Ján Tomko [Fri, 14 Jun 2019 07:17:39 +0000 (09:17 +0200)]
api: disallow virConnect*HypervisorCPU on read-only connections
These APIs can be used to execute arbitrary emulators.
Forbid them on read-only connections.
Fixes: CVE-2019-10168 Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit bf6c2830b6c338b1f5699b095df36f374777b291) Signed-off-by: Ján Tomko <jtomko@redhat.com>
Ján Tomko [Fri, 14 Jun 2019 07:16:14 +0000 (09:16 +0200)]
api: disallow virConnectGetDomainCapabilities on read-only connections
This API can be used to execute arbitrary emulators.
Forbid it on read-only connections.
Fixes: CVE-2019-10167 Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 8afa68bac0cf99d1f8aaa6566685c43c22622f26) Signed-off-by: Ján Tomko <jtomko@redhat.com>
Ján Tomko [Fri, 14 Jun 2019 07:14:53 +0000 (09:14 +0200)]
api: disallow virDomainManagedSaveDefineXML on read-only connections
The virDomainManagedSaveDefineXML can be used to alter the domain's
config used for managedsave or even execute arbitrary emulator binaries.
Forbid it on read-only connections.
Fixes: CVE-2019-10166 Reported-by: Matthias Gerstner <mgerstner@suse.de> Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit db0b78457f183e4c7ac45bc94de86044a1e2056a) Signed-off-by: Ján Tomko <jtomko@redhat.com>
Ján Tomko [Fri, 14 Jun 2019 06:47:42 +0000 (08:47 +0200)]
api: disallow virDomainSaveImageGetXMLDesc on read-only connections
The virDomainSaveImageGetXMLDesc API is taking a path parameter,
which can point to any path on the system. This file will then be
read and parsed by libvirtd running with root privileges.
Forbid it on read-only connections.
Fixes: CVE-2019-10161 Reported-by: Matthias Gerstner <mgerstner@suse.de> Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit aed6a032cead4386472afb24b16196579e239580) Signed-off-by: Ján Tomko <jtomko@redhat.com>
Conflicts:
src/libvirt-domain.c
src/remote/remote_protocol.x
Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
alias for VIR_DOMAIN_XML_SECURE is not backported.
Just skip the commit since we now disallow the whole API on read-only
connections, regardless of the flag.
The virtlogd daemon's only intended client is the libvirtd daemon. As
such it should never allow clients from other user accounts to connect.
The code already enforces this and drops clients from other UIDs, but
we can get earlier (and thus stronger) protection against DoS by setting
the socket permissions to 0600
Fixes CVE-2019-10132
Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit e37bd65f9948c1185456b2cdaa3bd6e875af680f)
The virtlockd daemon's only intended client is the libvirtd daemon. As
such it should never allow clients from other user accounts to connect.
The code already enforces this and drops clients from other UIDs, but
we can get earlier (and thus stronger) protection against DoS by setting
the socket permissions to 0600
Fixes CVE-2019-10132
Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit f111e09468693909b1f067aa575efdafd9a262a1)
admin: reject clients unless their UID matches the current UID
The admin protocol RPC messages are only intended for use by the user
running the daemon. As such they should not be allowed for any client
UID that does not match the server UID.
Fixes CVE-2019-10132
Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 96f41cd765c9e525fe28ee5abbfbf4a79b3720c7)
The bit is set when microcode provides the mechanism to invoke a flush
of various exploitable CPU buffers by invoking the VERW instruction.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 538d873571d7a682852dc1d70e5f4478f4d64e85)
My earlier commit be46f61326 was incomplete. It removed caching of
microcode version in the CPU driver, which means the capabilities XML
will see the correct microcode version. But it is also cached in the
QEMU capabilities cache where it is used to detect whether we need to
reprobe QEMU. By missing the second place, the original commit be46f61326 made the situation even worse since libvirt would report
correct microcode version while still using the old host CPU model
(visible in domain capabilities XML).
Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit 673c62a3b7855a0685d8f116e227c402720b9ee9)
Conflicts:
src/qemu/qemu_capabilities.c
- virQEMUCapsCacheLookupByArch refactoring (commits 7948ad4129a and 1a3de67001c) are missing
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
The microcode version checks are used to invalidate cached CPU data we
get from QEMU. To minimize /proc/cpuinfo parsing the microcode version
was only read when libvirtd started and cached for the daemon's
lifetime. However, the CPU microcode can change anytime (updating the
microcode package can automatically upload it to the CPU) and we need to
stop caching it to avoid using stale CPU model data.
Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit be46f613261d3b655a1f15afd635087e68a9c39b)
Farhan Ali [Thu, 30 Aug 2018 17:07:34 +0000 (13:07 -0400)]
qemu: mdev: Use vfio-pci 'display' property only with vfio-pci mdevs
S390 is aware of both vfio-pci and vfio-ccw devices, so
on S390 the capability QEMU_CAPS_VFIO_PCI_DISPLAY will be
available. Add an extra check to make sure we only set the
display to off for vfio-pci mediated devices. Otherwise we
add display for vfio-ccw device and this breaks vfio-ccw
device qemu command line.
Fixes: d54e45b6e conf: Introduce new <hostdev> attribute 'display' Signed-off-by: Farhan Ali <alifm@linux.ibm.com> Reviewed-by: Marc Hartmayer <mhartmay@linux.ibm.com> Reviewed-by: Erik Skultety <eskultet@redhat.com>
Luyao Huang [Mon, 20 Aug 2018 09:48:33 +0000 (17:48 +0800)]
qemu: Validate memory access during validate domain config
Commit 6534b3c4 tried to raise an error when there is no numa
nodes by setting access='shared' in the domain config, but added
a helper called from qemuDomainDeviceDefValidate instead of a
helper called from qemuDomainDefValidate for XML:
Since there are no memory devices in the test XML, there would
be no validation failure, but the test added was still failing.
Investigating that it turns out that unnecessary XML elements
were causing the failure (no need for <video>, <graphics>,
<pm>, usb controller model "piix3-uhci", disk attribute for
"discard='unmap'", <serial>, <console>, <channel> and a
memballoon model). Removing all those before moving the method
caused the test to succeed.
So this patch moves the validation to the right place and
removes all the unnecessary XML pieces that were causing
a false validation failure.
Simon Kobyda [Wed, 29 Aug 2018 07:48:10 +0000 (09:48 +0200)]
vsh-table: Fix broken build on centos and rhel
The reason of broken build was that centos and rhel use older version of
glibc. These versions of glibc on these platforms cannot work with newer
unicodes, thus causing functions iswprint() and wcwidth() return
unexpected values causing the vshtabletest to fail. Therefore, let's
replace the new unicode characters causing issues with some older ones
to fix the test suite, as the issue would still persist during runtime.
Signed-off-by: Simon Kobyda <skobyda@redhat.com> Reviewed-by: Erik Skultety <eskultet@redhat.com>
Marc Hartmayer [Mon, 27 Aug 2018 13:20:13 +0000 (15:20 +0200)]
virDomainObjListAddLocked: fix double free
If @vm has flagged as "to be removed" virDomainObjListFindByNameLocked
returns NULL (although the definition actually exists). Therefore, the
possibility exits that "virHashAddEntry" will raise the error
"Duplicate key" => virDomainObjListAddObjLocked fails =>
virDomainObjEndAPI(&vm) is called and this leads to a freeing of @def
since @def is already assigned to vm->def. But actually this leads to
a double free since the common usage pattern is that the caller of
virDomainObjListAdd(Locked) is responsible for freeing @def in case of
an error.
Let's fix this by setting vm->def to NULL in case of an error.
Backtrace:
➤ bt
#0 virFree (ptrptr=0x7575757575757575)
#1 0x000003ffb5b25b3e in virDomainResourceDefFree
#2 0x000003ffb5b37c34 in virDomainDefFree
#3 0x000003ff9123f734 in qemuDomainDefineXMLFlags
#4 0x000003ff9123f7f4 in qemuDomainDefineXML
#5 0x000003ffb5cd2c84 in virDomainDefineXML
#6 0x000000011745aa82 in remoteDispatchDomainDefineXML
...
Reviewed-by: Bjoern Walk <bwalk@linux.ibm.com> Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Andrea Bolognani [Tue, 28 Aug 2018 15:40:27 +0000 (17:40 +0200)]
qemu: Add more defaults for RISC-V virt guests
We would have used virtio for networking anyway, but it's
better to be explicit; for graphics, none of the existing
models work right now but virtio is the only one which
has a non-PCI variant, so it's as good a default as any
Spotted-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Andrea Bolognani [Mon, 27 Aug 2018 08:25:17 +0000 (10:25 +0200)]
qemu: Introduce 16550A serial console model
None of the existing models is suitable for use with
RISC-V virt guests, and we don't want information about
the serial console to be missing from the XML.
The name is based on comments in qemu/hw/riscv/virt.c:
RISC-V machine with 16550a UART and VirtIO MMIO
and in qemu/hw/char/serial.c:
QEMU 16550A UART emulation
along with the output of dmesg in the guest:
Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled 10000000.uart: ttyS0 at MMIO 0x10000000 (irq = 13,
base_baud= 230400) is a 16550A
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Thu, 16 Aug 2018 14:19:22 +0000 (16:19 +0200)]
util: json: Allow converting a virTristate(Bool|Switch) into JSON
Add a new modifier letter for virJSONValueObjectAddVArgs which will add
a boolean value with our tristate semantics. The value is omitted when
the _ABSENT value is used.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Erik Skultety <eskultet@redhat.com>
The x86 and ppc impls both duplicate some logic when parsing CPU
features. Change the callback signature so that this duplication can be
pushed up a level to common code.
Reviewed-by: Jiri Denemark <jdenemar@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Two pieces of code accidentally jumped to the wrong label when they
failed causing incorrect cleanup, returning a partially initialized
CPU model struct.
Reviewed-by: Jiri Denemark <jdenemar@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Ján Tomko [Tue, 28 Aug 2018 10:53:25 +0000 (12:53 +0200)]
qemu: initialize variables in qemuParseCommandLine
Commit 6700062 introduced a jump to error which skipped the
initialization of def:
qemu/qemu_parse_command.c:1870:9: error: variable 'def' is
used uninitialized whenever 'if' condition is true
[-Werror,-Wsometimes-uninitialized]
if (!(qemuCaps = virQEMUCapsCacheLookup(capsCache, progargv[0])))
Initialize def to fix this warning and qemuCaps, to prevent
a future error like this.
qemu: fix default machine for argv -> xml convertor
Historically the argv -> xml convertor wanted the same default machine
as we'd set when parsing xml. The latter has now changed, however, to
use a default defined by libvirt. The former needs fixing to again
honour the default QEMU machine.
This exposed a bug in handling for the aarch64 target, as QEMU does not
define any default machine. Thus we should not having been accepting
argv without a -machine provided.
Reviewed-by: John Ferlan <jferlan@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
qemu: rename method for getting preferred machine type
The virQEMUCapsGetDefaultMachine() method doesn't get QEMU's default
machine any more, instead it gets the historical default that libvirt
prefers for each arch. Rename it, so that the old name can be used for
getting QEMU's default.
Reviewed-by: John Ferlan <jferlan@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
qemu: record the QEMU default machine in capabilities
We don't honour the QEMU default machine type anymore, always using the
libvirt chosen default instead. The QEMU argv parser, however, will need
to know the exacty QEMU default, so we must record that info.
Reviewed-by: John Ferlan <jferlan@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Peter Krempa [Mon, 27 Aug 2018 16:06:20 +0000 (18:06 +0200)]
tests: qemuxml2argv: Remove 'args' for tests only used in xml2xmltest
'metadata' and 'leases' are features internal to libvirt and thus don't
influence the generated QEMU command line. As they are not tested we
don't need the output files.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Erik Skultety <eskultet@redhat.com>
Peter Krempa [Mon, 27 Aug 2018 15:59:26 +0000 (17:59 +0200)]
tests: qemuxml2argv: Make use of 'vram64' QXL device tests
The test files were unused, but we don't have any other test for this
feature. Make use of the existing files by removing disks and using
DO_TEST_CAPS_LATEST to execute them. The legacy output files will be
dropped.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Erik Skultety <eskultet@redhat.com>
Katerina Koukiou [Fri, 24 Aug 2018 10:28:41 +0000 (12:28 +0200)]
qemu: qemuDomainChangeNet: validity checks should be done before XML autocompletion
This patch ensures that changes in attributes of interfaces will emit
errors except if they are missing from the XML.
Previously we were falsely reporting successful updates, because some
changed attributes got overwritten before the validity checks.
QEMU is probed through monitor fd to check capabilities during libvirtd init.
The monitor fd is closed after probing by virQEMUCapsInitQMPCommandFree
that calls virQEMUCapsInitQMPCommandAbort that calls qemuMonitorClose,
the latter one notifies the event loop via an interrupt handle in
qemuMonitorUnregister and after then closes monitor fd.
There could be a case when interrupt is sent after eventLoop is unlocked
but before virEventPollRunOnce blocks in poll, shortly before file
descriptor is closed by qemuMonitorClose. Then poll receives closed monitor
fd in fdset and returns EBADF.
EBADF is not mentioned as a valid errno on macOS poll man-page but such
behaviour can appear release-to-release, according to cpython:
https://github.com/python/cpython/blob/master/Modules/selectmodule.c#L1161
The change also fixes the issue in qemucapabilitiestest. It returns
Bad file descriptor message 25 times without the fix.
Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Peter Krempa [Thu, 23 Aug 2018 08:21:03 +0000 (10:21 +0200)]
docs: api_extension: Remove links to the stale example patches
The patches used as an example for the api_extension manual don't hold
up to the current standards any more. Carefully remove links and
mentions of the patches from the docs.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Tue, 14 Aug 2018 15:53:05 +0000 (17:53 +0200)]
qemu: capabilities: Detect active block commit via QMP schema probing if possible
For versions where we can probe that the arguments are optional we can
perform the probing by a schema query rather than sending a separate
command to do so.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
Peter Krempa [Wed, 15 Aug 2018 06:39:19 +0000 (08:39 +0200)]
qemu: qapi: Split up virQEMUQAPISchemaObjectGetType
Split it into a function that returns the whole schema entry so that we
can do additional checks and a helper getting the type string from the
schema entry.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
Peter Krempa [Wed, 15 Aug 2018 06:32:04 +0000 (08:32 +0200)]
qemu: qapi: Simplify value handling in virQEMUQAPISchemaTraverse
Introduce a few variables so that we can easily access the modifier
character and also don't have to do pointer arithmetic when selecting
the schema entries. This will simplify adding of new modifier
characters.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
Add some cautionary words related to the create and delete
NWFilter Binding use cases and possible issues that may result
to the virsh nwfilter-binding-{create|delete} descriptions
and the virNWFilterBinding{CreateXML|Delete) API descriptions.
Essentially summarizing commit 2d9318b6c without using the
shoot yourself in the foot wording.
Signed-off-by: John Ferlan <jferlan@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Generation of the ACL API policy is a "automated process"
based on this perl script which "worked" with the changes to
add nwfilter binding API's because they had the "nwfilter"
prefix; however, the generated output name was incorrect
based on the remote protocol algorithm which expected to
generate names such as 'nwfilter-binding.action' instead
of 'nwfilter.binding-action'.
This effectively changes src/access/org.libvirt.api.policy entries:
Lubomir Rintel [Wed, 22 Aug 2018 09:15:25 +0000 (11:15 +0200)]
qemu: add qemuDomainAssignVirtioMMIOAddresses()
We're going to need to assign virtio-mmio addresses to non-ARM
guests soon, so let's create a generic wrapper that calls to
the architecture-specific implementation.
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk> Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Simon Kobyda [Thu, 23 Aug 2018 15:53:43 +0000 (17:53 +0200)]
vsh: Added tests
For now, there are 9 test cases
- testVshTableNew: Creating table with empty header
- testVshTableHeader: Printing table with/without header
- testVshTableRowAppend: Appending row with various number of cells.
Only row with same number of cells as in header is accepted.
- testUnicode: Printing table with unicode characters.
Checking correct alignment.
- testUnicodeArabic: test opposite (right to left) writing
- testUnicodeZeroWidthChar
- testUnicodeCombiningChar
- testUnicodeNonPrintableChar,
- testNTables: Create and print varios types of tables - one column,
one row table, table without content, standart table...
Simon Kobyda [Thu, 23 Aug 2018 15:53:42 +0000 (17:53 +0200)]
virsh: Implement new table API for virsh list
Instead of printing it straight in virsh, it creates table struct
which is filled with header and rows(domains). It allows us to know
more about table before printing to calculate alignment right.
Simon Kobyda [Thu, 23 Aug 2018 15:53:41 +0000 (17:53 +0200)]
vsh: Add API for printing tables.
It solves problems with alignment of columns. Width of each column
is calculated by its biggest cell. Should solve unicode bug.
In future, it may be implemented in virsh, virt-admin...
This API has 5 public functions:
- vshTableNew - adds new table and defines its header
- vshTableRowAppend - appends new row (for same number of columns as in
header)
- vshTablePrintToStdout
- vshTablePrintToString
- vshTableFree
Andrea Bolognani [Thu, 23 Aug 2018 16:46:52 +0000 (18:46 +0200)]
qemu: Make sure preferredMachines is not missing any entry
With the current implementation, adding a new architecture
and not updating preferredMachines accordingly will not
cause a build failure, making it very likely that subtle
bugs will be introduced in the process. Rework the code
so that such issues will be caught by the compiler.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Erik Skultety <eskultet@redhat.com>
storage: fix the error message when encrypted raw volume resize
The vol-dumpxml shows the volume target format type as raw for
encrypted volumes. The error message when attempting to resize
with prealloc is confusing here.
Signed-off-by: Shivaprasad G Bhat <sbhat@linux.vnet.ibm.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
Peter Krempa [Wed, 22 Aug 2018 11:20:52 +0000 (13:20 +0200)]
qemu: monitor: Fix device matching in qemuMonitorJSONBlockIoThrottleInfo
We should compare the alias/qdev id only when it was provided by the
caller and when it was found in the reply. Otherwise we could
dereference a NULL pointer. STRNEQ_NULLABLE is not appropriate since
it would return 'true' if the string was not present in the JSON output.
Found by Coverity.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
projects / thirdparty / libvirt.git / log
