat.com> (cherry picked from commit 4372a7845acbc6974f6027ef68e7dd3eeb47f425)	2016-10-04 07:45:36 +02:00
Daniel P. Berrange	e4d0b3d5c0	libvirt.spec.in: require systemd-container on >= f24 The systemd-machined tools libvirt uses were split into a systemd-container RPM. Without depending on this, libvirt may silently fallback to the non-systemd cgroup impl which is not desirable. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> (cherry picked from commit `ffc49e579c`)	2016-07-13 17:48:42 +01:00
Jiri Denemark	040c033292	qemu: Let empty default VNC password work as documented CVE-2016-5008 Setting an empty graphics password is documented as a way to disable VNC/SPICE access, but QEMU does not always behaves like that. VNC would happily accept the empty password. Let's enforce the behavior by setting password expiration to "now". https://bugzilla.redhat.com/show_bug.cgi?id=1180092 Signed-off-by: Jiri Denemark <jdenemar@redhat.com> (cherry picked from commit `bb848feec0`)	2016-07-04 10:18:46 +01:00