Commit Graph

9820 Commits

Author SHA1 Message Date
Peter Krempa
750280023c CVE-2014-3633: qemu: blkiotune: Use correct definition when looking up disk
Live definition was used to look up the disk index while persistent one
was indexed leading to a crash in qemuDomainGetBlockIoTune. Use the
correct def and report a nice error.

Unfortunately it's accessible via read-only connection, though it can
only crash libvirtd in the cases where the guest is hot-plugging disks
without reflecting those changes to the persistent definition.  So
avoiding hotplug, or doing hotplug where persistent is always modified
alongside live definition, will avoid the out-of-bounds access.

Introduced in: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa (v0.9.8)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140724
Reported-by: Luyao Huang <lhuang@redhat.com>
Signed-off-by: Peter Krempa <pkrempa@redhat.com>

(cherry picked from commit 3e745e8f77)

Conflicts:
	src/qemu/qemu_driver.c - context due to fewer functions
2014-09-17 22:39:26 -06:00
Daniel P. Berrange
022b34cee7 LSN-2014-0003: Don't expand entities when parsing XML
If the XML_PARSE_NOENT flag is passed to libxml2, then any
entities in the input document will be fully expanded. This
allows the user to read arbitrary files on the host machine
by creating an entity pointing to a local file. Removing
the XML_PARSE_NOENT flag means that any entities are left
unchanged by the parser, or expanded to "" by the XPath
APIs.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit d6b27d3e4c)
2014-05-06 14:32:09 +01:00
Michal Privoznik
800eb5ace5 virNetClientSetTLSSession: Restore original signal mask
Currently, we use pthread_sigmask(SIG_BLOCK, ...) prior to calling
poll(). This is okay, as we don't want poll() to be interrupted.
However, then - immediately as we fall out from the poll() - we try to
restore the original sigmask - again using SIG_BLOCK. But as the man
page says, SIG_BLOCK adds signals to the signal mask:

SIG_BLOCK
      The set of blocked signals is the union of the current set and the set argument.

Therefore, when restoring the original mask, we need to completely
overwrite the one we set earlier and hence we should be using:

SIG_SETMASK
      The set of blocked signals is set to the argument set.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 3d4b4f5ac6)
2014-03-20 08:51:50 -06:00
Eric Blake
2da26d325a build: use proper pod for nested bulleted VIRSH_DEBUG list
Newer pod (hello rawhide) complains if you attempt to mix bullets
and non-bullets in the same list:

virsh.pod around line 3177: Expected text after =item, not a bullet

As our intent was to nest an inner list, we make that explicit to
keep pod happy.

* tools/virsh.pod (ENVIRONMENT): Use correct pod syntax.

(cherry picked from commit 00d69b4af1)
2014-03-20 08:51:50 -06:00
Guido Günther
0595648d96 Prepare for 0.9.12.3 2014-01-16 10:50:23 +01:00
Jiri Denemark
c385db5994 Really don't crash if a connection closes early
https://bugzilla.redhat.com/show_bug.cgi?id=1047577

When writing commit 173c291, I missed the fact virNetServerClientClose
unlocks the client object before actually clearing client->sock and thus
it is possible to hit a window when client->keepalive is NULL while
client->sock is not NULL. I was thinking client->sock == NULL was a
better check for a closed connection but apparently we have to go with
client->keepalive == NULL to actually fix the crash.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
(cherry picked from commit 066c8ef6c1)
2014-01-16 08:55:08 +01:00
Jiri Denemark
ffdb640963 Don't crash if a connection closes early
https://bugzilla.redhat.com/show_bug.cgi?id=1047577

When a client closes its connection to libvirtd early during
virConnectOpen, more specifically just after making
REMOTE_PROC_CONNECT_SUPPORTS_FEATURE call to check if
VIR_DRV_FEATURE_PROGRAM_KEEPALIVE is supported without even waiting for
the result, libvirtd may crash due to a race in keep-alive
initialization. Once receiving the REMOTE_PROC_CONNECT_SUPPORTS_FEATURE
call, the daemon's event loop delegates it to a worker thread. In case
the event loop detects EOF on the connection and calls
virNetServerClientClose before the worker thread starts to handle
REMOTE_PROC_CONNECT_SUPPORTS_FEATURE call, client->keepalive will be
disposed by the time virNetServerClientStartKeepAlive gets called from
remoteDispatchConnectSupportsFeature. Because the flow is common for
both authenticated and read-only connections, even unprivileged clients
may cause the daemon to crash.

To avoid the crash, virNetServerClientStartKeepAlive needs to check if
the connection is still open before starting keep-alive protocol.

Every libvirt release since 0.9.8 is affected by this bug.

(cherry picked from commit 173c291473)

Conflicts:
	src/rpc/virnetserverclient.c - older locking style
2014-01-16 08:54:39 +01:00
Jiri Denemark
2786686eb5 qemu: Fix job usage in virDomainGetBlockIoTune
CVE-2013-6458

Every API that is going to begin a job should do that before fetching
data from vm->def.

Conflicts:
	src/qemu/qemu_driver.c

(cherry picked from commit 3b56425938)
2014-01-11 13:40:28 +01:00
Jiri Denemark
3e7d9e54e9 qemu: Fix job usage in qemuDomainBlockJobImpl
CVE-2013-6458

Every API that is going to begin a job should do that before fetching
data from vm->def.

Conflicts:
        src/qemu/qemu_driver.c

(cherry picked from commit f93d2caa07)
2014-01-11 13:40:28 +01:00
Jiri Denemark
4dd29d3bdf qemu: Avoid using stale data in virDomainGetBlockInfo
CVE-2013-6458

Generally, every API that is going to begin a job should do that before
fetching data from vm->def. However, qemuDomainGetBlockInfo does not
know whether it will have to start a job or not before checking vm->def.
To avoid using disk alias that might have been freed while we were
waiting for a job, we use its copy. In case the disk was removed in the
meantime, we will fail with "cannot find statistics for device '...'"
error message.

Conflicts:
	src/qemu/qemu_driver.c

(cherry picked from commit b799259583)
2014-01-11 13:40:27 +01:00
Jiri Denemark
c430c002dd qemu: Do not access stale data in virDomainBlockStats
CVE-2013-6458
https://bugzilla.redhat.com/show_bug.cgi?id=1043069

When virDomainDetachDeviceFlags is called concurrently to
virDomainBlockStats: libvirtd may crash because qemuDomainBlockStats
finds a disk in vm->def before getting a job on a domain and uses the
disk pointer after getting the job. However, the domain in unlocked
while waiting on a job condition and thus data behind the disk pointer
may disappear. This happens when thread 1 runs
virDomainDetachDeviceFlags and enters monitor to actually remove the
disk. Then another thread starts running virDomainBlockStats, finds the
disk in vm->def, and while it's waiting on the job condition (owned by
the first thread), the first thread finishes the disk removal. When the
second thread gets the job, the memory pointed to be the disk pointer is
already gone.

That said, every API that is going to begin a job should do that before
fetching data from vm->def.

Conflicts:
	src/qemu/qemu_driver.c

(cherry picked from commit db86da5ca2)
2014-01-11 13:40:27 +01:00
Daniel P. Berrange
4616ff521e Introduce virReportError macro for general error reporting
Nearly every source file does something like

  #define VIR_FROM_THIS VIR_FROM_FOO
  #define virFooReportErorr(code, ...) \
     virReportErrorHelper(VIR_FROM_THIS, code,  __FILE__,    \
                          __FUNCTION__, __LINE__, \
                          __VA_ARGS__)

This creates needless duplication and inconsistent error
reporting function names in each file. It is trivial to
just have virterror_internal.h provide a virReportError
macro that is equivalent

* src/util/virterror_internal.h: Define virReportError(code, ...)

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

(cherry picked from commit 7e94acd4fc)
2014-01-11 13:40:24 +01:00
Eric Blake
5adafc831d string: test VIR_STRDUP
The surest way to avoid regressions is to test documented behavior :)

* tests/virstringtest.c (testStrdup): New test case.

Signed-off-by: Eric Blake <eblake@redhat.com>

(cherry picked from commit 504b4a8dae)
2014-01-11 13:28:17 +01:00
Eric Blake
6c06d86d9a string: make VIR_STRDUP easier to use
While reviewing proposed VIR_STRDUP conversions, I've already noticed
several places that do:

if (str && VIR_STRDUP(dest, str) < 0)

which can be simplified by allowing str to be NULL (something that
strdup() doesn't allow).  Meanwhile, code that wants to ensure a
non-NULL dest regardless of the source can check for <= 0.

Also, make it part of the VIR_STRDUP contract that macro arguments
are evaluated exactly once.

* src/util/virstring.h (VIR_STRDUP, VIR_STRDUP_QUIET, VIR_STRNDUP)
(VIR_STRNDUP_QUIET): Improve contract.
* src/util/virstring.c (virStrdup, virStrndup): Change return
conventions.
* docs/hacking.html.in: Document this.
* HACKING: Regenerate.

Signed-off-by: Eric Blake <eblake@redhat.com>

Conflicts:
	HACKING
	docs/hacking.html.in

(cherry picked from commit 6b74a9f5d9)
2014-01-11 13:27:10 +01:00
Michal Privoznik
9d4a1af78c virstring: Introduce VIR_STRDUP and VIR_STRNDUP
The code adaptation is not done right now, but in subsequent patches.
Hence I am not implementing syntax-check rule as it would break
compilation. Developers are strongly advised to use these new macros.
They are similar to VIR_ALLOC() logic: VIR_STRDUP(dst, src) returns zero
on success, -1 otherwise. In case you don't want to report OOM error,
use the _QUIET variant of a macro.

Conflicts:
	src/libvirt_private.syms
	src/util/virstring.h

(cherry picked from commit c3abb5c459)
2014-01-11 13:26:28 +01:00
Zhou Yimin
c0b4111219 remote: fix regression in event deregistration
Introduced by 7b87a3
When I quit the process which only register VIR_DOMAIN_EVENT_ID_REBOOT,
I got error like:
"libvirt: XML-RPC error : internal error: domain event 0 not registered".
Then I add the following code, it fixed.

Signed-off-by: Zhou Yimin <zhouyimin@huawei.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit 9712c2510e)

Conflicts:
	src/remote/remote_driver.c - context
2013-10-18 09:54:07 -06:00
Eric Blake
c7f51ff247 Merge commit 'v0.9.12.1' into v0.9.12-maint
Done by 'git merge -s ours v0.9.12.1', so that the maint branch
will contain all release tags.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-10-04 06:31:59 -06:00
Guido Günther
73aab23535 Prepare for 0.9.12.2 2013-10-01 21:05:48 +02:00
Guido Günther
3865383450 Distribute viratomic.h
Since cbcb1983af we need viratomic.h in
the distributed tarball as well. This fixes "make distcheck".
2013-10-01 17:49:06 +02:00
Guido Günther
ea095a4aac Prepare 0.9.12.1 2013-09-27 15:45:30 +02:00
Daniel P. Berrange
2f34eae93a Fix crash in remoteDispatchDomainMemoryStats (CVE-2013-4296)
The 'stats' variable was not initialized to NULL, so if some
early validation of the RPC call fails, it is possible to jump
to the 'cleanup' label and VIR_FREE an uninitialized pointer.
This is a security flaw, since the API can be called from a
readonly connection which can trigger the validation checks.

This was introduced in release v0.9.1 onwards by

  commit 158ba8730e
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date:   Wed Apr 13 16:21:35 2011 +0100

    Merge all returns paths from dispatcher into single path

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit e7f400a110)

Conflicts:
	daemon/remote.c - context
2013-09-18 21:10:27 -06:00
Daniel P. Berrange
078627104d Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311)
With the existing pkcheck (pid, start time) tuple for identifying
the process, there is a race condition, where a process can make
a libvirt RPC call and in another thread exec a setuid application,
causing it to change to effective UID 0. This in turn causes polkit
to do its permission check based on the wrong UID.

To address this, libvirt must get the UID the caller had at time
of connect() (from SO_PEERCRED) and pass a (pid, start time, uid)
triple to the pkcheck program.

This fix requires that libvirt is re-built against a version of
polkit that has the fix for its CVE-2013-4288, so that libvirt
can see 'pkg-config --variable pkcheck_supports_uid polkit-gobject-1'

Signed-off-by: Colin Walters <walters@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 922b7fda77)
Signed-off-by: Eric Blake <eblake@redhat.com>

Conflicts:
	configure.ac - context
	libvirt.spec.in - context of indentation
	src/access/viraccessdriverpolkit.c - not present on this branch
2013-09-18 21:10:27 -06:00
Daniel P. Berrange
cbcb1983af Include process start time when doing polkit checks
Since PIDs can be reused, polkit prefers to be given
a (PID,start time) pair. If given a PID on its own,
it will attempt to lookup the start time in /proc/pid/stat,
though this is subject to races.

It is safer if the client app resolves the PID start
time itself, because as long as the app has the client
socket open, the client PID won't be reused.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 979e9c56a7)
Signed-off-by: Eric Blake <eblake@redhat.com>

Conflicts:
	src/libvirt_private.syms - not backported
	src/locking/lock_daemon.c - not backported
	src/rpc/virnetserverclient.c
	src/rpc/virnetsocket.c
	src/rpc/virnetsocket.h
	src/util/viridentity.h - not backported
	src/util/virprocess.c
	src/util/virprocess.h
	src/util/virstring.c
	src/util/virstring.h

Most conflicts were contextual (this patch adds new functions,
but upstream intermediate patches not backported here also added
new features, and the resolution was picking out just the portions
needed by this commit).  virnetsocket.c also had slightly
different locking semantics.
2013-09-18 21:10:27 -06:00
Daniel P. Berrange
6cc4fe2c6b Move virProcess{Kill, Abort, TranslateStatus} into virprocess.{c, h}
Continue consolidation of process functions by moving some
helpers out of command.{c,h} into virprocess.{c,h}

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 9467ab6074)
Signed-off-by: Eric Blake <eblake@redhat.com>

Conflicts:
	src/lxc/lxc_controller.c
	src/util/command.c
	src/util/virprocess.c
	tests/testutils.c
2013-09-18 21:10:23 -06:00
Daniel P. Berrange
ea877ca7af Move virProcessKill into virprocess.{h, c}
There are a number of process related functions spread
across multiple files. Start to consolidate them by
creating a virprocess.{c,h} file

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit e5e2b65cf8)
Signed-off-by: Eric Blake <eblake@redhat.com>

Conflicts:
	src/qemu/qemu_monitor.c
	src/util/util.h
2013-09-18 21:10:20 -06:00
Daniel P. Berrange
c50e029f97 Rename virCommandTranslateStatus to virProcessTranslateStatus
The virCommand prefix was inappropriate because the API
does not use any virCommandPtr object instance. This
API closely related to waitpid/exit, so use virProcess
as the prefix

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 49ecf8b41f)
Signed-off-by: Eric Blake <eblake@redhat.com>

Conflicts:
	src/util/command.c
2013-09-18 21:10:20 -06:00
Daniel P. Berrange
89a181053b Rename virPid{Abort, Wait} to virProcess{Abort, Wait}
Change "Pid" to "Process" to align with the virProcessKill
API naming prefix

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 0fb58ef5cd)
Signed-off-by: Eric Blake <eblake@redhat.com>

Conflicts:
	src/util/util.c
	src/lxc/lxc_container.c
	src/lxc/lxc_controller.c
2013-09-18 21:10:20 -06:00
Daniel P. Berrange
ffbf1df457 Rename virKillProcess to virProcessKill
Changing naming to follow the convention of "object" followed
by "action"

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit cf470068a1)
2013-09-18 21:10:20 -06:00
Daniel P. Berrange
1bcb4c727f Introduce APIs for splitting/joining strings
This introduces a few new APIs for dealing with strings.
One to split a char * into a char **, another to join a
char ** into a char *, and finally one to free a char **

There is a simple test suite to validate the edge cases
too. No more need to use the horrible strtok_r() API,
or hand-written code for splitting strings.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 76c1fd33c8)
Signed-off-by: Eric Blake <eblake@redhat.com>

Conflicts:
	tests/Makefile.am - several intermediate tests not backported
2013-09-18 21:10:20 -06:00
Daniel P. Berrange
ec5190af86 Fix TLS tests with gnutls 3
When given a CA cert with basic constraints to set non-critical,
and key usage of 'key signing', this should be rejected. Version
of GNUTLS < 3 do not rejecte it though, so we never noticed the
test case was broken

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 0204d6d7a0)
2013-09-18 21:06:24 -06:00
Eric Blake
c4f884dfec build: avoid confusing make with raw name 'undefine'
Make has a builtin operator 'undefine', and coupled with latest
automake.git, this test name ended up confusing make into thinking
the file name was meant to be used as the make operator.  Renaming
the file avoids the confusion.

* tests/undefine: Rename...
* tests/virsh-undefine: ...to this.
* tests/Makefile.am (test_scripts): Use new name.
Reported by Jim Meyering.

(cherry picked from commit a20f06d9d9)
2013-09-18 21:06:24 -06:00
Jiri Denemark
42010c2861 virsh: Fix POD syntax
The first two hunks fix "Unterminated I<...> sequence" error and the
last one fixes "’=item’ outside of any ’=over’" error.

(cherry picked from commit 61299a1c98)
Signed-off-by: Eric Blake <eblake@redhat.com>

Conflicts:
	tools/virsh.pod - drop hunks not present this far back
2013-09-18 21:06:24 -06:00
Eric Blake
901af5f469 build: more workarounds for if_bridge.h
This is a second attempt at fixing the problem first attempted
in commit 2df8d99; basically undoing the fact that it was
reverted in commit 43cee32f, plus fixing two more issues: the
code in configure.ac has to EXACTLY match virnetdevbridge.c
with regards to declaring in6 types before using if_bridge.h,
and the fact that RHEL 5 has even more conflicts:

In file included from util/virnetdevbridge.c:49:
/usr/include/linux/in6.h:47: error: conflicting types for 'in6addr_any'
/usr/include/netinet/in.h:206: error: previous declaration of 'in6addr_any' was here
/usr/include/linux/in6.h:49: error: conflicting types for 'in6addr_loopback'
/usr/include/netinet/in.h:207: error: previous declaration of 'in6addr_loopback' was here

The rest of this commit message borrows from the original try
of 2df8d99:

A fresh checkout on a RHEL 6 machine with these packages:
kernel-headers-2.6.32-405.el6.x86_64
glibc-2.12-1.128.el6.x86_64
failed to configure with this message:
checking for linux/if_bridge.h... no
configure: error: You must install kernel-headers in order to compile libvirt with QEMU or LXC support

Digging in config.log, we see that the problem is identical to
what we fixed earlier in commit d12c2811:

configure:98831: checking for linux/if_bridge.h
configure:98853: gcc -std=gnu99 -c -g -O2  conftest.c >&5
In file included from /usr/include/linux/if_bridge.h:17,
                 from conftest.c:559:
/usr/include/linux/in6.h:31: error: redefinition of 'struct in6_addr'
/usr/include/linux/in6.h:48: error: redefinition of 'struct sockaddr_in6'
/usr/include/linux/in6.h:56: error: redefinition of 'struct ipv6_mreq'
configure:98860: $? = 1

I had not hit it earlier because I was using incremental builds,
where config.cache had shielded me from the kernel-headers breakage.

* configure.ac (if_bridge.h): Avoid conflicting type definitions.
* src/util/virnetdevbridge.c (includes): Also sanitize for RHEL 5.

Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit 70024dc919)

Done in one patch rather than a series for bisectability reasons
(as intermediate patches suffer from various problems on various
platforms), and because the intermediate patches include a revert,
but it is pointless to backport two patches where one undoes the
other.  Intermediate patches include: 9a2f36e, c308a9a, 1bf661c,
d12c281, 2df8d99, 43cee32 (phew, that's a mouthful).

Conflicts:
	configure.ac - skip the churn of all intermediate patches
	src/util/virnetdevbridge.c - ditto
2013-09-18 16:55:49 -06:00
Eric Blake
9b3cc03193 build: allow building with newer glibc-headers and -O0
glibc 2.15 (on Fedora 17) coupled with explicit disabling of
optimization during development dies a painful death:

In file included from /usr/include/limits.h:27:0,
                 from /usr/lib/gcc/x86_64-redhat-linux/4.7.0/include/limits.h:169,
                 from /usr/lib/gcc/x86_64-redhat-linux/4.7.0/include/syslimits.h:7,
                 from /usr/lib/gcc/x86_64-redhat-linux/4.7.0/include/limits.h:34,
                 from util/bitmap.c:26:
/usr/include/features.h:314:4: error: #warning _FORTIFY_SOURCE requires compiling with optimization (-O) [-Werror=cpp]
cc1: all warnings being treated as errors

Work around this by only conditionally defining _FORTIFY_SOURCE,
in the case where glibc can actually use it.  The trick is using
AH_VERBATIM instead of AC_DEFINE.

* m4/virt-compile-warnings.m4 (LIBVIRT_COMPILE_WARNINGS): Squelch
_FORTIFY_SOURCE when needed to avoid glibc #warnings.

(cherry picked from commit 2af63b1c34)
2013-09-18 16:50:56 -06:00
Daniel P. Berrange
d70ca364d4 Fix race condition when destroying guests
When running virDomainDestroy, we need to make sure that no other
background thread cleans up the domain while we're doing our work.
This can happen if we release the domain object while in the
middle of work, because the monitor might detect EOF in this window.
For this reason we have a 'beingDestroyed' flag to stop the monitor
from doing its normal cleanup. Unfortunately this flag was only
being used to protect qemuDomainBeginJob, and not qemuProcessKill

This left open a race condition where either libvirtd could crash,
or alternatively report bogus error messages about the domain already
having been destroyed to the caller

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 81621f3e6e)

Conflicts:
	src/qemu/qemu_driver.c
2013-09-12 17:35:31 +02:00
Daniel P. Berrange
9143006c0a Don't ignore return value of qemuProcessKill
When calling qemuProcessKill from the virDomainDestroy impl
in QEMU, do not ignore the return value. This ensures that
if QEMU fails to respond to SIGKILL, the caller will know
about the failure.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit f1b4021b38)
2013-09-12 17:35:31 +02:00
Peter Krempa
1baa2fabad conf: Remove console stream callback only when freeing console helper
Commit ba226d334a tried to fix crash of
the daemon when a domain with an open console was destroyed. The fix was
wrong as it tried to remove the callback also when the stream was
aborted, where at that point the fd stream driver was already freed and
removed.

This patch clears the callbacks with a helper right before the hash is
freed, so that it doesn't interfere with other codepaths where the
stream object is freed.

(cherry picked from commit 45edefc7a7)
2013-09-12 17:35:31 +02:00
Peter Krempa
b01c3ae891 conf: Remove callback from stream when freeing entries in console hash
When a domain has a active console connection and is destroyed the
callback is called on private data that no longer exist causing a
segfault.

(cherry picked from commit ba226d334a)
2013-09-12 17:35:31 +02:00
Luca Tettamanti
3afbdfc3c4 storage: Need to also VIR_FREE(reg)
Commit-id 'afc4631b' added the regfree(reg) to free resources alloc'd
during regcomp; however, reg still needed to be VIR_FREE()'d. The call
to regfree() also didn't account for possible NULL value.  Reformatted
the call to be closer to usage.
(cherry picked from commit 71da3b66a8)

Backported to 0.9.12 with afc4631b and its revert skipped.

Signed-off-by: Luca Tettamanti <ltettamanti acunu com>
2013-09-12 17:35:27 +02:00
Jiri Denemark
6a3787f98f qemu: Add support for -no-user-config
Thanks to this new option we are now able to use modern CPU models (such
as Westmere) defined in external configuration file.

The qemu-1.1{,-device} data files for qemuhelptest are filled in with
qemu-1.1-rc2 output for now. I will update those files with real
qemu-1.1 output once it is released.

(cherry picked from commit 63b4243624)
2013-09-12 09:27:09 +02:00
Peter Krempa
ba92d4a9ca rpc: Fix crash on error paths of message dispatching
This patch resolves CVE-2013-0170:
https://bugzilla.redhat.com/show_bug.cgi?id=893450

When reading and dispatching of a message failed the message was freed
but wasn't removed from the message queue.

After that when the connection was about to be closed the pointer for
the message was still present in the queue and it was passed to
virNetMessageFree which tried to call the callback function from an
uninitialized pointer.

This patch removes the message from the queue before it's freed.

* rpc/virnetserverclient.c: virNetServerClientDispatchRead:
    - avoid use after free of RPC messages

(cherry picked from commit 46532e3e8e)
2013-09-12 09:27:09 +02:00
Peter Krempa
904fa209ae qemu: Fix off-by-one error while unescaping monitor strings
While unescaping the commands the commands passed through to the monitor
function qemuMonitorUnescapeArg() initialized lenght of the input string
to strlen()+1 which is fine for alloc but not for iteration of the
string.

This patch fixes the off-by-one error and drops the pointless check for
a single trailing slash that is automaticaly handled by the default
branch of switch.

(cherry picked from commit 0f4660c878)
2013-09-12 09:27:08 +02:00
Jiri Denemark
27977c7b13 Revert "rpc: Discard non-blocking calls only when necessary"
This reverts commit b1e374a7ac, which was
rather bad since I failed to consider all sides of the issue. The main
things I didn't consider properly are:

- a thread which sends a non-blocking call waits for the thread with
  the buck to process the call
- the code doesn't expect non-blocking calls to remain in the queue
  unless they were already partially sent

Thus, the reverted patch actually breaks more than what it fixes and
clients (which may even be libvirtd during p2p migrations) will likely
end up in a deadlock.

(cherry picked from commit 63643f67ab)
2013-09-12 09:27:08 +02:00
Eric Blake
16908590de build: fix virnetlink on glibc 2.11
We were being lazy - virnetlink.c was getting uint32_t as a
side-effect from glibc 2.14's <unistd.h>, but older glibc 2.11
does not provide uint32_t from <unistd.h>.  In fact, POSIX states
that <unistd.h> need only provide intptr_t, not all of <stdint.h>,
so the bug really is ours.  Reported by Jonathan Alescio.

* src/util/virnetlink.h: Include <stdint.h>.

(cherry picked from commit e8314e78f9)
2013-09-12 09:27:08 +02:00
Martin Kletzander
addf5e1b31 security: Fix libvirtd crash possibility
Fix for CVE-2012-4423.

When generating RPC protocol messages, it's strictly needed to have a
continuous line of numbers or RPC messages. However in case anyone
tries backporting some functionality and will skip a number, there is
a possibility to make the daemon segfault with newer virsh (version of
the library, rpc call, etc.) even unintentionally.

The problem is that the skipped numbers will get func filled with
NULLs, but there is no check whether these are set before the daemon
tries to run them. This patch very simply enhances one check and fixes
that.

(cherry picked from commit b7ff9e6960)
2013-09-11 14:44:34 +02:00
Jiri Denemark
11568ec854 daemon: Fix crash in virTypedParameterArrayClear
Daemon uses the following pattern when dispatching APIs with typed
parameters:

    VIR_ALLOC_N(params, nparams);
    virDomain*(dom, params, &nparams, flags);
    virTypedParameterArrayClear(params, nparams);

In case nparams was originally set to 0, virDomain* API would fill it
with the number of typed parameters it can provide and we would use this
number (rather than zero) to clear params. Because VIR_ALLOC* returns
non-NULL pointer even if size is 0, the code would end up walking
through random memory. If we were lucky enough and the memory contained
7 (VIR_TYPED_PARAM_STRING) at the right place, we would try to free a
random pointer and crash.

Let's make sure params stays NULL when nparams is 0.

(cherry picked from commit 6039a2cb49)
2013-09-11 14:44:34 +02:00
Daniel Veillard
a25d5cfd80 Release of libvirt-0.9.12
* configure.ac docs/news.html.in libvirt.spec.in: updates for the release
* po/*.po: pushed new sources and synchronized new languages translations
2012-05-14 10:52:04 +08:00
Matthias Bolte
3b9a12958d esx: Fix memory leaks in error paths related to transferred ownership
Appending an item to a list transfers ownership of that item to the
list owner. But an error can occur in between item allocation and
appending it to the list. In this case the item has to be freed
explicitly. This was not done in some special cases resulting in
possible memory leaks.

Reported by Coverity.
2012-05-13 16:20:35 +02:00
Peter Krempa
c833526924 qemu: Don't skip detection of virtual cpu's on non KVM targets
This patch lifts the limit of calling thread detection code only on KVM
guests. With upstream qemu the thread mappings are reported also on
non-KVM machines.

QEMU adopted the thread_id information from the kvm branch.

To remain compatible with older upstream versions of qemu the check is
attempted but the failure to detect threads (or even run the monitor
command - on older versions without SMP support) is treated non-fatal
and the code reports one vCPU with pid of the hypervisor (in same
fashion this was done on non-KVM guests).
2012-05-11 16:40:05 +02:00
Peter Krempa
3163682b58 qemu: Re-detect virtual cpu threads after cpu hot (un)plug.
After a cpu hotplug the qemu driver did not refresh information about
virtual processors used by qemu and their corresponding threads. This
patch forces a re-detection as is done on start of QEMU.

This ensures that correct information is reported by the
virDomainGetVcpus API and "virsh vcpuinfo".

A failure to obtain the thread<->vcpu mapping is treated non-fatal and
the mapping is not updated in a case of failure as not all versions of
QEMU report this in the info cpus command.
2012-05-11 16:40:05 +02:00