Commit Graph

14420 Commits

Author SHA1 Message Date
Eric Blake
dd3688e4d1 random: don't mix RAND_MAX with random_r
FreeBSD 10 recently changed their definition of RAND_MAX, to try
and cover the fact that their evenly distributed results of rand()
really are a smaller range than a full power of 2.  As a result,
I did some investigation, and learned:

1. POSIX requires random() to be evenly distributed across exactly
31 bits.  glibc also guarantees this for rand(), but the two are
unrelated, and POSIX only associates RAND_MAX with rand().
Avoiding RAND_MAX altogether thus avoids a build failure on
FreeBSD 10.

2. Concatenating random bits from a PRNG will NOT provide uniform
coverage over the larger value UNLESS the period of the original
PRNG is at least as large as the number of bits being concatenated.
Simple example: suppose that RAND_MAX were 1 with a period of 2**1
(which means that the PRNG merely alternates between 0 and 1).
Concatenating two successive rand() calls would then invariably
result in 01 or 10, which is a rather non-uniform distribution
(00 and 11 are impossible) and an even worse period (2**0, since
our second attempt will get the same number as our first attempt).
But a RAND_MAX of 1 with a period of 2**2 (alternating between
0, 1, 1, 0) provides sane coverage of all four values, if properly
tempered.  (Back-to-back calls would still only see half the values
if we don't do some tempering).  We therefore want to guarantee a
period of at least 2**64, preferably larger (as a tempering factor);
POSIX only makes this guarantee for random() with 256 bytes of info.

* src/util/virrandom.c (virRandomBits): Use constants that are
accurate for the PRNG we are using, not an unrelated PRNG.
(randomState): Ensure the period of our PRNG exceeds our usage.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-08-30 06:24:28 -06:00
Peter Krempa
8c725cc10d virsh-domain: rename print_job_progress to vshPrintJobProgress 2013-08-30 09:38:51 +02:00
Eric Blake
745aa55fbf security: provide supplemental groups even when parsing label (CVE-2013-4291)
Commit 29fe5d7 (released in 1.1.1) introduced a latent problem
for any caller of virSecurityManagerSetProcessLabel and where
the domain already had a uid:gid label to be parsed.  Such a
setup would collect the list of supplementary groups during
virSecurityManagerPreFork, but then ignores that information,
and thus fails to call setgroups() to adjust the supplementary
groups of the process.

Upstream does not use virSecurityManagerSetProcessLabel for
qemu (it uses virSecurityManagerSetChildProcessLabel instead),
so this problem remained latent until backporting the initial
commit into v0.10.2-maint (commit c061ff5, released in 0.10.2.7),
where virSecurityManagerSetChildProcessLabel has not been
backported.  As a result of using a different code path in the
backport, attempts to start a qemu domain that runs as qemu:qemu
will end up with supplementary groups unchanged from the libvirtd
parent process, rather than the desired supplementary groups of
the qemu user.  This can lead to failure to start a domain
(typical Fedora setup assigns user 107 'qemu' to both group 107
'qemu' and group 36 'kvm', so a disk image that is only readable
under kvm group rights is locked out).  Worse, it is a security
hole (the qemu process will inherit supplemental group rights
from the parent libvirtd process, which means it has access
rights to files owned by group 0 even when such files should
not normally be visible to user qemu).

LXC does not use the DAC security driver, so it is not vulnerable
at this time.  Still, it is better to plug the latent hole on
the master branch first, before cherry-picking it to the only
vulnerable branch v0.10.2-maint.

* src/security/security_dac.c (virSecurityDACGetIds): Always populate
groups and ngroups, rather than only when no label is parsed.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-08-29 08:43:03 -06:00
Daniel P. Berrange
a4d1cfdc59 Prohibit unbounded arrays in XDR protocols
The use of <> is a security issue for RPC parameters, since a
malicious client can set a huge array length causing arbitrary
memory allocation in the daemon.

It is also a robustness issue for RPC return values, because if
the stream is corrupted, it can cause the client to also allocate
arbitrary memory.

Use a syntax-check rule to prohibit any use of <>

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Daniel P. Berrange
47fb5672f2 Add bounds checking on virConnectListAllSecrets RPC call
The return values for the virConnectListAllSecrets call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Daniel P. Berrange
12034511a1 Add bounds checking on virConnectListAllNWFilters RPC call
The return values for the virConnectListAllNWFilters call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Daniel P. Berrange
1dcff6a7ea Add bounds checking on virConnectListAllNodeDevices RPC call
The return values for the virConnectListAllNodeDevices call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Daniel P. Berrange
8be2172897 Add bounds checking on virConnectListAllInterfaces RPC call
The return values for the virConnectListAllInterfaces call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Daniel P. Berrange
174f7dd5ba Add bounds checking on virConnectListAllNetworks RPC call
The return values for the virConnectListAllNetworks call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Daniel P. Berrange
046acaf37b Add bounds checking on virStoragePoolListAllVolumes RPC call
The return values for the virStoragePoolListAllVolumes call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Daniel P. Berrange
c853fa8feb Add bounds checking on virConnectListAllStoragePools RPC call
The return values for the virConnectListAllStoragePools call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Daniel P. Berrange
9e97128ba5 Add bounds checking on virConnectListAllDomains RPC call
The return values for the virConnectListAllDomains call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Daniel P. Berrange
a43d4f543c Add bounds checking on virDomain{SnapshotListAllChildren,ListAllSnapshots} RPC calls
The return values for the virDomain{SnapshotListAllChildren,ListAllSnapshots}
calls were not bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Daniel P. Berrange
6d7d0b1869 Add bounds checking on virDomainGetJobStats RPC call
The return values for the virDomainGetJobStats call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Daniel P. Berrange
fd6f6a4861 Add bounds checking on virDomainMigrate*Params RPC calls (CVE-2013-4292)
The parameters for the virDomainMigrate*Params RPC calls were
not bounds checks, meaning a malicious client can cause libvirtd
to consume arbitrary memory

This issue was introduced in the 1.1.0 release of libvirt

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-29 15:36:13 +01:00
Guan Qiang
c26181495f python: Fix a PyList usage mistake
Fix PyList usage mistake in Function libvirt_lxc_virDomainLxcOpenNamespace.

https://bugzilla.redhat.com/show_bug.cgi?id=1002383

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-08-29 06:52:56 -06:00
Michal Privoznik
834a86eae5 autogen.sh: Correctly detect .git as a file
One of my previous patches 5cfe0d37cd tried to handle the case when
libvirt is a submodule of another project. In that case, the .git is
just a link to the parent .git directory (which the autogen.sh script
didn't count on). The fix was missing 'test' though.
2013-08-29 13:19:45 +02:00
Michal Privoznik
0f396366fe bridge_driver: Introduce networkObjFromNetwork
Similarly to qemu_driver.c, we can join often repeating code of looking
up network into one function: networkObjFromNetwork.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2013-08-29 11:03:33 +02:00
Peter Krempa
14da45c8e4 qemu_hotplug: Fix whitespace around addition in argument 2013-08-29 10:41:45 +02:00
Peter Krempa
50348e6edf qemu: Remove hostdev entry when freeing the depending network entry
When using a <interface type="network"> that points to a network with
hostdev forwarding mode a hostdev alias is created for the network. This
allias is inserted into the hostdev list, but is backed with a part of
the network object that it is connected to.

When a VM is being stopped qemuProcessStop() calls
networkReleaseActualDevice() which eventually frees the memory for the
hostdev object. Afterwards when the domain definition is being freed by
virDomainDefFree() an invalid pointer is accessed by
virDomainHostdevDefFree() and may cause a crash of the daemon.

This patch removes the entry in the hostdev list before freeing the
depending memory to avoid this issue.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1000973
2013-08-29 10:41:45 +02:00
Eric Blake
8aecd35126 virsh: detect programming errors with option parsing
Noticed while reviewing another patch that had an accidental
mismatch due to refactoring.  An audit of the code showed that
very few callers of vshCommandOpt were expecting a return of
-2, indicating programmer error, and of those that DID check,
they just propagated that status to yet another caller that
did not check.  Fix this by making the code blatantly warn
the programmer, rather than silently ignoring it and possibly
doing the wrong thing downstream.

I know that we frown on assert()/abort() inside libvirtd
(libraries should NEVER kill the program that linked them),
but as virsh is an app rather than the library, and as this
is not the first use of assert() in virsh, I think this
approach is okay.

* tools/virsh.h (vshCommandOpt): Drop declaration.
* tools/virsh.c (vshCommandOpt): Make static, and add a
parameter.  Abort on programmer errors rather than making callers
repeat that logic.
(vshCommandOptInt, vshCommandOptUInt, vshCommandOptUL)
(vshCommandOptString, vshCommandOptStringReq)
(vshCommandOptLongLong, vshCommandOptULongLong)
(vshCommandOptBool): Adjust callers.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-08-28 14:48:24 -06:00
Jiri Denemark
74c5156f9d virt-sanlock-cleanup; Fix augtool usage
Surprisingly, augtool get (or print) returns "path = value" while we are
only interested in the value. We need to remove the "path = " part from
the augtool's output. The following is an example of the augtool command
as used in virt-sanlock-cleanup script:

$ augtool get /files/etc/libvirt/qemu-sanlock.conf/disk_lease_dir
/files/etc/libvirt/qemu-sanlock.conf/disk_lease_dir = /var/lib/libvirt/sanlock
2013-08-28 13:50:10 +02:00
Martin Kletzander
ac43da705f virsh: Fix debugging
Commit a0b6a36f "fixed" what abfff210 broke (URI precedence), but
there was still one more thing missing to fix.  When using virsh
parameters to setup debugging, those weren't honored, because at the
time debugging was initializing, arguments weren't parsed yet.  To
make ewerything work as expected, we need to initialize the debugging
twice, once before debugging (so we can debug option parsing properly)
and then again after these options are parsed.

As a side effect, this patch also fixes a leak when virsh is ran with
multiple '-l' parameters.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2013-08-28 09:38:04 +02:00
Michal Privoznik
2ab0948d0c virsh-pool.c: Don't jump over variable declaration
Since 785ff34bf8 we are using the outputStr variable in cleanup label.
However, there is a possibility to jump to the label before the variable
has been declared:

virsh-pool.c: In function 'cmdPoolList':
virsh-pool.c:1121:25: error: jump skips variable initialization [-Werror=jump-misses-init]
                         goto asprintf_failure;
                         ^
virsh-pool.c:1308:1: note: label 'asprintf_failure' defined here
 asprintf_failure:
 ^
virsh-pool.c:1267:11: note: 'outputStr' declared here
     char *outputStr = NULL;
2013-08-28 09:33:15 +02:00
Ján Tomko
14d5328681 virsh: free the caps list properly if one of them is invalid
VIR_FREE(caps) is not enough to free an array allocated
by vshStringToArray.

==17== 4 bytes in 1 blocks are definitely lost in loss record 4 of 728
==17==    by 0x4EFFC44: virStrdup (virstring.c:554)
==17==    by 0x128B10: _vshStrdup (virsh.c:125)
==17==    by 0x129164: vshStringToArray (virsh.c:218)
==17==    by 0x157BB3: cmdNodeListDevices (virsh-nodedev.c:409)

https://bugzilla.redhat.com/show_bug.cgi?id=1001536
2013-08-28 08:05:56 +02:00
Ján Tomko
785ff34bf8 virsh: free the formatting string when listing pool details
==23== 41 bytes in 1 blocks are definitely lost in loss record 626 of 727
==23==    by 0x4F0099F: virAsprintfInternal (virstring.c:358)
==23==    by 0x15D2C9: cmdPoolList (virsh-pool.c:1268)

https://bugzilla.redhat.com/show_bug.cgi?id=1001536
2013-08-28 08:05:56 +02:00
Ján Tomko
f733eac058 virsh: free the list from ListAll APIs even for 0 items
virsh secret-list leak when no secrets are defined:

==27== 8 bytes in 1 blocks are definitely lost in loss record 6 of 726
==27==    by 0x4E941DD: virAllocN (viralloc.c:183)
==27==    by 0x5037F1A: remoteConnectListAllSecrets (remote_driver.c:3076)
==27==    by 0x5004EC6: virConnectListAllSecrets (libvirt.c:16298)
==27==    by 0x15F813: vshSecretListCollect (virsh-secret.c:397)
==27==    by 0x15F0E1: cmdSecretList (virsh-secret.c:532)

And so do some other *-list commands.

https://bugzilla.redhat.com/show_bug.cgi?id=1001536
2013-08-28 08:05:56 +02:00
Ján Tomko
66d124b454 virsh: free messages after logging them to a file
The messages were only freed on error.

==12== 1,100 bytes in 1 blocks are definitely lost in loss record 698 of 729
==12==    by 0x4E98C22: virBufferAsprintf (virbuffer.c:294)
==12==    by 0x12C950: vshOutputLogFile (virsh.c:2440)
==12==    by 0x12880B: vshError (virsh.c:2254)
==12==    by 0x131957: vshCommandOptDomainBy (virsh-domain.c:109)
==12==    by 0x14253E: cmdStart (virsh-domain.c:3333)

https://bugzilla.redhat.com/show_bug.cgi?id=1001536
2013-08-28 08:05:56 +02:00
Ján Tomko
2d9185a9f3 Test network update XML parsing
Add checks for updating sections of network definition via
virNetworkDefUpdateSection.

https://bugzilla.redhat.com/show_bug.cgi?id=989569
2013-08-28 08:05:46 +02:00
Ján Tomko
d8bd24a9ec Remove the space before the slash in network XML
This matches the style we use elsewhere and allows
nat-network-dns-srv-record{,-minimal}.xml to be tested in
network XML -> XML test.
2013-08-28 08:05:46 +02:00
Ján Tomko
63ee776f8c Build QEMU command line for pcihole64
QEMU commit 3984890 introduced the "pci-hole64-size" property,
to i440FX-pcihost and q35-pcihost with a default setting of 2 GB.

Translate <pcihole64>x<pcihole64/> to:
-global q35-pcihost.pci-hole64-size=x for q35 machines and
-global i440FX-pcihost.pci-hole64-size=x for i440FX-based machines.

Error out on other machine types or if the size was specified
but the pcihost device lacks 'pci-hole64-size' property.

https://bugzilla.redhat.com/show_bug.cgi?id=990418
2013-08-27 17:42:29 +02:00
Ján Tomko
01cda91809 Add pcihole64 element to root PCI controllers
<controller type='pci' index='0' model='pci-root'>
  <pcihole64 unit='KiB'>1048576</pcihole64>
</controller>

It can be used to adjust (or disable) the size of the 64-bit
PCI hole. The size attribute is in kilobytes (different unit
can be specified on input), but it gets rounded up to
the nearest GB by QEMU.

Disabling it will be needed for guests that crash with the
64-bit PCI hole (like Windows XP), see:
https://bugzilla.redhat.com/show_bug.cgi?id=990418
2013-08-27 17:42:29 +02:00
Ján Tomko
4582bc2e78 Allow controller XML parsing to use XPath context
virDomainParseScaledValue requires it.
2013-08-27 17:42:29 +02:00
Ján Tomko
87e3a05cba Move virDomainParseScaledValue earlier
Let virDomainControllerDefParseXML use it without
a forward declaration.
2013-08-27 17:42:29 +02:00
Aline Manera
796513d7cc Add ftp protocol support for cdrom disk
The ftp protocol is already recognized by qemu/KVM so add this support to
libvirt as well.
The xml should be as following:

     <disk type='network' device='cdrom'>
       <source protocol='ftp' name='/url/path'>
         <host name='host.name' port='21'/>
       </source>
     </disk>

Signed-off-by: Aline Manera <alinefm@br.ibm.com>
2013-08-27 14:50:24 +02:00
Aline Manera
3485ce4e9d Add http protocol support for cdrom disk
QEMU/KVM already allows a HTTP URL for the cdrom ISO image so add this support
to libvirt as well.
The xml should be as following:

    <disk type='network' device='cdrom'>
      <source protocol='http' name='/url/path'>
        <host name='host.name' port='80'/>
      </source>
    </disk>

Signed-off-by: Aline Manera <alinefm@br.ibm.com>
2013-08-27 14:50:24 +02:00
Ján Tomko
bab2eda6ad Always specify qcow2 compat level on qemu-img command line
qemu-img is going to switch the default for QCOW2
to QCOW2v3 (compat=1.1)

Extend the probing for qemu-img command line options to check
if -o compat is supported. If the volume definition specifies
the qcow2 format but no compat level and -o compat is supported,
specify -o compat=0.10 to create a QCOW2v2 image.

https://bugzilla.redhat.com/show_bug.cgi?id=997977
2013-08-27 12:45:58 +02:00
Guannan Ren
9eb444364e virsh: fix return value error of cpu-stats
virsh cpu-stats guest --start 0 --count 3
It outputs right but the return value is 1 rather than 0
echo $?
1

Found by running libvirt-autotest
./run -t libvirt --tests virsh_cpu_stats
2013-08-27 15:17:03 +08:00
Tomas Meszaros
a88924bc21 virsh: C99 style for info_domfstrim and opts_lxc_enter_namespace
Change info_domfstrim and opts_lxc_enter_namespace initialization style
to C99.
2013-08-26 10:23:16 -06:00
Michal Privoznik
a45ec678e9 qemuDomainAttachHostPciDevice: Fall back to mem balloon if there's no hard_limit
If there's no hard_limit set and domain uses VFIO we still must lock
the guest memory (prerequisite from qemu). Hence, we should compute
the amount to be locked from max_balloon.
2013-08-26 17:38:24 +02:00
Jiri Denemark
b02fd24f18 qemuhotplugtest: Add tests for virtio SCSI disk hotplug 2013-08-26 16:09:56 +02:00
Jiri Denemark
e191a3e699 qemuhotplugtest: Add tests for USB disk hotplug 2013-08-26 16:09:56 +02:00
Jiri Denemark
4aee8a70b8 qemuhotplugtest: Add tests for async virtio disk detach 2013-08-26 16:09:56 +02:00
Jiri Denemark
68d6f66e6e qemuhotplugtest: Add support for DEVICE_DELETED event 2013-08-26 16:09:55 +02:00
Jiri Denemark
419489e618 qemu: Let tests override waiting time for device unplug
We don't want tests to wait 5 seconds for an event which we know will
never come.
2013-08-26 16:09:55 +02:00
Jiri Denemark
b2f76cd20e qemu: Export qemuProcessHandleDeviceDeleted for tests 2013-08-26 16:09:55 +02:00
Jiri Denemark
201f01ab97 tests: Add support for passing driver to qemu monitor
The driver is then passed to monitor event handlers.
2013-08-26 16:09:55 +02:00
Jiri Denemark
a950b4f91d tests: Add support for passing vm to qemu monitor
Some tests need the monitor to operate on an already existing VM object
rather than on a new mock-up the monitor test normally creates.
2013-08-26 16:09:55 +02:00
Jiri Denemark
2074574821 qemuhotplugtest: Add tests for virtio disk hotplug 2013-08-26 16:09:55 +02:00
Jiri Denemark
2618dc2a45 qemuxml2argvtest: Add XML for testing device hotplug
This is a generic XML usable for hotplugging various types of devices.
2013-08-26 16:09:55 +02:00