libvirt-10.0.0-7.el9

Jiri Denemark 2024-04-22 16:41:16 +02:00 committed by root
parent 40c0ee63b9
commit 5f65d636c4
8 changed files with 537 additions and 1 deletions

1
.libvirt.metadata Normal file

@ -0,0 +1 @@
7a2e402bfb1ad295544de6cd527c4c04e85c5096 libvirt-10.0.0.tar.xz


@ -0,0 +1,46 @@
From 68f2278d84fe560123c2ec34275380ed1086b706 Mon Sep 17 00:00:00 2001
Message-ID: <68f2278d84fe560123c2ec34275380ed1086b706.1713796876.git.jdenemar@redhat.com>
From: Martin Kletzander <mkletzan@redhat.com>
Date: Tue, 27 Feb 2024 16:20:12 +0100
Subject: [PATCH] Fix off-by-one error in udevListInterfacesByStatus
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ever since this function was introduced in 2012 it could've tried
filling in an extra interface name. That was made worse in 2019 when
the caller functions started accepting NULL arrays of size 0.
This is assigned CVE-2024-1441.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reported-by: Alexander Kuznetsov <kuznetsovam@altlinux.org>
Fixes: 5a33366f5c0b18c93d161bd144f9f079de4ac8ca
Fixes: d6064e2759a24e0802f363e3a810dc5a7d7ebb15
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit c664015fe3a7bf59db26686e9ed69af011c6ebb8)
Conflicts:
- NEWS.rst: Removed the hunk
Resolves: https://issues.redhat.com/browse/RHEL-25081
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
---
src/interface/interface_backend_udev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c
index fb6799ed94..4091483060 100644
--- a/src/interface/interface_backend_udev.c
+++ b/src/interface/interface_backend_udev.c
@@ -222,7 +222,7 @@ udevListInterfacesByStatus(virConnectPtr conn,
g_autoptr(virInterfaceDef) def = NULL;
/* Ensure we won't exceed the size of our array */
- if (count > names_len)
+ if (count >= names_len)
break;
path = udev_list_entry_get_name(dev_entry);
--
2.44.0


@ -0,0 +1,139 @@
From 68a98ee089f39edeb2d07f6268cbbcb12629ee8b Mon Sep 17 00:00:00 2001
Message-ID: <68a98ee089f39edeb2d07f6268cbbcb12629ee8b.1713796876.git.jdenemar@redhat.com>
From: Jiri Denemark <jdenemar@redhat.com>
Date: Tue, 16 Apr 2024 12:57:22 +0200
Subject: [PATCH] qemu: Fix migration with custom XML
Ages ago origCPU in domain private data was introduced to provide
backward compatibility when migrating to an old libvirt, which did not
support fetching updated CPU definition from QEMU. Thus origCPU will
contain the original CPU definition before such update. But only if the
update actually changed anything. Let's always fill origCPU with the
original definition when starting a domain so that we can rely on it
being always set, even if it matches the updated definition.
This fixes migration or save operations with custom domain XML after
commit v10.1.0-88-g14d3517410, which expected origCPU to be always set
to the CPU definition from inactive XML to check features explicitly
requested by a user.
https://issues.redhat.com/browse/RHEL-30622
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Tested-by: Han Han <hhan@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
(cherry picked from commit 4331048257071211fb98c21453b187919d42dae7)
https://issues.redhat.com/browse/RHEL-32654
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
src/qemu/qemu_domain.c | 33 ++++++++++++++++++++-------------
src/qemu/qemu_process.c | 19 +++++++------------
2 files changed, 27 insertions(+), 25 deletions(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 1daa53dd1b..341c543280 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -10868,12 +10868,13 @@ virSaveCookieCallbacks virQEMUDriverDomainSaveCookie = {
* @vm: domain which is being started
* @cpu: CPU updated when the domain was running previously (before migration,
* snapshot, or save)
- * @origCPU: where to store the original CPU from vm->def in case @cpu was
- * used instead
+ * @origCPU: where to store the original CPU from vm->def
*
- * Replace the CPU definition with the updated one when QEMU is new enough to
- * allow us to check extra features it is about to enable or disable when
- * starting a domain. The original CPU is stored in @origCPU.
+ * Save the original CPU definition from inactive XML in @origCPU so that we
+ * can safely update it and still be able to check what exactly a user asked
+ * for. The domain definition will either contain a copy of the original CPU
+ * definition or a copy of @cpu in case the domain was already running and
+ * we're just restoring a saved state or preparing for incoming migration.
*
* Returns 0 on success, -1 on error.
*/
@@ -10886,18 +10887,24 @@ qemuDomainUpdateCPU(virDomainObj *vm,
*origCPU = NULL;
- if (!cpu || !vm->def->cpu ||
- !virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_QUERY_CPU_MODEL_EXPANSION) ||
- virCPUDefIsEqual(vm->def->cpu, cpu, false))
+ if (!vm->def->cpu)
return 0;
- if (!(cpu = virCPUDefCopy(cpu)))
- return -1;
+ if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_QUERY_CPU_MODEL_EXPANSION))
+ return 0;
+
+ /* nothing to do if only topology part of CPU def is used */
+ if (vm->def->cpu->mode == VIR_CPU_MODE_CUSTOM && !vm->def->cpu->model)
+ return 0;
+
+ VIR_DEBUG("Replacing CPU definition");
- VIR_DEBUG("Replacing CPU def with the updated one");
+ *origCPU = g_steal_pointer(&vm->def->cpu);
- *origCPU = vm->def->cpu;
- vm->def->cpu = cpu;
+ if (cpu)
+ vm->def->cpu = virCPUDefCopy(cpu);
+ else
+ vm->def->cpu = virCPUDefCopy(*origCPU);
return 0;
}
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 3563ad215c..b75599de68 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -4402,8 +4402,6 @@ qemuProcessUpdateLiveGuestCPU(virDomainObj *vm,
virCPUData *disabled)
{
virDomainDef *def = vm->def;
- qemuDomainObjPrivate *priv = vm->privateData;
- g_autoptr(virCPUDef) orig = NULL;
int rc;
if (!enabled)
@@ -4414,19 +4412,11 @@ qemuProcessUpdateLiveGuestCPU(virDomainObj *vm,
!def->cpu->model))
return 0;
- orig = virCPUDefCopy(def->cpu);
-
- if ((rc = virCPUUpdateLive(def->os.arch, def->cpu, enabled, disabled)) < 0) {
+ if ((rc = virCPUUpdateLive(def->os.arch, def->cpu, enabled, disabled)) < 0)
return -1;
- } else if (rc == 0) {
- /* Store the original CPU in priv if QEMU changed it and we didn't
- * get the original CPU via migration, restore, or snapshot revert.
- */
- if (!priv->origCPU && !virCPUDefIsEqual(def->cpu, orig, false))
- priv->origCPU = g_steal_pointer(&orig);
+ if (rc == 0)
def->cpu->check = VIR_CPU_CHECK_FULL;
- }
return 0;
}
@@ -9144,6 +9134,11 @@ qemuProcessReconnect(void *opaque)
qemuDomainVcpuPersistOrder(obj->def);
+ /* Make sure the original CPU is always preserved in priv->origCPU. */
+ if (!priv->origCPU &&
+ qemuDomainUpdateCPU(obj, NULL, &priv->origCPU) < 0)
+ goto error;
+
if (qemuProcessRefreshCPU(driver, obj) < 0)
goto error;
--
2.44.0
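Review bot: In qemuDomainUpdateCPU the result of `virCPUDefCopy()` is now stored in `vm->def->cpu` without a check, whereas the removed code returned -1 when the copy came back NULL. Because the original pointer has already been moved out with `g_steal_pointer(&vm->def->cpu)`, a NULL copy would leave the domain definition without a CPU while the function still returns 0. The definition of virCPUDefCopy is not shown here; if it cannot fail for a non-NULL argument, the header comment's `Returns 0 on success, -1 on error` no longer matches any path visible in the hunk and should say so, otherwise add `if (!vm->def->cpu) return -1;` after the copy. The start of the function lies outside the hunk.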


@ -0,0 +1,42 @@
From 08318e2c7dd6d5ea76c2f7ddfa7e61519903744c Mon Sep 17 00:00:00 2001
Message-ID: <08318e2c7dd6d5ea76c2f7ddfa7e61519903744c.1713796876.git.jdenemar@redhat.com>
From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
Date: Tue, 5 Mar 2024 14:55:26 +0100
Subject: [PATCH] qemu: virtiofs: do not crash if cgroups are missing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
On domain startup, qemuSetupCgroupForExtDevices checks
if a cgroup controller is present and skips the setup if not.
Add a similar check to qemuVirtioFSSetupCgroup to prevent
crashing when hotplugging a virtiofs filesystem.
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit a9da0092198ba2f278cea370f8251f2e29f57c7d)
https://issues.redhat.com/browse/RHEL-7386
Signed-off-by: Ján Tomko <jtomko@redhat.com>
---
src/qemu/qemu_virtiofs.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/qemu/qemu_virtiofs.c b/src/qemu/qemu_virtiofs.c
index d539d0a192..15dea3bb57 100644
--- a/src/qemu/qemu_virtiofs.c
+++ b/src/qemu/qemu_virtiofs.c
@@ -353,6 +353,9 @@ qemuVirtioFSSetupCgroup(virDomainObj *vm,
pid_t pid = -1;
int rc;
+ if (!cgroup)
+ return 0;
+
if (!(pidfile = qemuVirtioFSCreatePidFilename(vm, fs->info.alias)))
return -1;
--
2.44.0


@ -0,0 +1,37 @@
From 0859b9bf3efde1522aee3be9d007ff1967e14d44 Mon Sep 17 00:00:00 2001
Message-ID: <0859b9bf3efde1522aee3be9d007ff1967e14d44.1713796876.git.jdenemar@redhat.com>
From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
Date: Thu, 7 Mar 2024 13:36:45 +0100
Subject: [PATCH] qemu: virtiofs: error out if getting the group or user name
fails
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit c9de7a1c3bca9f0732205f2c2b84526781dbf5e5)
https://issues.redhat.com/browse/RHEL-7386
Signed-off-by: Ján Tomko <jtomko@redhat.com>
---
src/qemu/qemu_virtiofs.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/qemu/qemu_virtiofs.c b/src/qemu/qemu_virtiofs.c
index d80cddd3ba..78897d8177 100644
--- a/src/qemu/qemu_virtiofs.c
+++ b/src/qemu/qemu_virtiofs.c
@@ -388,6 +388,9 @@ qemuVirtioFSPrepareIdMap(virDomainFSDef *fs)
username = virGetUserName(euid);
groupname = virGetGroupName(egid);
+ if (!username || !groupname)
+ return -1;
+
fs->idmap.uidmap = g_new0(virDomainIdMapEntry, 2);
fs->idmap.gidmap = g_new0(virDomainIdMapEntry, 2);
--
2.44.0


@ -0,0 +1,39 @@
From 1be4ebe8c9e67ed4086d9ef4bce9ae6a63c753d9 Mon Sep 17 00:00:00 2001
Message-ID: <1be4ebe8c9e67ed4086d9ef4bce9ae6a63c753d9.1713796876.git.jdenemar@redhat.com>
From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
Date: Wed, 6 Mar 2024 17:26:40 +0100
Subject: [PATCH] qemu: virtiofs: set correct label when creating the socket
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use svirt_t instead of virtd_t, since virtd_t is not available in the
session mode and qemu with svirt_t won't be able to talk to unconfined_t
socket.
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 4c5b2e1e0d0d0cbbf8c6ed28ce77d055d5974f7f)
https://issues.redhat.com/browse/RHEL-7386
Signed-off-by: Ján Tomko <jtomko@redhat.com>
---
src/qemu/qemu_virtiofs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/qemu/qemu_virtiofs.c b/src/qemu/qemu_virtiofs.c
index 15dea3bb57..d80cddd3ba 100644
--- a/src/qemu/qemu_virtiofs.c
+++ b/src/qemu/qemu_virtiofs.c
@@ -102,7 +102,7 @@ qemuVirtioFSOpenChardev(virQEMUDriver *driver,
chrdev->data.nix.listen = true;
chrdev->data.nix.path = g_strdup(socket_path);
- if (qemuSecuritySetDaemonSocketLabel(driver->securityManager, vm->def) < 0)
+ if (qemuSecuritySetSocketLabel(driver->securityManager, vm->def) < 0)
goto cleanup;
fd = qemuOpenChrChardevUNIXSocket(chrdev);
if (fd < 0) {
--
2.44.0


@ -0,0 +1,218 @@
From 3841ddc4d4fe2f4f4aced0e6c259958cbcc1ab80 Mon Sep 17 00:00:00 2001
Message-ID: <3841ddc4d4fe2f4f4aced0e6c259958cbcc1ab80.1713796876.git.jdenemar@redhat.com>
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 15 Mar 2024 10:47:50 +0000
Subject: [PATCH] remote: check for negative array lengths before allocation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
While the C API entry points will validate non-negative lengths
for various parameters, the RPC server de-serialization code
will need to allocate memory for arrays before entering the C
API. These allocations will thus happen before the non-negative
length check is performed.
Passing a negative length to the g_new0 function will usually
result in a crash due to the negative length being treated as
a huge positive number.
This was found and diagnosed by ALT Linux Team with AFLplusplus.
CVE-2024-2494
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Found-by: Alexandr Shashkin <dutyrok@altlinux.org>
Co-developed-by: Alexander Kuznetsov <kuznetsovam@altlinux.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 8a3f8d957507c1f8223fdcf25a3ff885b15557f2)
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
src/remote/remote_daemon_dispatch.c | 65 +++++++++++++++++++++++++++++
src/rpc/gendispatch.pl | 5 +++
2 files changed, 70 insertions(+)
diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c
index aaabd1e56c..01dcac4b12 100644
--- a/src/remote/remote_daemon_dispatch.c
+++ b/src/remote/remote_daemon_dispatch.c
@@ -2291,6 +2291,10 @@ remoteDispatchDomainGetSchedulerParameters(virNetServer *server G_GNUC_UNUSED,
if (!conn)
goto cleanup;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
@@ -2339,6 +2343,10 @@ remoteDispatchDomainGetSchedulerParametersFlags(virNetServer *server G_GNUC_UNUS
if (!conn)
goto cleanup;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
@@ -2497,6 +2505,10 @@ remoteDispatchDomainBlockStatsFlags(virNetServer *server G_GNUC_UNUSED,
goto cleanup;
flags = args->flags;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_DOMAIN_BLOCK_STATS_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
@@ -2717,6 +2729,14 @@ remoteDispatchDomainGetVcpuPinInfo(virNetServer *server G_GNUC_UNUSED,
if (!(dom = get_nonnull_domain(conn, args->dom)))
goto cleanup;
+ if (args->ncpumaps < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps must be non-negative"));
+ goto cleanup;
+ }
+ if (args->maplen < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative"));
+ goto cleanup;
+ }
if (args->ncpumaps > REMOTE_VCPUINFO_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps > REMOTE_VCPUINFO_MAX"));
goto cleanup;
@@ -2811,6 +2831,11 @@ remoteDispatchDomainGetEmulatorPinInfo(virNetServer *server G_GNUC_UNUSED,
if (!(dom = get_nonnull_domain(conn, args->dom)))
goto cleanup;
+ if (args->maplen < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative"));
+ goto cleanup;
+ }
+
/* Allocate buffers to take the results */
if (args->maplen > 0)
cpumaps = g_new0(unsigned char, args->maplen);
@@ -2858,6 +2883,14 @@ remoteDispatchDomainGetVcpus(virNetServer *server G_GNUC_UNUSED,
if (!(dom = get_nonnull_domain(conn, args->dom)))
goto cleanup;
+ if (args->maxinfo < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be non-negative"));
+ goto cleanup;
+ }
+ if (args->maplen < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be non-negative"));
+ goto cleanup;
+ }
if (args->maxinfo > REMOTE_VCPUINFO_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo > REMOTE_VCPUINFO_MAX"));
goto cleanup;
@@ -3096,6 +3129,10 @@ remoteDispatchDomainGetMemoryParameters(virNetServer *server G_GNUC_UNUSED,
flags = args->flags;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_DOMAIN_MEMORY_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
@@ -3156,6 +3193,10 @@ remoteDispatchDomainGetNumaParameters(virNetServer *server G_GNUC_UNUSED,
flags = args->flags;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_DOMAIN_NUMA_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
@@ -3216,6 +3257,10 @@ remoteDispatchDomainGetBlkioParameters(virNetServer *server G_GNUC_UNUSED,
flags = args->flags;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_DOMAIN_BLKIO_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
@@ -3277,6 +3322,10 @@ remoteDispatchNodeGetCPUStats(virNetServer *server G_GNUC_UNUSED,
flags = args->flags;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_NODE_CPU_STATS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
@@ -3339,6 +3388,10 @@ remoteDispatchNodeGetMemoryStats(virNetServer *server G_GNUC_UNUSED,
flags = args->flags;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_NODE_MEMORY_STATS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
@@ -3514,6 +3567,10 @@ remoteDispatchDomainGetBlockIoTune(virNetServer *server G_GNUC_UNUSED,
if (!conn)
goto cleanup;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_DOMAIN_BLOCK_IO_TUNE_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
@@ -5081,6 +5138,10 @@ remoteDispatchDomainGetInterfaceParameters(virNetServer *server G_GNUC_UNUSED,
flags = args->flags;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_DOMAIN_INTERFACE_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
@@ -5301,6 +5362,10 @@ remoteDispatchNodeGetMemoryParameters(virNetServer *server G_GNUC_UNUSED,
flags = args->flags;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_NODE_MEMORY_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl
index 5ce988c5ae..c5842dc796 100755
--- a/src/rpc/gendispatch.pl
+++ b/src/rpc/gendispatch.pl
@@ -1070,6 +1070,11 @@ elsif ($mode eq "server") {
print "\n";
if ($single_ret_as_list) {
+ print " if (args->$single_ret_list_max_var < 0) {\n";
+ print " virReportError(VIR_ERR_RPC,\n";
+ print " \"%s\", _(\"max$single_ret_list_name must be non-negative\"));\n";
+ print " goto cleanup;\n";
+ print " }\n";
print " if (args->$single_ret_list_max_var > $single_ret_list_max_define) {\n";
print " virReportError(VIR_ERR_RPC,\n";
print " \"%s\", _(\"max$single_ret_list_name > $single_ret_list_max_define\"));\n";
--
2.44.0
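Review bot: In the remoteDispatchDomainGetVcpus hunk the new `args->maplen < 0` check reports `maxinfo must be non-negative`, so a client that sends a negative maplen gets an error naming the wrong field. The message should be `_("maplen must be non-negative")`, as in the maplen checks added to remoteDispatchDomainGetVcpuPinInfo and remoteDispatchDomainGetEmulatorPinInfo. The hand-written checks also raise VIR_ERR_INTERNAL_ERROR while the generated check in gendispatch.pl raises VIR_ERR_RPC; each follows its neighbouring "too large" check, but a rejected wire value is the same kind of failure in both places and one error code would make it easier to recognise malformed requests in logs. The dispatch functions begin and end outside the hunks.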


@ -270,7 +270,7 @@
Summary: Library providing a simple virtualization API
Name: libvirt
Version: 10.0.0
Release: 5%{?dist}%{?extra_release}
Release: 7%{?dist}%{?extra_release}
License: GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND OFL-1.1
URL: https://libvirt.org/
@ -358,6 +358,12 @@ Patch76: libvirt-Add-vmx-features-to-SapphireRapids.patch
Patch77: libvirt-Add-vmx-features-to-Skylake.patch
Patch78: libvirt-Add-vmx-features-to-Snowridge.patch
Patch79: libvirt-Add-vmx-features-to-Westmere.patch
Patch80: libvirt-qemu-virtiofs-do-not-crash-if-cgroups-are-missing.patch
Patch81: libvirt-qemu-virtiofs-set-correct-label-when-creating-the-socket.patch
Patch82: libvirt-qemu-virtiofs-error-out-if-getting-the-group-or-user-name-fails.patch
Patch83: libvirt-Fix-off-by-one-error-in-udevListInterfacesByStatus.patch
Patch84: libvirt-remote-check-for-negative-array-lengths-before-allocation.patch
Patch85: libvirt-qemu-Fix-migration-with-custom-XML.patch
Requires: libvirt-daemon = %{version}-%{release}
@ -2661,6 +2667,14 @@ exit 0
%endif
%changelog
* Mon Apr 22 2024 Jiri Denemark <jdenemar@redhat.com> - 10.0.0-7
- qemu: virtiofs: do not crash if cgroups are missing
- qemu: virtiofs: set correct label when creating the socket
- qemu: virtiofs: error out if getting the group or user name fails
- Fix off-by-one error in udevListInterfacesByStatus (CVE-2024-1441)
- remote: check for negative array lengths before allocation (CVE-2024-2494)
- qemu: Fix migration with custom XML (RHEL-30622)
* Tue Mar 19 2024 Jiri Denemark <jdenemar@redhat.com> - 10.0.0-5
- cpu: x86: Add support for adding features to existing CPU models (RHEL-25995)
- qemu: domain: Check arch in qemuDomainMakeCPUMigratable (RHEL-25995)