diff --git a/SOURCES/0020-appliance-Use-cpu-max.patch b/SOURCES/0020-appliance-Use-cpu-max.patch new file mode 100644 index 0000000..cf34b45 --- /dev/null +++ b/SOURCES/0020-appliance-Use-cpu-max.patch @@ -0,0 +1,86 @@ +From fbb053fc71c0c072acb3fbf6e5fbbfc3b0667fd2 Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Thu, 28 Jan 2021 12:20:49 +0000 +Subject: [PATCH] appliance: Use -cpu max. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +QEMU has a newish feature (from about 2017 / qemu 2.9) called -cpu max +which is supposed to select the best CPU, ideal for libguestfs. + +After this change, on x86-64: + + KVM TCG + +Direct -cpu max -cpu max +(non-libvirt) + +Libvirt + + + +Thanks: Daniel Berrangé +(cherry picked from commit 30f74f38bd6e42e783ba80895f4d6826abddd417) +--- + lib/appliance-cpu.c | 16 ++++++++-------- + lib/launch-libvirt.c | 9 +++++++++ + 2 files changed, 17 insertions(+), 8 deletions(-) + +diff --git a/lib/appliance-cpu.c b/lib/appliance-cpu.c +index 5ef9f5c72..54ac6e2e3 100644 +--- a/lib/appliance-cpu.c ++++ b/lib/appliance-cpu.c +@@ -38,6 +38,11 @@ + * + * The literal string C<"host"> means use C<-cpu host>. + * ++ * =item C<"max"> ++ * ++ * The literal string C<"max"> means use C<-cpu max> (the best ++ * possible). This requires awkward translation for libvirt. ++ * + * =item some string + * + * Some string such as C<"cortex-a57"> means use C<-cpu cortex-a57>. +@@ -80,14 +85,9 @@ guestfs_int_get_cpu_model (int kvm) + /* See discussion in https://bugzilla.redhat.com/show_bug.cgi?id=1605071 */ + return NULL; + #else +- /* On most architectures, it is faster to pass the CPU host model to +- * the appliance, allowing maximum speed for things like checksums +- * and encryption. Only do this with KVM. It is broken in subtle +- * ways on TCG, and fairly pointless when you're emulating anyway. ++ /* On most architectures we can use "max" to get the best possible CPU. ++ * For recent qemu this should work even on TCG. + */ +- if (kvm) +- return "host"; +- else +- return NULL; ++ return "max"; + #endif + } +diff --git a/lib/launch-libvirt.c b/lib/launch-libvirt.c +index f6bb39d99..e3ff1ffe0 100644 +--- a/lib/launch-libvirt.c ++++ b/lib/launch-libvirt.c +@@ -1169,6 +1169,15 @@ construct_libvirt_xml_cpu (guestfs_h *g, + attribute ("fallback", "allow"); + } end_element (); + } ++ else if (STREQ (cpu_model, "max")) { ++ if (params->data->is_kvm) ++ attribute ("mode", "host-passthrough"); ++ else ++ attribute ("mode", "host-model"); ++ start_element ("model") { ++ attribute ("fallback", "allow"); ++ } end_element (); ++ } + else + single_element ("model", cpu_model); + } end_element (); +-- +2.31.1 + diff --git a/SOURCES/0021-appliance-Use-cpu-mode-maximum-for-cpu-max-on-libvir.patch b/SOURCES/0021-appliance-Use-cpu-mode-maximum-for-cpu-max-on-libvir.patch new file mode 100644 index 0000000..5309621 --- /dev/null +++ b/SOURCES/0021-appliance-Use-cpu-mode-maximum-for-cpu-max-on-libvir.patch @@ -0,0 +1,48 @@ +From 7dde1007525ec235e769351be15ca5de34eeda4a Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Thu, 18 Mar 2021 12:32:26 +0000 +Subject: [PATCH] appliance: Use for -cpu max on libvirt. + +Note this requires libvirt >= 7.1.0 which was only released in March 2021. + +With an older libvirt you will see this error: + + Original error from libvirt: unsupported configuration: Invalid mode attribute 'maximum' [code=67 int1=-1] + +In theory we could check if this is supported by looking at the +libvirt capabilities and fall back, but this commit does not do that, +in the expectation that most people will be using the default backend +(direct) and on Fedora/RHEL we will add an explicit minimum version +dependency to the package. + +qemu support has been around quite a bit longer (at least since 2017). + +Fixes: commit 30f74f38bd6e42e783ba80895f4d6826abddd417 +(cherry picked from commit 13ceb6a87b2869909a6a0e3c8caa962b72e4cb0e) +--- + lib/launch-libvirt.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/lib/launch-libvirt.c b/lib/launch-libvirt.c +index e3ff1ffe0..db619910f 100644 +--- a/lib/launch-libvirt.c ++++ b/lib/launch-libvirt.c +@@ -1170,13 +1170,8 @@ construct_libvirt_xml_cpu (guestfs_h *g, + } end_element (); + } + else if (STREQ (cpu_model, "max")) { +- if (params->data->is_kvm) +- attribute ("mode", "host-passthrough"); +- else +- attribute ("mode", "host-model"); +- start_element ("model") { +- attribute ("fallback", "allow"); +- } end_element (); ++ /* https://bugzilla.redhat.com/show_bug.cgi?id=1935572#c11 */ ++ attribute ("mode", "maximum"); + } + else + single_element ("model", cpu_model); +-- +2.31.1 + diff --git a/SOURCES/0022-lib-Disable-5-level-page-tables-when-using-cpu-max.patch b/SOURCES/0022-lib-Disable-5-level-page-tables-when-using-cpu-max.patch new file mode 100644 index 0000000..7fe284e --- /dev/null +++ b/SOURCES/0022-lib-Disable-5-level-page-tables-when-using-cpu-max.patch @@ -0,0 +1,92 @@ +From bb19cc0cdd43619ccf830e1e608f79e46f8ddf86 Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Thu, 12 May 2022 08:36:37 +0100 +Subject: [PATCH] lib: Disable 5-level page tables when using -cpu max + +In https://bugzilla.redhat.com/show_bug.cgi?id=2082806 we've been +tracking an insidious qemu bug which intermittently prevents the +libguestfs appliance from starting. The symptoms are that SeaBIOS +starts and displays its messages, but the kernel isn't reached. We +found that the kernel does in fact start, but when it tries to set up +page tables and jump to protected mode it gets a triple fault which +causes the emulated CPU in qemu to reset (qemu exits). + +This seems to only affect TCG (not KVM). + +Yesterday I found that this is caused by using -cpu max which enables +the "la57" feature (5-level page tables[0]), and that we can make the +problem go away using -cpu max,la57=off. Note that I still don't +fully understand the qemu bug, so this is only a workaround. + +I chose to disable 5-level page tables for both TCG and KVM, partly to +make the patch simpler, and partly because I guess it's not a feature +(ie. 57 bit linear addresses) that is useful for the libguestfs +appliance case, where we have limited physical memory and no need to +run any programs with huge address spaces. + +I tested this by running both the direct & libvirt paths overnight. I +expect that this patch will fail with old qemu/libvirt which doesn't +understand the "la57" feature, but this is only intended as a +temporary workaround. + +[0] Article about 5-level page tables as background: +https://lwn.net/Articles/717293/ + +Thanks: Laszlo Ersek +Fixes: https://answers.launchpad.net/ubuntu/+source/libguestfs/+question/701625 + +[RHEL 8.7: Patch is not upstream. This is the initial patch as posted +to the mailing list here: +https://listman.redhat.com/archives/libguestfs/2022-May/028853.html] +--- + lib/launch-direct.c | 15 +++++++++++++-- + lib/launch-libvirt.c | 7 +++++++ + 2 files changed, 20 insertions(+), 2 deletions(-) + +diff --git a/lib/launch-direct.c b/lib/launch-direct.c +index de17d2167..6b28e4724 100644 +--- a/lib/launch-direct.c ++++ b/lib/launch-direct.c +@@ -534,8 +534,19 @@ launch_direct (guestfs_h *g, void *datav, const char *arg) + } end_list (); + + cpu_model = guestfs_int_get_cpu_model (has_kvm && !force_tcg); +- if (cpu_model) +- arg ("-cpu", cpu_model); ++ if (cpu_model) { ++#if defined(__x86_64__) ++ /* Temporary workaround for RHBZ#2082806 */ ++ if (STREQ (cpu_model, "max")) { ++ start_list ("-cpu") { ++ append_list (cpu_model); ++ append_list ("la57=off"); ++ } end_list (); ++ } ++ else ++#endif ++ arg ("-cpu", cpu_model); ++ } + + if (g->smp > 1) + arg_format ("-smp", "%d", g->smp); +diff --git a/lib/launch-libvirt.c b/lib/launch-libvirt.c +index db619910f..bad4a54ea 100644 +--- a/lib/launch-libvirt.c ++++ b/lib/launch-libvirt.c +@@ -1172,6 +1172,13 @@ construct_libvirt_xml_cpu (guestfs_h *g, + else if (STREQ (cpu_model, "max")) { + /* https://bugzilla.redhat.com/show_bug.cgi?id=1935572#c11 */ + attribute ("mode", "maximum"); ++#if defined(__x86_64__) ++ /* Temporary workaround for RHBZ#2082806 */ ++ start_element ("feature") { ++ attribute ("policy", "disable"); ++ attribute ("name", "la57"); ++ } end_element (); ++#endif + } + else + single_element ("model", cpu_model); +-- +2.31.1 + diff --git a/SOURCES/0023-docs-guestfs-security-document-CVE-2022-2211.patch b/SOURCES/0023-docs-guestfs-security-document-CVE-2022-2211.patch new file mode 100644 index 0000000..6d74edc --- /dev/null +++ b/SOURCES/0023-docs-guestfs-security-document-CVE-2022-2211.patch @@ -0,0 +1,103 @@ +From 22d779d5982dc82d629710d41973ed6545707bd9 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 28 Jun 2022 13:54:16 +0200 +Subject: [PATCH] docs/guestfs-security: document CVE-2022-2211 + +Short log for the common submodule, commit range +f8de5508fe75..35467027f657: + +Laszlo Ersek (2): + mlcustomize: factor out pkg install/update/uninstall from guestfs-tools + options: fix buffer overflow in get_keys() [CVE-2022-2211] + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453 +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2100862 +Signed-off-by: Laszlo Ersek +Message-Id: <20220628115418.5376-2-lersek@redhat.com> +Reviewed-by: Richard W.M. Jones + +Cherry picked from commit 99844660b48ed809e37378262c65d63df6ce4a53. +For the cherry pick I only added one submodule commit: + +options: fix buffer overflow in get_keys() [CVE-2022-2211] +--- + common | 2 +- + docs/guestfs-security.pod | 28 ++++++++++++++++++++++++++++ + 2 files changed, 29 insertions(+), 1 deletion(-) + +Submodule common be09523d6..1174b443a: +diff --git a/common/options/keys.c b/common/options/keys.c +index 798315c..d27a712 100644 +--- a/common/options/keys.c ++++ b/common/options/keys.c +@@ -128,17 +128,23 @@ read_first_line_from_file (const char *filename) + char ** + get_keys (struct key_store *ks, const char *device, const char *uuid) + { +- size_t i, j, len; ++ size_t i, j, nmemb; + char **r; + char *s; + + /* We know the returned list must have at least one element and not + * more than ks->nr_keys. + */ +- len = 1; +- if (ks) +- len = MIN (1, ks->nr_keys); +- r = calloc (len+1, sizeof (char *)); ++ nmemb = 1; ++ if (ks && ks->nr_keys > nmemb) ++ nmemb = ks->nr_keys; ++ ++ /* make room for the terminating NULL */ ++ if (nmemb == (size_t)-1) ++ error (EXIT_FAILURE, 0, _("size_t overflow")); ++ nmemb++; ++ ++ r = calloc (nmemb, sizeof (char *)); + if (r == NULL) + error (EXIT_FAILURE, errno, "calloc"); + +diff --git a/docs/guestfs-security.pod b/docs/guestfs-security.pod +index 9ceef5623..efa35b29d 100644 +--- a/docs/guestfs-security.pod ++++ b/docs/guestfs-security.pod +@@ -406,6 +406,34 @@ The libvirt backend is not affected. + The solution is to update qemu to a version containing the fix (see + L). + ++=head2 CVE-2022-2211 ++ ++L ++ ++The C function in F collects ++those I<--key> options from the command line into a new array that match ++a particular block device that's being decrypted for inspection. The ++function intends to size the result array such that potentially all ++I<--key> options, plus a terminating C element, fit into it. The ++code mistakenly uses the C macro instead of C, and therefore ++only one element is allocated before the C terminator. ++ ++Passing precisely two I<--key ID:...> options on the command line for ++the encrypted block device C causes C to overwrite the ++terminating C, leading to an out-of-bounds read in ++C, file F. ++ ++Passing more than two I<--key ID:...> options on the command line for ++the encrypted block device C causes C itself to perform ++out-of-bounds writes. The most common symptom is a crash with C ++later on. ++ ++This issue affects -- broadly speaking -- all libguestfs-based utilities ++that accept I<--key>, namely: C, C, C, ++C, C, C, C, ++C, C, C, C, ++C, C, C. ++ + =head1 SEE ALSO + + L, +-- +2.31.1 + diff --git a/SOURCES/copy-patches.sh b/SOURCES/copy-patches.sh index 0fc8036..de6628e 100755 --- a/SOURCES/copy-patches.sh +++ b/SOURCES/copy-patches.sh @@ -6,7 +6,7 @@ set -e # directory. Use it like this: # ./copy-patches.sh -rhel_version=8.6.0 +rhel_version=8.7.0 # Check we're in the right directory. if [ ! -f libguestfs.spec ]; then diff --git a/SPECS/libguestfs.spec b/SPECS/libguestfs.spec index 1625fd8..28a23d2 100644 --- a/SPECS/libguestfs.spec +++ b/SPECS/libguestfs.spec @@ -33,7 +33,7 @@ Summary: Access and modify virtual machine disk images Name: libguestfs Epoch: 1 Version: 1.44.0 -Release: 5%{?dist} +Release: 9%{?dist} License: LGPLv2+ ExclusiveArch: x86_64 %{power64} aarch64 s390x @@ -46,7 +46,7 @@ Source1: http://libguestfs.org/download/%{source_directory}/%{name}-%{vers %endif # RHEL 8 git repository is: -# https://github.com/libguestfs/libguestfs/tree/rhel-8.6.0 +# https://github.com/libguestfs/libguestfs/tree/rhel-8.7.0 # Use 'copy-patches.sh' to copy the patches from the git repo # to the current directory. @@ -70,6 +70,10 @@ Patch0016: 0016-test-data-phony-guests-Fix-phony-RPM-database-fix-vi.patch Patch0017: 0017-launch-libvirt-place-our-virtio-net-pci-device-in-sl.patch Patch0018: 0018-lib-extract-NETWORK_ADDRESS-and-NETWORK_PREFIX-as-ma.patch Patch0019: 0019-launch-libvirt-add-virtio-net-via-the-standard-inter.patch +Patch0020: 0020-appliance-Use-cpu-max.patch +Patch0021: 0021-appliance-Use-cpu-mode-maximum-for-cpu-max-on-libvir.patch +Patch0022: 0022-lib-Disable-5-level-page-tables-when-using-cpu-max.patch +Patch0023: 0023-docs-guestfs-security-document-CVE-2022-2211.patch # AlmaLinux detection patch @@ -135,7 +139,8 @@ BuildRequires: systemd-units BuildRequires: netpbm-progs BuildRequires: icoutils # RHBZ#1710713 (RHBZ#1661940) -BuildRequires: libvirt-daemon-kvm >= 5.3.0 +# libvirt must support -cpu max +BuildRequires: libvirt-daemon-kvm >= 8.0.0 BuildRequires: libacl-devel BuildRequires: libcap-devel # https://bugzilla.redhat.com/show_bug.cgi?id=1836094 @@ -233,7 +238,7 @@ BuildRequires: iputils %if !0%{?rhel} BuildRequires: jfsutils %endif -BuildRequires: kernel +BuildRequires: (kernel without kernel-debug-core) BuildRequires: kmod BuildRequires: kpartx BuildRequires: less @@ -303,6 +308,12 @@ BuildRequires: zfs-fuse # to replace it with (eg) a fixed appliance. Requires: (%{name}-appliance = %{epoch}:%{version}-%{release} or %{name}-noappliance) +# libguestfs-benchmarking was accidentally present in RHEL AV 8.5 and +# removed in RHEL 8.6+. Add an Obsoletes to smooth the upgrade path +# for anyone who had this package installed. +# https://bugzilla.redhat.com/show_bug.cgi?id=2091597 +Obsoletes: %{name}-benchmarking < %{epoch}:%{version}-%{release} + # The daemon dependencies are not included automatically, because it # is buried inside the appliance, so list them here. Requires: augeas-libs%{?_isa} @@ -335,7 +346,8 @@ Requires: /usr/bin/qemu-img # For libvirt backend. # RHBZ#1500870, RHBZ#1501239, RHBZ#1508299 -Requires: libvirt-daemon-kvm >= 5.3.0 +# libvirt must support -cpu max +Requires: libvirt-daemon-kvm >= 8.0.0 %ifarch aarch64 Requires: edk2-aarch64 %endif @@ -1189,10 +1201,26 @@ rm ocaml/html/.gitignore %changelog -* Tue May 10 2022 Eduard Abdullin - 1:1.44.0-5.alma +* Tue Nov 08 2022 Eduard Abdullin - 1:1.44.0-9.alma - Fix build for AlmaLinux - Avoid permission denied for yum/dnf cache +* Tue Jul 05 2022 Richard W.M. Jones - 1:1.44.0-9 +- Fix CVE-2022-2211 Denial of Service in --key parameter + resolves: rhbz#2101280 +* Tue Jun 07 2022 Richard W.M. Jones - 1:1.44.0-8 +- Obsolete old libguestfs-benchmarking subpackage + resolves: rhbz#2091597 + +* Thu May 12 2022 Richard W.M. Jones - 1:1.44.0-7 +- Disable 5-level page tables when using -cpu max + resolves: rhbz#2084566 + related: rhbz#2075424 + +* Thu Apr 14 2022 Richard W.M. Jones - 1:1.44.0-6 +- Backport support for -cpu max to allow RHEL 9 guests to be modified + resolves: rhbz#2075424 + * Fri Dec 24 2021 Richard W.M. Jones - 1:1.44.0-5 - Fix libguestfs failure with qemu 6.2, libvirt 7.10 resolves: rhbz#2035177