Commit Graph

40892 Commits

Author SHA1 Message Date
Peter Krempa
de4d0103b6 virnetlibsshsession: Replace VIR_DISPOSE_STRING with virSecureEraseString
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:14 +01:00
Peter Krempa
2025001609 util: alloc: Remove VIR_AUTODISPOSE_STR
There are no users any more. The replacement is to use g_auto and
virSecureEraseString explicitly.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:14 +01:00
Peter Krempa
7979d85783 virNetLibsshAuthenticatePassword: Use virSecureEraseString instead of VIR_AUTODISPOSE_STR
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
a1709a68a5 cmdSecretGetValue: Use virSecureEraseString instead of VIR_AUTODISPOSE_STR
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
7f0780c0d2 virStorageBackendRBDOpenRADOSConn: Use virSecureEraseString instead of VIR_AUTODISPOSE_STR
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
3b1d2ff510 qemuBuildRBDSecinfoURI: Use virSecureEraseString instead of VIR_AUTODISPOSE_STR
In this instance attempting to be correct is really pointless since the
secret is formatted into another string which is not erased securely and
then put on the commandline.

Keep the secure handling for correctness.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
ffc13e76ac libxlMakeNetworkDiskSrc: Use virSecureEraseString instead of VIR_AUTODISPOSE_STR
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
39089a6faf util: virsecureerase: Introduce virSecureEraseString
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
bacf612607 util: viralloc: Remove VIR_DISPOSE(_N)
The macros are unused now and callers who care about clearing the memory
they use should use memset() appropriately.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
f08fea10fb tests: viralloc: Remove testDispose case
The VIR_DISPOSE* APIs will be phased out. Additionally the test isn't
really doing useful work in ensuring that the values are indeed cleared
thus there's no point in keeping it around.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
8bac46997f storageBackendCreateQemuImgSecretPath: Use virSecureErase instead of VIR_DISPOSE_N
Clear out the value using virSecureErase and free it with g_free so
that VIR_DISPOSE_N can be phased out.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
91858434b4 virCryptoEncryptDataAESgnutls: Use virSecureErase instead of memset
Clear the key and IV structs using virSecureErase.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
288d051494 virCryptoEncryptDataAESgnutls: Use virSecureErase instead of VIR_DISPOSE_N
Clear out the value using virSecureErase and free it with g_free so
that VIR_DISPOSE_N can be phased out.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:13 +01:00
Peter Krempa
549305922a virStorageBackendRBDOpenRADOSConn: Use virSecureErase instead of VIR_DISPOSE_N
Switch the secret value to 'g_autofree' for handling of the memory and
clear it out using virSecureErase.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
e6195ed80c virsh: cmdSecretGetValue: Use virSecureErase instead of VIR_DISPOSE_N
Switch the secret value to 'g_autofree' for handling of the memory and
clear it out using virSecureErase.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
ee88bce43d qemu: domain: Use virSecureErase for clearing secrets instead of VIR_DISPOSE_N
Phase out use of VIR_DISPOSE_N from the qemu driver. Use memset in the
appropriate cases.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
3217d445b9 libxlMakeNetworkDiskSrc: Avoid use of VIR_DISPOSE_N
Clear the secret right after use with virSecureErase.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
fabd172065 storage_backend_iscsi(_direct): Properly clear secrets
The code pretends that it cares about clearing the secret values, but
passes the secret value to a realloc, which may copy the value somewhere
else and doesn't sanitize the original location when it does so.

Since we want to construct a string from the value, let's copy it to a
new piece of memory which has the space for the 'NUL' byte ourselves, to
prevent a random realloc keeping the data around.

While at it, use virSecureErase instead of VIR_DISPOSE_N since it's
being phased out.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
8d6353a066 virsh: cmdSecretSetValue: Rework handling of the secret value
Use a single buffer for the secret to make it easier to follow it's
lifecycle. For base64 decoding use a local temporary buffer which will
be cleared right away.

This also uses virSecureErase for clearing the bufer instead of
VIR_DISPOSE_N which is being phased out.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
43696418af util: Introduce virsecureerase module
The module will provide functions for disposing secrets stored in
memory.

Note that for now it's implemented using memset, which is not really
secure.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
5761f8ab54 virNetLibsshSessionAuthAddPrivKeyAuth: Refactor cleanup
Shuffle the code around to remove the need for temporary variables and
labels for cleaning them.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
34e522418f virNetLibsshSessionAuthAddPrivKeyAuth: Don't unlock unlocked 'sess' on error
The check whether @keyfile is non-NULL is before locking @sess, but uses
the 'error' label which unlocks '@sess'.

While touching the error path, update the error message to be on one
line.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
26fedf9218 cmdSecretSetValue: Make it obvious that --file, --base64 and --interactive are exlcusive
Convert the conditions to else if so that it's obvious that only one of
the cases will ever be used.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
ac4b55c99d qemuDomainMasterKeyCreate: Don't use VIR_DISPOSE_N on failure
When virRandomBytes fails we don't get any random bytes and even if we
did they don't have to be treated as secret as they weren't used in any
way.

Add a temporary variable with automatic freeing for the secret buffer
and assign it only on success.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
b57b6b4eea libxlMakeDomBuildInfo: Don't use VIR_DISPOSE_N for USB device list
The list isn't secret which would need being disposed of. Just expand
the array and return failure when adding the NULL terminator similarly
to how we expand the list for adding devices in a loop.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
Peter Krempa
9c9423a1e8 hypervFreeInvokeParams: Don't use VIR_DISPOSE_N for freeing 'params'
The struct doesn't contain any secrets to clear before freeing and even
if it did VIR_DISPOSE_N wouldn't help as the struct contains only
pointers thus the actual memory pointing to isn't sanitized.

Just free the params array pointer and then the struct itself.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-03 13:07:12 +01:00
gongwei
976bdfc8e7 conf: add realtime parameter for rtc
Pass the parameter clock rt to qemu to ensure that the
virtual machine is not synchronized with the host time

Signed-off-by: gongwei <gongwei@smartx.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-02-03 10:18:04 +01:00
Peter Krempa
d115019b6a util: virstring: Remove unused prototypes for virStr(n)dup
The headers weren't removed after use of VIR_STRDUP was removed.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2021-02-02 15:10:47 +01:00
Tim Wiederhake
8b1755024b vircommand: Simplify virCommandAddArg
Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:55 +01:00
Tim Wiederhake
ae9f4d5e0c vircryptotest: Directly assign string to avoid memcpy
Found by clang-tidy's "bugprone-not-null-terminated-result" check.

clang-tidy's finding is a false positive in this case, as the
memset call guarantees null termination. The assignment can be
simplified though, and this happens to silence the warning.

Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:55 +01:00
Tim Wiederhake
b62e51e540 tests: Prevent malloc with size 0
Found by clang-tidy's "clang-analyzer-optin.portability.UnixAPI" check.

Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:55 +01:00
Tim Wiederhake
2cdbfbe7ac virhostuptime: Fix rounding in uptime calculation
"f + 0.5" does not round correctly for values very close to
".5" for every integer multiple, e.g. "0.499999975".

Found by clang-tidy's "bugprone-incorrect-roundings" check.

Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:55 +01:00
Tim Wiederhake
795187fe0c udevProcessCCW: Initialize variable
`udevGetIntSysfsAttr` does not necessarily write to the third parameter,
even when it returns 0.

This was found by clang-tidy's
"clang-analyzer-core.UndefinedBinaryOperatorResult" check.

Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:55 +01:00
Tim Wiederhake
1e2e8ac88f Replace bzero() with memset()
This was found by clang-tidy's
"clang-analyzer-security.insecureAPI.bzero" check.

bzero is marked as deprecated ("LEGACY") in POSIX.1-2001 and
removed in POSIX.1-2008.

Besides its deprecation, bzero can be unsafe to use under certain
circumstances, e.g. when used to zero-out memory containing secrects.
These calls can be optimized away by the compiler, if it concludes no
further access happens to the memory, thus leaving the secrets still
in memory. Hence its classification as "insecureAPI".

Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:55 +01:00
Tim Wiederhake
4f5c22b27c virsh-domain: Fix error handling of pthread_sigmask
pthread_sigmask() returns 0 on success and "a non-zero value
on failure", but not neccessarily a negative one.

Found by clang-tidy's "bugprone-posix-return" check.

Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:55 +01:00
Tim Wiederhake
2870d99f1b qemu_tpm: Fix indentation in qemuTPMEmulatorBuildCommand
This was found by clang-tidy's "readability-misleading-indentation"
check.

Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:55 +01:00
Tim Wiederhake
a6675869fb xen: Fix indentation in xenParseXLSpice
This was found by clang-tidy's "readability-misleading-indentation"
check.

Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:55 +01:00
Tim Wiederhake
8b8d6a24f9 virfile: Remove redundant #ifndef
This section is guarded by "#ifndef WIN32" in line 2109--2808.

Found by clang-tidy's "readability-redundant-preprocessor" check.

Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:55 +01:00
Tim Wiederhake
7471dc5b86 commandhelper: Use automatic memory management in main
Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:54 +01:00
Tim Wiederhake
f00a6c2a5c commandhelper: Use automatic memory management in printInput
Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:54 +01:00
Tim Wiederhake
99502fa790 commandhelper: Use automatic memory management in printCwd
Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:54 +01:00
Tim Wiederhake
0793d15685 commandhelper: Use automatic memory management in printEnvironment
Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:54 +01:00
Tim Wiederhake
368afd0bb6 commandhelper: Use automatic memory management in parseArguments
Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:54 +01:00
Tim Wiederhake
a74d283a77 commandhelper: Make number of fds variable in parseArguments
Fixes a buffer overflow triggered when more than three "--readfd"
arguments were given on the command line.

Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:54 +01:00
Tim Wiederhake
8cdbedfdbf commandhelper: Make number of fds variable in printInput
Fixes a buffer overflow triggered when more than three "--readfd"
arguments were given on the command line.

Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:54 +01:00
Tim Wiederhake
ba326d08b4 commandhelper: Factor out printInput
Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:54 +01:00
Tim Wiederhake
c73f0343bb commandhelper: Factor out printCwd
Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:54 +01:00
Tim Wiederhake
0e3911f02f commandhelper: Factor out printDaemonization
Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:54 +01:00
Tim Wiederhake
6fedbe37a2 commandhelper: Factor out printFds
Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:54 +01:00
Tim Wiederhake
7aa36ccacc commandhelper: Factor out printEnvironment
Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2021-02-02 15:00:54 +01:00