import libguestfs-1.44.0-9.module+el8.7.0+16689+53d59bc2

2022-11-08 01:40:47 -05:00 · 2022-11-08 01:40:47 -05:00 · f8538d2090
commit f8538d2090
parent 55b111a4aa
6 changed files with 364 additions and 6 deletions
--- a/SOURCES/0020-appliance-Use-cpu-max.patch
+++ b/SOURCES/0020-appliance-Use-cpu-max.patch
@ -0,0 +1,86 @@
 From fbb053fc71c0c072acb3fbf6e5fbbfc3b0667fd2 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Thu, 28 Jan 2021 12:20:49 +0000
 Subject: [PATCH] appliance: Use -cpu max.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 QEMU has a newish feature (from about 2017 / qemu 2.9) called -cpu max
 which is supposed to select the best CPU, ideal for libguestfs.
 After this change, on x86-64:
               KVM                          TCG
 Direct         -cpu max                     -cpu max
 (non-libvirt)
 Libvirt   <cpu mode="host-passthrough">     <cpu mode="host-model">
            <model fallback="allow"/>         <model fallback="allow"/>
          </cpu>                            </cpu>
 Thanks: Daniel Berrangé
 (cherry picked from commit 30f74f38bd6e42e783ba80895f4d6826abddd417)
 ---
 lib/appliance-cpu.c  | 16 ++++++++--------
 lib/launch-libvirt.c |  9 +++++++++
 2 files changed, 17 insertions(+), 8 deletions(-)
 diff --git a/lib/appliance-cpu.c b/lib/appliance-cpu.c
 index 5ef9f5c72..54ac6e2e3 100644
 --- a/lib/appliance-cpu.c
 +++ b/lib/appliance-cpu.c
@@ -38,6 +38,11 @@
  *
  * The literal string C<"host"> means use C<-cpu host>.
  *
 + * =item C<"max">
 + *
 + * The literal string C<"max"> means use C<-cpu max> (the best
 + * possible).  This requires awkward translation for libvirt.
 + *
  * =item some string
  *
  * Some string such as C<"cortex-a57"> means use C<-cpu cortex-a57>.
@@ -80,14 +85,9 @@ guestfs_int_get_cpu_model (int kvm)
   /* See discussion in https://bugzilla.redhat.com/show_bug.cgi?id=1605071 */
   return NULL;
 #else
 -  /* On most architectures, it is faster to pass the CPU host model to
 -   * the appliance, allowing maximum speed for things like checksums
 -   * and encryption.  Only do this with KVM.  It is broken in subtle
 -   * ways on TCG, and fairly pointless when you're emulating anyway.
 +  /* On most architectures we can use "max" to get the best possible CPU.
 +   * For recent qemu this should work even on TCG.
    */
 -  if (kvm)
 -    return "host";
 -  else
 -    return NULL;
 +  return "max";
 #endif
 }
 diff --git a/lib/launch-libvirt.c b/lib/launch-libvirt.c
 index f6bb39d99..e3ff1ffe0 100644
 --- a/lib/launch-libvirt.c
 +++ b/lib/launch-libvirt.c
@@ -1169,6 +1169,15 @@ construct_libvirt_xml_cpu (guestfs_h *g,
           attribute ("fallback", "allow");
         } end_element ();
       }
 +      else if (STREQ (cpu_model, "max")) {
 +        if (params->data->is_kvm)
 +          attribute ("mode", "host-passthrough");
 +        else
 +          attribute ("mode", "host-model");
 +        start_element ("model") {
 +          attribute ("fallback", "allow");
 +        } end_element ();
 +      }
       else
         single_element ("model", cpu_model);
     } end_element ();
 -- 
 2.31.1
--- a/SOURCES/0021-appliance-Use-cpu-mode-maximum-for-cpu-max-on-libvir.patch
+++ b/SOURCES/0021-appliance-Use-cpu-mode-maximum-for-cpu-max-on-libvir.patch
@ -0,0 +1,48 @@
 From 7dde1007525ec235e769351be15ca5de34eeda4a Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Thu, 18 Mar 2021 12:32:26 +0000
 Subject: [PATCH] appliance: Use <cpu mode="maximum"/> for -cpu max on libvirt.
 Note this requires libvirt >= 7.1.0 which was only released in March 2021.
 With an older libvirt you will see this error:
  Original error from libvirt: unsupported configuration: Invalid mode attribute 'maximum' [code=67 int1=-1]
 In theory we could check if this is supported by looking at the
 libvirt capabilities and fall back, but this commit does not do that,
 in the expectation that most people will be using the default backend
 (direct) and on Fedora/RHEL we will add an explicit minimum version
 dependency to the package.
 qemu support has been around quite a bit longer (at least since 2017).
 Fixes: commit 30f74f38bd6e42e783ba80895f4d6826abddd417
 (cherry picked from commit 13ceb6a87b2869909a6a0e3c8caa962b72e4cb0e)
 ---
 lib/launch-libvirt.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
 diff --git a/lib/launch-libvirt.c b/lib/launch-libvirt.c
 index e3ff1ffe0..db619910f 100644
 --- a/lib/launch-libvirt.c
 +++ b/lib/launch-libvirt.c
@@ -1170,13 +1170,8 @@ construct_libvirt_xml_cpu (guestfs_h *g,
         } end_element ();
       }
       else if (STREQ (cpu_model, "max")) {
 -        if (params->data->is_kvm)
 -          attribute ("mode", "host-passthrough");
 -        else
 -          attribute ("mode", "host-model");
 -        start_element ("model") {
 -          attribute ("fallback", "allow");
 -        } end_element ();
 +        /* https://bugzilla.redhat.com/show_bug.cgi?id=1935572#c11 */
 +        attribute ("mode", "maximum");
       }
       else
         single_element ("model", cpu_model);
 -- 
 2.31.1
--- a/SOURCES/0022-lib-Disable-5-level-page-tables-when-using-cpu-max.patch
+++ b/SOURCES/0022-lib-Disable-5-level-page-tables-when-using-cpu-max.patch
@ -0,0 +1,92 @@
 From bb19cc0cdd43619ccf830e1e608f79e46f8ddf86 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Thu, 12 May 2022 08:36:37 +0100
 Subject: [PATCH] lib: Disable 5-level page tables when using -cpu max
 In https://bugzilla.redhat.com/show_bug.cgi?id=2082806 we've been
 tracking an insidious qemu bug which intermittently prevents the
 libguestfs appliance from starting.  The symptoms are that SeaBIOS
 starts and displays its messages, but the kernel isn't reached.  We
 found that the kernel does in fact start, but when it tries to set up
 page tables and jump to protected mode it gets a triple fault which
 causes the emulated CPU in qemu to reset (qemu exits).
 This seems to only affect TCG (not KVM).
 Yesterday I found that this is caused by using -cpu max which enables
 the "la57" feature (5-level page tables[0]), and that we can make the
 problem go away using -cpu max,la57=off.  Note that I still don't
 fully understand the qemu bug, so this is only a workaround.
 I chose to disable 5-level page tables for both TCG and KVM, partly to
 make the patch simpler, and partly because I guess it's not a feature
 (ie. 57 bit linear addresses) that is useful for the libguestfs
 appliance case, where we have limited physical memory and no need to
 run any programs with huge address spaces.
 I tested this by running both the direct & libvirt paths overnight.  I
 expect that this patch will fail with old qemu/libvirt which doesn't
 understand the "la57" feature, but this is only intended as a
 temporary workaround.
 [0] Article about 5-level page tables as background:
 https://lwn.net/Articles/717293/
 Thanks: Laszlo Ersek
 Fixes: https://answers.launchpad.net/ubuntu/+source/libguestfs/+question/701625
 [RHEL 8.7: Patch is not upstream.  This is the initial patch as posted
 to the mailing list here:
 https://listman.redhat.com/archives/libguestfs/2022-May/028853.html]
 ---
 lib/launch-direct.c  | 15 +++++++++++++--
 lib/launch-libvirt.c |  7 +++++++
 2 files changed, 20 insertions(+), 2 deletions(-)
 diff --git a/lib/launch-direct.c b/lib/launch-direct.c
 index de17d2167..6b28e4724 100644
 --- a/lib/launch-direct.c
 +++ b/lib/launch-direct.c
@@ -534,8 +534,19 @@ launch_direct (guestfs_h *g, void *datav, const char *arg)
   } end_list ();
   cpu_model = guestfs_int_get_cpu_model (has_kvm && !force_tcg);
 -  if (cpu_model)
 -    arg ("-cpu", cpu_model);
 +  if (cpu_model) {
 +#if defined(__x86_64__)
 +    /* Temporary workaround for RHBZ#2082806 */
 +    if (STREQ (cpu_model, "max")) {
 +      start_list ("-cpu") {
 +        append_list (cpu_model);
 +        append_list ("la57=off");
 +      } end_list ();
 +    }
 +    else
 +#endif
 +      arg ("-cpu", cpu_model);
 +  }
   if (g->smp > 1)
     arg_format ("-smp", "%d", g->smp);
 diff --git a/lib/launch-libvirt.c b/lib/launch-libvirt.c
 index db619910f..bad4a54ea 100644
 --- a/lib/launch-libvirt.c
 +++ b/lib/launch-libvirt.c
@@ -1172,6 +1172,13 @@ construct_libvirt_xml_cpu (guestfs_h *g,
       else if (STREQ (cpu_model, "max")) {
         /* https://bugzilla.redhat.com/show_bug.cgi?id=1935572#c11 */
         attribute ("mode", "maximum");
 +#if defined(__x86_64__)
 +        /* Temporary workaround for RHBZ#2082806 */
 +        start_element ("feature") {
 +          attribute ("policy", "disable");
 +          attribute ("name", "la57");
 +        } end_element ();
 +#endif
       }
       else
         single_element ("model", cpu_model);
 -- 
 2.31.1
--- a/SOURCES/0023-docs-guestfs-security-document-CVE-2022-2211.patch
+++ b/SOURCES/0023-docs-guestfs-security-document-CVE-2022-2211.patch
@ -0,0 +1,103 @@
 From 22d779d5982dc82d629710d41973ed6545707bd9 Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek <lersek@redhat.com>
 Date: Tue, 28 Jun 2022 13:54:16 +0200
 Subject: [PATCH] docs/guestfs-security: document CVE-2022-2211
 Short log for the common submodule, commit range
 f8de5508fe75..35467027f657:
 Laszlo Ersek (2):
      mlcustomize: factor out pkg install/update/uninstall from guestfs-tools
      options: fix buffer overflow in get_keys() [CVE-2022-2211]
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2100862
 Signed-off-by: Laszlo Ersek <lersek@redhat.com>
 Message-Id: <20220628115418.5376-2-lersek@redhat.com>
 Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
 Cherry picked from commit 99844660b48ed809e37378262c65d63df6ce4a53.
 For the cherry pick I only added one submodule commit:
 options: fix buffer overflow in get_keys() [CVE-2022-2211]
 ---
 common                    |  2 +-
 docs/guestfs-security.pod | 28 ++++++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)
 Submodule common be09523d6..1174b443a:
 diff --git a/common/options/keys.c b/common/options/keys.c
 index 798315c..d27a712 100644
 --- a/common/options/keys.c
 +++ b/common/options/keys.c
@@ -128,17 +128,23 @@ read_first_line_from_file (const char *filename)
 char **
 get_keys (struct key_store *ks, const char *device, const char *uuid)
 {
 -  size_t i, j, len;
 +  size_t i, j, nmemb;
   char **r;
   char *s;
   /* We know the returned list must have at least one element and not
    * more than ks->nr_keys.
    */
 -  len = 1;
 -  if (ks)
 -    len = MIN (1, ks->nr_keys);
 -  r = calloc (len+1, sizeof (char *));
 +  nmemb = 1;
 +  if (ks && ks->nr_keys > nmemb)
 +    nmemb = ks->nr_keys;
 +
 +  /* make room for the terminating NULL */
 +  if (nmemb == (size_t)-1)
 +    error (EXIT_FAILURE, 0, _("size_t overflow"));
 +  nmemb++;
 +
 +  r = calloc (nmemb, sizeof (char *));
   if (r == NULL)
     error (EXIT_FAILURE, errno, "calloc");
 diff --git a/docs/guestfs-security.pod b/docs/guestfs-security.pod
 index 9ceef5623..efa35b29d 100644
 --- a/docs/guestfs-security.pod
 +++ b/docs/guestfs-security.pod
@@ -406,6 +406,34 @@ The libvirt backend is not affected.
 The solution is to update qemu to a version containing the fix (see
 L<https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html>).
 +=head2 CVE-2022-2211
 +
 +L<https://bugzilla.redhat.com/CVE-2022-2211>
 +
 +The C<get_keys> function in F<libguestfs-common/options/keys.c> collects
 +those I<--key> options from the command line into a new array that match
 +a particular block device that's being decrypted for inspection. The
 +function intends to size the result array such that potentially all
 +I<--key> options, plus a terminating C<NULL> element, fit into it. The
 +code mistakenly uses the C<MIN> macro instead of C<MAX>, and therefore
 +only one element is allocated before the C<NULL> terminator.
 +
 +Passing precisely two I<--key ID:...> options on the command line for
 +the encrypted block device C<ID> causes C<get_keys> to overwrite the
 +terminating C<NULL>, leading to an out-of-bounds read in
 +C<decrypt_mountables>, file F<libguestfs-common/options/decrypt.c>.
 +
 +Passing more than two I<--key ID:...> options on the command line for
 +the encrypted block device C<ID> causes C<get_keys> itself to perform
 +out-of-bounds writes. The most common symptom is a crash with C<SIGSEGV>
 +later on.
 +
 +This issue affects -- broadly speaking -- all libguestfs-based utilities
 +that accept I<--key>, namely: C<guestfish>, C<guestmount>, C<virt-cat>,
 +C<virt-customize>, C<virt-diff>, C<virt-edit>, C<virt-get-kernel>,
 +C<virt-inspector>, C<virt-log>, C<virt-ls>, C<virt-sparsify>,
 +C<virt-sysprep>, C<virt-tail>, C<virt-v2v>.
 +
 =head1 SEE ALSO
 L<guestfs(3)>,
 -- 
 2.31.1
--- a/SOURCES/copy-patches.sh
+++ b/SOURCES/copy-patches.sh
@ -6,7 +6,7 @@ set -e
 # directory.  Use it like this:
 #   ./copy-patches.sh
-rhel_version=8.6.0
+rhel_version=8.7.0
 # Check we're in the right directory.
 if [ ! -f libguestfs.spec ]; then
--- a/SPECS/libguestfs.spec
+++ b/SPECS/libguestfs.spec
@ -32,7 +32,7 @@ Summary:       Access and modify virtual machine disk images
 Name:          libguestfs
 Epoch:         1
 Version:       1.44.0
-Release:       5%{?dist}
+Release:       9%{?dist}
 License:       LGPLv2+
 ExclusiveArch: x86_64 %{power64} aarch64 s390x
@ -45,7 +45,7 @@ Source1:       http://libguestfs.org/download/%{source_directory}/%{name}-%{vers
 %endif
 # RHEL 8 git repository is:
-# https://github.com/libguestfs/libguestfs/tree/rhel-8.6.0
+# https://github.com/libguestfs/libguestfs/tree/rhel-8.7.0
 # Use 'copy-patches.sh' to copy the patches from the git repo
 # to the current directory.
@ -69,6 +69,10 @@ Patch0016:     0016-test-data-phony-guests-Fix-phony-RPM-database-fix-vi.patch
 Patch0017:     0017-launch-libvirt-place-our-virtio-net-pci-device-in-sl.patch
 Patch0018:     0018-lib-extract-NETWORK_ADDRESS-and-NETWORK_PREFIX-as-ma.patch
 Patch0019:     0019-launch-libvirt-add-virtio-net-via-the-standard-inter.patch
 Patch0020:     0020-appliance-Use-cpu-max.patch
 Patch0021:     0021-appliance-Use-cpu-mode-maximum-for-cpu-max-on-libvir.patch
 Patch0022:     0022-lib-Disable-5-level-page-tables-when-using-cpu-max.patch
 Patch0023:     0023-docs-guestfs-security-document-CVE-2022-2211.patch
 # Replacement README file.
 Source4:       README-replacement.in
@ -129,7 +133,8 @@ BuildRequires: systemd-units
 BuildRequires: netpbm-progs
 BuildRequires: icoutils
 # RHBZ#1710713 (RHBZ#1661940)
-BuildRequires: libvirt-daemon-kvm >= 5.3.0
+# libvirt must support -cpu max
 BuildRequires: libvirt-daemon-kvm >= 8.0.0
 BuildRequires: libacl-devel
 BuildRequires: libcap-devel
 # https://bugzilla.redhat.com/show_bug.cgi?id=1836094
@ -227,7 +232,7 @@ BuildRequires: iputils
 %if !0%{?rhel}
 BuildRequires: jfsutils
 %endif
-BuildRequires: kernel
+BuildRequires: (kernel without kernel-debug-core)
 BuildRequires: kmod
 BuildRequires: kpartx
 BuildRequires: less
@ -297,6 +302,12 @@ BuildRequires: zfs-fuse
 # to replace it with (eg) a fixed appliance.
 Requires:      (%{name}-appliance = %{epoch}:%{version}-%{release} or %{name}-noappliance)
 # libguestfs-benchmarking was accidentally present in RHEL AV 8.5 and
 # removed in RHEL 8.6+.  Add an Obsoletes to smooth the upgrade path
 # for anyone who had this package installed.
 # https://bugzilla.redhat.com/show_bug.cgi?id=2091597
 Obsoletes: %{name}-benchmarking < %{epoch}:%{version}-%{release}
 # The daemon dependencies are not included automatically, because it
 # is buried inside the appliance, so list them here.
 Requires:      augeas-libs%{?_isa}
@ -329,7 +340,8 @@ Requires:      /usr/bin/qemu-img
 # For libvirt backend.
 # RHBZ#1500870, RHBZ#1501239, RHBZ#1508299
-Requires:      libvirt-daemon-kvm >= 5.3.0
+# libvirt must support -cpu max
 Requires:      libvirt-daemon-kvm >= 8.0.0
 %ifarch aarch64
 Requires:      edk2-aarch64
 %endif
@ -1182,6 +1194,23 @@ rm ocaml/html/.gitignore
 %changelog
 * Tue Jul 05 2022 Richard W.M. Jones <rjones@redhat.com> - 1:1.44.0-9
 - Fix CVE-2022-2211 Denial of Service in --key parameter
  resolves: rhbz#2101280
 * Tue Jun 07 2022 Richard W.M. Jones <rjones@redhat.com> - 1:1.44.0-8
 - Obsolete old libguestfs-benchmarking subpackage
  resolves: rhbz#2091597
 * Thu May 12 2022 Richard W.M. Jones <rjones@redhat.com> - 1:1.44.0-7
 - Disable 5-level page tables when using -cpu max
  resolves: rhbz#2084566
  related: rhbz#2075424
 * Thu Apr 14 2022 Richard W.M. Jones <rjones@redhat.com> - 1:1.44.0-6
 - Backport support for -cpu max to allow RHEL 9 guests to be modified
  resolves: rhbz#2075424
 * Fri Dec 24 2021 Richard W.M. Jones <rjones@redhat.com> - 1:1.44.0-5
 - Fix libguestfs failure with qemu 6.2, libvirt 7.10
  resolves: rhbz#2035177