From adeaf839fd19a44adfb0e12eca2deceabc53ea55 Mon Sep 17 00:00:00 2001 
From: Cole Robinson Date: Mon, 23 Sep 2013 14:35:01 -0400 Subject: [PATCH] Sync with v1.1.2-maint Rebuild for libswan soname bump (bz #1009701) CVE-2013-4311: Insecure polkit usage (bz #1009539, bz #1005332) CVE-2013-4296: Invalid free memory stats (bz #1006173, bz #1009667) CVE-2013-4297: Invalid free in NBDDeviceAssociate (bz #1006505, bz #1006511) Fix virsh block-commit abort (bz #1010056) --- ...t-QEMU_AUDIO_DRV-none-with-nographic.patch | 7 +- ...default-memballoon-in-PostParse-call.patch | 8 +- ...add-default-memballoon-device-on-ARM.patch | 7 +- ...emu-Fix-specifying-char-devs-for-ARM.patch | 7 +- ...ry-to-allocate-PCI-addresses-for-ARM.patch | 7 +- ...-Add-disk-bus-sd-wire-it-up-for-qemu.patch | 7 +- 0007-qemu-Fix-networking-for-ARM-guests.patch | 7 +- ...tio-mmio-transport-for-virtio-on-ARM.patch | 7 +- ...Associate-Avoid-use-of-uninitialized.patch | 26 ++ 0102-Fix-AM_LDFLAGS-typo.patch | 23 ++ ...ass-AM_LDFLAGS-to-driver-modules-too.patch | 88 +++++ ...d-with-latest-rawhide-kernel-headers.patch | 125 +++++++ ...-user-group-ID-values-in-virIdentity.patch | 154 +++++++++ ...identity-includes-process-start-time.patch | 68 ++++ ...using-3-arg-pkcheck-syntax-for-proce.patch | 178 ++++++++++ ...oteDispatchDomainMemoryStats-CVE-201.patch | 38 +++ ...ng-async-option-in-opts_block_commit.patch | 59 ++++ ...tity-code-which-is-pre-requisite-for.patch | 38 +++ ...-virNetSocketNewConnectSockFD-method.patch | 69 ++++ ...r-virNetServerClient-object-identity.patch | 305 ++++++++++++++++++ libvirt.spec | 42 ++- 21 files changed, 1228 insertions(+), 42 deletions(-) create mode 100644 0101-virFileNBDDeviceAssociate-Avoid-use-of-uninitialized.patch create mode 100644 0102-Fix-AM_LDFLAGS-typo.patch create mode 100644 0103-Pass-AM_LDFLAGS-to-driver-modules-too.patch create mode 100644 0104-build-fix-build-with-latest-rawhide-kernel-headers.patch create mode 100644 0105-Also-store-user-group-ID-values-in-virIdentity.patch create mode 100644 
0106-Ensure-system-identity-includes-process-start-time.patch create mode 100644 0107-Add-support-for-using-3-arg-pkcheck-syntax-for-proce.patch create mode 100644 0108-Fix-crash-in-remoteDispatchDomainMemoryStats-CVE-201.patch create mode 100644 0109-virsh-add-missing-async-option-in-opts_block_commit.patch create mode 100644 0110-Fix-typo-in-identity-code-which-is-pre-requisite-for.patch create mode 100644 0111-Add-a-virNetSocketNewConnectSockFD-method.patch create mode 100644 0112-Add-test-case-for-virNetServerClient-object-identity.patch diff --git a/0001-qemu-Set-QEMU_AUDIO_DRV-none-with-nographic.patch b/0001-qemu-Set-QEMU_AUDIO_DRV-none-with-nographic.patch index 68c4968..496ff08 100644 --- a/0001-qemu-Set-QEMU_AUDIO_DRV-none-with-nographic.patch +++ b/0001-qemu-Set-QEMU_AUDIO_DRV-none-with-nographic.patch @@ -1,7 +1,7 @@ -From cc80f2dc06d46cb32a5cd6d12c6c47ddf64e72b6 Mon Sep 17 00:00:00 2001 +From 0f30e63c7d763278204f99e10ba47b08457f1d41 Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Mon, 2 Sep 2013 11:23:59 +0100 -Subject: [PATCH 1/8] qemu: Set QEMU_AUDIO_DRV=none with -nographic +Subject: [PATCH] qemu: Set QEMU_AUDIO_DRV=none with -nographic On my machine, a guest fails to boot if it has a sound card, but not graphical device/display is configured, because pulseaudio fails to @@ -3568,6 +3568,3 @@ index 29cf9c3..26038a0 100644 /usr/bin/qemu -S -M pc -m 214 -smp 1 -nographic -monitor \ unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -usb -hda \ /dev/HostVG/QEMUGuest1 -net none -serial none -parallel none --- -1.8.3.1 - diff --git a/0002-domain_conf-Add-default-memballoon-in-PostParse-call.patch b/0002-domain_conf-Add-default-memballoon-in-PostParse-call.patch index 8d5a98c..941ae8f 100644 --- a/0002-domain_conf-Add-default-memballoon-in-PostParse-call.patch +++ b/0002-domain_conf-Add-default-memballoon-in-PostParse-call.patch 
@@ -1,8 +1,7 @@ -From 79c38961565eb2d352f101cbd6806314894614cb Mon Sep 17 00:00:00 2001 +From 1bab38008dbfb16329e73b419fd9871e6f15990c Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Fri, 30 Aug 2013 12:41:30 -0400 -Subject: [PATCH 2/8] domain_conf: Add default memballoon in PostParse - callbacks +Subject: [PATCH] domain_conf: Add default memballoon in PostParse callbacks This should be a no-op change for now. --- @@ -76,6 +75,3 @@ index cb64de6..6cb4f4f 100644 return 0; } --- -1.8.3.1 - diff --git a/0003-qemu-Don-t-add-default-memballoon-device-on-ARM.patch b/0003-qemu-Don-t-add-default-memballoon-device-on-ARM.patch index f41c9ee..b20b418 100644 --- a/0003-qemu-Don-t-add-default-memballoon-device-on-ARM.patch +++ b/0003-qemu-Don-t-add-default-memballoon-device-on-ARM.patch @@ -1,7 +1,7 @@ -From 5ed47b89c6cb59c9ec5169bcc99a67e9a75fb2af Mon Sep 17 00:00:00 2001 +From d85bc1315cc00800ed6d4a1baeda9a91c34e52c4 Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Fri, 30 Aug 2013 12:41:31 -0400 -Subject: [PATCH 3/8] qemu: Don't add default memballoon device on ARM +Subject: [PATCH] qemu: Don't add default memballoon device on ARM And add test cases for a basic working ARM guest. --- @@ -189,6 +189,3 @@ index fac83b2..92433ef 100644 if (virTestGetDebug()) { char *caps_str; --- -1.8.3.1 - diff --git a/0004-qemu-Fix-specifying-char-devs-for-ARM.patch b/0004-qemu-Fix-specifying-char-devs-for-ARM.patch index cd9c4e9..a7660d8 100644 --- a/0004-qemu-Fix-specifying-char-devs-for-ARM.patch +++ b/0004-qemu-Fix-specifying-char-devs-for-ARM.patch @@ -1,7 +1,7 @@ -From 20f2f4c07d8e8d4373094473114ae16909fe4005 Mon Sep 17 00:00:00 2001 +From c72361536b151a2b9bd839bd528671bafbd5dee2 Mon Sep 17 00:00:00 2001 
From: Cole Robinson Date: Fri, 30 Aug 2013 12:41:32 -0400 -Subject: [PATCH 4/8] qemu: Fix specifying char devs for ARM +Subject: [PATCH] qemu: Fix specifying char devs for ARM QEMU ARM boards don't give us any way to explicitly wire in a -chardev, so use the old style -serial options. @@ -154,6 +154,3 @@ index dfe8142..abe0060 100644 if ((logfd = qemuDomainOpenLog(driver, vm, pos)) < 0) return -1; --- -1.8.3.1 - diff --git a/0005-qemu-Don-t-try-to-allocate-PCI-addresses-for-ARM.patch b/0005-qemu-Don-t-try-to-allocate-PCI-addresses-for-ARM.patch index 69ab3fa..e90071f 100644 --- a/0005-qemu-Don-t-try-to-allocate-PCI-addresses-for-ARM.patch +++ b/0005-qemu-Don-t-try-to-allocate-PCI-addresses-for-ARM.patch @@ -1,7 +1,7 @@ -From 5772cbdfb807842685d05665f285745ca79acc89 Mon Sep 17 00:00:00 2001 +From c8e47add2fe77905523f6112ceb6b844337f6d3f Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Fri, 30 Aug 2013 12:41:33 -0400 -Subject: [PATCH 5/8] qemu: Don't try to allocate PCI addresses for ARM +Subject: [PATCH] qemu: Don't try to allocate PCI addresses for ARM --- src/qemu/qemu_command.c | 16 ++++++++++++++-- @@ -41,6 +41,3 @@ index a8e532c..87345c7 100644 } if (obj && obj->privateData) { --- -1.8.3.1 - diff --git a/0006-domain_conf-Add-disk-bus-sd-wire-it-up-for-qemu.patch b/0006-domain_conf-Add-disk-bus-sd-wire-it-up-for-qemu.patch index 9a1703a..e5ba752 100644 --- a/0006-domain_conf-Add-disk-bus-sd-wire-it-up-for-qemu.patch +++ b/0006-domain_conf-Add-disk-bus-sd-wire-it-up-for-qemu.patch @@ -1,7 +1,7 @@ -From 019eccdb20e824aabb12da3699664ba2625ef4b4 Mon Sep 17 00:00:00 2001 +From e534a73a71655d45a0b0af98b4b9b9176d701fb3 Mon Sep 17 00:00:00 2001 
From: Cole Robinson Date: Fri, 30 Aug 2013 12:41:34 -0400 -Subject: [PATCH 6/8] domain_conf: Add disk bus=sd, wire it up for qemu +Subject: [PATCH] domain_conf: Add disk bus=sd, wire it up for qemu This corresponds to '-sd' and '-drive if=sd' on the qemu command line. Needed for many ARM boards which don't provide any other way to @@ -144,6 +144,3 @@ index 87345c7..6733709 100644 ignore_value(VIR_STRDUP(def->dst, "sda")); } else if (def->bus == VIR_DOMAIN_DISK_BUS_VIRTIO) { ignore_value(VIR_STRDUP(def->dst, "vda")); --- -1.8.3.1 - diff --git a/0007-qemu-Fix-networking-for-ARM-guests.patch b/0007-qemu-Fix-networking-for-ARM-guests.patch index 197ea92..cc9b8af 100644 --- a/0007-qemu-Fix-networking-for-ARM-guests.patch +++ b/0007-qemu-Fix-networking-for-ARM-guests.patch @@ -1,7 +1,7 @@ -From 7a73b81f1021c76d02fe54f927cd033fe949590f Mon Sep 17 00:00:00 2001 +From b09ab6961b8dd60691839f0b1a5f259925819425 Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Fri, 30 Aug 2013 12:41:35 -0400 -Subject: [PATCH 7/8] qemu: Fix networking for ARM guests +Subject: [PATCH] qemu: Fix networking for ARM guests Similar to the chardev bit, ARM boards depend on the old style '-net nic' for actually instantiating net devices. But we can't block out @@ -204,6 +204,3 @@ index cb6106f..6ecabbf 100644 virObjectUnref(driver.config); virObjectUnref(driver.caps); --- -1.8.3.1 - diff --git a/0008-qemu-Support-virtio-mmio-transport-for-virtio-on-ARM.patch b/0008-qemu-Support-virtio-mmio-transport-for-virtio-on-ARM.patch index d113b25..f60a794 100644 --- a/0008-qemu-Support-virtio-mmio-transport-for-virtio-on-ARM.patch +++ b/0008-qemu-Support-virtio-mmio-transport-for-virtio-on-ARM.patch @@ -1,7 +1,7 @@ -From 1ec41110747764f89f522e9e010326944da8d96d Mon Sep 17 00:00:00 2001 +From cddd76962c2a0fcbb8c80240d234b7d0d657324d Mon Sep 17 00:00:00 2001 
From: Cole Robinson Date: Fri, 30 Aug 2013 12:41:36 -0400 -Subject: [PATCH 8/8] qemu: Support virtio-mmio transport for virtio on ARM +Subject: [PATCH] qemu: Support virtio-mmio transport for virtio on ARM Starting with qemu 1.6, the qemu-system-arm vexpress-a9 model has a hardcoded virtio-mmio transport which enables attaching all virtio @@ -446,6 +446,3 @@ index 6ecabbf..ae8cc3b 100644 virObjectUnref(driver.config); virObjectUnref(driver.caps); --- -1.8.3.1 -
diff --git a/0101-virFileNBDDeviceAssociate-Avoid-use-of-uninitialized.patch b/0101-virFileNBDDeviceAssociate-Avoid-use-of-uninitialized.patch
new file mode 100644
index 0000000..5e8edf9
--- /dev/null
+++ b/0101-virFileNBDDeviceAssociate-Avoid-use-of-uninitialized.patch
@@ -0,0 +1,26 @@
+From 580025d7a58ee4c07312d33aa78186dbe7e0d9ee Mon Sep 17 00:00:00 2001
+From: Michal Privoznik
+Date: Tue, 3 Sep 2013 18:56:06 +0200
+Subject: [PATCH] virFileNBDDeviceAssociate: Avoid use of uninitialized
+ variable
+
+The @qemunbd variable can be used uninitialized.
+
+(cherry picked from commit 2dba0323ff0cec31bdcea9dd3b2428af297401f2)
+---
+ src/util/virfile.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/util/virfile.c b/src/util/virfile.c
+index 2b07ac9..7af0843 100644
+--- a/src/util/virfile.c
++++ b/src/util/virfile.c
+@@ -732,7 +732,7 @@ int virFileNBDDeviceAssociate(const char *file,
+ char **dev)
+ {
+ char *nbddev;
+- char *qemunbd;
++ char *qemunbd = NULL;
+ virCommandPtr cmd = NULL;
+ int ret = -1;
+ const char *fmtstr = NULL;
diff --git a/0102-Fix-AM_LDFLAGS-typo.patch b/0102-Fix-AM_LDFLAGS-typo.patch
new file mode 100644
index 0000000..5bc3be1
--- /dev/null
+++ b/0102-Fix-AM_LDFLAGS-typo.patch
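Review bot: In the virFileNBDDeviceAssociate declarations, `nbddev` is still declared without an initializer, while `qemunbd`, `cmd` and `fmtstr` now all start at NULL. The function body and its cleanup path are outside the hunk, so whether `nbddev` can reach a free before being assigned is not visible here. If cleanup releases both strings, `char *nbddev = NULL;` would make the block uniformly safe against the same invalid free. The packaging commit lists CVE-2013-4297 as an invalid free in NBDDeviceAssociate, which this patch's one-line description does not mention.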
@@ -0,0 +1,23 @@
+From a0ed55a9ab7c90723490363febabd27fa59877c8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?=
+Date: Sun, 1 Sep 2013 09:53:03 +0200
+Subject: [PATCH] Fix AM_LDFLAGS typo (cherry picked from commit
+ fe502de3bcdd76a0d256206111945ca7e4f4388a)
+
+---
+ src/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 636bcbc..19dfb81 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -1455,7 +1455,7 @@ libvirt_driver_nwfilter_la_CFLAGS = \
+ -I$(top_srcdir)/src/access \
+ -I$(top_srcdir)/src/conf \
+ $(AM_CFLAGS)
+-libvirt_driver_nwfilter_la_LDFLAGS = $(LD_AMFLAGS)
++libvirt_driver_nwfilter_la_LDFLAGS = $(AM_LDFLAGS)
+ libvirt_driver_nwfilter_la_LIBADD = $(LIBPCAP_LIBS) $(LIBNL_LIBS) $(DBUS_LIBS)
+ if WITH_DRIVER_MODULES
+ libvirt_driver_nwfilter_la_LIBADD += ../gnulib/lib/libgnu.la
diff --git a/0103-Pass-AM_LDFLAGS-to-driver-modules-too.patch b/0103-Pass-AM_LDFLAGS-to-driver-modules-too.patch
new file mode 100644
index 0000000..c014fe2
--- /dev/null
+++ b/0103-Pass-AM_LDFLAGS-to-driver-modules-too.patch
@@ -0,0 +1,88 @@
+From bd4e7f927fcc2edcba29e441973389ad845d648c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?=
+Date: Sun, 1 Sep 2013 08:50:58 +0200
+Subject: [PATCH] Pass AM_LDFLAGS to driver modules too
+
+This gives us a RO got, otherwise Debian's lintian complains:
+
+W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so
+W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_storage.so
+W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_uml.so
+W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_vbox.so
+W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_xen.so
+W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_nwfilter.so
+W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_storage.so
+W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_uml.so
+W: libvirt-sanlock: hardening-no-relro usr/lib/libvirt/lock-driver/sanlock.so
+(cherry picked from commit f1f0e53b0814aab3c093f1219da95c0f836cdf4a)
+---
+ src/Makefile.am | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 19dfb81..097682c 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -1000,7 +1000,7 @@ libvirt_driver_xen_la_LIBADD = libvirt_driver_xen_impl.la
+ if WITH_DRIVER_MODULES
+ mod_LTLIBRARIES += libvirt_driver_xen.la
+ libvirt_driver_xen_la_LIBADD += ../gnulib/lib/libgnu.la
+-libvirt_driver_xen_la_LDFLAGS = -module -avoid-version
++libvirt_driver_xen_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)
+ else
+ noinst_LTLIBRARIES += libvirt_driver_xen.la
+ # Stateful, so linked to daemon instead
+@@ -1050,7 +1050,7 @@ libvirt_driver_vbox_la_LIBADD = libvirt_driver_vbox_impl.la
+ if WITH_DRIVER_MODULES
+ mod_LTLIBRARIES += libvirt_driver_vbox.la
+ libvirt_driver_vbox_la_LIBADD += ../gnulib/lib/libgnu.la
+-libvirt_driver_vbox_la_LDFLAGS = -module -avoid-version
++libvirt_driver_vbox_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)
+ else
+ noinst_LTLIBRARIES += libvirt_driver_vbox.la
+ # GPLv2-only license requries that it be linked into
+@@ -1083,7 +1083,7 @@ libvirt_driver_libxl_la_LIBADD = libvirt_driver_libxl_impl.la
+ if WITH_DRIVER_MODULES
+ mod_LTLIBRARIES += libvirt_driver_libxl.la
+ libvirt_driver_libxl_la_LIBADD += ../gnulib/lib/libgnu.la
+-libvirt_driver_libxl_la_LDFLAGS = -module -avoid-version
++libvirt_driver_libxl_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)
+ else
+ noinst_LTLIBRARIES += libvirt_driver_libxl.la
+ # Stateful, so linked to daemon instead
+@@ -1108,7 +1108,7 @@ libvirt_driver_qemu_la_LIBADD = libvirt_driver_qemu_impl.la
+ if WITH_DRIVER_MODULES
+ mod_LTLIBRARIES += libvirt_driver_qemu.la
+ libvirt_driver_qemu_la_LIBADD += ../gnulib/lib/libgnu.la
+-libvirt_driver_qemu_la_LDFLAGS = -module -avoid-version
++libvirt_driver_qemu_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)
+ else
+ noinst_LTLIBRARIES += libvirt_driver_qemu.la
+ # Stateful, so linked to daemon instead
+@@ -1184,7 +1184,7 @@ libvirt_driver_uml_la_LIBADD = libvirt_driver_uml_impl.la
+ if WITH_DRIVER_MODULES
+ mod_LTLIBRARIES += libvirt_driver_uml.la
+ libvirt_driver_uml_la_LIBADD += ../gnulib/lib/libgnu.la
+-libvirt_driver_uml_la_LDFLAGS = -module -avoid-version
++libvirt_driver_uml_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)
+ else
+ noinst_LTLIBRARIES += libvirt_driver_uml.la
+ # Stateful, so linked to daemon instead
+@@ -1361,7 +1361,7 @@ libvirt_driver_storage_la_LIBADD = libvirt_driver_storage_impl.la
+ if WITH_DRIVER_MODULES
+ mod_LTLIBRARIES += libvirt_driver_storage.la
+ libvirt_driver_storage_la_LIBADD += ../gnulib/lib/libgnu.la
+-libvirt_driver_storage_la_LDFLAGS = -module -avoid-version
++libvirt_driver_storage_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)
+ else
+ noinst_LTLIBRARIES += libvirt_driver_storage.la
+ # Stateful, so linked to daemon instead
+@@ -2114,7 +2114,7 @@ if WITH_SANLOCK
+ lockdriver_LTLIBRARIES += sanlock.la
+ sanlock_la_SOURCES = $(LOCK_DRIVER_SANLOCK_SOURCES)
+ sanlock_la_CFLAGS = -I$(top_srcdir)/src/conf $(AM_CFLAGS)
+-sanlock_la_LDFLAGS = -module -avoid-version
++sanlock_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)
+ sanlock_la_LIBADD = -lsanlock_client \
+ ../gnulib/lib/libgnu.la
+
diff --git a/0104-build-fix-build-with-latest-rawhide-kernel-headers.patch b/0104-build-fix-build-with-latest-rawhide-kernel-headers.patch
new file mode 100644
index 0000000..3ebb3c7
--- /dev/null
+++ b/0104-build-fix-build-with-latest-rawhide-kernel-headers.patch
@@ -0,0 +1,125 @@
+From bcba68498f698dedfdc83687c72e0e6dd7dc0e96 Mon Sep 17 00:00:00 2001
+From: Eric Blake
+Date: Fri, 13 Sep 2013 10:11:26 -0600
+Subject: [PATCH] build: fix build with latest rawhide kernel headers
+
+Bother those kernel developers. In the latest rawhide, kernel
+and glibc have now been unified so that and
+ no longer clash; but is still
+not self-contained. Because of the latest header change, the
+build is failing with:
+
+checking for linux/param.h... no
+configure: error: You must install kernel-headers in order to compile libvirt with QEMU or LXC support
+
+with details:
+
+In file included from conftest.c:561:0:
+/usr/include/linux/in6.h:71:18: error: field 'flr_dst' has incomplete type
+ struct in6_addr flr_dst;
+
+We need a workaround to avoid our workaround :)
+
+* configure.ac (NETINET_LINUX_WORKAROUND): New test.
+* src/util/virnetdevbridge.c (includes): Use it.
+
+Signed-off-by: Eric Blake
+(cherry picked from commit e62e0094dcd0ca1484491a9cc62919473b647f11)
+---
+ configure.ac | 39 +++++++++++++++++++++++++++++----------
+ src/util/virnetdevbridge.c | 24 ++++++++++++++----------
+ 2 files changed, 43 insertions(+), 20 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index f853e03..1956717 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1003,18 +1003,37 @@ dnl check for kernel headers required by src/bridge.c
+ dnl
+ if test "$with_linux" = "yes"; then
+ if test "$with_qemu" = "yes" || test "$with_lxc" = "yes" ; then
++ # Various kernel versions have headers that are not self-standing, but
++ # yet are incompatible with the corresponding glibc headers. In order
++ # to guarantee compilation across a wide range of versions (from RHEL 5
++ # to rawhide), we first have to probe whether glibc and kernel can be
++ # used in tandem; and if not, provide workarounds that ensure that
++ # ABI-compatible IPv6 types are present for use by the kernel headers.
++ # These probes mirror the usage in virnetdevbridge.c
++ AC_CACHE_CHECK(
++ [whether and headers are compatible],
++ [lv_cv_netinet_linux_compatible],
++ [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
++ #include
++ #include
++ ]])],
++ [lv_cv_netinet_linux_compatible=yes],
++ [lv_cv_netinet_linux_compatible=no])])
++ if test "x$lv_cv_netinet_linux_compatible" != xyes; then
++ AC_DEFINE([NETINET_LINUX_WORKAROUND], [1],
++ [define to 1 if Linux kernel headers require a workaround to avoid
++ compilation errors when mixed with glibc netinet headers])
++ fi
+ AC_CHECK_HEADERS([linux/param.h linux/sockios.h linux/if_bridge.h linux/if_tun.h],,
+ [AC_MSG_ERROR([You must install kernel-headers in order to compile libvirt with QEMU or LXC support])],
+- [[/* The kernel folks broke their headers when used with particular
+- * glibc versions; although the structs are ABI compatible, the
+- * C type system doesn't like struct redefinitions. We work around
+- * the problem here in the same manner as in virnetdevbridge.c. */
+- #include
+- #define in6_addr in6_addr_
+- #define sockaddr_in6 sockaddr_in6_
+- #define ipv6_mreq ipv6_mreq_
+- #define in6addr_any in6addr_any_
+- #define in6addr_loopback in6addr_loopback_
++ [[#include
++ #if NETINET_LINUX_WORKAROUND
++ # define in6_addr in6_addr_
++ # define sockaddr_in6 sockaddr_in6_
++ # define ipv6_mreq ipv6_mreq_
++ # define in6addr_any in6addr_any_
++ # define in6addr_loopback in6addr_loopback_
++ #endif
+ #include
+ ]])
+ fi
+diff --git a/src/util/virnetdevbridge.c b/src/util/virnetdevbridge.c
+index e4daa27..1a3740a 100644
+--- a/src/util/virnetdevbridge.c
++++ b/src/util/virnetdevbridge.c
+@@ -39,22 +39,26 @@
+ #ifdef __linux__
+ # include
+ # include /* HZ */
++# if NETINET_LINUX_WORKAROUND
+ /* Depending on the version of kernel vs. glibc, there may be a collision
+ * between and kernel IPv6 structures. The different types
+ * are ABI compatible, but choke the C type system; work around it by
+ * using temporary redefinitions. */
+-# define in6_addr in6_addr_
+-# define sockaddr_in6 sockaddr_in6_
+-# define ipv6_mreq ipv6_mreq_
+-# define in6addr_any in6addr_any_
+-# define in6addr_loopback in6addr_loopback_
++# define in6_addr in6_addr_
++# define sockaddr_in6 sockaddr_in6_
++# define ipv6_mreq ipv6_mreq_
++# define in6addr_any in6addr_any_
++# define in6addr_loopback in6addr_loopback_
++# endif
+ # include
+ # include /* SYSFS_BRIDGE_ATTR */
+-# undef in6_addr
+-# undef sockaddr_in6
+-# undef ipv6_mreq
+-# undef in6addr_any
+-# undef in6addr_loopback
++# if NETINET_LINUX_WORKAROUND
++# undef in6_addr
++# undef sockaddr_in6
++# undef ipv6_mreq
++# undef in6addr_any
++# undef in6addr_loopback
++# endif
+
+ # define JIFFIES_TO_MS(j) (((j)*1000)/HZ)
+ # define MS_TO_JIFFIES(ms) (((ms)*HZ)/1000)
diff --git a/0105-Also-store-user-group-ID-values-in-virIdentity.patch b/0105-Also-store-user-group-ID-values-in-virIdentity.patch
new file mode 100644
index 0000000..464648d
--- /dev/null
+++ b/0105-Also-store-user-group-ID-values-in-virIdentity.patch
@@ -0,0 +1,154 @@
+From 2fb7c4d202da975a1498fd205cc3e1bc49595d3c Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange"
+Date: Thu, 22 Aug 2013 16:00:01 +0100
+Subject: [PATCH] Also store user & group ID values in virIdentity
+
+Future improvements to the polkit code will require access to
+the numeric user ID, not merely user name.
+
+Signed-off-by: Daniel P. Berrange
+(cherry picked from commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176)
+---
+ src/rpc/virnetserverclient.c | 18 ++++++++++++++++++
+ src/util/viridentity.c | 23 +++++++++++++++++++----
+ src/util/viridentity.h | 2 ++
+ 3 files changed, 39 insertions(+), 4 deletions(-)
+
+diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c
+index 83d5cf1..19c4100 100644
+--- a/src/rpc/virnetserverclient.c
++++ b/src/rpc/virnetserverclient.c
+@@ -652,7 +652,9 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client)
+ char *processid = NULL;
+ char *processtime = NULL;
+ char *username = NULL;
++ char *userid = NULL;
+ char *groupname = NULL;
++ char *groupid = NULL;
+ #if WITH_SASL
+ char *saslname = NULL;
+ #endif
+@@ -672,8 +674,12 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client)
+
+ if (!(username = virGetUserName(uid)))
+ goto cleanup;
++ if (virAsprintf(&userid, "%d", (int)uid) < 0)
++ goto cleanup;
+ if (!(groupname = virGetGroupName(gid)))
+ goto cleanup;
++ if (virAsprintf(&userid, "%d", (int)gid) < 0)
++ goto cleanup;
+ if (virAsprintf(&processid, "%llu",
+ (unsigned long long)pid) < 0)
+ goto cleanup;
+@@ -710,11 +716,21 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client)
+ VIR_IDENTITY_ATTR_UNIX_USER_NAME,
+ username) < 0)
+ goto error;
++ if (userid &&
++ virIdentitySetAttr(ret,
++ VIR_IDENTITY_ATTR_UNIX_USER_ID,
++ userid) < 0)
++ goto error;
+ if (groupname &&
+ virIdentitySetAttr(ret,
+ VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
+ groupname) < 0)
+ goto error;
++ if (groupid &&
++ virIdentitySetAttr(ret,
++ VIR_IDENTITY_ATTR_UNIX_GROUP_ID,
++ groupid) < 0)
++ goto error;
+ if (processid &&
+ virIdentitySetAttr(ret,
+ VIR_IDENTITY_ATTR_UNIX_PROCESS_ID,
+@@ -745,7 +761,9 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client)
+
+ cleanup:
+ VIR_FREE(username);
++ VIR_FREE(userid);
+ VIR_FREE(groupname);
++ VIR_FREE(groupid);
+ VIR_FREE(processid);
+ VIR_FREE(processtime);
+ VIR_FREE(seccontext);
+diff --git a/src/util/viridentity.c b/src/util/viridentity.c
+index 781f660..03c375b 100644
+--- a/src/util/viridentity.c
++++ b/src/util/viridentity.c
+@@ -133,7 +133,9 @@ int virIdentitySetCurrent(virIdentityPtr ident)
+ virIdentityPtr virIdentityGetSystem(void)
+ {
+ char *username = NULL;
++ char *userid = NULL;
+ char *groupname = NULL;
++ char *groupid = NULL;
+ char *seccontext = NULL;
+ virIdentityPtr ret = NULL;
+ #if WITH_SELINUX
+@@ -147,8 +149,13 @@ virIdentityPtr virIdentityGetSystem(void)
+
+ if (!(username = virGetUserName(getuid())))
+ goto cleanup;
++ if (virAsprintf(&userid, "%d", (int)getuid()) < 0)
++ goto cleanup;
++
+ if (!(groupname = virGetGroupName(getgid())))
+ goto cleanup;
++ if (virAsprintf(&groupid, "%d", (int)getgid()) < 0)
++ goto cleanup;
+
+ #if WITH_SELINUX
+ if (getcon(&con) < 0) {
+@@ -166,16 +173,22 @@ virIdentityPtr virIdentityGetSystem(void)
+ if (!(ret = virIdentityNew()))
+ goto cleanup;
+
+- if (username &&
+- virIdentitySetAttr(ret,
++ if (virIdentitySetAttr(ret,
+ VIR_IDENTITY_ATTR_UNIX_USER_NAME,
+ username) < 0)
+ goto error;
+- if (groupname &&
+- virIdentitySetAttr(ret,
++ if (virIdentitySetAttr(ret,
++ VIR_IDENTITY_ATTR_UNIX_USER_ID,
++ userid) < 0)
++ goto error;
++ if (virIdentitySetAttr(ret,
+ VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
+ groupname) < 0)
+ goto error;
++ if (virIdentitySetAttr(ret,
++ VIR_IDENTITY_ATTR_UNIX_GROUP_ID,
++ groupid) < 0)
++ goto error;
+ if (seccontext &&
+ virIdentitySetAttr(ret,
+ VIR_IDENTITY_ATTR_SELINUX_CONTEXT,
+@@ -188,7 +201,9 @@ virIdentityPtr virIdentityGetSystem(void)
+
+ cleanup:
+ VIR_FREE(username);
++ VIR_FREE(userid);
+ VIR_FREE(groupname);
++ VIR_FREE(groupid);
+ VIR_FREE(seccontext);
+ VIR_FREE(processid);
+ return ret;
+diff --git a/src/util/viridentity.h b/src/util/viridentity.h
+index 4bae8d6..a240c2d 100644
+--- a/src/util/viridentity.h
++++ b/src/util/viridentity.h
+@@ -29,7 +29,9 @@ typedef virIdentity *virIdentityPtr;
+
+ typedef enum {
+ VIR_IDENTITY_ATTR_UNIX_USER_NAME,
++ VIR_IDENTITY_ATTR_UNIX_USER_ID,
+ VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
++ VIR_IDENTITY_ATTR_UNIX_GROUP_ID,
+ VIR_IDENTITY_ATTR_UNIX_PROCESS_ID,
+ VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME,
+ VIR_IDENTITY_ATTR_SASL_USER_NAME,
diff --git a/0106-Ensure-system-identity-includes-process-start-time.patch b/0106-Ensure-system-identity-includes-process-start-time.patch
new file mode 100644
index 0000000..522c422
--- /dev/null
+++ b/0106-Ensure-system-identity-includes-process-start-time.patch
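Review bot: In the `@@ -672,8 +674,12 @@` hunk of virNetServerClientCreateIdentity, the second added call formats `gid` into `userid` rather than `groupid`: `if (virAsprintf(&userid, "%d", (int)gid) < 0)`. As written, the uid string allocated two lines earlier is leaked, `VIR_IDENTITY_ATTR_UNIX_USER_ID` is later set from a string holding the group ID, and `groupid` stays NULL so `VIR_IDENTITY_ATTR_UNIX_GROUP_ID` is never set. That matters because the description says the polkit code will rely on the numeric user ID. The line should read `if (virAsprintf(&groupid, "%d", (int)gid) < 0)`. The commit's file list carries 0110-Fix-typo-in-identity-code-which-is-pre-requisite-for.patch, which by its title may be this correction but is not visible here, so the two patches should be kept together in any backport.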
@@ -0,0 +1,68 @@
+From fe544fd4c18d6982e652a1d5cd016816c609b72c Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange"
+Date: Wed, 28 Aug 2013 15:22:05 +0100
+Subject: [PATCH] Ensure system identity includes process start time
+
+The polkit access driver will want to use the process start
+time field. This was already set for network identities, but
+not for the system identity.
+
+Signed-off-by: Daniel P. Berrange
+(cherry picked from commit e65667c0c6e016d42abea077e31628ae43f57b74)
+---
+ src/util/viridentity.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/util/viridentity.c b/src/util/viridentity.c
+index 03c375b..f681f85 100644
+--- a/src/util/viridentity.c
++++ b/src/util/viridentity.c
+@@ -35,6 +35,7 @@
+ #include "virthread.h"
+ #include "virutil.h"
+ #include "virstring.h"
++#include "virprocess.h"
+
+ #define VIR_FROM_THIS VIR_FROM_IDENTITY
+
+@@ -142,11 +143,20 @@ virIdentityPtr virIdentityGetSystem(void)
+ security_context_t con;
+ #endif
+ char *processid = NULL;
++ unsigned long long timestamp;
++ char *processtime = NULL;
+
+ if (virAsprintf(&processid, "%llu",
+ (unsigned long long)getpid()) < 0)
+ goto cleanup;
+
++ if (virProcessGetStartTime(getpid(), ×tamp) < 0)
++ goto cleanup;
++
++ if (timestamp != 0 &&
++ virAsprintf(&processtime, "%llu", timestamp) < 0)
++ goto cleanup;
++
+ if (!(username = virGetUserName(getuid())))
+ goto cleanup;
+ if (virAsprintf(&userid, "%d", (int)getuid()) < 0)
+@@ -198,6 +208,11 @@ virIdentityPtr virIdentityGetSystem(void)
+ VIR_IDENTITY_ATTR_UNIX_PROCESS_ID,
+ processid) < 0)
+ goto error;
++ if (processtime &&
++ virIdentitySetAttr(ret,
++ VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME,
++ processtime) < 0)
++ goto error;
+
+ cleanup:
+ VIR_FREE(username);
+@@ -206,6 +221,7 @@ cleanup:
+ VIR_FREE(groupid);
+ VIR_FREE(seccontext);
+ VIR_FREE(processid);
++ VIR_FREE(processtime);
+ return ret;
+
+ error:
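Review bot: In virIdentityGetSystem the new `timestamp != 0 &&` guard means a zero start time leaves `processtime` NULL and `VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME` silently unset, with no comment saying when zero is expected. Since the description says the polkit access driver will consume this field, a short comment at the guard would help, for example `/* a start time of 0 is not recorded; consumers must handle a missing PROCESS_TIME attribute */`. What virProcessGetStartTime reports on platforms without start-time support is not visible in this hunk, so the wording should be confirmed against that helper.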
diff --git a/0107-Add-support-for-using-3-arg-pkcheck-syntax-for-proce.patch b/0107-Add-support-for-using-3-arg-pkcheck-syntax-for-proce.patch
new file mode 100644
index 0000000..4fd9327
--- /dev/null
+++ b/0107-Add-support-for-using-3-arg-pkcheck-syntax-for-proce.patch
@@ -0,0 +1,178 @@
+From dcba8ce65b0ee9f18dca6ac4bdbb57f5cbcc75c6 Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange"
+Date: Wed, 28 Aug 2013 15:25:40 +0100
+Subject: [PATCH] Add support for using 3-arg pkcheck syntax for process
+ (CVE-2013-4311)
+
+With the existing pkcheck (pid, start time) tuple for identifying
+the process, there is a race condition, where a process can make
+a libvirt RPC call and in another thread exec a setuid application,
+causing it to change to effective UID 0. This in turn causes polkit
+to do its permission check based on the wrong UID.
+
+To address this, libvirt must get the UID the caller had at time
+of connect() (from SO_PEERCRED) and pass a (pid, start time, uid)
+triple to the pkcheck program.
+
+This fix requires that libvirt is re-built against a version of
+polkit that has the fix for its CVE-2013-4288, so that libvirt
+can see 'pkg-config --variable pkcheck_supports_uid polkit-gobject-1'
+
+Signed-off-by: Colin Walters
+Signed-off-by: Daniel P. Berrange
+(cherry picked from commit 922b7fda77b094dbf022d625238262ea05335666)
+---
+ configure.ac | 8 ++++++++
+ daemon/remote.c | 22 ++++++++++++++++++---
+ libvirt.spec.in | 3 +--
+ src/access/viraccessdriverpolkit.c | 40 +++++++++++++++++++++++++++++++++-----
+ 4 files changed, 63 insertions(+), 10 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 1956717..8baf6fa 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1203,6 +1203,14 @@ if test "x$with_polkit" = "xyes" || test "x$with_polkit" = "xcheck"; then
+ AC_PATH_PROG([PKCHECK_PATH],[pkcheck], [], [/usr/sbin:$PATH])
+ if test "x$PKCHECK_PATH" != "x" ; then
+ AC_DEFINE_UNQUOTED([PKCHECK_PATH],["$PKCHECK_PATH"],[Location of pkcheck program])
++ AC_MSG_CHECKING([whether pkcheck supports uid value])
++ pkcheck_supports_uid=`$PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1`
++ if test "x$pkcheck_supports_uid" = "xtrue"; then
++ AC_MSG_RESULT([yes])
++ AC_DEFINE_UNQUOTED([PKCHECK_SUPPORTS_UID], 1, [Pass uid to pkcheck])
++ else
++ AC_MSG_RESULT([no])
++ fi
+ AC_DEFINE_UNQUOTED([WITH_POLKIT], 1,
+ [use PolicyKit for UNIX socket access checks])
+ AC_DEFINE_UNQUOTED([WITH_POLKIT1], 1,
+diff --git a/daemon/remote.c b/daemon/remote.c
+index 6ace7af..b5395dd 100644
+--- a/daemon/remote.c
++++ b/daemon/remote.c
+@@ -2738,10 +2738,12 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED,
+ int status = -1;
+ char *ident = NULL;
+ bool authdismissed = 0;
++ bool supportsuid = false;
+ char *pkout = NULL;
+ struct daemonClientPrivate *priv =
+ virNetServerClientGetPrivateData(client);
+ virCommandPtr cmd = NULL;
++ static bool polkitInsecureWarned;
+
+ virMutexLock(&priv->lock);
+ action = virNetServerClientGetReadonly(client) ?
+@@ -2763,14 +2765,28 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED,
+ goto authfail;
+ }
+
++ if (timestamp == 0) {
++ VIR_WARN("Failing polkit auth due to missing client (pid=%lld) start time",
++ (long long)callerPid);
++ goto authfail;
++ }
++
+ VIR_INFO("Checking PID %lld running as %d",
+ (long long) callerPid, callerUid);
+
+ virCommandAddArg(cmd, "--process");
+- if (timestamp != 0) {
+- virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp);
++# ifdef PKCHECK_SUPPORTS_UID
++ supportsuid = true;
++# endif
++ if (supportsuid) {
++ virCommandAddArgFormat(cmd, "%lld,%llu,%lu",
++ (long long) callerPid, timestamp, (unsigned long) callerUid);
+ } else {
+- virCommandAddArgFormat(cmd, "%lld", (long long) callerPid);
++ if (!polkitInsecureWarned) {
++ VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure.");
++ polkitInsecureWarned = true;
++ }
++ virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp);
+ }
+ virCommandAddArg(cmd, "--allow-user-interaction");
+
+diff --git a/libvirt.spec.in b/libvirt.spec.in
+index e94901a..b9c8c91 100644
+--- a/libvirt.spec.in
++++ b/libvirt.spec.in
+@@ -508,8 +508,7 @@ BuildRequires: cyrus-sasl-devel
+ %endif
+ %if %{with_polkit}
+ %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
+-# Only need the binary, not -devel
+-BuildRequires: polkit >= 0.93
++BuildRequires: polkit-devel >= 0.93
+ %else
+ BuildRequires: PolicyKit-devel >= 0.6
+ %endif
+diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c
+index 4c76e64..bb170b5 100644
+--- a/src/access/viraccessdriverpolkit.c
++++ b/src/access/viraccessdriverpolkit.c
+@@ -72,8 +72,12 @@ static char *
+ virAccessDriverPolkitFormatProcess(const char *actionid)
+ {
+ virIdentityPtr identity = virIdentityGetCurrent();
+- const char *process = NULL;
++ const char *callerPid = NULL;
++ const char *callerTime = NULL;
++ const char *callerUid = NULL;
+ char *ret = NULL;
++ bool supportsuid = false;
++ static bool polkitInsecureWarned;
+
+ if (!identity) {
+ virAccessError(VIR_ERR_ACCESS_DENIED,
+@@ -81,17 +85,43 @@ virAccessDriverPolkitFormatProcess(const char *actionid)
+ actionid);
+ return NULL;
+ }
+- if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &process) < 0)
++ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &callerPid) < 0)
++ goto cleanup;
++ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME, &callerTime) < 0)
++ goto cleanup;
++ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_USER_ID, &callerUid) < 0)
+ goto cleanup;
+
+- if (!process) {
++ if (!callerPid) {
+ virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("No UNIX process ID available"));
+ goto cleanup;
+ }
+-
+- if (VIR_STRDUP(ret, process) < 0)
++ if (!callerTime) {
++ virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
++ _("No UNIX process start time available"));
++ goto cleanup;
++ }
++ if (!callerUid) {
++ virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
++ _("No UNIX caller UID available"));
+ goto cleanup;
++ }
++
++#ifdef PKCHECK_SUPPORTS_UID
++ supportsuid = true;
++#endif
++ if (supportsuid) {
++ if (virAsprintf(&ret, "%s,%s,%s", callerPid, callerTime, callerUid) < 0)
++ goto cleanup;
++ } else {
++ if (!polkitInsecureWarned) {
++ VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure.");
++ polkitInsecureWarned = true;
++ }
++ if (virAsprintf(&ret, "%s,%s", callerPid, callerTime) < 0)
++ goto cleanup;
++ }
+
+ cleanup:
+ virObjectUnref(identity);
diff --git a/0108-Fix-crash-in-remoteDispatchDomainMemoryStats-CVE-201.patch b/0108-Fix-crash-in-remoteDispatchDomainMemoryStats-CVE-201.patch
new file mode 100644
index 0000000..909bfc4
--- /dev/null
+++ b/0108-Fix-crash-in-remoteDispatchDomainMemoryStats-CVE-201.patch
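Review bot: In patch 0107's configure.ac hunk, any pkg-config answer other than `true` only prints `no`, including the case where the polkit-gobject-1 .pc file is missing from the build root. The build then silently produces the two-argument `pid,start-time` form that the commit message itself describes as racy. The only other signal is the log-once VIR_WARN in remoteDispatchAuthPolkit and virAccessDriverPolkitFormatProcess, which a packager never sees at build time. I would surface it in the `else` branch with `AC_MSG_WARN([pkcheck lacks uid support; polkit checks remain exposed to CVE-2013-4311])`, or make it an error when polkit was explicitly requested. The two `static bool polkitInsecureWarned` flags are process-wide while the only lock visible in the hunk is the per-client `priv->lock`; that looks harmless for a log-once flag but deserves a one-line comment.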
@@ -0,0 +1,38 @@
+From 3bee40f9bd3b3c11d782b79eb90f46087d3ab9be Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange"
+Date: Tue, 3 Sep 2013 16:52:06 +0100
+Subject: [PATCH] Fix crash in remoteDispatchDomainMemoryStats (CVE-2013-4296)
+
+The 'stats' variable was not initialized to NULL, so if some
+early validation of the RPC call fails, it is possible to jump
+to the 'cleanup' label and VIR_FREE an uninitialized pointer.
+This is a security flaw, since the API can be called from a
+readonly connection which can trigger the validation checks.
+
+This was introduced in release v0.9.1 onwards by
+
+ commit 158ba8730e44b7dd07a21ab90499996c5dec080a
+ Author: Daniel P. Berrange
+ Date: Wed Apr 13 16:21:35 2011 +0100
+
+ Merge all returns paths from dispatcher into single path
+
+Signed-off-by: Daniel P. Berrange
+(cherry picked from commit e7f400a110e2e3673b96518170bfea0855dd82c0)
+---
+ daemon/remote.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/daemon/remote.c b/daemon/remote.c
+index b5395dd..afd9fb5 100644
+--- a/daemon/remote.c
++++ b/daemon/remote.c
+@@ -1146,7 +1146,7 @@ remoteDispatchDomainMemoryStats(virNetServerPtr server ATTRIBUTE_UNUSED,
+ remote_domain_memory_stats_ret *ret)
+ {
+ virDomainPtr dom = NULL;
+- struct _virDomainMemoryStat *stats;
++ struct _virDomainMemoryStat *stats = NULL;
+ int nr_stats;
+ size_t i;
+ int rv = -1;
diff --git a/0109-virsh-add-missing-async-option-in-opts_block_commit.patch b/0109-virsh-add-missing-async-option-in-opts_block_commit.patch
new file mode 100644
index 0000000..d6e8f4b
--- /dev/null
+++ b/0109-virsh-add-missing-async-option-in-opts_block_commit.patch
@@ -0,0 +1,59 @@ +From f19543baee399bf6b3d91da38fa0b7025f233dee Mon Sep 17 00:00:00 2001 +From: Simone Gotti +Date: Thu, 19 Sep 2013 15:08:29 +0200 +Subject: [PATCH] virsh: add missing "async" option in opts_block_commit + +After commit 8aecd351266a66efa59b7f7be77bf66693d99ce0 it'll detect +that a required option is not defined and it will assert and exit with: + +virsh.c:1364: vshCommandOpt: Assertion `valid->name' failed. + +Problem has been latent since commit ed23b106. + +Signed-off-by: Eric Blake +(cherry picked from commit fe64499dd14315b2d9d62cdf421bd3c97a46b7ac) +--- + tools/virsh-domain.c | 4 ++++ + tools/virsh.pod | 7 +++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c +index 568d61d..da6ab87 100644 +--- a/tools/virsh-domain.c ++++ b/tools/virsh-domain.c +@@ -1544,6 +1544,10 @@ static const vshCmdOptDef opts_block_commit[] = { + .type = VSH_OT_INT, + .help = N_("with --wait, abort if copy exceeds timeout (in seconds)") + }, ++ {.name = "async", ++ .type = VSH_OT_BOOL, ++ .help = N_("with --wait, don't wait for cancel to finish") ++ }, + {.name = NULL} + }; + +diff --git a/tools/virsh.pod b/tools/virsh.pod +index 0ae5178..2864f3d 100644 +--- a/tools/virsh.pod ++++ b/tools/virsh.pod +@@ -737,7 +737,7 @@ I) will accept the MAC address printed by this command. + + =item B I I [I] + {[I] | [I<--shallow>]} [I] [I<--delete>] +-[I<--wait> [I<--verbose>] [I<--timeout> B]] ++[I<--wait> [I<--verbose>] [I<--timeout> B] [I<--async>]] + + Reduce the length of a backing image chain, by committing changes at the + top of the chain (snapshot or delta files) into backing images. By +@@ -756,7 +756,10 @@ operation can be checked with B. However, if I<--wait> is + specified, then this command will block until the operation completes, + or cancel the operation if the optional I in seconds elapses + or SIGINT is sent (usually with C). 
Using I<--verbose> along +-with I<--wait> will produce periodic status updates. ++with I<--wait> will produce periodic status updates. If job cancellation ++is triggered, I<--async> will return control to the user as fast as ++possible, otherwise the command may continue to block a little while ++longer until the job is done cleaning up. + + I specifies fully-qualified path of the disk; it corresponds + to a unique target name () or source file ( +Date: Mon, 23 Sep 2013 12:46:25 +0100 +Subject: [PATCH] Fix typo in identity code which is pre-requisite for + CVE-2013-4311 + +The fix for CVE-2013-4311 had a pre-requisite enhancement +to the identity code + + commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176 + Author: Daniel P. Berrange + Date: Thu Aug 22 16:00:01 2013 +0100 + + Also store user & group ID values in virIdentity + +This had a typo which caused the group ID to overwrite the +user ID string. This meant any checks using this would have +the wrong ID value. This only affected the ACL code, not the +initial polkit auth. It also leaked memory. + +Signed-off-by: Daniel P. Berrange +--- + src/rpc/virnetserverclient.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c +index 19c4100..0b9ab52 100644 +--- a/src/rpc/virnetserverclient.c ++++ b/src/rpc/virnetserverclient.c +@@ -678,7 +678,7 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client) + goto cleanup; + if (!(groupname = virGetGroupName(gid))) + goto cleanup; +- if (virAsprintf(&userid, "%d", (int)gid) < 0) ++ if (virAsprintf(&groupid, "%d", (int)gid) < 0) + goto cleanup; + if (virAsprintf(&processid, "%llu", + (unsigned long long)pid) < 0) diff --git a/0111-Add-a-virNetSocketNewConnectSockFD-method.patch b/0111-Add-a-virNetSocketNewConnectSockFD-method.patch new file mode 100644 index 0000000..7cf7f56 --- /dev/null +++ b/0111-Add-a-virNetSocketNewConnectSockFD-method.patch 
@@ -0,0 +1,69 @@
+From 9e7cec4d755341cfb4c27c16aa59b22135612f0e Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange"
+Date: Mon, 23 Sep 2013 12:46:26 +0100
+Subject: [PATCH] Add a virNetSocketNewConnectSockFD method
+
+To allow creation of a virNetSocketPtr instance from a pre-opened
+socketpair FD, add a virNetSocketNewConnectSockFD method.
+
+Signed-off-by: Daniel P. Berrange
+---
+ src/libvirt_private.syms | 1 +
+ src/rpc/virnetsocket.c | 18 ++++++++++++++++++
+ src/rpc/virnetsocket.h | 2 ++
+ 3 files changed, 21 insertions(+)
+
+diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
+index 35f0f1b..873d93d 100644
+--- a/src/libvirt_private.syms
++++ b/src/libvirt_private.syms
+@@ -1008,6 +1008,7 @@ virNetSocketLocalAddrString;
+ virNetSocketNewConnectCommand;
+ virNetSocketNewConnectExternal;
+ virNetSocketNewConnectLibSSH2;
++virNetSocketNewConnectSockFD;
+ virNetSocketNewConnectSSH;
+ virNetSocketNewConnectTCP;
+ virNetSocketNewConnectUNIX;
+diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
+index ae81512..b311aae 100644
+--- a/src/rpc/virnetsocket.c
++++ b/src/rpc/virnetsocket.c
+@@ -884,6 +884,24 @@ int virNetSocketNewConnectExternal(const char **cmdargv,
+ }
+
+
++int virNetSocketNewConnectSockFD(int sockfd,
++ virNetSocketPtr *retsock)
++{
++ virSocketAddr localAddr;
++
++ localAddr.len = sizeof(localAddr.data);
++ if (getsockname(sockfd, &localAddr.data.sa, &localAddr.len) < 0) {
++ virReportSystemError(errno, "%s", _("Unable to get local socket name"));
++ return -1;
++ }
++
++ if (!(*retsock = virNetSocketNew(&localAddr, NULL, true, sockfd, -1, -1)))
++ return -1;
++
++ return 0;
++}
++
++
+ virNetSocketPtr virNetSocketNewPostExecRestart(virJSONValuePtr object)
+ {
+ virSocketAddr localAddr;
+diff --git a/src/rpc/virnetsocket.h b/src/rpc/virnetsocket.h
+index ca9ae91..86bc2f6 100644
+--- a/src/rpc/virnetsocket.h
++++ b/src/rpc/virnetsocket.h
+@@ -97,6 +97,8 @@ int virNetSocketNewConnectLibSSH2(const char *host,
+ int virNetSocketNewConnectExternal(const char **cmdargv,
+ virNetSocketPtr *addr);
+
++int virNetSocketNewConnectSockFD(int sockfd,
++ virNetSocketPtr *retsock);
+
+ virNetSocketPtr virNetSocketNewPostExecRestart(virJSONValuePtr object);
+
diff --git a/0112-Add-test-case-for-virNetServerClient-object-identity.patch b/0112-Add-test-case-for-virNetServerClient-object-identity.patch
new file mode 100644
index 0000000..1b07c7e
--- /dev/null
+++ b/0112-Add-test-case-for-virNetServerClient-object-identity.patch
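Review bot: virNetSocketNewConnectSockFD in patch 0111 hands `localAddr` to virNetSocketNew with only `len` initialised before getsockname(). For an unnamed socketpair endpoint, the case the commit message targets, getsockname() writes little beyond the address family, so the rest of the structure is indeterminate stack data. Adding `memset(&localAddr, 0, sizeof(localAddr));` before `localAddr.len = sizeof(localAddr.data);` keeps that out of the socket object; what virNetSocketNew reads from it is not visible in this hunk. The function also needs a short doc comment on descriptor ownership: on the getsockname() failure path the caller clearly still owns `sockfd`, and `*retsock` is left untouched. Something like `/* Takes ownership of @sockfd only on success; on failure the caller must close it and *retsock is not set */` would do, once the virNetSocketNew failure path is confirmed to behave the same way.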
@@ -0,0 +1,305 @@ +From 7e1b75ca5d4127a86ff1eaa0dfe37b485eeb0a7a Mon Sep 17 00:00:00 2001 +From: "Daniel P. Berrange" +Date: Mon, 23 Sep 2013 12:46:27 +0100 +Subject: [PATCH] Add test case for virNetServerClient object identity code + +Start a test case for the virNetServerClient object, which +initially checks the creation of a virIdentityPtr object. + +Signed-off-by: Daniel P. Berrange +--- + cfg.mk | 2 +- + tests/Makefile.am | 14 +++- + tests/virnetserverclientmock.c | 64 +++++++++++++++++ + tests/virnetserverclienttest.c | 159 +++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 237 insertions(+), 2 deletions(-) + create mode 100644 tests/virnetserverclientmock.c + create mode 100644 tests/virnetserverclienttest.c + +diff --git a/cfg.mk b/cfg.mk +index 9a9616c..7f817ef 100644 +--- a/cfg.mk ++++ b/cfg.mk +@@ -939,7 +939,7 @@ exclude_file_name_regexp--sc_prohibit_asprintf = \ + ^(bootstrap.conf$$|src/util/virstring\.[ch]$$|examples/domain-events/events-c/event-test\.c$$|tests/vircgroupmock\.c$$) + + exclude_file_name_regexp--sc_prohibit_strdup = \ +- ^(docs/|examples/|python/|src/util/virstring\.c$$) ++ ^(docs/|examples/|python/|src/util/virstring\.c|tests/virnetserverclientmock.c$$) + + exclude_file_name_regexp--sc_prohibit_close = \ + (\.p[yl]$$|^docs/|^(src/util/virfile\.c|src/libvirt\.c|tests/vircgroupmock\.c)$$) +diff --git a/tests/Makefile.am b/tests/Makefile.am +index c800179..ae99b38 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -114,7 +114,7 @@ test_programs = virshtest sockettest \ + nodeinfotest virbuftest \ + commandtest seclabeltest \ + virhashtest virnetmessagetest virnetsockettest \ +- viratomictest \ ++ viratomictest virnetserverclienttest \ + utiltest shunloadtest \ + virtimetest viruritest virkeyfiletest \ + virauthconfigtest \ +@@ -281,6 +281,7 @@ EXTRA_DIST += $(test_scripts) + + test_libraries = libshunload.la \ + libvirportallocatormock.la \ ++ virnetserverclientmock.la \ + vircgroupmock.la \ + $(NULL) + if WITH_QEMU 
+@@ -611,6 +612,17 @@ virnetsockettest_SOURCES = \ + virnetsockettest.c testutils.h testutils.c + virnetsockettest_LDADD = $(LDADDS) + ++virnetserverclienttest_SOURCES = \ ++ virnetserverclienttest.c \ ++ testutils.h testutils.c ++virnetserverclienttest_LDADD = $(LDADDS) ++ ++virnetserverclientmock_la_SOURCES = \ ++ virnetserverclientmock.c ++virnetserverclientmock_la_CFLAGS = $(AM_CFLAGS) ++virnetserverclientmock_la_LDFLAGS = -module -avoid-version \ ++ -rpath /evil/libtool/hack/to/force/shared/lib/creation ++ + if WITH_GNUTLS + virnettlscontexttest_SOURCES = \ + virnettlscontexttest.c \ +diff --git a/tests/virnetserverclientmock.c b/tests/virnetserverclientmock.c +new file mode 100644 +index 0000000..caef1e3 +--- /dev/null ++++ b/tests/virnetserverclientmock.c +@@ -0,0 +1,64 @@ ++/* ++ * Copyright (C) 2013 Red Hat, Inc. ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library. If not, see ++ * . ++ * ++ * Author: Daniel P. 
Berrange ++ */ ++ ++#include ++ ++#include "rpc/virnetsocket.h" ++#include "virutil.h" ++#include "internal.h" ++ ++int virEventAddTimeout(int frequency ATTRIBUTE_UNUSED, ++ virEventTimeoutCallback cb ATTRIBUTE_UNUSED, ++ void *opaque ATTRIBUTE_UNUSED, ++ virFreeCallback ff ATTRIBUTE_UNUSED) ++{ ++ return 0; ++} ++ ++int virNetSocketGetUNIXIdentity(virNetSocketPtr sock ATTRIBUTE_UNUSED, ++ uid_t *uid, ++ gid_t *gid, ++ pid_t *pid, ++ unsigned long long *timestamp) ++{ ++ *uid = 666; ++ *gid = 7337; ++ *pid = 42; ++ *timestamp = 12345678; ++ return 0; ++} ++ ++char *virGetUserName(uid_t uid ATTRIBUTE_UNUSED) ++{ ++ return strdup("astrochicken"); ++} ++ ++char *virGetGroupName(gid_t gid ATTRIBUTE_UNUSED) ++{ ++ return strdup("fictionalusers"); ++} ++ ++int virNetSocketGetSELinuxContext(virNetSocketPtr sock ATTRIBUTE_UNUSED, ++ char **context) ++{ ++ if (!(*context = strdup("foo_u:bar_r:wizz_t:s0-s0:c0.c1023"))) ++ return -1; ++ return 0; ++} +diff --git a/tests/virnetserverclienttest.c b/tests/virnetserverclienttest.c +new file mode 100644 +index 0000000..1ddff3e +--- /dev/null ++++ b/tests/virnetserverclienttest.c +@@ -0,0 +1,159 @@ ++/* ++ * Copyright (C) 2013 Red Hat, Inc. ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library. If not, see ++ * . ++ * ++ * Author: Daniel P. 
Berrange ++ */ ++ ++#include ++ ++#include "testutils.h" ++#include "virerror.h" ++#include "rpc/virnetserverclient.h" ++ ++#define VIR_FROM_THIS VIR_FROM_RPC ++ ++#ifdef HAVE_SOCKETPAIR ++static int testIdentity(const void *opaque ATTRIBUTE_UNUSED) ++{ ++ int sv[2]; ++ int ret = -1; ++ virNetSocketPtr sock = NULL; ++ virNetServerClientPtr client = NULL; ++ virIdentityPtr ident = NULL; ++ const char *gotUsername = NULL; ++ const char *gotUserID = NULL; ++ const char *gotGroupname = NULL; ++ const char *gotGroupID = NULL; ++ const char *gotSELinuxContext = NULL; ++ ++ if (socketpair(PF_UNIX, SOCK_STREAM, 0, sv) < 0) { ++ virReportSystemError(errno, "%s", ++ "Cannot create socket pair"); ++ return -1; ++ } ++ ++ if (virNetSocketNewConnectSockFD(sv[0], &sock) < 0) { ++ virDispatchError(NULL); ++ goto cleanup; ++ } ++ sv[0] = -1; ++ ++ if (!(client = virNetServerClientNew(sock, 0, false, 1, ++# ifdef WITH_GNUTLS ++ NULL, ++# endif ++ NULL, NULL, NULL, NULL))) { ++ virDispatchError(NULL); ++ goto cleanup; ++ } ++ ++ if (!(ident = virNetServerClientGetIdentity(client))) { ++ fprintf(stderr, "Failed to create identity\n"); ++ goto cleanup; ++ } ++ ++ if (virIdentityGetAttr(ident, ++ VIR_IDENTITY_ATTR_UNIX_USER_NAME, ++ &gotUsername) < 0) { ++ fprintf(stderr, "Missing username in identity\n"); ++ goto cleanup; ++ } ++ if (STRNEQ_NULLABLE("astrochicken", gotUsername)) { ++ fprintf(stderr, "Want username 'astrochicken' got '%s'\n", ++ NULLSTR(gotUsername)); ++ goto cleanup; ++ } ++ ++ if (virIdentityGetAttr(ident, ++ VIR_IDENTITY_ATTR_UNIX_USER_ID, ++ &gotUserID) < 0) { ++ fprintf(stderr, "Missing user ID in identity\n"); ++ goto cleanup; ++ } ++ if (STRNEQ_NULLABLE("666", gotUserID)) { ++ fprintf(stderr, "Want username '666' got '%s'\n", ++ NULLSTR(gotUserID)); ++ goto cleanup; ++ } ++ ++ if (virIdentityGetAttr(ident, ++ VIR_IDENTITY_ATTR_UNIX_GROUP_NAME, ++ &gotGroupname) < 0) { ++ fprintf(stderr, "Missing groupname in identity\n"); ++ goto cleanup; ++ } ++ if 
(STRNEQ_NULLABLE("fictionalusers", gotGroupname)) { ++ fprintf(stderr, "Want groupname 'fictionalusers' got '%s'\n", ++ NULLSTR(gotGroupname)); ++ goto cleanup; ++ } ++ ++ if (virIdentityGetAttr(ident, ++ VIR_IDENTITY_ATTR_UNIX_GROUP_ID, ++ &gotGroupID) < 0) { ++ fprintf(stderr, "Missing group ID in identity\n"); ++ goto cleanup; ++ } ++ if (STRNEQ_NULLABLE("7337", gotGroupID)) { ++ fprintf(stderr, "Want groupname '7337' got '%s'\n", ++ NULLSTR(gotGroupID)); ++ goto cleanup; ++ } ++ ++ if (virIdentityGetAttr(ident, ++ VIR_IDENTITY_ATTR_SELINUX_CONTEXT, ++ &gotSELinuxContext) < 0) { ++ fprintf(stderr, "Missing SELinux context in identity\n"); ++ goto cleanup; ++ } ++ if (STRNEQ_NULLABLE("foo_u:bar_r:wizz_t:s0-s0:c0.c1023", gotSELinuxContext)) { ++ fprintf(stderr, "Want groupname 'foo_u:bar_r:wizz_t:s0-s0:c0.c1023' got '%s'\n", ++ NULLSTR(gotGroupID)); ++ goto cleanup; ++ } ++ ++ ret = 0; ++ cleanup: ++ virObjectUnref(sock); ++ virObjectUnref(client); ++ virObjectUnref(ident); ++ VIR_FORCE_CLOSE(sv[0]); ++ VIR_FORCE_CLOSE(sv[1]); ++ return ret; ++} ++ ++ ++static int ++mymain(void) ++{ ++ int ret = 0; ++ ++ ++ if (virtTestRun("Identity", 1, ++ testIdentity, NULL) < 0) ++ ret = -1; ++ ++ return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE; ++} ++#else ++static int ++mymain(void) ++{ ++ return AM_TEST_SKIP; ++} ++#endif ++VIRT_TEST_MAIN_PRELOAD(mymain, abs_builddir "/.libs/virnetserverclientmock.so") diff --git a/libvirt.spec b/libvirt.spec index 476ae1e..8087176 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -13,6 +13,9 @@ # touch configure.ac or Makefile.am. %{!?enable_autotools:%define enable_autotools 0} +# Drop after libvirt-1.1.3 is rebased +%define enable_autotools 1 + # A client only build will create a libvirt.so only containing # the generic RPC driver, and test driver and no libvirtd # Default to a full server + client build 
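Review bot: The new testIdentity in patch 0112 never checks VIR_IDENTITY_ATTR_UNIX_PROCESS_ID or VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME, although the mock supplies `*pid = 42` and `*timestamp = 12345678`. Those are two of the three values that the CVE-2013-4311 fix hands to pkcheck. The checks below follow the existing pattern, assuming the start time is formatted with `%llu` as it is in virIdentityGetSystem. The failure messages are also copy-pasted: the SELinux mismatch prints `NULLSTR(gotGroupID)` under the label 'groupname' where it should print `NULLSTR(gotSELinuxContext)`, and the user-ID and group-ID messages say 'username' and 'groupname'. In the cfg.mk hunk, the added alternative leaves `src/util/virstring\.c` without its `$$` anchor and has an unescaped dot in `virnetserverclientmock.c`.

```c
    const char *gotProcessID = NULL;
    const char *gotProcessTime = NULL;

    /* … unchanged: socketpair setup, client creation, user/group/SELinux checks … */

    if (virIdentityGetAttr(ident,
                           VIR_IDENTITY_ATTR_UNIX_PROCESS_ID,
                           &gotProcessID) < 0) {
        fprintf(stderr, "Missing process ID in identity\n");
        goto cleanup;
    }
    if (STRNEQ_NULLABLE("42", gotProcessID)) {
        fprintf(stderr, "Want process ID '42' got '%s'\n",
                NULLSTR(gotProcessID));
        goto cleanup;
    }

    if (virIdentityGetAttr(ident,
                           VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME,
                           &gotProcessTime) < 0) {
        fprintf(stderr, "Missing process start time in identity\n");
        goto cleanup;
    }
    if (STRNEQ_NULLABLE("12345678", gotProcessTime)) {
        fprintf(stderr, "Want process start time '12345678' got '%s'\n",
                NULLSTR(gotProcessTime));
        goto cleanup;
    }
```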
@@ -366,7 +369,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 1.1.2 -Release: 2%{?dist}%{?extra_release} +Release: 3%{?dist}%{?extra_release} License: LGPLv2+ Group: Development/Libraries BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -387,6 +390,20 @@ Patch0006: 0006-domain_conf-Add-disk-bus-sd-wire-it-up-for-qemu.patch Patch0007: 0007-qemu-Fix-networking-for-ARM-guests.patch Patch0008: 0008-qemu-Support-virtio-mmio-transport-for-virtio-on-ARM.patch +# Sync with v1.1.2-maint +Patch0101: 0101-virFileNBDDeviceAssociate-Avoid-use-of-uninitialized.patch +Patch0102: 0102-Fix-AM_LDFLAGS-typo.patch +Patch0103: 0103-Pass-AM_LDFLAGS-to-driver-modules-too.patch +Patch0104: 0104-build-fix-build-with-latest-rawhide-kernel-headers.patch +Patch0105: 0105-Also-store-user-group-ID-values-in-virIdentity.patch +Patch0106: 0106-Ensure-system-identity-includes-process-start-time.patch +Patch0107: 0107-Add-support-for-using-3-arg-pkcheck-syntax-for-proce.patch +Patch0108: 0108-Fix-crash-in-remoteDispatchDomainMemoryStats-CVE-201.patch +Patch0109: 0109-virsh-add-missing-async-option-in-opts_block_commit.patch +Patch0110: 0110-Fix-typo-in-identity-code-which-is-pre-requisite-for.patch +Patch0111: 0111-Add-a-virNetSocketNewConnectSockFD-method.patch +Patch0112: 0112-Add-test-case-for-virNetServerClient-object-identity.patch + %if %{with_libvirtd} Requires: libvirt-daemon = %{version}-%{release} %if %{with_network} @@ -608,6 +625,7 @@ BuildRequires: audit-libs-devel BuildRequires: systemtap-sdt-devel %endif + %if %{with_storage_fs} # For mount/umount in FS driver BuildRequires: util-linux 
@@ -1172,6 +1190,20 @@ of recent versions of Linux (and other OSes). %patch0007 -p1 %patch0008 -p1 +# Sync with v1.1.2-maint +%patch0101 -p1 +%patch0102 -p1 +%patch0103 -p1 +%patch0104 -p1 +%patch0105 -p1 +%patch0106 -p1 +%patch0107 -p1 +%patch0108 -p1 +%patch0109 -p1 +%patch0110 -p1 +%patch0111 -p1 +%patch0112 -p1 + %build %if ! %{with_xen} %define _without_xen --without-xen @@ -2125,6 +2157,14 @@ fi %endif %changelog +* Mon Sep 23 2013 Cole Robinson - 1.1.2-3 +- Sync with v1.1.2-maint +- Rebuild for libswan soname bump (bz #1009701) +- CVE-2013-4311: Insecure polkit usage (bz #1009539, bz #1005332) +- CVE-2013-4296: Invalid free memory stats (bz #1006173, bz #1009667) +- CVE-2013-4297: Invalid free in NBDDeviceAssociate (bz #1006505, bz #1006511) +- Fix virsh block-commit abort (bz #1010056) + * Wed Sep 18 2013 Daniel P. Berrange - 1.1.2-2 - Rebuild for soname break in openswman package