Fix CVE-2023-2700 + bugfixes

2023-07-12 13:43:01 +00:00
12 changed files with 21 additions and 243 deletions
--- a/SOURCES/libvirt-lib-Set-up-cpuset-controller-for-restrictive-numatune.patch
+++ b/SOURCES/libvirt-lib-Set-up-cpuset-controller-for-restrictive-numatune.patch
@ -1,77 +0,0 @@
-From 08ddc711a2e6d94a0fce55fec8e012a434655d2c Mon Sep 17 00:00:00 2001
-Message-ID: <08ddc711a2e6d94a0fce55fec8e012a434655d2c.1690812875.git.jdenemar@redhat.com>
-From: Michal Privoznik <mprivozn@redhat.com>
-Date: Fri, 1 Apr 2022 14:30:05 +0200
-Subject: [PATCH] lib: Set up cpuset controller for restrictive numatune
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The aim of 'restrictive' numatune mode is to rely solely on
-CGroups to have QEMU running on configured NUMA nodes.  However,
-we were never setting the cpuset controller when a domain was
-starting up. We are doing so only when
-virDomainSetNumaParameters() is called (aka live pinning).
-
-This is obviously wrong. Fortunately, fix is simple as
-'restrictive' is similar to 'strict' - every location where
-VIR_DOMAIN_NUMATUNE_MEM_STRICT occurs can be audited and
-VIR_DOMAIN_NUMATUNE_MEM_RESTRICTIVE case can be added.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2070380
-Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
-Reviewed-by: Ján Tomko <jtomko@redhat.com>
-(cherry picked from commit 629282d8845407c1aff9a26f5dc026e15121f8cd)
-
-Conflicts:
- src/ch/ch_process.c: The CH driver diverged because it's
-  unsupported downstream. Just drop the conflicting hunk from
-  there.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2223464
-Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
- src/lxc/lxc_controller.c | 3 ++-
- src/qemu/qemu_process.c  | 6 ++++--
- 2 files changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
-index 3c930eaacd..6fd8373256 100644
--- a/src/lxc/lxc_controller.c
-+++ b/src/lxc/lxc_controller.c
-@@ -812,7 +812,8 @@ static int virLXCControllerSetupResourceLimits(virLXCController *ctrl)
-     virDomainNumatuneMemMode mode;
- 
-     if (virDomainNumatuneGetMode(ctrl->def->numa, -1, &mode) == 0) {
-        if (mode == VIR_DOMAIN_NUMATUNE_MEM_STRICT &&
-+        if ((mode == VIR_DOMAIN_NUMATUNE_MEM_STRICT ||
-+             mode == VIR_DOMAIN_NUMATUNE_MEM_RESTRICTIVE) &&
-             virCgroupControllerAvailable(VIR_CGROUP_CONTROLLER_CPUSET)) {
-             /* Use virNuma* API iff necessary. Once set and child is exec()-ed,
-              * there's no way for us to change it. Rely on cgroups (if available
-diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
-index 0fb665bc82..73d54f01cd 100644
--- a/src/qemu/qemu_process.c
-+++ b/src/qemu/qemu_process.c
-@@ -2645,7 +2645,8 @@ qemuProcessSetupPid(virDomainObj *vm,
-         virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_CPUSET)) {
- 
-         if (virDomainNumatuneGetMode(vm->def->numa, -1, &mem_mode) == 0 &&
-            mem_mode == VIR_DOMAIN_NUMATUNE_MEM_STRICT &&
-+            (mem_mode == VIR_DOMAIN_NUMATUNE_MEM_STRICT ||
-+             mem_mode == VIR_DOMAIN_NUMATUNE_MEM_RESTRICTIVE) &&
-             virDomainNumatuneMaybeFormatNodeset(vm->def->numa,
-                                                 priv->autoNodeset,
-                                                 &mem_mask, -1) < 0)
-@@ -3162,7 +3163,8 @@ static int qemuProcessHook(void *data)
-         goto cleanup;
- 
-     if (virDomainNumatuneGetMode(h->vm->def->numa, -1, &mode) == 0) {
-        if (mode == VIR_DOMAIN_NUMATUNE_MEM_STRICT &&
-+        if ((mode == VIR_DOMAIN_NUMATUNE_MEM_STRICT ||
-+             mode == VIR_DOMAIN_NUMATUNE_MEM_RESTRICTIVE) &&
-             h->cfg->cgroupControllers & (1 << VIR_CGROUP_CONTROLLER_CPUSET) &&
-             virCgroupControllerAvailable(VIR_CGROUP_CONTROLLER_CPUSET)) {
-             /* Use virNuma* API iff necessary. Once set and child is exec()-ed,
-- 
-2.41.0
--- a/SOURCES/libvirt-node_device_conf-Avoid-memleak-in-virNodeDeviceGetPCIVPDDynamicCap.patch
+++ b/SOURCES/libvirt-node_device_conf-Avoid-memleak-in-virNodeDeviceGetPCIVPDDynamicCap.patch
@ -21,6 +21,7 @@ Reviewed-by: Peter Krempa <pkrempa@redhat.com>
 (cherry picked from commit 64d32118540aca3d42bc5ee21c8b780cafe04bfa)
 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-2700
 Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: David Sloboda <david.x.sloboda@oracle.com>
 ---
 src/conf/node_device_conf.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
--- a/SOURCES/libvirt-nodedev-update-transient-mdevs.patch
+++ b/SOURCES/libvirt-nodedev-update-transient-mdevs.patch
@ -1,79 +0,0 @@
-From aebcc09c7060f6eace93821c6a782031cf107d85 Mon Sep 17 00:00:00 2001
-Message-ID: <aebcc09c7060f6eace93821c6a782031cf107d85.1687452713.git.jdenemar@redhat.com>
-From: Boris Fiuczynski <fiuczy@linux.ibm.com>
-Date: Mon, 8 May 2023 19:10:46 +0200
-Subject: [PATCH] nodedev: update transient mdevs
-
-Instead of updating defined mdevs only add another update for active
-devices as well to cover transient mdev devices as well.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2143158
-Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
-Reviewed-by: Jonathon Jongsma <jjongsma@redhat.com>
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2143160
-
-(cherry picked from commit 44a0f2f0c8ff5e78c238013ed297b8fce223ac5a)
-Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
---
- src/node_device/node_device_driver.c | 31 ++++++++++++++++++++++++++++
- 1 file changed, 31 insertions(+)
-
-diff --git a/src/node_device/node_device_driver.c b/src/node_device/node_device_driver.c
-index e6ab4bb94c..943f6121a0 100644
--- a/src/node_device/node_device_driver.c
-+++ b/src/node_device/node_device_driver.c
-@@ -1651,6 +1651,24 @@ virMdevctlListDefined(virNodeDeviceDef ***devs, char **errmsg)
- }
- 
- 
-+static int
-+virMdevctlListActive(virNodeDeviceDef ***devs, char **errmsg)
-+{
-+    int status;
-+    g_autofree char *output = NULL;
-+    g_autoptr(virCommand) cmd = nodeDeviceGetMdevctlListCommand(false, &output, errmsg);
-+
-+    if (virCommandRun(cmd, &status) < 0 || status != 0) {
-+        return -1;
-+    }
-+
-+    if (!output)
-+        return -1;
-+
-+    return nodeDeviceParseMdevctlJSON(output, devs);
-+}
-+
-+
- typedef struct _virMdevctlForEachData virMdevctlForEachData;
- struct _virMdevctlForEachData {
-     int ndefs;
-@@ -1712,6 +1730,8 @@ int
- nodeDeviceUpdateMediatedDevices(void)
- {
-     g_autofree virNodeDeviceDef **defs = NULL;
-+    g_autofree virNodeDeviceDef **act_defs = NULL;
-+    int act_ndefs = 0;
-     g_autofree char *errmsg = NULL;
-     g_autofree char *mdevctl = NULL;
-     virMdevctlForEachData data = { 0, };
-@@ -1738,6 +1758,17 @@ nodeDeviceUpdateMediatedDevices(void)
-         if (nodeDeviceUpdateMediatedDevice(defs[i]) < 0)
-             return -1;
- 
-+    /* Update active/transient mdev devices */
-+    if ((act_ndefs = virMdevctlListActive(&act_defs, &errmsg)) < 0) {
-+        virReportError(VIR_ERR_INTERNAL_ERROR,
-+                       _("failed to query mdevs from mdevctl: %1$s"), errmsg);
-+        return -1;
-+    }
-+
-+    for (i = 0; i < act_ndefs; i++)
-+        if (nodeDeviceUpdateMediatedDevice(act_defs[i]) < 0)
-+            return -1;
-+
-     return 0;
- }
- 
-- 
-2.41.0
--- a/SOURCES/libvirt-qemu-Make-struct-_qemuMonitorMessage-private.patch
+++ b/SOURCES/libvirt-qemu-Make-struct-_qemuMonitorMessage-private.patch
@ -14,6 +14,7 @@ Signed-off-by: Peter Krempa <pkrempa@redhat.com>
 Reviewed-by: Ján Tomko <jtomko@redhat.com>
 (cherry picked from commit f9ae469a6ebb17e0990096e826f049c1c46cd760)
 https://bugzilla.redhat.com/show_bug.cgi?id=2170472
+Signed-off-by: David Sloboda <david.x.sloboda@oracle.com>
 ---
 src/qemu/qemu_monitor.h      | 14 --------------
 src/qemu/qemu_monitor_json.c |  3 +++
--- a/SOURCES/libvirt-qemu-monitor-Drop-old-monitor-fields-from-struct-_qemuMonitorMessage.patch
+++ b/SOURCES/libvirt-qemu-monitor-Drop-old-monitor-fields-from-struct-_qemuMonitorMessage.patch
@ -15,6 +15,7 @@ Signed-off-by: Peter Krempa <pkrempa@redhat.com>
 Reviewed-by: Ján Tomko <jtomko@redhat.com>
 (cherry picked from commit c5eb99a9d9af8683789e99cc904671e343580058)
 https://bugzilla.redhat.com/show_bug.cgi?id=2170472
+Signed-off-by: David Sloboda <david.x.sloboda@oracle.com>
 ---
 src/qemu/qemu_monitor.h | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
--- a/SOURCES/libvirt-qemu-monitor-Move-declaration-of-struct-_qemuMonitor-to-qemu_monitor_priv.h.patch
+++ b/SOURCES/libvirt-qemu-monitor-Move-declaration-of-struct-_qemuMonitor-to-qemu_monitor_priv.h.patch
@ -16,6 +16,7 @@ Signed-off-by: Peter Krempa <pkrempa@redhat.com>
 Reviewed-by: Ján Tomko <jtomko@redhat.com>
 (cherry picked from commit 7c35c483eaa78eb847e0865cbb210d5355f75d7a)
 https://bugzilla.redhat.com/show_bug.cgi?id=2170472
+Signed-off-by: David Sloboda <david.x.sloboda@oracle.com>
 ---
 src/qemu/qemu_monitor.c      | 50 ---------------------------------
 src/qemu/qemu_monitor_priv.h | 54 ++++++++++++++++++++++++++++++++++++
--- a/SOURCES/libvirt-qemu-monitor-Store-whether-query-named-block-nodes-supports-flat-parameter.patch
+++ b/SOURCES/libvirt-qemu-monitor-Store-whether-query-named-block-nodes-supports-flat-parameter.patch
@ -19,6 +19,7 @@ Signed-off-by: Peter Krempa <pkrempa@redhat.com>
 Reviewed-by: Ján Tomko <jtomko@redhat.com>
 (cherry picked from commit b0e4ad5263c73a926b8246028c76c552b07fca74)
 https://bugzilla.redhat.com/show_bug.cgi?id=2170472
+Signed-off-by: David Sloboda <david.x.sloboda@oracle.com>
 ---
 src/qemu/qemu_monitor.c      | 4 +++-
 src/qemu/qemu_monitor_priv.h | 2 ++
--- a/SOURCES/libvirt-qemu-qemuBlockGetNamedNodeData-Remove-pointless-error-path.patch
+++ b/SOURCES/libvirt-qemu-qemuBlockGetNamedNodeData-Remove-pointless-error-path.patch
@ -20,6 +20,7 @@ Reviewed-by: Ján Tomko <jtomko@redhat.com>
    - qemuDomainObjEnter/ExitMonitor still needs 'driver'

 https://bugzilla.redhat.com/show_bug.cgi?id=2170472
+Signed-off-by: David Sloboda <david.x.sloboda@oracle.com>
 ---
 src/qemu/qemu_block.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
--- a/SOURCES/libvirt-qemu-relax-shared-memory-check-for-vhostuser-daemons.patch
+++ b/SOURCES/libvirt-qemu-relax-shared-memory-check-for-vhostuser-daemons.patch
@ -1,65 +0,0 @@
-From e9418cec1ba24b6cf78f85bbbef8586ed612692a Mon Sep 17 00:00:00 2001
-Message-Id: <e9418cec1ba24b6cf78f85bbbef8586ed612692a@dist-git>
-From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
-Date: Mon, 13 Mar 2023 13:56:47 +0100
-Subject: [PATCH] qemu: relax shared memory check for vhostuser daemons
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-For some vhostuser daemons, we validate that the guest memory is shared
-with the host.
-
-With earlier versions of QEMU, it was only possible to mark memory
-as shared by defining an explicit NUMA topology.  Later, QEMU exposed
-the name of the default memory backend (defaultRAMid) so we can mark
-that memory as shared.
-
-Since libvirt commit:
-  commit bff2ad5d6b1f25da02802273934d2a519159fec7
-    qemu: Relax validation for mem->access if guest has no NUMA
-we already check for the case when user requests shared memory,
-but QEMU did not expose defaultRAMid.
-
-Drop the duplicit check from vhostuser device validation, to make
-it pass on hotplug even after libvirtd restart.
-
-This avoids the need to store the defaultRAMid, since we don't really
-need it for anything after the VM has been already started.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=2078693
-https://bugzilla.redhat.com/show_bug.cgi?id=2177701
-
-Signed-off-by: Ján Tomko <jtomko@redhat.com>
-Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
-(cherry picked from commit d5c7b7870e45575f81fffcb611c2546d0e02e778)
-Signed-off-by: Ján Tomko <jtomko@redhat.com>
---
- src/qemu/qemu_validate.c | 8 ++------
- 1 file changed, 2 insertions(+), 6 deletions(-)
-
-diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
-index 7bc14293d6..4069f47c12 100644
--- a/src/qemu/qemu_validate.c
-+++ b/src/qemu/qemu_validate.c
-@@ -1588,16 +1588,12 @@ qemuValidateDomainVirtioOptions(const virDomainVirtioOptions *virtio,
- static int
- qemuValidateDomainDefVhostUserRequireSharedMemory(const virDomainDef *def,
-                                                   const char *name,
-                                                  virQEMUCaps *qemuCaps)
-+                                                  virQEMUCaps *qemuCaps G_GNUC_UNUSED)
- {
-    const char *defaultRAMId = virQEMUCapsGetMachineDefaultRAMid(qemuCaps,
-                                                                 def->virtType,
-                                                                 def->os.machine);
-     size_t numa_nodes = virDomainNumaGetNodeCount(def->numa);
-     size_t i;
- 
-    if (numa_nodes == 0 &&
-        !(defaultRAMId && def->mem.access == VIR_DOMAIN_MEMORY_ACCESS_SHARED)) {
-+    if (numa_nodes == 0 && def->mem.access != VIR_DOMAIN_MEMORY_ACCESS_SHARED) {
-         virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
-                        _("'%s' requires shared memory"), name);
-         return -1;
-- 
-2.40.1
--- a/SOURCES/libvirt-qemuMonitorJSONBlockStatsUpdateCapacityBlockdev-Use-flat-mode-of-query-named-block-nodes.patch
+++ b/SOURCES/libvirt-qemuMonitorJSONBlockStatsUpdateCapacityBlockdev-Use-flat-mode-of-query-named-block-nodes.patch
@ -20,6 +20,7 @@ Signed-off-by: Peter Krempa <pkrempa@redhat.com>
 Reviewed-by: Ján Tomko <jtomko@redhat.com>
 (cherry picked from commit bbd4d4899391b3bd1906cce61a3634f42f4b1bdf)
 https://bugzilla.redhat.com/show_bug.cgi?id=2170472
+Signed-off-by: David Sloboda <david.x.sloboda@oracle.com>
 ---
 src/qemu/qemu_monitor_json.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/SOURCES/libvirt-virpci-Resolve-leak-in-virPCIVirtualFunctionList-cleanup.patch
+++ b/SOURCES/libvirt-virpci-Resolve-leak-in-virPCIVirtualFunctionList-cleanup.patch
@ -36,6 +36,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=2196351
 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-2700

 Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: David Sloboda <david.x.sloboda@oracle.com>
 ---
 src/util/virpci.c | 1 +
 1 file changed, 1 insertion(+)
--- a/SPECS/libvirt.spec
+++ b/SPECS/libvirt.spec
@ -210,7 +210,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 8.0.0
-Release: 22%{?dist}%{?extra_release}
+Release: 19.2%{?dist}%{?extra_release}.alma
 License: LGPLv2+
 URL: https://libvirt.org/

@ -306,17 +306,15 @@ Patch83: libvirt-vircpi-Add-PCIe-5.0-and-6.0-link-speeds.patch
 Patch84: libvirt-conf-Make-VIR_DOMAIN_NET_TYPE_ETHERNET-not-share-host-view.patch
 Patch85: libvirt-qemu-domain-Fix-logic-when-tainting-domain.patch
 Patch86: libvirt-qemu-agent-Make-fetching-of-can-offline-member-from-guest-query-vcpus-optional.patch
+# Patches taken from Oracle Linux libvirt-8.0.0-19.0.2.module+el8.8.0+21112+1cc1a24b.src.rpm
 Patch87: libvirt-qemu-monitor-Drop-old-monitor-fields-from-struct-_qemuMonitorMessage.patch
 Patch88: libvirt-qemu-Make-struct-_qemuMonitorMessage-private.patch
 Patch89: libvirt-qemu-monitor-Move-declaration-of-struct-_qemuMonitor-to-qemu_monitor_priv.h.patch
 Patch90: libvirt-qemu-qemuBlockGetNamedNodeData-Remove-pointless-error-path.patch
 Patch91: libvirt-qemu-monitor-Store-whether-query-named-block-nodes-supports-flat-parameter.patch
 Patch92: libvirt-qemuMonitorJSONBlockStatsUpdateCapacityBlockdev-Use-flat-mode-of-query-named-block-nodes.patch
-Patch93: libvirt-qemu-relax-shared-memory-check-for-vhostuser-daemons.patch
-Patch94: libvirt-virpci-Resolve-leak-in-virPCIVirtualFunctionList-cleanup.patch
-Patch95: libvirt-node_device_conf-Avoid-memleak-in-virNodeDeviceGetPCIVPDDynamicCap.patch
-Patch96: libvirt-nodedev-update-transient-mdevs.patch
-Patch97: libvirt-lib-Set-up-cpuset-controller-for-restrictive-numatune.patch
+Patch93: libvirt-virpci-Resolve-leak-in-virPCIVirtualFunctionList-cleanup.patch
+Patch94: libvirt-node_device_conf-Avoid-memleak-in-virNodeDeviceGetPCIVPDDynamicCap.patch

 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@ -2196,22 +2194,15 @@ exit 0


 %changelog
-* Mon Jul 31 2023 Jiri Denemark <jdenemar@redhat.com> - 8.0.0-22
- lib: Set up cpuset controller for restrictive numatune (rhbz#2223464)
-
-* Thu Jun 22 2023 Jiri Denemark <jdenemar@redhat.com> - 8.0.0-21
- nodedev: update transient mdevs (rhbz#2143160)
-
-* Fri May 19 2023 Jiri Denemark <jdenemar@redhat.com> - 8.0.0-20
- qemu: monitor: Drop old monitor fields from 'struct _qemuMonitorMessage' (rhbz#2170472)
- qemu: Make 'struct _qemuMonitorMessage' private (rhbz#2170472)
- qemu: monitor: Move declaration of struct _qemuMonitor to qemu_monitor_priv.h (rhbz#2170472)
- qemu: qemuBlockGetNamedNodeData: Remove pointless error path (rhbz#2170472)
- qemu: monitor: Store whether 'query-named-block-nodes' supports 'flat' parameter (rhbz#2170472)
- qemuMonitorJSONBlockStatsUpdateCapacityBlockdev: Use 'flat' mode of query-named-block-nodes (rhbz#2170472)
- qemu: relax shared memory check for vhostuser daemons (rhbz#2177701)
- virpci: Resolve leak in virPCIVirtualFunctionList cleanup (CVE-2023-2700)
- node_device_conf: Avoid memleak in virNodeDeviceGetPCIVPDDynamicCap() (CVE-2023-2700)
+* Wed Jul 12 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 8.0.0-19.2.alma
+- qemu: monitor: Drop old monitor fields from 'struct _qemuMonitorMessage'
+- qemu: Make 'struct _qemuMonitorMessage' private
+- qemu: monitor: Move declaration of struct _qemuMonitor to qemu_monitor_priv.h
+- qemu: qemuBlockGetNamedNodeData: Remove pointless error path
+- qemu: monitor: Store whether 'query-named-block-nodes' supports 'flat' parameter
+- qemuMonitorJSONBlockStatsUpdateCapacityBlockdev: Use 'flat' mode of query-named-block-nodes
+- virpci: Resolve leak in virPCIVirtualFunctionList cleanup [CVE-2023-2700]
+- node_device_conf: Avoid memleak in virNodeDeviceGetPCIVPDDynamicCap() [CVE-2023-2700]

 * Tue Mar 14 2023 Jiri Denemark <jdenemar@redhat.com> - 8.0.0-19
 - qemu: domain: Fix logic when tainting domain (rhbz#2174447)