diff --git a/bitmap-alloc.patch b/bitmap-alloc.patch new file mode 100644 index 0000000..2a25011 --- /dev/null +++ b/bitmap-alloc.patch @@ -0,0 +1,29 @@ +commit ce49cfb48ad5e9cac79819d0ccde4394c237af25 +Author: Eric Blake +Date: Wed Jun 2 09:03:57 2010 -0600 + + bitmap: reject zero-size bitmap + + * src/util/bitmap.c (virBitmapAlloc): Tighten sanity check. + +diff --git a/src/util/bitmap.c b/src/util/bitmap.c +index 69094a5..44edb49 100644 +--- a/src/util/bitmap.c ++++ b/src/util/bitmap.c +@@ -1,6 +1,7 @@ + /* + * bitmap.h: Simple bitmap operations + * ++ * Copyright (C) 2010 Red Hat, Inc. + * Copyright (C) 2010 Novell, Inc. + * + * This library is free software; you can redistribute it and/or +@@ -58,7 +59,7 @@ virBitmapPtr virBitmapAlloc(size_t size) + virBitmapPtr bitmap; + size_t sz; + +- if (SIZE_MAX - VIR_BITMAP_BITS_PER_UNIT < size) ++ if (SIZE_MAX - VIR_BITMAP_BITS_PER_UNIT < size || size == 0) + return NULL; + + sz = (size + VIR_BITMAP_BITS_PER_UNIT - 1) / diff --git a/bitmap-fixes.patch b/bitmap-fixes.patch new file mode 100644 index 0000000..96d3bd4 --- /dev/null +++ b/bitmap-fixes.patch @@ -0,0 +1,59 @@ +If VM startup fails early enough (can't find a referenced USB device), +libvirtd will crash trying to clear the VNC port bit, since port = 0, +which overflows us out of the bitmap bounds. + +Fix this by being more defensive in the bitmap operations, and only +clearing a previously set VNC port. + +v2: Add safety check to all relevant bitmap ops. + +Signed-off-by: Cole Robinson +--- + src/qemu/qemu_driver.c | 2 +- + src/util/bitmap.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +Index: libvirt-0.8.1/src/qemu/qemu_driver.c +=================================================================== +--- libvirt-0.8.1.orig/src/qemu/qemu_driver.c ++++ libvirt-0.8.1/src/qemu/qemu_driver.c +@@ -3635,7 +3635,7 @@ retry: + if ((vm->def->ngraphics == 1) && + vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC && + vm->def->graphics[0]->data.vnc.autoport && +- vm->def->graphics[0]->data.vnc.port != -1) { ++ vm->def->graphics[0]->data.vnc.port >= QEMU_VNC_PORT_MIN) { + if (virBitmapClearBit(driver->reservedVNCPorts, + vm->def->graphics[0]->data.vnc.port - \ + QEMU_VNC_PORT_MIN) < 0) { +Index: libvirt-0.8.1/src/util/bitmap.c +=================================================================== +--- libvirt-0.8.1.orig/src/util/bitmap.c ++++ libvirt-0.8.1/src/util/bitmap.c +@@ -101,7 +101,7 @@ void virBitmapFree(virBitmapPtr bitmap) + */ + int virBitmapSetBit(virBitmapPtr bitmap, size_t b) + { +- if (b > bitmap->size - 1) ++ if (bitmap->size <= b) + return -1; + + bitmap->map[VIR_BITMAP_UNIT_OFFSET(b)] |= (1 << VIR_BITMAP_BIT_OFFSET(b)); +@@ -119,7 +119,7 @@ int virBitmapSetBit(virBitmapPtr bitmap, + */ + int virBitmapClearBit(virBitmapPtr bitmap, size_t b) + { +- if (b > bitmap->size - 1) ++ if (bitmap->size <= b) + return -1; + + bitmap->map[VIR_BITMAP_UNIT_OFFSET(b)] &= ~(1 << VIR_BITMAP_BIT_OFFSET(b)); +@@ -141,7 +141,7 @@ int virBitmapGetBit(virBitmapPtr bitmap, + { + uint32_t bit; + +- if (b > bitmap->size - 1) ++ if (bitmap->size <= b) + return -1; + + bit = bitmap->map[VIR_BITMAP_UNIT_OFFSET(b)] & diff --git a/libvirt.changes b/libvirt.changes index 00abc4b..996d48f 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Fri Jun 4 13:16:31 MDT 2010 - jfehlig@novell.com +- Allocate buffer to hold xend content + bnc#609738 + xend-buff-size.patch + +- Add upstream fixes to bitmap code that was introduced to fix + bnc#594024 + bitmap-alloc.patch + bitmap-fixes.patch + ------------------------------------------------------------------- Tue Jun 1 13:52:21 MDT 2010 - jfehlig@novell.com diff --git a/libvirt.spec b/libvirt.spec index 0f1992a..ca707b1 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -146,6 +146,10 @@ Patch0: remote-rm-unused-field.patch Patch1: vnc-race-1.patch Patch2: vnc-race-2.patch Patch3: vnc-race-3.patch +Patch4: bitmap-alloc.patch +Patch5: bitmap-fixes.patch +Patch6: xend-content-buf.patch +Patch7: xend-content-buf-fix.patch # Need to go upstream Patch100: xen-name-for-devid.patch Patch101: socat.patch @@ -263,6 +267,10 @@ Authors: %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 %patch100 -p1 %patch101 -p1 %patch102 diff --git a/xen-name-for-devid.patch b/xen-name-for-devid.patch index b324c5a..c1d3798 100644 --- a/xen-name-for-devid.patch +++ b/xen-name-for-devid.patch @@ -17,7 +17,7 @@ Index: libvirt-0.8.1/src/xen/xend_internal.c =================================================================== --- libvirt-0.8.1.orig/src/xen/xend_internal.c +++ libvirt-0.8.1/src/xen/xend_internal.c -@@ -91,6 +91,7 @@ xenDaemonFormatSxprOnePCI(virDomainHostd +@@ -92,6 +92,7 @@ xenDaemonFormatSxprOnePCI(virDomainHostd static int virDomainXMLDevID(virDomainPtr domain, @@ -25,7 +25,7 @@ Index: libvirt-0.8.1/src/xen/xend_internal.c virDomainDeviceDefPtr dev, char *class, char *ref, -@@ -4164,7 +4165,7 @@ xenDaemonAttachDeviceFlags(virDomainPtr +@@ -4178,7 +4179,7 @@ xenDaemonAttachDeviceFlags(virDomainPtr sexpr = virBufferContentAndReset(&buf); @@ -34,7 +34,7 @@ Index: libvirt-0.8.1/src/xen/xend_internal.c /* device doesn't exist, define it */ ret = xend_op(domain->conn, domain->name, "op", "device_create", "config", sexpr, NULL); -@@ -4281,7 +4282,7 @@ xenDaemonUpdateDeviceFlags(virDomainPtr +@@ -4295,7 +4296,7 @@ xenDaemonUpdateDeviceFlags(virDomainPtr sexpr = virBufferContentAndReset(&buf); @@ -43,7 +43,7 @@ Index: libvirt-0.8.1/src/xen/xend_internal.c virXendError(VIR_ERR_OPERATION_INVALID, "%s", _("requested device does not exist")); goto cleanup; -@@ -4373,7 +4374,7 @@ xenDaemonDetachDeviceFlags(virDomainPtr +@@ -4387,7 +4388,7 @@ xenDaemonDetachDeviceFlags(virDomainPtr def, xml, VIR_DOMAIN_XML_INACTIVE))) goto cleanup; @@ -52,7 +52,7 @@ Index: libvirt-0.8.1/src/xen/xend_internal.c goto cleanup; if (dev->type == VIR_DOMAIN_DEVICE_HOSTDEV) { -@@ -6121,6 +6122,7 @@ error: +@@ -6135,6 +6136,7 @@ error: */ static int virDomainXMLDevID(virDomainPtr domain, @@ -60,7 +60,7 @@ Index: libvirt-0.8.1/src/xen/xend_internal.c virDomainDeviceDefPtr dev, char *class, char *ref, -@@ -6129,27 +6131,33 @@ virDomainXMLDevID(virDomainPtr domain, +@@ -6143,27 +6145,33 @@ virDomainXMLDevID(virDomainPtr domain, xenUnifiedPrivatePtr priv = domain->conn->privateData; char *xref; char *tmp; diff --git a/xen-pv-cdrom.patch b/xen-pv-cdrom.patch index 9b90452..bfa1faf 100644 --- a/xen-pv-cdrom.patch +++ b/xen-pv-cdrom.patch @@ -2,7 +2,7 @@ Index: libvirt-0.8.1/src/xen/xend_internal.c =================================================================== --- libvirt-0.8.1.orig/src/xen/xend_internal.c +++ libvirt-0.8.1/src/xen/xend_internal.c -@@ -5531,7 +5531,10 @@ xenDaemonFormatSxprDisk(virConnectPtr co +@@ -5545,7 +5545,10 @@ xenDaemonFormatSxprDisk(virConnectPtr co } else if (def->device == VIR_DOMAIN_DISK_DEVICE_CDROM) { virBufferVSprintf(buf, "(dev '%s:cdrom')", def->dst); } else { diff --git a/xen-tap2-support.patch b/xen-tap2-support.patch index 8f05493..de9ad21 100644 --- a/xen-tap2-support.patch +++ b/xen-tap2-support.patch @@ -2,7 +2,7 @@ Index: libvirt-0.8.1/src/xen/xend_internal.c =================================================================== --- libvirt-0.8.1.orig/src/xen/xend_internal.c +++ libvirt-0.8.1/src/xen/xend_internal.c -@@ -1596,7 +1596,8 @@ xenDaemonParseSxprDisks(virDomainDefPtr +@@ -1610,7 +1610,8 @@ xenDaemonParseSxprDisks(virDomainDefPtr but blktap disks ended up in a differently named (device (tap ....)) block.... */ if (sexpr_lookup(node, "device/vbd") || @@ -12,7 +12,7 @@ Index: libvirt-0.8.1/src/xen/xend_internal.c char *offset; const char *src = NULL; const char *dst = NULL; -@@ -1607,10 +1608,14 @@ xenDaemonParseSxprDisks(virDomainDefPtr +@@ -1621,10 +1622,14 @@ xenDaemonParseSxprDisks(virDomainDefPtr src = sexpr_node(node, "device/vbd/uname"); dst = sexpr_node(node, "device/vbd/dev"); mode = sexpr_node(node, "device/vbd/mode"); diff --git a/xend-content-buf-fix.patch b/xend-content-buf-fix.patch new file mode 100644 index 0000000..784aecb --- /dev/null +++ b/xend-content-buf-fix.patch @@ -0,0 +1,79 @@ +commit b1eb7f2e987d21b1711e86e5cb63a69abfce82f1 +Author: Jim Fehlig +Date: Fri Jun 4 10:04:03 2010 -0600 + + Fixes for commit 211dd1e9 + + Fixes for issues in commit 211dd1e9 noted by by Jim Meyering. + + 1. Allocate content buffer of size content_length + 1 to ensure + NUL-termination. + 2. Limit content buffer size to 64k + 3. Fix whitespace issue + + V2: + - Add comment to clarify allocation of content buffer + - Add ATTRIBUTE_NONNULL where appropriate + - User NULLSTR macro + +diff --git a/src/xen/xend_internal.c b/src/xen/xend_internal.c +index 0c1a738..51cad92 100644 +--- a/src/xen/xend_internal.c ++++ b/src/xen/xend_internal.c +@@ -68,6 +68,7 @@ + # define XEND_CONFIG_MIN_VERS_PVFB_NEWCONF 3 + #endif + ++#define XEND_RCV_BUF_MAX_LEN 65536 + + #ifndef PROXY + static int +@@ -310,7 +311,7 @@ istartswith(const char *haystack, const char *needle) + * Returns the HTTP return code and @content is set to the + * allocated memory containing HTTP content. + */ +-static int ++static int ATTRIBUTE_NONNULL (2) + xend_req(int fd, char **content) + { + char buffer[4096]; +@@ -330,7 +331,19 @@ xend_req(int fd, char **content) + if (content_length > 0) { + ssize_t ret; + +- if (VIR_ALLOC_N(*content, content_length) < 0 ) { ++ if (content_length > XEND_RCV_BUF_MAX_LEN) { ++ virXendError(VIR_ERR_INTERNAL_ERROR, ++ _("Xend returned HTTP Content-Length of %d, " ++ "which exceeds maximum of %d"), ++ content_length, ++ XEND_RCV_BUF_MAX_LEN); ++ return -1; ++ } ++ ++ /* Allocate one byte beyond the end of the largest buffer we will read. ++ Combined with the fact that VIR_ALLOC_N zeros the returned buffer, ++ this guarantees that "content" will always be NUL-terminated. */ ++ if (VIR_ALLOC_N(*content, content_length + 1) < 0 ) { + virReportOOMError(); + return -1; + } +@@ -353,7 +366,7 @@ xend_req(int fd, char **content) + * + * Returns the HTTP return code or -1 in case or error. + */ +-static int ++static int ATTRIBUTE_NONNULL(3) + xend_get(virConnectPtr xend, const char *path, + char **content) + { +@@ -379,8 +392,7 @@ xend_get(virConnectPtr xend, const char *path, + ((ret != 404) || (!STRPREFIX(path, "/xend/domain/")))) { + virXendError(VIR_ERR_GET_FAILED, + _("%d status from xen daemon: %s:%s"), +- ret, path, +- content ? *content: "NULL"); ++ ret, path, NULLSTR(*content)); + } + + return ret; diff --git a/xend-content-buf.patch b/xend-content-buf.patch new file mode 100644 index 0000000..70b887c --- /dev/null +++ b/xend-content-buf.patch @@ -0,0 +1,244 @@ +commit 211dd1e9c54a9ba92e2e648acacbc18981374073 +Author: Jim Fehlig +Date: Wed Jun 2 18:07:17 2010 -0600 + + Allocate buffer to hold xend response + + There are cases when a response from xend can exceed 4096 bytes, in + which case anything beyond 4096 is ignored. This patch changes the + current fixed-size, stack-allocated buffer to a dynamically allocated + buffer based on Content-Length in HTTP header. + +diff --git a/src/xen/xend_internal.c b/src/xen/xend_internal.c +index e763bad..0c1a738 100644 +--- a/src/xen/xend_internal.c ++++ b/src/xen/xend_internal.c +@@ -302,17 +302,19 @@ istartswith(const char *haystack, const char *needle) + * xend_req: + * @fd: the file descriptor + * @content: the buffer to store the content +- * @n_content: the size of the buffer + * + * Read the HTTP response from a Xen Daemon request. ++ * If the response contains content, memory is allocated to ++ * hold the content. + * +- * Returns the HTTP return code. ++ * Returns the HTTP return code and @content is set to the ++ * allocated memory containing HTTP content. + */ + static int +-xend_req(int fd, char *content, size_t n_content) ++xend_req(int fd, char **content) + { + char buffer[4096]; +- int content_length = -1; ++ int content_length = 0; + int retcode = 0; + + while (sreads(fd, buffer, sizeof(buffer)) > 0) { +@@ -325,19 +327,17 @@ xend_req(int fd, char *content, size_t n_content) + retcode = atoi(buffer + 9); + } + +- if (content_length > -1) { ++ if (content_length > 0) { + ssize_t ret; + +- if ((unsigned int) content_length > (n_content + 1)) +- content_length = n_content - 1; ++ if (VIR_ALLOC_N(*content, content_length) < 0 ) { ++ virReportOOMError(); ++ return -1; ++ } + +- ret = sread(fd, content, content_length); ++ ret = sread(fd, *content, content_length); + if (ret < 0) + return -1; +- +- content[ret] = 0; +- } else { +- content[0] = 0; + } + + return retcode; +@@ -348,7 +348,6 @@ xend_req(int fd, char *content, size_t n_content) + * @xend: pointer to the Xen Daemon structure + * @path: the path used for the HTTP request + * @content: the buffer to store the content +- * @n_content: the size of the buffer + * + * Do an HTTP GET RPC with the Xen Daemon + * +@@ -356,7 +355,7 @@ xend_req(int fd, char *content, size_t n_content) + */ + static int + xend_get(virConnectPtr xend, const char *path, +- char *content, size_t n_content) ++ char **content) + { + int ret; + int s = do_connect(xend); +@@ -373,14 +372,15 @@ xend_get(virConnectPtr xend, const char *path, + "Accept-Encoding: identity\r\n" + "Content-Type: application/x-www-form-urlencoded\r\n" "\r\n"); + +- ret = xend_req(s, content, n_content); ++ ret = xend_req(s, content); + close(s); + + if (((ret < 0) || (ret >= 300)) && + ((ret != 404) || (!STRPREFIX(path, "/xend/domain/")))) { + virXendError(VIR_ERR_GET_FAILED, + _("%d status from xen daemon: %s:%s"), +- ret, path, content); ++ ret, path, ++ content ? *content: "NULL"); + } + + return ret; +@@ -392,8 +392,6 @@ xend_get(virConnectPtr xend, const char *path, + * @xend: pointer to the Xen Daemon structure + * @path: the path used for the HTTP request + * @ops: the information sent for the POST +- * @content: the buffer to store the content +- * @n_content: the size of the buffer + * + * Do an HTTP POST RPC with the Xen Daemon, this usually makes changes at the + * Xen level. +@@ -401,10 +399,10 @@ xend_get(virConnectPtr xend, const char *path, + * Returns the HTTP return code or -1 in case or error. + */ + static int +-xend_post(virConnectPtr xend, const char *path, const char *ops, +- char *content, size_t n_content) ++xend_post(virConnectPtr xend, const char *path, const char *ops) + { + char buffer[100]; ++ char *err_buf = NULL; + int ret; + int s = do_connect(xend); + +@@ -425,26 +423,28 @@ xend_post(virConnectPtr xend, const char *path, const char *ops, + swrites(s, "\r\n\r\n"); + swrites(s, ops); + +- ret = xend_req(s, content, n_content); ++ ret = xend_req(s, &err_buf); + close(s); + + if ((ret < 0) || (ret >= 300)) { + virXendError(VIR_ERR_POST_FAILED, +- _("xend_post: error from xen daemon: %s"), content); +- } else if ((ret == 202) && (strstr(content, "failed") != NULL)) { ++ _("xend_post: error from xen daemon: %s"), err_buf); ++ } else if ((ret == 202) && err_buf && (strstr(err_buf, "failed") != NULL)) { + virXendError(VIR_ERR_POST_FAILED, +- _("xend_post: error from xen daemon: %s"), content); ++ _("xend_post: error from xen daemon: %s"), err_buf); + ret = -1; +- } else if (((ret >= 200) && (ret <= 202)) && (strstr(content, "xend.err") != NULL)) { ++ } else if (((ret >= 200) && (ret <= 202)) && err_buf && ++ (strstr(err_buf, "xend.err") != NULL)) { + /* This is to catch case of things like 'virsh dump Domain-0 foo' + * which returns a success code, but the word 'xend.err' + * in body to indicate error :-( + */ + virXendError(VIR_ERR_POST_FAILED, +- _("xend_post: error from xen daemon: %s"), content); ++ _("xend_post: error from xen daemon: %s"), err_buf); + ret = -1; + } + ++ VIR_FREE(err_buf); + return ret; + } + #endif /* ! PROXY */ +@@ -487,8 +487,6 @@ http2unix(int ret) + * xend_op_ext: + * @xend: pointer to the Xen Daemon structure + * @path: path for the object +- * @error: buffer for the error output +- * @n_error: size of @error + * @key: the key for the operation + * @ap: input values to pass to the operation + * +@@ -497,8 +495,7 @@ http2unix(int ret) + * Returns 0 in case of success, -1 in case of failure. + */ + static int +-xend_op_ext(virConnectPtr xend, const char *path, char *error, +- size_t n_error, const char *key, va_list ap) ++xend_op_ext(virConnectPtr xend, const char *path, const char *key, va_list ap) + { + const char *k = key, *v; + virBuffer buf = VIR_BUFFER_INITIALIZER; +@@ -524,7 +521,7 @@ xend_op_ext(virConnectPtr xend, const char *path, char *error, + } + + content = virBufferContentAndReset(&buf); +- ret = http2unix(xend_post(xend, path, content, error, n_error)); ++ ret = http2unix(xend_post(xend, path, content)); + VIR_FREE(content); + + return ret; +@@ -535,8 +532,6 @@ xend_op_ext(virConnectPtr xend, const char *path, char *error, + * xend_op: + * @xend: pointer to the Xen Daemon structure + * @name: the domain name target of this operation +- * @error: buffer for the error output +- * @n_error: size of @error + * @key: the key for the operation + * @ap: input values to pass to the operation + * @...: input values to pass to the operation +@@ -550,14 +545,13 @@ static int ATTRIBUTE_SENTINEL + xend_op(virConnectPtr xend, const char *name, const char *key, ...) + { + char buffer[1024]; +- char error[1024]; + va_list ap; + int ret; + + snprintf(buffer, sizeof(buffer), "/xend/domain/%s", name); + + va_start(ap, key); +- ret = xend_op_ext(xend, buffer, error, sizeof(error), key, ap); ++ ret = xend_op_ext(xend, buffer, key, ap); + va_end(ap); + + return ret; +@@ -581,21 +575,29 @@ static struct sexpr *sexpr_get(virConnectPtr xend, const char *fmt, ...) + static struct sexpr * + sexpr_get(virConnectPtr xend, const char *fmt, ...) + { +- char buffer[4096]; ++ char *buffer = NULL; + char path[1024]; + va_list ap; + int ret; ++ struct sexpr *res = NULL; + + va_start(ap, fmt); + vsnprintf(path, sizeof(path), fmt, ap); + va_end(ap); + +- ret = xend_get(xend, path, buffer, sizeof(buffer)); ++ ret = xend_get(xend, path, &buffer); + ret = http2unix(ret); + if (ret == -1) +- return NULL; ++ goto cleanup; ++ ++ if (buffer == NULL) ++ goto cleanup; ++ ++ res = string2sexpr(buffer); + +- return string2sexpr(buffer); ++cleanup: ++ VIR_FREE(buffer); ++ return res; + } + + /** diff --git a/xend-disk-order.patch b/xend-disk-order.patch index 90c5247..9360ab0 100644 --- a/xend-disk-order.patch +++ b/xend-disk-order.patch @@ -2,7 +2,7 @@ Index: libvirt-0.8.1/src/xen/xend_internal.c =================================================================== --- libvirt-0.8.1.orig/src/xen/xend_internal.c +++ libvirt-0.8.1/src/xen/xend_internal.c -@@ -1602,20 +1602,24 @@ xenDaemonParseSxprDisks(virDomainDefPtr +@@ -1616,20 +1616,24 @@ xenDaemonParseSxprDisks(virDomainDefPtr const char *src = NULL; const char *dst = NULL; const char *mode = NULL; @@ -27,7 +27,7 @@ Index: libvirt-0.8.1/src/xen/xend_internal.c } if (VIR_ALLOC(disk) < 0) -@@ -1740,7 +1744,12 @@ xenDaemonParseSxprDisks(virDomainDefPtr +@@ -1754,7 +1758,12 @@ xenDaemonParseSxprDisks(virDomainDefPtr if (VIR_REALLOC_N(def->disks, def->ndisks+1) < 0) goto no_memory;