Accepting request 693774 from home:jfehlig:branches:Virtualization

Properly fix failing tests.

- Fix and re-enable snapshot tests
  f66f70ac-snapshot-fix-use-after-free.patch

  2a07c990-api-CVE-2019-3886.patch,
  ae076bb4-remote-CVE-2019-3886.patch
- spec: BuildRequires rpcgen since ae076bb4-remote-CVE-2019-3886.patch
    ebe9c6ea-qemu-firmware-dirent.patch

OBS-URL: https://build.opensuse.org/request/show/693774
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=746
James Fehlig 2019-04-12 15:52:39 +00:00 committed by Git OBS Bridge
parent da9af7a383
commit 376a708d02
7 changed files with 125 additions and 61 deletions

@ -1,6 +1,6 @@
commit 69f94df6afe2ea8e2034903d6423c783e0c535e8
commit 2a07c990bd9143d7a0fe8d1b6b7c763c52185240
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: Wed Apr 3 15:00:49 2019 +0100
Date: Wed Mar 27 10:59:58 2019 +0000
api: disallow virDomainGetHostname for read-only connections
@ -9,6 +9,7 @@ Date: Wed Apr 3 15:00:49 2019 +0100
forbidden on a read-only connection to libvirt.
Fixes CVE-2019-3886
Reviewed-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Index: libvirt-5.2.0/src/libvirt-domain.c

@ -1,6 +1,6 @@
commit 9737baf530d80eff19d46a5feb130d3064d47d64
commit ae076bb40e0e150aef41361b64001138d04d6c60
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: Wed Apr 3 15:00:50 2019 +0100
Date: Wed Mar 27 11:22:49 2019 +0000
remote: enforce ACL write permission for getting guest time & hostname
@ -9,6 +9,7 @@ Date: Wed Apr 3 15:00:50 2019 +0100
permissions check must validate "write" permission not "read".
Fixes CVE-2019-3886
Reviewed-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Index: libvirt-5.2.0/src/remote/remote_protocol.x

@ -0,0 +1,43 @@
commit ebe9c6eab77e2da500c24430addfcd9f10b1676d
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: Tue Apr 2 13:27:44 2019 +0100
qemu: don't rely on the non-portable d_type field in dirent
d_type is a non-portable extension to the struct dirent and even if it
exists, its value may be DT_UNKNOWN if the filesystem doesn't support
it. This is common with older versions of XFS which have ftype=0
feature.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Index: libvirt-5.2.0/src/qemu/qemu_firmware.c
===================================================================
--- libvirt-5.2.0.orig/src/qemu/qemu_firmware.c
+++ libvirt-5.2.0/src/qemu/qemu_firmware.c
@@ -924,9 +924,7 @@ qemuFirmwareBuildFileList(virHashTablePt
while ((rc = virDirRead(dirp, &ent, dir)) > 0) {
VIR_AUTOFREE(char *) filename = NULL;
VIR_AUTOFREE(char *) path = NULL;
-
- if (ent->d_type != DT_REG && ent->d_type != DT_LNK)
- continue;
+ struct stat sb;
if (STRPREFIX(ent->d_name, "."))
continue;
@@ -937,6 +935,14 @@ qemuFirmwareBuildFileList(virHashTablePt
if (virAsprintf(&path, "%s/%s", dir, filename) < 0)
goto cleanup;
+ if (stat(path, &sb) < 0) {
+ virReportSystemError(errno, _("Unable to access %s"), path);
+ goto cleanup;
+ }
+
+ if (!S_ISREG(sb.st_mode) && !S_ISLNK(sb.st_mode))
+ continue;
+
if (virHashUpdateEntry(files, filename, path) < 0)
goto cleanup;
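Review bot: In the second hunk, the `S_ISLNK(sb.st_mode)` clause can never be true, because `stat()` follows symbolic links and reports the type of the target; only `lstat()` reports a link type. The test therefore reduces to `S_ISREG`, which is probably the intent (a link to a regular file is accepted, a link to a directory is skipped), so either drop the `S_ISLNK` clause or say so in a comment. Also, a failing `stat()` now takes `goto cleanup`, so one dangling symlink or unreadable entry abandons the whole directory scan with an error instead of skipping that entry; consider whether `continue` after reporting is the better behaviour here.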

@ -0,0 +1,56 @@
commit f66f70acbe22527423b781cb6178859309843706
Author: Eric Blake <eblake@redhat.com>
Date: Mon Apr 8 11:45:47 2019 -0500
snapshot: Fix use-after-free during snapshot delete
Commit b647d2195 introduced a use-after-free situation when the caller
is trying to delete a snapshot and its children: if the callback
function deletes the parent, it is no longer safe to query the parent
to learn which children also need to be deleted (where we previously
saved deleting the parent for last). To fix the problem, while still
maintaining support for topological visits of callback functions, we
have to stash off any information needed for later traversal prior to
using a callback function (virDomainMomentForEachChild already does
this, it is only virDomainMomentActOnDescendant that was running into
problems).
Sadly, the testsuite did not cover the problem at the time. Worse,
even though I later added commit 280a2b41e to catch problems like
this, and even though that test is indeed sufficient to detect the
problem when run under valgrind or suitable MALLOC_PERTURB_ settings,
I'm guilty of not running the test in such an environment. Thus,
v5.2.0 has a regression that could have been prevented had we used the
testsuite to its full power. On the bright side, deleting snapshots
requires ACL domain:snapshot, which is arguably as powerful as
domain:write, so I don't think this use-after-free forms a security
hole.
At some point, it would be nice to convert virDomainMomentObj into a
virObject, at which point, the solution is even simpler: add
virObjectRef/Unref around the callback. But as that will require
auditing even more places in the code, I went with the simplest patch
for the regression fix.
Fixes: b647d2195
Reported-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Tested-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Index: libvirt-5.2.0/src/conf/virdomainmomentobjlist.c
===================================================================
--- libvirt-5.2.0.orig/src/conf/virdomainmomentobjlist.c
+++ libvirt-5.2.0/src/conf/virdomainmomentobjlist.c
@@ -80,9 +80,11 @@ virDomainMomentActOnDescendant(void *pay
{
virDomainMomentObjPtr obj = payload;
struct moment_act_on_descendant *curr = data;
+ virDomainMomentObj tmp = *obj;
+ /* Careful: curr->iter can delete obj, hence the need for tmp */
(curr->iter)(payload, name, curr->data);
- curr->number += 1 + virDomainMomentForEachDescendant(obj,
+ curr->number += 1 + virDomainMomentForEachDescendant(&tmp,
curr->iter,
curr->data);
return 0;
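Review bot: `virDomainMomentObj tmp = *obj;` is a shallow copy, so once `curr->iter` has deleted `obj` the traversal through `&tmp` is safe only if every pointer field that `virDomainMomentForEachDescendant` reads from it refers to memory that is not released together with `obj`. The added comment explains why the copy exists but not that invariant; name the fields the traversal depends on and state that they outlive the callback, so a later change to what the delete path frees does not quietly reintroduce the use-after-free. The commit message says the existing test catches this only under valgrind or a suitable MALLOC_PERTURB_ setting, which is worth recording next to the test as well.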

@ -1,11 +1,18 @@
-------------------------------------------------------------------
Thu Apr 11 23:00:48 UTC 2019 - James Fehlig <jfehlig@suse.com>
- Fix and re-enable snapshot tests
f66f70ac-snapshot-fix-use-after-free.patch
-------------------------------------------------------------------
Fri Apr 5 19:58:10 UTC 2019 - James Fehlig <jfehlig@suse.com>
- CVE-2019-3886: disallow virDomainGetHostname and virDomainGetTime
for read-only connections and users
CVE-2019-3886-api.patch, CVE-2019-3886-remote.patch
2a07c990-api-CVE-2019-3886.patch,
ae076bb4-remote-CVE-2019-3886.patch
bsc#1131595
- spec: BuildRequires rpcgen since CVE-2019-3886-remote.patch
- spec: BuildRequires rpcgen since ae076bb4-remote-CVE-2019-3886.patch
touches remote_protocol.x
-------------------------------------------------------------------
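Review bot: The new Thu Apr 11 entry lists only f66f70ac-snapshot-fix-use-after-free.patch, while the rename of CVE-2019-3886-api.patch and CVE-2019-3886-remote.patch to their commit-prefixed names is made by rewriting the Fri Apr 5 entry. Someone tracing the CVE-2019-3886 fix through the changelog then no longer sees the file names that entry originally recorded. Consider recording the renames in the Apr 11 entry and leaving the Apr 5 text as it was.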
@ -25,7 +32,7 @@ Wed Apr 3 18:08:00 UTC 2019 - Jim Fehlig <jfehlig@suse.com>
5a64c202-xenconfig-support-max-grant-frames.patch
- Added patches:
ff376c62-tests-fix-mocking-stat-lstat.patch,
mprivozn-test-fix-proposal.patch
ebe9c6ea-qemu-firmware-dirent.patch
-------------------------------------------------------------------
Thu Mar 21 21:40:06 UTC 2019 - James Fehlig <jfehlig@suse.com>

@ -338,12 +338,13 @@ Source99: baselibs.conf
Source100: %{name}-rpmlintrc
# Upstream patches
Patch0: ff376c62-tests-fix-mocking-stat-lstat.patch
Patch1: CVE-2019-3886-api.patch
Patch2: CVE-2019-3886-remote.patch
Patch1: ebe9c6ea-qemu-firmware-dirent.patch
Patch2: 2a07c990-api-CVE-2019-3886.patch
Patch3: ae076bb4-remote-CVE-2019-3886.patch
Patch4: f66f70ac-snapshot-fix-use-after-free.patch
# Patches pending upstream review
Patch100: libxl-dom-reset.patch
Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch
Patch102: mprivozn-test-fix-proposal.patch
# Need to go upstream
Patch150: xen-pv-cdrom.patch
Patch151: blockcopy-check-dst-identical-device.patch
@ -877,9 +878,10 @@ libvirt plugin for NSS for translating domain names into IP addresses.
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch100 -p1
%patch101 -p1
%patch102 -p1
%patch150 -p1
%patch151 -p1
%patch152 -p1
@ -1227,32 +1229,19 @@ mv %{buildroot}/%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \
%check
cd tests
SKIP_C_TESTS=""
SKIP_SCRIPT_TESTS=""
SKIP_TESTS=""
# These tests don't current work in a mock build root
# virnetsockettest: needs unsupported linux-user syscalls
SKIP_C_TESTS="$SKIP_TESTS virnetsockettest"
SKIP_TESTS="$SKIP_TESTS virnetsockettest"
# virportallocatortest fails on aarch64 due to unsupported IPV6_V6ONLY flag
%ifarch aarch64
SKIP_C_TESTS="$SKIP_TESTS virportallocatortest"
SKIP_TESTS="$SKIP_TESTS virportallocatortest"
%endif
# Temporarily remove the snapshot tests until they stabilize
SKIP_SCRIPT_TESTS="$SKIP_SCRIPT_TESTS virsh-snapshot"
# Remove tests that dont work on 32-bit arch
#%ifarch %{ix86} armv7l
#SKIP_C_TESTS="$SKIP_C_TESTS qemufirmwaretest"
#%endif
for i in $SKIP_C_TESTS
for i in $SKIP_TESTS
do
rm -f $i
printf 'int main(void) { return 0; }' > $i.c
done
for i in $SKIP_SCRIPT_TESTS
do
rm -f $i
printf '#!/bin/sh\n exit 0\n' > $i
chmod +x $i
done
make %{?_smp_mflags}
if ! make %{?_smp_mflags} check VIR_TEST_DEBUG=1
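Review bot: With the `virsh-snapshot` skip removed, the snapshot test runs again under `make %{?_smp_mflags} check VIR_TEST_DEBUG=1`, but the f66f70ac commit message in this same change says that test detects the use-after-free only under valgrind or a suitable MALLOC_PERTURB_ setting. The visible %check lines set neither, so the re-enabled test would not catch a regression of that bug class during the build; consider exporting MALLOC_PERTURB_ for the check run. Separately, with the two skip lists merged, every name in SKIP_TESTS is replaced by a C stub (`$i.c`), which does not work for a script test; a one-line comment that SKIP_TESTS takes compiled tests only would prevent a surprise later.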

@ -1,33 +0,0 @@
Patch proposed by Michal on libvirt list
This patch fixes firmware test failures.
https://www.redhat.com/archives/libvir-list/2019-April/msg00156.html
Index: libvirt-5.2.0/src/qemu/qemu_firmware.c
===================================================================
--- libvirt-5.2.0.orig/src/qemu/qemu_firmware.c
+++ libvirt-5.2.0/src/qemu/qemu_firmware.c
@@ -924,8 +924,9 @@ qemuFirmwareBuildFileList(virHashTablePt
while ((rc = virDirRead(dirp, &ent, dir)) > 0) {
VIR_AUTOFREE(char *) filename = NULL;
VIR_AUTOFREE(char *) path = NULL;
+ struct stat sb;
- if (ent->d_type != DT_REG && ent->d_type != DT_LNK)
+ if (ent->d_type != DT_REG && ent->d_type != DT_LNK && ent->d_type != DT_UNKNOWN)
continue;
if (STRPREFIX(ent->d_name, "."))
@@ -937,6 +938,11 @@ qemuFirmwareBuildFileList(virHashTablePt
if (virAsprintf(&path, "%s/%s", dir, filename) < 0)
goto cleanup;
+ if (ent->d_type == DT_UNKNOWN &&
+ stat(path, &sb) >= 0 &&
+ ((sb.st_mode & S_IFMT) != S_IFREG && (sb.st_mode & S_IFMT) != S_IFLNK))
+ continue;
+
if (virHashUpdateEntry(files, filename, path) < 0)
goto cleanup;