Merge branch 'c8-stream-rhel' into a8-stream-rhel

This commit is contained in:
eabdullin 2022-11-08 13:21:11 +00:00 committed by Stepan Oksanichenko
commit 69798ff103
6 changed files with 364 additions and 7 deletions

View File

@ -0,0 +1,86 @@
From fbb053fc71c0c072acb3fbf6e5fbbfc3b0667fd2 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Thu, 28 Jan 2021 12:20:49 +0000
Subject: [PATCH] appliance: Use -cpu max.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
QEMU has a newish feature (from about 2017 / qemu 2.9) called -cpu max
which is supposed to select the best CPU, ideal for libguestfs.
After this change, on x86-64:
KVM TCG
Direct -cpu max -cpu max
(non-libvirt)
Libvirt <cpu mode="host-passthrough"> <cpu mode="host-model">
<model fallback="allow"/> <model fallback="allow"/>
</cpu> </cpu>
Thanks: Daniel Berrangé
(cherry picked from commit 30f74f38bd6e42e783ba80895f4d6826abddd417)
---
lib/appliance-cpu.c | 16 ++++++++--------
lib/launch-libvirt.c | 9 +++++++++
2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/lib/appliance-cpu.c b/lib/appliance-cpu.c
index 5ef9f5c72..54ac6e2e3 100644
--- a/lib/appliance-cpu.c
+++ b/lib/appliance-cpu.c
@@ -38,6 +38,11 @@
*
* The literal string C<"host"> means use C<-cpu host>.
*
+ * =item C<"max">
+ *
+ * The literal string C<"max"> means use C<-cpu max> (the best
+ * possible). This requires awkward translation for libvirt.
+ *
* =item some string
*
* Some string such as C<"cortex-a57"> means use C<-cpu cortex-a57>.
@@ -80,14 +85,9 @@ guestfs_int_get_cpu_model (int kvm)
/* See discussion in https://bugzilla.redhat.com/show_bug.cgi?id=1605071 */
return NULL;
#else
- /* On most architectures, it is faster to pass the CPU host model to
- * the appliance, allowing maximum speed for things like checksums
- * and encryption. Only do this with KVM. It is broken in subtle
- * ways on TCG, and fairly pointless when you're emulating anyway.
+ /* On most architectures we can use "max" to get the best possible CPU.
+ * For recent qemu this should work even on TCG.
*/
- if (kvm)
- return "host";
- else
- return NULL;
+ return "max";
#endif
}
diff --git a/lib/launch-libvirt.c b/lib/launch-libvirt.c
index f6bb39d99..e3ff1ffe0 100644
--- a/lib/launch-libvirt.c
+++ b/lib/launch-libvirt.c
@@ -1169,6 +1169,15 @@ construct_libvirt_xml_cpu (guestfs_h *g,
attribute ("fallback", "allow");
} end_element ();
}
+ else if (STREQ (cpu_model, "max")) {
+ if (params->data->is_kvm)
+ attribute ("mode", "host-passthrough");
+ else
+ attribute ("mode", "host-model");
+ start_element ("model") {
+ attribute ("fallback", "allow");
+ } end_element ();
+ }
else
single_element ("model", cpu_model);
} end_element ();
--
2.31.1

View File

@ -0,0 +1,48 @@
From 7dde1007525ec235e769351be15ca5de34eeda4a Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Thu, 18 Mar 2021 12:32:26 +0000
Subject: [PATCH] appliance: Use <cpu mode="maximum"/> for -cpu max on libvirt.
Note this requires libvirt >= 7.1.0 which was only released in March 2021.
With an older libvirt you will see this error:
Original error from libvirt: unsupported configuration: Invalid mode attribute 'maximum' [code=67 int1=-1]
In theory we could check if this is supported by looking at the
libvirt capabilities and fall back, but this commit does not do that,
in the expectation that most people will be using the default backend
(direct) and on Fedora/RHEL we will add an explicit minimum version
dependency to the package.
qemu support has been around quite a bit longer (at least since 2017).
Fixes: commit 30f74f38bd6e42e783ba80895f4d6826abddd417
(cherry picked from commit 13ceb6a87b2869909a6a0e3c8caa962b72e4cb0e)
---
lib/launch-libvirt.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/lib/launch-libvirt.c b/lib/launch-libvirt.c
index e3ff1ffe0..db619910f 100644
--- a/lib/launch-libvirt.c
+++ b/lib/launch-libvirt.c
@@ -1170,13 +1170,8 @@ construct_libvirt_xml_cpu (guestfs_h *g,
} end_element ();
}
else if (STREQ (cpu_model, "max")) {
- if (params->data->is_kvm)
- attribute ("mode", "host-passthrough");
- else
- attribute ("mode", "host-model");
- start_element ("model") {
- attribute ("fallback", "allow");
- } end_element ();
+ /* https://bugzilla.redhat.com/show_bug.cgi?id=1935572#c11 */
+ attribute ("mode", "maximum");
}
else
single_element ("model", cpu_model);
--
2.31.1

View File

@ -0,0 +1,92 @@
From bb19cc0cdd43619ccf830e1e608f79e46f8ddf86 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Thu, 12 May 2022 08:36:37 +0100
Subject: [PATCH] lib: Disable 5-level page tables when using -cpu max
In https://bugzilla.redhat.com/show_bug.cgi?id=2082806 we've been
tracking an insidious qemu bug which intermittently prevents the
libguestfs appliance from starting. The symptoms are that SeaBIOS
starts and displays its messages, but the kernel isn't reached. We
found that the kernel does in fact start, but when it tries to set up
page tables and jump to protected mode it gets a triple fault which
causes the emulated CPU in qemu to reset (qemu exits).
This seems to only affect TCG (not KVM).
Yesterday I found that this is caused by using -cpu max which enables
the "la57" feature (5-level page tables[0]), and that we can make the
problem go away using -cpu max,la57=off. Note that I still don't
fully understand the qemu bug, so this is only a workaround.
I chose to disable 5-level page tables for both TCG and KVM, partly to
make the patch simpler, and partly because I guess it's not a feature
(ie. 57 bit linear addresses) that is useful for the libguestfs
appliance case, where we have limited physical memory and no need to
run any programs with huge address spaces.
I tested this by running both the direct & libvirt paths overnight. I
expect that this patch will fail with old qemu/libvirt which doesn't
understand the "la57" feature, but this is only intended as a
temporary workaround.
[0] Article about 5-level page tables as background:
https://lwn.net/Articles/717293/
Thanks: Laszlo Ersek
Fixes: https://answers.launchpad.net/ubuntu/+source/libguestfs/+question/701625
[RHEL 8.7: Patch is not upstream. This is the initial patch as posted
to the mailing list here:
https://listman.redhat.com/archives/libguestfs/2022-May/028853.html]
---
lib/launch-direct.c | 15 +++++++++++++--
lib/launch-libvirt.c | 7 +++++++
2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/lib/launch-direct.c b/lib/launch-direct.c
index de17d2167..6b28e4724 100644
--- a/lib/launch-direct.c
+++ b/lib/launch-direct.c
@@ -534,8 +534,19 @@ launch_direct (guestfs_h *g, void *datav, const char *arg)
} end_list ();
cpu_model = guestfs_int_get_cpu_model (has_kvm && !force_tcg);
- if (cpu_model)
- arg ("-cpu", cpu_model);
+ if (cpu_model) {
+#if defined(__x86_64__)
+ /* Temporary workaround for RHBZ#2082806 */
+ if (STREQ (cpu_model, "max")) {
+ start_list ("-cpu") {
+ append_list (cpu_model);
+ append_list ("la57=off");
+ } end_list ();
+ }
+ else
+#endif
+ arg ("-cpu", cpu_model);
+ }
if (g->smp > 1)
arg_format ("-smp", "%d", g->smp);
diff --git a/lib/launch-libvirt.c b/lib/launch-libvirt.c
index db619910f..bad4a54ea 100644
--- a/lib/launch-libvirt.c
+++ b/lib/launch-libvirt.c
@@ -1172,6 +1172,13 @@ construct_libvirt_xml_cpu (guestfs_h *g,
else if (STREQ (cpu_model, "max")) {
/* https://bugzilla.redhat.com/show_bug.cgi?id=1935572#c11 */
attribute ("mode", "maximum");
+#if defined(__x86_64__)
+ /* Temporary workaround for RHBZ#2082806 */
+ start_element ("feature") {
+ attribute ("policy", "disable");
+ attribute ("name", "la57");
+ } end_element ();
+#endif
}
else
single_element ("model", cpu_model);
--
2.31.1

View File

@ -0,0 +1,103 @@
From 22d779d5982dc82d629710d41973ed6545707bd9 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 28 Jun 2022 13:54:16 +0200
Subject: [PATCH] docs/guestfs-security: document CVE-2022-2211
Short log for the common submodule, commit range
f8de5508fe75..35467027f657:
Laszlo Ersek (2):
mlcustomize: factor out pkg install/update/uninstall from guestfs-tools
options: fix buffer overflow in get_keys() [CVE-2022-2211]
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2100862
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20220628115418.5376-2-lersek@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
Cherry picked from commit 99844660b48ed809e37378262c65d63df6ce4a53.
For the cherry pick I only added one submodule commit:
options: fix buffer overflow in get_keys() [CVE-2022-2211]
---
common | 2 +-
docs/guestfs-security.pod | 28 ++++++++++++++++++++++++++++
2 files changed, 29 insertions(+), 1 deletion(-)
Submodule common be09523d6..1174b443a:
diff --git a/common/options/keys.c b/common/options/keys.c
index 798315c..d27a712 100644
--- a/common/options/keys.c
+++ b/common/options/keys.c
@@ -128,17 +128,23 @@ read_first_line_from_file (const char *filename)
char **
get_keys (struct key_store *ks, const char *device, const char *uuid)
{
- size_t i, j, len;
+ size_t i, j, nmemb;
char **r;
char *s;
/* We know the returned list must have at least one element and not
* more than ks->nr_keys.
*/
- len = 1;
- if (ks)
- len = MIN (1, ks->nr_keys);
- r = calloc (len+1, sizeof (char *));
+ nmemb = 1;
+ if (ks && ks->nr_keys > nmemb)
+ nmemb = ks->nr_keys;
+
+ /* make room for the terminating NULL */
+ if (nmemb == (size_t)-1)
+ error (EXIT_FAILURE, 0, _("size_t overflow"));
+ nmemb++;
+
+ r = calloc (nmemb, sizeof (char *));
if (r == NULL)
error (EXIT_FAILURE, errno, "calloc");
diff --git a/docs/guestfs-security.pod b/docs/guestfs-security.pod
index 9ceef5623..efa35b29d 100644
--- a/docs/guestfs-security.pod
+++ b/docs/guestfs-security.pod
@@ -406,6 +406,34 @@ The libvirt backend is not affected.
The solution is to update qemu to a version containing the fix (see
L<https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html>).
+=head2 CVE-2022-2211
+
+L<https://bugzilla.redhat.com/CVE-2022-2211>
+
+The C<get_keys> function in F<libguestfs-common/options/keys.c> collects
+those I<--key> options from the command line into a new array that match
+a particular block device that's being decrypted for inspection. The
+function intends to size the result array such that potentially all
+I<--key> options, plus a terminating C<NULL> element, fit into it. The
+code mistakenly uses the C<MIN> macro instead of C<MAX>, and therefore
+only one element is allocated before the C<NULL> terminator.
+
+Passing precisely two I<--key ID:...> options on the command line for
+the encrypted block device C<ID> causes C<get_keys> to overwrite the
+terminating C<NULL>, leading to an out-of-bounds read in
+C<decrypt_mountables>, file F<libguestfs-common/options/decrypt.c>.
+
+Passing more than two I<--key ID:...> options on the command line for
+the encrypted block device C<ID> causes C<get_keys> itself to perform
+out-of-bounds writes. The most common symptom is a crash with C<SIGSEGV>
+later on.
+
+This issue affects -- broadly speaking -- all libguestfs-based utilities
+that accept I<--key>, namely: C<guestfish>, C<guestmount>, C<virt-cat>,
+C<virt-customize>, C<virt-diff>, C<virt-edit>, C<virt-get-kernel>,
+C<virt-inspector>, C<virt-log>, C<virt-ls>, C<virt-sparsify>,
+C<virt-sysprep>, C<virt-tail>, C<virt-v2v>.
+
=head1 SEE ALSO
L<guestfs(3)>,
--
2.31.1

View File

@ -6,7 +6,7 @@ set -e
# directory. Use it like this:
# ./copy-patches.sh
rhel_version=8.6.0
rhel_version=8.7.0
# Check we're in the right directory.
if [ ! -f libguestfs.spec ]; then

View File

@ -33,7 +33,7 @@ Summary: Access and modify virtual machine disk images
Name: libguestfs
Epoch: 1
Version: 1.44.0
Release: 5%{?dist}
Release: 9%{?dist}
License: LGPLv2+
ExclusiveArch: x86_64 %{power64} aarch64 s390x
@ -46,7 +46,7 @@ Source1: http://libguestfs.org/download/%{source_directory}/%{name}-%{vers
%endif
# RHEL 8 git repository is:
# https://github.com/libguestfs/libguestfs/tree/rhel-8.6.0
# https://github.com/libguestfs/libguestfs/tree/rhel-8.7.0
# Use 'copy-patches.sh' to copy the patches from the git repo
# to the current directory.
@ -70,6 +70,10 @@ Patch0016: 0016-test-data-phony-guests-Fix-phony-RPM-database-fix-vi.patch
Patch0017: 0017-launch-libvirt-place-our-virtio-net-pci-device-in-sl.patch
Patch0018: 0018-lib-extract-NETWORK_ADDRESS-and-NETWORK_PREFIX-as-ma.patch
Patch0019: 0019-launch-libvirt-add-virtio-net-via-the-standard-inter.patch
Patch0020: 0020-appliance-Use-cpu-max.patch
Patch0021: 0021-appliance-Use-cpu-mode-maximum-for-cpu-max-on-libvir.patch
Patch0022: 0022-lib-Disable-5-level-page-tables-when-using-cpu-max.patch
Patch0023: 0023-docs-guestfs-security-document-CVE-2022-2211.patch
# AlmaLinux detection patch
@ -135,7 +139,8 @@ BuildRequires: systemd-units
BuildRequires: netpbm-progs
BuildRequires: icoutils
# RHBZ#1710713 (RHBZ#1661940)
BuildRequires: libvirt-daemon-kvm >= 5.3.0
# libvirt must support -cpu max
BuildRequires: libvirt-daemon-kvm >= 8.0.0
BuildRequires: libacl-devel
BuildRequires: libcap-devel
# https://bugzilla.redhat.com/show_bug.cgi?id=1836094
@ -233,7 +238,7 @@ BuildRequires: iputils
%if !0%{?rhel}
BuildRequires: jfsutils
%endif
BuildRequires: kernel
BuildRequires: (kernel without kernel-debug-core)
BuildRequires: kmod
BuildRequires: kpartx
BuildRequires: less
@ -303,6 +308,12 @@ BuildRequires: zfs-fuse
# to replace it with (eg) a fixed appliance.
Requires: (%{name}-appliance = %{epoch}:%{version}-%{release} or %{name}-noappliance)
# libguestfs-benchmarking was accidentally present in RHEL AV 8.5 and
# removed in RHEL 8.6+. Add an Obsoletes to smooth the upgrade path
# for anyone who had this package installed.
# https://bugzilla.redhat.com/show_bug.cgi?id=2091597
Obsoletes: %{name}-benchmarking < %{epoch}:%{version}-%{release}
# The daemon dependencies are not included automatically, because it
# is buried inside the appliance, so list them here.
Requires: augeas-libs%{?_isa}
@ -335,7 +346,8 @@ Requires: /usr/bin/qemu-img
# For libvirt backend.
# RHBZ#1500870, RHBZ#1501239, RHBZ#1508299
Requires: libvirt-daemon-kvm >= 5.3.0
# libvirt must support -cpu max
Requires: libvirt-daemon-kvm >= 8.0.0
%ifarch aarch64
Requires: edk2-aarch64
%endif
@ -1189,10 +1201,26 @@ rm ocaml/html/.gitignore
%changelog
* Tue May 10 2022 Eduard Abdullin <eabdullin@almalinux.org> - 1:1.44.0-5.alma
* Tue Nov 08 2022 Eduard Abdullin <eabdullin@almalinux.org> - 1:1.44.0-9.alma
- Fix build for AlmaLinux
- Avoid permission denied for yum/dnf cache
* Tue Jul 05 2022 Richard W.M. Jones <rjones@redhat.com> - 1:1.44.0-9
- Fix CVE-2022-2211 Denial of Service in --key parameter
resolves: rhbz#2101280
* Tue Jun 07 2022 Richard W.M. Jones <rjones@redhat.com> - 1:1.44.0-8
- Obsolete old libguestfs-benchmarking subpackage
resolves: rhbz#2091597
* Thu May 12 2022 Richard W.M. Jones <rjones@redhat.com> - 1:1.44.0-7
- Disable 5-level page tables when using -cpu max
resolves: rhbz#2084566
related: rhbz#2075424
* Thu Apr 14 2022 Richard W.M. Jones <rjones@redhat.com> - 1:1.44.0-6
- Backport support for -cpu max to allow RHEL 9 guests to be modified
resolves: rhbz#2075424
* Fri Dec 24 2021 Richard W.M. Jones <rjones@redhat.com> - 1:1.44.0-5
- Fix libguestfs failure with qemu 6.2, libvirt 7.10
resolves: rhbz#2035177