From 0068ec2b5dbf198b7208019cf70d2d6f46891d09ae0d8f434106a24e103ebca2 Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Mon, 9 Aug 2010 00:19:46 +0000 Subject: [PATCH] Accepting request 44796 from Virtualization checked in (request 44796) OBS-URL: https://build.opensuse.org/request/show/44796 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=62 --- bitmap-alloc.patch | 29 ++++ bitmap-fixes.patch | 59 ++++++++ libvirt-0.8.1.tar.bz2 | 3 + libvirt-0.8.3.tar.bz2 | 3 - libvirt.changes | 17 --- libvirt.spec | 35 +++-- remote-rm-unused-field.patch | 50 +++++++ vnc-race-1.patch | 281 +++++++++++++++++++++++++++++++++++ vnc-race-2.patch | 29 ++++ vnc-race-3.patch | 130 ++++++++++++++++ xend-content-buf-fix.patch | 79 ++++++++++ xend-content-buf.patch | 244 ++++++++++++++++++++++++++++++ 12 files changed, 923 insertions(+), 36 deletions(-) create mode 100644 bitmap-alloc.patch create mode 100644 bitmap-fixes.patch create mode 100644 libvirt-0.8.1.tar.bz2 delete mode 100644 libvirt-0.8.3.tar.bz2 create mode 100644 remote-rm-unused-field.patch create mode 100644 vnc-race-1.patch create mode 100644 vnc-race-2.patch create mode 100644 vnc-race-3.patch create mode 100644 xend-content-buf-fix.patch create mode 100644 xend-content-buf.patch diff --git a/bitmap-alloc.patch b/bitmap-alloc.patch new file mode 100644 index 0000000..2a25011 --- /dev/null +++ b/bitmap-alloc.patch @@ -0,0 +1,29 @@ +commit ce49cfb48ad5e9cac79819d0ccde4394c237af25 +Author: Eric Blake +Date: Wed Jun 2 09:03:57 2010 -0600 + + bitmap: reject zero-size bitmap + + * src/util/bitmap.c (virBitmapAlloc): Tighten sanity check. + +diff --git a/src/util/bitmap.c b/src/util/bitmap.c +index 69094a5..44edb49 100644 +--- a/src/util/bitmap.c ++++ b/src/util/bitmap.c +@@ -1,6 +1,7 @@ + /* + * bitmap.h: Simple bitmap operations + * ++ * Copyright (C) 2010 Red Hat, Inc. + * Copyright (C) 2010 Novell, Inc. + * + * This library is free software; you can redistribute it and/or +@@ -58,7 +59,7 @@ virBitmapPtr virBitmapAlloc(size_t size) + virBitmapPtr bitmap; + size_t sz; + +- if (SIZE_MAX - VIR_BITMAP_BITS_PER_UNIT < size) ++ if (SIZE_MAX - VIR_BITMAP_BITS_PER_UNIT < size || size == 0) + return NULL; + + sz = (size + VIR_BITMAP_BITS_PER_UNIT - 1) / diff --git a/bitmap-fixes.patch b/bitmap-fixes.patch new file mode 100644 index 0000000..96d3bd4 --- /dev/null +++ b/bitmap-fixes.patch @@ -0,0 +1,59 @@ +If VM startup fails early enough (can't find a referenced USB device), +libvirtd will crash trying to clear the VNC port bit, since port = 0, +which overflows us out of the bitmap bounds. + +Fix this by being more defensive in the bitmap operations, and only +clearing a previously set VNC port. + +v2: Add safety check to all relevant bitmap ops. + +Signed-off-by: Cole Robinson +--- + src/qemu/qemu_driver.c | 2 +- + src/util/bitmap.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +Index: libvirt-0.8.1/src/qemu/qemu_driver.c +=================================================================== +--- libvirt-0.8.1.orig/src/qemu/qemu_driver.c ++++ libvirt-0.8.1/src/qemu/qemu_driver.c +@@ -3635,7 +3635,7 @@ retry: + if ((vm->def->ngraphics == 1) && + vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC && + vm->def->graphics[0]->data.vnc.autoport && +- vm->def->graphics[0]->data.vnc.port != -1) { ++ vm->def->graphics[0]->data.vnc.port >= QEMU_VNC_PORT_MIN) { + if (virBitmapClearBit(driver->reservedVNCPorts, + vm->def->graphics[0]->data.vnc.port - \ + QEMU_VNC_PORT_MIN) < 0) { +Index: libvirt-0.8.1/src/util/bitmap.c +=================================================================== +--- libvirt-0.8.1.orig/src/util/bitmap.c ++++ libvirt-0.8.1/src/util/bitmap.c +@@ -101,7 +101,7 @@ void virBitmapFree(virBitmapPtr bitmap) + */ + int virBitmapSetBit(virBitmapPtr bitmap, size_t b) + { +- if (b > bitmap->size - 1) ++ if (bitmap->size <= b) + return -1; + + bitmap->map[VIR_BITMAP_UNIT_OFFSET(b)] |= (1 << VIR_BITMAP_BIT_OFFSET(b)); +@@ -119,7 +119,7 @@ int virBitmapSetBit(virBitmapPtr bitmap, + */ + int virBitmapClearBit(virBitmapPtr bitmap, size_t b) + { +- if (b > bitmap->size - 1) ++ if (bitmap->size <= b) + return -1; + + bitmap->map[VIR_BITMAP_UNIT_OFFSET(b)] &= ~(1 << VIR_BITMAP_BIT_OFFSET(b)); +@@ -141,7 +141,7 @@ int virBitmapGetBit(virBitmapPtr bitmap, + { + uint32_t bit; + +- if (b > bitmap->size - 1) ++ if (bitmap->size <= b) + return -1; + + bit = bitmap->map[VIR_BITMAP_UNIT_OFFSET(b)] & diff --git a/libvirt-0.8.1.tar.bz2 b/libvirt-0.8.1.tar.bz2 new file mode 100644 index 0000000..f77a719 --- /dev/null +++ b/libvirt-0.8.1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:037256df745a96ba141dbfc4e4197e8bc16c51f21c834f4f89c599c379792698 +size 7706670 diff --git a/libvirt-0.8.3.tar.bz2 b/libvirt-0.8.3.tar.bz2 deleted file mode 100644 index 77c2193..0000000 --- a/libvirt-0.8.3.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:759f4957e6f2b905857897a84e36cbe73f7dc3a5150637430ff086c3e2b414b4 -size 8250164 diff --git a/libvirt.changes b/libvirt.changes index d5dd114..195e9d8 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,20 +1,3 @@ -------------------------------------------------------------------- -Fri Aug 6 21:53:21 MDT 2010 - jfehlig@novell.com - -- Update to libvirt 0.8.3 - - Support vSphere 4.1 - - Qemu arbitrary monitor commands - - Qemu Monitor API entry point - - lots of improvements and bug fixes - -------------------------------------------------------------------- -Fri Jul 9 14:35:04 MDT 2010 - jfehlig@novell.com - -- VUL-0: multiple issues in libvirt - CVE-2010-223x-000[1-0].patch, CVE-2010-223x-0010.patch, - CVE-2010-2242-nat.patch - bnc#618155 - ------------------------------------------------------------------- Fri Jun 25 09:02:38 MDT 2010 - jfehlig@novell.com diff --git a/libvirt.spec b/libvirt.spec index 9428e71..5206d57 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -1,5 +1,5 @@ # -# spec file for package libvirt (Version 0.8.3) +# spec file for package libvirt (Version 0.8.1) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -44,7 +44,6 @@ %define with_udev 0 %define with_hal 0 %define with_yajl 0 -%define with_macvtap 0 # Xen is available only on i386 x86_64 %ifnarch %ix86 x86_64 @@ -97,9 +96,6 @@ BuildRequires: avahi-devel %if %{with_selinux} BuildRequires: libselinux-devel %endif -%if %{with_apparmor} -BuildRequires: libapparmor-devel -%endif %if %{with_numactl} BuildRequires: libnuma-devel %endif @@ -111,17 +107,14 @@ BuildRequires: PolicyKit-devel >= 0.6 %if %{with_phyp} BuildRequires: libssh2-devel %endif -%if %{with_macvtap} -BuildRequires: libnl-devel -%endif # Only for directory ownership: BuildRequires: gtk-doc Url: http://libvirt.org/ License: LGPLv2.1+ Group: Development/Libraries/C and C++ AutoReqProv: yes -Version: 0.8.3 -Release: 1 +Version: 0.8.1 +Release: 3 Summary: A C toolkit to interract with the virtualization capabilities of Linux # The client side, i.e. shared libs and virsh are in a subpackage Requires: %{name}-client = %{version}-%{release} @@ -145,6 +138,14 @@ Requires: PolicyKit >= 0.6 Source0: %{name}-%{version}.tar.bz2 Source1: libvirtd.init # Upstream patches +Patch0: remote-rm-unused-field.patch +Patch1: vnc-race-1.patch +Patch2: vnc-race-2.patch +Patch3: vnc-race-3.patch +Patch4: bitmap-alloc.patch +Patch5: bitmap-fixes.patch +Patch6: xend-content-buf.patch +Patch7: xend-content-buf-fix.patch # Need to go upstream Patch100: xen-name-for-devid.patch Patch102: clone.patch @@ -257,6 +258,14 @@ Authors: %prep %setup -q +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 %patch100 -p1 %patch102 %patch103 -p1 @@ -317,9 +326,6 @@ Authors: %if ! %{with_yajl} %define _without_yajl --without-yajl %endif -%if ! %{with_macvtap} -%define _without_macvtap --without-macvtap -%endif autoreconf -f -i export CFLAGS="$RPM_OPT_FLAGS" %configure --disable-static --with-pic \ @@ -341,7 +347,6 @@ export CFLAGS="$RPM_OPT_FLAGS" %{?_without_hal} \ %{?_without_udev} \ %{?_without_yajl} \ - %{?_without_macvtap} \ --without-xen-proxy \ --libexecdir=%{_libdir}/%{name} \ --with-init-script=none \ @@ -467,7 +472,6 @@ rm -rf $RPM_BUILD_ROOT %if 0%{with_storage_disk} %{_libdir}/%{name}/libvirt_parthelper %endif -%doc %{_mandir}/man8/libvirtd.8* %files client -f %{name}.lang %defattr(-, root, root) @@ -496,7 +500,6 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/libvirt/schemas/storageencryption.rng %{_datadir}/libvirt/cpu_map.xml %{_datadir}/libvirt/schemas/nwfilter.rng -%{_datadir}/libvirt/schemas/domainsnapshot.rng %config(noreplace) %{_sysconfdir}/sasl2/libvirt.conf %files devel diff --git a/remote-rm-unused-field.patch b/remote-rm-unused-field.patch new file mode 100644 index 0000000..0a5f271 --- /dev/null +++ b/remote-rm-unused-field.patch @@ -0,0 +1,50 @@ +commit 34a7f3f6be9c63ac3d4c4604c1fb2482a4e5053b +Author: Matthew Booth +Date: Fri May 7 16:38:05 2010 +0200 + + Remove unused nwfilter field from struct remote_error + + Change 965466c1 added a new field to struct remote_error, which broke + the RPC protocol. Fortunately the new field is unused, so this change + simply removes it again. + + * src/remote/remote_protocol.(c|h|x): Remove remote_nwfilter from struct + remote_error + +diff --git a/src/remote/remote_protocol.c b/src/remote/remote_protocol.c +index 187281d..972bf52 100644 +--- a/src/remote/remote_protocol.c ++++ b/src/remote/remote_protocol.c +@@ -227,8 +227,6 @@ xdr_remote_error (XDR *xdrs, remote_error *objp) + return FALSE; + if (!xdr_remote_network (xdrs, &objp->net)) + return FALSE; +- if (!xdr_remote_nwfilter (xdrs, &objp->nwfilter)) +- return FALSE; + return TRUE; + } + +diff --git a/src/remote/remote_protocol.h b/src/remote/remote_protocol.h +index 6f01da7..a600af6 100644 +--- a/src/remote/remote_protocol.h ++++ b/src/remote/remote_protocol.h +@@ -143,7 +143,6 @@ struct remote_error { + int int1; + int int2; + remote_network net; +- remote_nwfilter nwfilter; + }; + typedef struct remote_error remote_error; + +diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x +index 8000ee0..1ce488c 100644 +--- a/src/remote/remote_protocol.x ++++ b/src/remote/remote_protocol.x +@@ -266,7 +266,6 @@ struct remote_error { + int int1; + int int2; + remote_network net; +- remote_nwfilter nwfilter; + }; + + /* Authentication types available thus far.... */ diff --git a/vnc-race-1.patch b/vnc-race-1.patch new file mode 100644 index 0000000..32d7aca --- /dev/null +++ b/vnc-race-1.patch @@ -0,0 +1,281 @@ +commit 2f32d7afd5bd71f79c0e756c87813702065c6d1a +Author: Jim Fehlig +Date: Thu May 20 22:23:48 2010 -0600 + + Add simple bitmap operations to utils + + V2: + - Move bitmap impl to src/util/bitmap.[ch] + - Use CHAR_BIT instead of explicit '8' + - Use size_t instead of unsigned int + - Fix calculation of bitmap size in virBitmapAlloc + - Ensure bit is within range of map in the set, clear, and get + operations + - Use bool in virBitmapGetBit + - Add virBitmapFree to free-like funcs in cfg.mk + + V3: + - Check for overflow in virBitmapAlloc + - Fix copy and paste bug in virBitmapAlloc + - Use size_t in prototypes + - Add ATTRIBUTE_NONNULL in prototypes where appropriate + and remove NULL check from impl + + V4: + - Add ATTRIBUTE_RETURN_CHECK in prototypes where appropriate. + +Index: libvirt-0.8.1/src/Makefile.am +=================================================================== +--- libvirt-0.8.1.orig/src/Makefile.am ++++ libvirt-0.8.1/src/Makefile.am +@@ -50,6 +50,7 @@ augeastest_DATA = + # helper APIs for various purposes + UTIL_SOURCES = \ + util/authhelper.c util/authhelper.h \ ++ util/bitmap.c util/bitmap.h \ + util/bridge.c util/bridge.h \ + util/buf.c util/buf.h \ + util/conf.c util/conf.h \ +Index: libvirt-0.8.1/src/libvirt_private.syms +=================================================================== +--- libvirt-0.8.1.orig/src/libvirt_private.syms ++++ libvirt-0.8.1/src/libvirt_private.syms +@@ -4,6 +4,14 @@ + # + + ++# bitmap.h ++virBitmapAlloc; ++virBitmapFree; ++virBitmapSetBit; ++virBitmapClearBit; ++virBitmapGetBit; ++ ++ + # buf.h + virBufferVSprintf; + virBufferEscapeString; +Index: libvirt-0.8.1/src/util/bitmap.c +=================================================================== +--- /dev/null ++++ libvirt-0.8.1/src/util/bitmap.c +@@ -0,0 +1,151 @@ ++/* ++ * bitmap.h: Simple bitmap operations ++ * ++ * Copyright (C) 2010 Novell, Inc. ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ++ * ++ * Author: Jim Fehlig ++ */ ++ ++#include ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "bitmap.h" ++#include "memory.h" ++ ++ ++struct _virBitmap { ++ size_t size; ++ uint32_t *map; ++}; ++ ++ ++#define VIR_BITMAP_BITS_PER_UNIT (sizeof(uint32_t) * CHAR_BIT) ++#define VIR_BITMAP_UNIT_OFFSET(b) ((b) / VIR_BITMAP_BITS_PER_UNIT) ++#define VIR_BITMAP_BIT_OFFSET(b) ((b) % VIR_BITMAP_BITS_PER_UNIT) ++ ++ ++/** ++ * virBitmapAlloc: ++ * @size: number of bits ++ * ++ * Allocate a bitmap capable of containing @size bits. ++ * ++ * Returns a pointer to the allocated bitmap or NULL if ++ * memory cannot be allocated. ++ */ ++virBitmapPtr virBitmapAlloc(size_t size) ++{ ++ virBitmapPtr bitmap; ++ size_t sz; ++ ++ if (SIZE_MAX - VIR_BITMAP_BITS_PER_UNIT < size) ++ return NULL; ++ ++ sz = (size + VIR_BITMAP_BITS_PER_UNIT - 1) / ++ VIR_BITMAP_BITS_PER_UNIT; ++ ++ if (VIR_ALLOC(bitmap) < 0) ++ return NULL; ++ ++ if (VIR_ALLOC_N(bitmap->map, sz) < 0) { ++ VIR_FREE(bitmap); ++ return NULL; ++ } ++ ++ return bitmap; ++} ++ ++/** ++ * virBitmapFree: ++ * @bitmap: previously allocated bitmap ++ * ++ * Free @bitmap previously allocated by virBitmapAlloc. ++ */ ++void virBitmapFree(virBitmapPtr bitmap) ++{ ++ if (bitmap) { ++ VIR_FREE(bitmap->map); ++ VIR_FREE(bitmap); ++ } ++} ++ ++/** ++ * virBitmapSetBit: ++ * @bitmap: Pointer to bitmap ++ * @b: bit position to set ++ * ++ * Set bit position @b in @bitmap ++ * ++ * Returns 0 on if bit is successfully set, -1 on error. ++ */ ++int virBitmapSetBit(virBitmapPtr bitmap, size_t b) ++{ ++ if (b > bitmap->size - 1) ++ return -1; ++ ++ bitmap->map[VIR_BITMAP_UNIT_OFFSET(b)] |= (1 << VIR_BITMAP_BIT_OFFSET(b)); ++ return 0; ++} ++ ++/** ++ * virBitmapClearBit: ++ * @bitmap: Pointer to bitmap ++ * @b: bit position to clear ++ * ++ * Clear bit position @b in @bitmap ++ * ++ * Returns 0 on if bit is successfully clear, -1 on error. ++ */ ++int virBitmapClearBit(virBitmapPtr bitmap, size_t b) ++{ ++ if (b > bitmap->size - 1) ++ return -1; ++ ++ bitmap->map[VIR_BITMAP_UNIT_OFFSET(b)] &= ~(1 << VIR_BITMAP_BIT_OFFSET(b)); ++ return 0; ++} ++ ++/** ++ * virBitmapGetBit: ++ * @bitmap: Pointer to bitmap ++ * @b: bit position to get ++ * @result: bool pointer to receive bit setting ++ * ++ * Get setting of bit position @b in @bitmap and store in @result ++ * ++ * On success, @result will contain the setting of @b and 0 is ++ * returned. On failure, -1 is returned and @result is unchanged. ++ */ ++int virBitmapGetBit(virBitmapPtr bitmap, size_t b, bool *result) ++{ ++ uint32_t bit; ++ ++ if (b > bitmap->size - 1) ++ return -1; ++ ++ bit = bitmap->map[VIR_BITMAP_UNIT_OFFSET(b)] & ++ (1 << VIR_BITMAP_BIT_OFFSET(b)); ++ ++ *result = bit != 0; ++ return 0; ++} +Index: libvirt-0.8.1/src/util/bitmap.h +=================================================================== +--- /dev/null ++++ libvirt-0.8.1/src/util/bitmap.h +@@ -0,0 +1,63 @@ ++/* ++ * bitmap.h: Simple bitmap operations ++ * ++ * Copyright (C) 2010 Novell, Inc. ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ++ * ++ * Author: Jim Fehlig ++ */ ++ ++#ifndef __BITMAP_H__ ++# define __BITMAP_H__ ++ ++#include "internal.h" ++ ++#include ++#include ++ ++ ++typedef struct _virBitmap virBitmap; ++typedef virBitmap *virBitmapPtr; ++ ++/* ++ * Allocate a bitmap capable of containing @size bits. ++ */ ++virBitmapPtr virBitmapAlloc(size_t size) ATTRIBUTE_RETURN_CHECK; ++ ++/* ++ * Free previously allocated bitmap ++ */ ++void virBitmapFree(virBitmapPtr bitmap); ++ ++/* ++ * Set bit position @b in @bitmap ++ */ ++int virBitmapSetBit(virBitmapPtr bitmap, size_t b) ++ ATTRIBUTE_NONNULL(1) ATTRIBUTE_RETURN_CHECK; ++ ++/* ++ * Clear bit position @b in @bitmap ++ */ ++int virBitmapClearBit(virBitmapPtr bitmap, size_t b) ++ ATTRIBUTE_NONNULL(1) ATTRIBUTE_RETURN_CHECK; ++ ++/* ++ * Get setting of bit position @b in @bitmap and store in @result ++ */ ++int virBitmapGetBit(virBitmapPtr bitmap, size_t b, bool *result) ++ ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(3) ATTRIBUTE_RETURN_CHECK; ++ ++#endif diff --git a/vnc-race-2.patch b/vnc-race-2.patch new file mode 100644 index 0000000..67a9d16 --- /dev/null +++ b/vnc-race-2.patch @@ -0,0 +1,29 @@ +commit c020f6203e3735a531135bc4321415ce5520fbde +Author: Jim Fehlig +Date: Thu May 20 22:25:16 2010 -0600 + + Add defines for QEMU_VNC_PORT_{MIN,MAX} and use them + +Index: libvirt-0.8.1/src/qemu/qemu_driver.c +=================================================================== +--- libvirt-0.8.1.orig/src/qemu/qemu_driver.c ++++ libvirt-0.8.1/src/qemu/qemu_driver.c +@@ -89,6 +89,9 @@ + + #define VIR_FROM_THIS VIR_FROM_QEMU + ++#define QEMU_VNC_PORT_MIN 5900 ++#define QEMU_VNC_PORT_MAX 65535 ++ + /* Only 1 job is allowed at any time + * A job includes *all* monitor commands, even those just querying + * information, not merely actions */ +@@ -2607,7 +2610,7 @@ qemuInitPCIAddresses(struct qemud_driver + static int qemudNextFreeVNCPort(struct qemud_driver *driver ATTRIBUTE_UNUSED) { + int i; + +- for (i = 5900 ; i < 65535 ; i++) { ++ for (i = QEMU_VNC_PORT_MIN; i < QEMU_VNC_PORT_MAX; i++) { + int fd; + int reuse = 1; + struct sockaddr_in addr; diff --git a/vnc-race-3.patch b/vnc-race-3.patch new file mode 100644 index 0000000..e083557 --- /dev/null +++ b/vnc-race-3.patch @@ -0,0 +1,130 @@ +commit ba196952f57f2cb22be75fa5a4f363035a111103 +Author: Jim Fehlig +Date: Fri May 21 07:52:09 2010 -0600 + + Fix race in finding available vnc port + + The qemu driver contains a subtle race in the logic to find next + available vnc port. Currently it iterates through all available ports + and returns the first for which bind(2) succeeds. However it is possible + that a previously issued port has not yet been bound by qemu, resulting + in the same port used for a subsequent domain. + + This patch addresses the race by using a simple bitmap to "reserve" the + ports allocated by libvirt. + + V2: + - Put port bitmap in struct qemud_driver + - Initialize bitmap in qemudStartup + + V3: + - Check for failure of virBitmapGetBit + - Additional check for port != -1 before calling virbitmapClearBit + + V4: + - Check for failure of virBitmap{Set,Clear}Bit + +Index: libvirt-0.8.1/src/qemu/qemu_conf.h +=================================================================== +--- libvirt-0.8.1.orig/src/qemu/qemu_conf.h ++++ libvirt-0.8.1/src/qemu/qemu_conf.h +@@ -39,6 +39,7 @@ + # include "pci.h" + # include "cpu_conf.h" + # include "driver.h" ++# include "bitmap.h" + + # define qemudDebug(fmt, ...) do {} while(0) + +@@ -153,6 +154,8 @@ struct qemud_driver { + char *saveImageFormat; + + pciDeviceList *activePciHostdevs; ++ ++ virBitmapPtr reservedVNCPorts; + }; + + typedef struct _qemuDomainPCIAddressSet qemuDomainPCIAddressSet; +Index: libvirt-0.8.1/src/qemu/qemu_driver.c +=================================================================== +--- libvirt-0.8.1.orig/src/qemu/qemu_driver.c ++++ libvirt-0.8.1/src/qemu/qemu_driver.c +@@ -1479,6 +1479,11 @@ qemudStartup(int privileged) { + virEventAddTimeout(-1, qemuDomainEventFlush, qemu_driver, NULL)) < 0) + goto error; + ++ /* Allocate bitmap for vnc port reservation */ ++ if ((qemu_driver->reservedVNCPorts = ++ virBitmapAlloc(QEMU_VNC_PORT_MAX - QEMU_VNC_PORT_MIN)) == NULL) ++ goto out_of_memory; ++ + if (privileged) { + if (virAsprintf(&qemu_driver->logDir, + "%s/log/libvirt/qemu", LOCAL_STATE_DIR) == -1) +@@ -1775,6 +1780,7 @@ qemudShutdown(void) { + virCapabilitiesFree(qemu_driver->caps); + + virDomainObjListDeinit(&qemu_driver->domains); ++ virBitmapFree(qemu_driver->reservedVNCPorts); + + VIR_FREE(qemu_driver->securityDriverName); + VIR_FREE(qemu_driver->logDir); +@@ -2607,13 +2613,22 @@ qemuInitPCIAddresses(struct qemud_driver + return ret; + } + +-static int qemudNextFreeVNCPort(struct qemud_driver *driver ATTRIBUTE_UNUSED) { ++static int qemudNextFreeVNCPort(struct qemud_driver *driver) { + int i; + + for (i = QEMU_VNC_PORT_MIN; i < QEMU_VNC_PORT_MAX; i++) { + int fd; + int reuse = 1; + struct sockaddr_in addr; ++ bool used = false; ++ ++ if (virBitmapGetBit(driver->reservedVNCPorts, ++ i - QEMU_VNC_PORT_MIN, &used) < 0) ++ VIR_DEBUG("virBitmapGetBit failed on bit %d", i - QEMU_VNC_PORT_MIN); ++ ++ if (used) ++ continue; ++ + addr.sin_family = AF_INET; + addr.sin_port = htons(i); + addr.sin_addr.s_addr = htonl(INADDR_ANY); +@@ -2629,6 +2644,12 @@ static int qemudNextFreeVNCPort(struct q + if (bind(fd, (struct sockaddr*)&addr, sizeof(addr)) == 0) { + /* Not in use, lets grab it */ + close(fd); ++ /* Add port to bitmap of reserved ports */ ++ if (virBitmapSetBit(driver->reservedVNCPorts, ++ i - QEMU_VNC_PORT_MIN) < 0) { ++ VIR_DEBUG("virBitmapSetBit failed on bit %d", ++ i - QEMU_VNC_PORT_MIN); ++ } + return i; + } + close(fd); +@@ -3608,6 +3629,21 @@ retry: + + qemudRemoveDomainStatus(driver, vm); + ++ /* Remove VNC port from port reservation bitmap, but only if it was ++ reserved by the driver (autoport=yes) ++ */ ++ if ((vm->def->ngraphics == 1) && ++ vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC && ++ vm->def->graphics[0]->data.vnc.autoport && ++ vm->def->graphics[0]->data.vnc.port != -1) { ++ if (virBitmapClearBit(driver->reservedVNCPorts, ++ vm->def->graphics[0]->data.vnc.port - \ ++ QEMU_VNC_PORT_MIN) < 0) { ++ VIR_DEBUG("virBitmapClearBit failed on bit %d", ++ vm->def->graphics[0]->data.vnc.port - QEMU_VNC_PORT_MIN); ++ } ++ } ++ + vm->pid = -1; + vm->def->id = -1; + vm->state = VIR_DOMAIN_SHUTOFF; diff --git a/xend-content-buf-fix.patch b/xend-content-buf-fix.patch new file mode 100644 index 0000000..784aecb --- /dev/null +++ b/xend-content-buf-fix.patch @@ -0,0 +1,79 @@ +commit b1eb7f2e987d21b1711e86e5cb63a69abfce82f1 +Author: Jim Fehlig +Date: Fri Jun 4 10:04:03 2010 -0600 + + Fixes for commit 211dd1e9 + + Fixes for issues in commit 211dd1e9 noted by by Jim Meyering. + + 1. Allocate content buffer of size content_length + 1 to ensure + NUL-termination. + 2. Limit content buffer size to 64k + 3. Fix whitespace issue + + V2: + - Add comment to clarify allocation of content buffer + - Add ATTRIBUTE_NONNULL where appropriate + - User NULLSTR macro + +diff --git a/src/xen/xend_internal.c b/src/xen/xend_internal.c +index 0c1a738..51cad92 100644 +--- a/src/xen/xend_internal.c ++++ b/src/xen/xend_internal.c +@@ -68,6 +68,7 @@ + # define XEND_CONFIG_MIN_VERS_PVFB_NEWCONF 3 + #endif + ++#define XEND_RCV_BUF_MAX_LEN 65536 + + #ifndef PROXY + static int +@@ -310,7 +311,7 @@ istartswith(const char *haystack, const char *needle) + * Returns the HTTP return code and @content is set to the + * allocated memory containing HTTP content. + */ +-static int ++static int ATTRIBUTE_NONNULL (2) + xend_req(int fd, char **content) + { + char buffer[4096]; +@@ -330,7 +331,19 @@ xend_req(int fd, char **content) + if (content_length > 0) { + ssize_t ret; + +- if (VIR_ALLOC_N(*content, content_length) < 0 ) { ++ if (content_length > XEND_RCV_BUF_MAX_LEN) { ++ virXendError(VIR_ERR_INTERNAL_ERROR, ++ _("Xend returned HTTP Content-Length of %d, " ++ "which exceeds maximum of %d"), ++ content_length, ++ XEND_RCV_BUF_MAX_LEN); ++ return -1; ++ } ++ ++ /* Allocate one byte beyond the end of the largest buffer we will read. ++ Combined with the fact that VIR_ALLOC_N zeros the returned buffer, ++ this guarantees that "content" will always be NUL-terminated. */ ++ if (VIR_ALLOC_N(*content, content_length + 1) < 0 ) { + virReportOOMError(); + return -1; + } +@@ -353,7 +366,7 @@ xend_req(int fd, char **content) + * + * Returns the HTTP return code or -1 in case or error. + */ +-static int ++static int ATTRIBUTE_NONNULL(3) + xend_get(virConnectPtr xend, const char *path, + char **content) + { +@@ -379,8 +392,7 @@ xend_get(virConnectPtr xend, const char *path, + ((ret != 404) || (!STRPREFIX(path, "/xend/domain/")))) { + virXendError(VIR_ERR_GET_FAILED, + _("%d status from xen daemon: %s:%s"), +- ret, path, +- content ? *content: "NULL"); ++ ret, path, NULLSTR(*content)); + } + + return ret; diff --git a/xend-content-buf.patch b/xend-content-buf.patch new file mode 100644 index 0000000..70b887c --- /dev/null +++ b/xend-content-buf.patch @@ -0,0 +1,244 @@ +commit 211dd1e9c54a9ba92e2e648acacbc18981374073 +Author: Jim Fehlig +Date: Wed Jun 2 18:07:17 2010 -0600 + + Allocate buffer to hold xend response + + There are cases when a response from xend can exceed 4096 bytes, in + which case anything beyond 4096 is ignored. This patch changes the + current fixed-size, stack-allocated buffer to a dynamically allocated + buffer based on Content-Length in HTTP header. + +diff --git a/src/xen/xend_internal.c b/src/xen/xend_internal.c +index e763bad..0c1a738 100644 +--- a/src/xen/xend_internal.c ++++ b/src/xen/xend_internal.c +@@ -302,17 +302,19 @@ istartswith(const char *haystack, const char *needle) + * xend_req: + * @fd: the file descriptor + * @content: the buffer to store the content +- * @n_content: the size of the buffer + * + * Read the HTTP response from a Xen Daemon request. ++ * If the response contains content, memory is allocated to ++ * hold the content. + * +- * Returns the HTTP return code. ++ * Returns the HTTP return code and @content is set to the ++ * allocated memory containing HTTP content. + */ + static int +-xend_req(int fd, char *content, size_t n_content) ++xend_req(int fd, char **content) + { + char buffer[4096]; +- int content_length = -1; ++ int content_length = 0; + int retcode = 0; + + while (sreads(fd, buffer, sizeof(buffer)) > 0) { +@@ -325,19 +327,17 @@ xend_req(int fd, char *content, size_t n_content) + retcode = atoi(buffer + 9); + } + +- if (content_length > -1) { ++ if (content_length > 0) { + ssize_t ret; + +- if ((unsigned int) content_length > (n_content + 1)) +- content_length = n_content - 1; ++ if (VIR_ALLOC_N(*content, content_length) < 0 ) { ++ virReportOOMError(); ++ return -1; ++ } + +- ret = sread(fd, content, content_length); ++ ret = sread(fd, *content, content_length); + if (ret < 0) + return -1; +- +- content[ret] = 0; +- } else { +- content[0] = 0; + } + + return retcode; +@@ -348,7 +348,6 @@ xend_req(int fd, char *content, size_t n_content) + * @xend: pointer to the Xen Daemon structure + * @path: the path used for the HTTP request + * @content: the buffer to store the content +- * @n_content: the size of the buffer + * + * Do an HTTP GET RPC with the Xen Daemon + * +@@ -356,7 +355,7 @@ xend_req(int fd, char *content, size_t n_content) + */ + static int + xend_get(virConnectPtr xend, const char *path, +- char *content, size_t n_content) ++ char **content) + { + int ret; + int s = do_connect(xend); +@@ -373,14 +372,15 @@ xend_get(virConnectPtr xend, const char *path, + "Accept-Encoding: identity\r\n" + "Content-Type: application/x-www-form-urlencoded\r\n" "\r\n"); + +- ret = xend_req(s, content, n_content); ++ ret = xend_req(s, content); + close(s); + + if (((ret < 0) || (ret >= 300)) && + ((ret != 404) || (!STRPREFIX(path, "/xend/domain/")))) { + virXendError(VIR_ERR_GET_FAILED, + _("%d status from xen daemon: %s:%s"), +- ret, path, content); ++ ret, path, ++ content ? *content: "NULL"); + } + + return ret; +@@ -392,8 +392,6 @@ xend_get(virConnectPtr xend, const char *path, + * @xend: pointer to the Xen Daemon structure + * @path: the path used for the HTTP request + * @ops: the information sent for the POST +- * @content: the buffer to store the content +- * @n_content: the size of the buffer + * + * Do an HTTP POST RPC with the Xen Daemon, this usually makes changes at the + * Xen level. +@@ -401,10 +399,10 @@ xend_get(virConnectPtr xend, const char *path, + * Returns the HTTP return code or -1 in case or error. + */ + static int +-xend_post(virConnectPtr xend, const char *path, const char *ops, +- char *content, size_t n_content) ++xend_post(virConnectPtr xend, const char *path, const char *ops) + { + char buffer[100]; ++ char *err_buf = NULL; + int ret; + int s = do_connect(xend); + +@@ -425,26 +423,28 @@ xend_post(virConnectPtr xend, const char *path, const char *ops, + swrites(s, "\r\n\r\n"); + swrites(s, ops); + +- ret = xend_req(s, content, n_content); ++ ret = xend_req(s, &err_buf); + close(s); + + if ((ret < 0) || (ret >= 300)) { + virXendError(VIR_ERR_POST_FAILED, +- _("xend_post: error from xen daemon: %s"), content); +- } else if ((ret == 202) && (strstr(content, "failed") != NULL)) { ++ _("xend_post: error from xen daemon: %s"), err_buf); ++ } else if ((ret == 202) && err_buf && (strstr(err_buf, "failed") != NULL)) { + virXendError(VIR_ERR_POST_FAILED, +- _("xend_post: error from xen daemon: %s"), content); ++ _("xend_post: error from xen daemon: %s"), err_buf); + ret = -1; +- } else if (((ret >= 200) && (ret <= 202)) && (strstr(content, "xend.err") != NULL)) { ++ } else if (((ret >= 200) && (ret <= 202)) && err_buf && ++ (strstr(err_buf, "xend.err") != NULL)) { + /* This is to catch case of things like 'virsh dump Domain-0 foo' + * which returns a success code, but the word 'xend.err' + * in body to indicate error :-( + */ + virXendError(VIR_ERR_POST_FAILED, +- _("xend_post: error from xen daemon: %s"), content); ++ _("xend_post: error from xen daemon: %s"), err_buf); + ret = -1; + } + ++ VIR_FREE(err_buf); + return ret; + } + #endif /* ! PROXY */ +@@ -487,8 +487,6 @@ http2unix(int ret) + * xend_op_ext: + * @xend: pointer to the Xen Daemon structure + * @path: path for the object +- * @error: buffer for the error output +- * @n_error: size of @error + * @key: the key for the operation + * @ap: input values to pass to the operation + * +@@ -497,8 +495,7 @@ http2unix(int ret) + * Returns 0 in case of success, -1 in case of failure. + */ + static int +-xend_op_ext(virConnectPtr xend, const char *path, char *error, +- size_t n_error, const char *key, va_list ap) ++xend_op_ext(virConnectPtr xend, const char *path, const char *key, va_list ap) + { + const char *k = key, *v; + virBuffer buf = VIR_BUFFER_INITIALIZER; +@@ -524,7 +521,7 @@ xend_op_ext(virConnectPtr xend, const char *path, char *error, + } + + content = virBufferContentAndReset(&buf); +- ret = http2unix(xend_post(xend, path, content, error, n_error)); ++ ret = http2unix(xend_post(xend, path, content)); + VIR_FREE(content); + + return ret; +@@ -535,8 +532,6 @@ xend_op_ext(virConnectPtr xend, const char *path, char *error, + * xend_op: + * @xend: pointer to the Xen Daemon structure + * @name: the domain name target of this operation +- * @error: buffer for the error output +- * @n_error: size of @error + * @key: the key for the operation + * @ap: input values to pass to the operation + * @...: input values to pass to the operation +@@ -550,14 +545,13 @@ static int ATTRIBUTE_SENTINEL + xend_op(virConnectPtr xend, const char *name, const char *key, ...) + { + char buffer[1024]; +- char error[1024]; + va_list ap; + int ret; + + snprintf(buffer, sizeof(buffer), "/xend/domain/%s", name); + + va_start(ap, key); +- ret = xend_op_ext(xend, buffer, error, sizeof(error), key, ap); ++ ret = xend_op_ext(xend, buffer, key, ap); + va_end(ap); + + return ret; +@@ -581,21 +575,29 @@ static struct sexpr *sexpr_get(virConnectPtr xend, const char *fmt, ...) + static struct sexpr * + sexpr_get(virConnectPtr xend, const char *fmt, ...) + { +- char buffer[4096]; ++ char *buffer = NULL; + char path[1024]; + va_list ap; + int ret; ++ struct sexpr *res = NULL; + + va_start(ap, fmt); + vsnprintf(path, sizeof(path), fmt, ap); + va_end(ap); + +- ret = xend_get(xend, path, buffer, sizeof(buffer)); ++ ret = xend_get(xend, path, &buffer); + ret = http2unix(ret); + if (ret == -1) +- return NULL; ++ goto cleanup; ++ ++ if (buffer == NULL) ++ goto cleanup; ++ ++ res = string2sexpr(buffer); + +- return string2sexpr(buffer); ++cleanup: ++ VIR_FREE(buffer); ++ return res; + } + + /**