Package: release.debian.org Severity: normal Tags: bullseye X-Debbugs-Cc: libv...@packages.debian.org Control: affects -1 + src:libvirt User: release.debian....@packages.debian.org Usertags: pu
[ Reason ]
libvirt/7.0.0-3+deb11u2, currently in Bullseye, is vulnerable to several
no-DSA security issues. These issues have been fixed for Buster LTS
(DLA 3778-1), so this is a regression for users upgrading to Bullseye
from Buster.
[ Impact ]
Users are vulnerable to (no-dsa) security issues.
[ Tests ]
AFAICT the code is architectured in several orthogonal components and
drivers, and the DEP-8 smoke tests only cover some of them such as LXC
or QEMU/KVM.
The bulk of the proposed change touches the libxl driver (Xen) which is
not covered by DEP-8 tests, so I tested that one more carefully, but
also ran manual tests for KVM on a test hypervisor.
[ Risks ]
All patches are backported from upstream and applied cleanly (except for
the libxl-related ones).
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in oldstable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Fix CVE-2021-3631: SELinux MCS may be accessed by another machine.
* Fix CVE-2021-3667: Improper locking in the
virStoragePoolLookupByTargetPath API.
* Fix CVE-2021-3975: Use-after-free vulnerability. The
qemuMonitorUnregister() function in qemuProcessHandleMonitorEOF is called
using multiple threads without being adequately protected by a monitor
lock.
* Fix CVE-2021-4147: Deadlock and crash in libxl driver.
* libxl: Fix regression in domain shutdown.
* Fix CVE-2022-0897: Missing locking in nwfilterConnectNumOfNWFilters.
* Fix CVE-2024-1441: Off-by-one error in the udevListInterfacesByStatus()
function.
* Fix CVE-2024-2494: Missing check for negative array lengths in RPC server
de-serialization routines.
* Fix CVE-2024-2496: NULL pointer dereference in the
udevConnectListAllInterfaces() function.
--
Guilhem.
diffstat for libvirt-7.0.0 libvirt-7.0.0 changelog | 24 +++ patches/CVE-2021-3631.patch | 49 ++++++ patches/CVE-2021-3667.patch | 36 +++++ patches/CVE-2021-3975.patch | 37 +++++ patches/CVE-2021-4147_1.patch | 111 +++++++++++++++ patches/CVE-2021-4147_2.patch | 68 +++++++++ patches/CVE-2021-4147_3.patch | 32 ++++ patches/CVE-2021-4147_4.patch | 145 ++++++++++++++++++++ patches/CVE-2021-4147_5.patch | 172 ++++++++++++++++++++++++ patches/CVE-2021-4147_6.patch | 90 ++++++++++++ patches/CVE-2022-0897.patch | 48 ++++++ patches/CVE-2024-1441.patch | 35 ++++ patches/CVE-2024-2494.patch | 212 ++++++++++++++++++++++++++++++ patches/CVE-2024-2496.patch | 86 ++++++++++++ patches/libxl-Fix-domain-shutdown.patch | 226 ++++++++++++++++++++++++++++++++ patches/series | 14 + 16 files changed, 1385 insertions(+) diff -Nru libvirt-7.0.0/debian/changelog libvirt-7.0.0/debian/changelog --- libvirt-7.0.0/debian/changelog 2023-02-06 17:50:14.000000000 +0100 +++ libvirt-7.0.0/debian/changelog 2024-07-30 21:35:28.000000000 +0200 @@ -1,3 +1,27 @@ +libvirt (7.0.0-3+deb11u3) bullseye; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2021-3631: SELinux MCS may be accessed by another machine. + (Closes: #990709) + * Fix CVE-2021-3667: Improper locking in the + virStoragePoolLookupByTargetPath API. (Closes: #991594) + * Fix CVE-2021-3975: Use-after-free vulnerability. The + qemuMonitorUnregister() function in qemuProcessHandleMonitorEOF is called + using multiple threads without being adequately protected by a monitor + lock. + * Fix CVE-2021-4147: Deadlock and crash in libxl driver. (Closes: #1002535) + * libxl: Fix regression in domain shutdown. + * Fix CVE-2022-0897: Missing locking in nwfilterConnectNumOfNWFilters. + (Closes: #1009075) + * Fix CVE-2024-1441: Off-by-one error in the udevListInterfacesByStatus() + function. (Closes: #1066058) + * Fix CVE-2024-2494: Missing check for negative array lengths in RPC server + de-serialization routines. (Closes: #1067461) + * Fix CVE-2024-2496: NULL pointer dereference in the + udevConnectListAllInterfaces() function. + + -- Guilhem Moulin <guil...@debian.org> Tue, 30 Jul 2024 21:35:28 +0200 + libvirt (7.0.0-3+deb11u2) bullseye; urgency=medium * [461d540] Fix libxl config test failures. diff -Nru libvirt-7.0.0/debian/patches/CVE-2021-3631.patch libvirt-7.0.0/debian/patches/CVE-2021-3631.patch --- libvirt-7.0.0/debian/patches/CVE-2021-3631.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-7.0.0/debian/patches/CVE-2021-3631.patch 2024-07-30 21:35:28.000000000 +0200 @@ -0,0 +1,49 @@ +From: Daniel P. Berrangé <berra...@redhat.com> +Date: Mon, 28 Jun 2021 13:09:04 +0100 +Subject: security: fix SELinux label generation logic + +A process can access a file if the set of MCS categories +for the file is equal-to *or* a subset-of, the set of +MCS categories for the process. + +If there are two VMs: + + a) svirt_t:s0:c117 + b) svirt_t:s0:c117,c720 + +Then VM (b) is able to access files labelled for VM (a). + +IOW, we must discard case where the categories are equal +because that is a subset of many other valid category pairs. + +Reviewed-by: Peter Krempa <pkre...@redhat.com> +Signed-off-by: Daniel P. Berrangé <berra...@redhat.com> +Origin: https://gitlab.com/libvirt/libvirt/-/commit/15073504dbb624d3f6c911e85557019d3620fdb2 +Bug: https://gitlab.com/libvirt/libvirt/-/issues/153 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-3631 +Bug-Debian: https://bugs.debian.org/990709 +--- + src/security/security_selinux.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c +index 2fc6ef2..61a871e 100644 +--- a/src/security/security_selinux.c ++++ b/src/security/security_selinux.c +@@ -389,7 +389,15 @@ virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr, + VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin); + + if (c1 == c2) { +- mcs = g_strdup_printf("%s:c%d", sens, catMin + c1); ++ /* ++ * A process can access a file if the set of MCS categories ++ * for the file is equal-to *or* a subset-of, the set of ++ * MCS categories for the process. ++ * ++ * IOW, we must discard case where the categories are equal ++ * because that is a subset of other category pairs. ++ */ ++ continue; + } else { + if (c1 > c2) { + int t = c1; diff -Nru libvirt-7.0.0/debian/patches/CVE-2021-3667.patch libvirt-7.0.0/debian/patches/CVE-2021-3667.patch --- libvirt-7.0.0/debian/patches/CVE-2021-3667.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-7.0.0/debian/patches/CVE-2021-3667.patch 2024-07-30 21:35:28.000000000 +0200 @@ -0,0 +1,36 @@ +From: Peter Krempa <pkre...@redhat.com> +Date: Wed, 21 Jul 2021 11:22:25 +0200 +Subject: storage_driver: Unlock object on ACL fail in + storagePoolLookupByTargetPath + +'virStoragePoolObjListSearch' returns a locked and refed object, thus we +must release it on ACL permission failure. + +Fixes: 7aa0e8c0cb8 +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318 +Signed-off-by: Peter Krempa <pkre...@redhat.com> +Reviewed-by: Michal Privoznik <mpriv...@redhat.com> +Origin: https://gitlab.com/libvirt/libvirt/-/commit/447f69dec47e1b0bd15ecd7cd49a9fd3b050fb87 +Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1984318 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-3667 +Bug-Debian: https://bugs.debian.org/991594 +--- + src/storage/storage_driver.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c +index 16bc53a..2787c16 100644 +--- a/src/storage/storage_driver.c ++++ b/src/storage/storage_driver.c +@@ -1739,8 +1739,10 @@ storagePoolLookupByTargetPath(virConnectPtr conn, + storagePoolLookupByTargetPathCallback, + cleanpath))) { + def = virStoragePoolObjGetDef(obj); +- if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) ++ if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) { ++ virStoragePoolObjEndAPI(&obj); + return NULL; ++ } + + pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL); + virStoragePoolObjEndAPI(&obj); diff -Nru libvirt-7.0.0/debian/patches/CVE-2021-3975.patch libvirt-7.0.0/debian/patches/CVE-2021-3975.patch --- libvirt-7.0.0/debian/patches/CVE-2021-3975.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-7.0.0/debian/patches/CVE-2021-3975.patch 2024-07-30 21:35:28.000000000 +0200 @@ -0,0 +1,37 @@ +From: Peng Liang <liangpen...@huawei.com> +Date: Wed, 24 Feb 2021 19:28:23 +0800 +Subject: qemu: Add missing lock in qemuProcessHandleMonitorEOF + +qemuMonitorUnregister will be called in multiple threads (e.g. threads +in rpc worker pool and the vm event thread). In some cases, it isn't +protected by the monitor lock, which may lead to call g_source_unref +more than one time and a use-after-free problem eventually. + +Add the missing lock in qemuProcessHandleMonitorEOF (which is the only +position missing lock of monitor I found). + +Suggested-by: Michal Privoznik <mpriv...@redhat.com> +Signed-off-by: Peng Liang <liangpen...@huawei.com> +Signed-off-by: Michal Privoznik <mpriv...@redhat.com> +Reviewed-by: Michal Privoznik <mpriv...@redhat.com> +Origin: https://github.com/libvirt/libvirt/commit/1ac703a7d0789e46833f4013a3876c2e3af18ec7 +Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2024326 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-3975 +--- + src/qemu/qemu_process.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c +index 202d867..3f7355f 100644 +--- a/src/qemu/qemu_process.c ++++ b/src/qemu/qemu_process.c +@@ -317,7 +317,9 @@ qemuProcessHandleMonitorEOF(qemuMonitorPtr mon, + /* We don't want this EOF handler to be called over and over while the + * thread is waiting for a job. + */ ++ virObjectLock(mon); + qemuMonitorUnregister(mon); ++ virObjectUnlock(mon); + + /* We don't want any cleanup from EOF handler (or any other + * thread) to enter qemu namespace. */ diff -Nru libvirt-7.0.0/debian/patches/CVE-2021-4147_1.patch libvirt-7.0.0/debian/patches/CVE-2021-4147_1.patch --- libvirt-7.0.0/debian/patches/CVE-2021-4147_1.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-7.0.0/debian/patches/CVE-2021-4147_1.patch 2024-07-30 21:35:28.000000000 +0200 @@ -0,0 +1,111 @@ +From: Jim Fehlig <jfeh...@suse.com> +Date: Fri, 29 Oct 2021 14:16:33 -0600 +Subject: libxl: Disable death events after receiving a shutdown event + +The libxl driver will handle all domain destruction and cleanup +when receiving a domain shutdown event from libxl. Commit fa30ee04a2a +introduced the ignoreDeathEvent boolean in the DomainObjPrivate struct +to ignore subsequent death events from libxl. But libxl already provides +a mechanism to disable death events via libxl_evdisable_domain_death. + +This patch partially reverts commit fa30ee04a2a and instead uses +libxl_evdisable_domain_death to disable subsequent death events when +processing a shutdown event. + +Signed-off-by: Jim Fehlig <jfeh...@suse.com> +Reviewed-by: Daniel P. Berrangé <berra...@redhat.com> +Reviewed-by: Ján Tomko <jto...@redhat.com> +Origin: https://gitlab.com/libvirt/libvirt/-/commit/23b51d7b8ec885e97a9277cf0a6c2833db4636e8 +Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2034195 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-4147 +Bug-Debian: https://bugs.debian.org/1002535 +--- + src/libxl/libxl_domain.c | 23 +++++------------------ + src/libxl/libxl_domain.h | 3 --- + 2 files changed, 5 insertions(+), 21 deletions(-) + +diff --git a/src/libxl/libxl_domain.c b/src/libxl/libxl_domain.c +index 63938d5..f97c6da 100644 +--- a/src/libxl/libxl_domain.c ++++ b/src/libxl/libxl_domain.c +@@ -614,12 +614,6 @@ static void + libxlDomainHandleDeath(libxlDriverPrivatePtr driver, virDomainObjPtr vm) + { + virObjectEventPtr dom_event = NULL; +- libxlDomainObjPrivatePtr priv = vm->privateData; +- +- if (priv->ignoreDeathEvent) { +- priv->ignoreDeathEvent = false; +- return; +- } + + if (libxlDomainObjBeginJob(driver, vm, LIBXL_JOB_MODIFY) < 0) + return; +@@ -667,7 +661,6 @@ libxlDomainEventHandler(void *data, VIR_LIBXL_EVENT_CONST libxl_event *event) + } + + if (event->type == LIBXL_EVENT_TYPE_DOMAIN_SHUTDOWN) { +- libxlDomainObjPrivatePtr priv = vm->privateData; + struct libxlShutdownThreadInfo *shutdown_info = NULL; + virThread thread; + g_autofree char *name = NULL; +@@ -684,12 +677,9 @@ libxlDomainEventHandler(void *data, VIR_LIBXL_EVENT_CONST libxl_event *event) + name = g_strdup_printf("ev-%d", event->domid); + /* + * Cleanup will be handled by the shutdown thread. +- * Ignore the forthcoming death event from libxl + */ +- priv->ignoreDeathEvent = true; + if (virThreadCreateFull(&thread, false, libxlDomainShutdownThread, + name, false, shutdown_info) < 0) { +- priv->ignoreDeathEvent = false; + /* + * Not much we can do on error here except log it. + */ +@@ -813,18 +803,17 @@ libxlDomainDestroyInternal(libxlDriverPrivatePtr driver, + libxlDomainObjPrivatePtr priv = vm->privateData; + int ret = -1; + +- /* Ignore next LIBXL_EVENT_TYPE_DOMAIN_DEATH as the caller will handle +- * domain death appropriately already (having more info, like the reason). +- */ +- priv->ignoreDeathEvent = true; ++ if (priv->deathW) { ++ libxl_evdisable_domain_death(cfg->ctx, priv->deathW); ++ priv->deathW = NULL; ++ } ++ + /* Unlock virDomainObj during destroy, which can take considerable + * time on large memory domains. + */ + virObjectUnlock(vm); + ret = libxl_domain_destroy(cfg->ctx, vm->def->id, NULL); + virObjectLock(vm); +- if (ret) +- priv->ignoreDeathEvent = false; + + return ret; + } +@@ -877,8 +866,6 @@ libxlDomainCleanup(libxlDriverPrivatePtr driver, + priv->deathW = NULL; + } + +- priv->ignoreDeathEvent = false; +- + if (!!g_atomic_int_dec_and_test(&driver->nactive) && driver->inhibitCallback) + driver->inhibitCallback(false, driver->inhibitOpaque); + +diff --git a/src/libxl/libxl_domain.h b/src/libxl/libxl_domain.h +index 0068254..e06a88b 100644 +--- a/src/libxl/libxl_domain.h ++++ b/src/libxl/libxl_domain.h +@@ -62,9 +62,6 @@ struct _libxlDomainObjPrivate { + /* console */ + virChrdevsPtr devs; + libxl_evgen_domain_death *deathW; +- /* Flag to indicate the upcoming LIBXL_EVENT_TYPE_DOMAIN_DEATH is caused +- * by libvirt and should not be handled separately */ +- bool ignoreDeathEvent; + virThreadPtr migrationDstReceiveThr; + unsigned short migrationPort; + char *lockState; diff -Nru libvirt-7.0.0/debian/patches/CVE-2021-4147_2.patch libvirt-7.0.0/debian/patches/CVE-2021-4147_2.patch --- libvirt-7.0.0/debian/patches/CVE-2021-4147_2.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-7.0.0/debian/patches/CVE-2021-4147_2.patch 2024-07-30 21:35:28.000000000 +0200 @@ -0,0 +1,68 @@ +From: Jim Fehlig <jfeh...@suse.com> +Date: Wed, 24 Nov 2021 11:10:19 -0700 +Subject: libxl: Rename libxlShutdownThreadInfo struct + +An upcoming change will use the struct in a thread created to process +death events. Rename libxlShutdownThreadInfo to libxlEventHandlerThreadInfo +to reflect the more generic usage. + +Signed-off-by: Jim Fehlig <jfeh...@suse.com> +Reviewed-by: Daniel P. Berrangé <berra...@redhat.com> +Reviewed-by: Ján Tomko <jto...@redhat.com> +Origin: https://gitlab.com/libvirt/libvirt/-/commit/a4e6fba069c0809b8b5dde5e9db62d2efd91b4a0 +Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2034195 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-4147 +Bug-Debian: https://bugs.debian.org/1002535 +--- + src/libxl/libxl_domain.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/libxl/libxl_domain.c b/src/libxl/libxl_domain.c +index f97c6da..6ad9ab7 100644 +--- a/src/libxl/libxl_domain.c ++++ b/src/libxl/libxl_domain.c +@@ -473,7 +473,7 @@ libxlDomainShutdownHandleRestart(libxlDriverPrivatePtr driver, + } + + +-struct libxlShutdownThreadInfo ++struct libxlEventHandlerThreadInfo + { + libxlDriverPrivatePtr driver; + virDomainObjPtr vm; +@@ -484,7 +484,7 @@ struct libxlShutdownThreadInfo + static void + libxlDomainShutdownThread(void *opaque) + { +- struct libxlShutdownThreadInfo *shutdown_info = opaque; ++ struct libxlEventHandlerThreadInfo *shutdown_info = opaque; + virDomainObjPtr vm = shutdown_info->vm; + libxl_event *ev = shutdown_info->event; + libxlDriverPrivatePtr driver = shutdown_info->driver; +@@ -661,7 +661,7 @@ libxlDomainEventHandler(void *data, VIR_LIBXL_EVENT_CONST libxl_event *event) + } + + if (event->type == LIBXL_EVENT_TYPE_DOMAIN_SHUTDOWN) { +- struct libxlShutdownThreadInfo *shutdown_info = NULL; ++ struct libxlEventHandlerThreadInfo *shutdown_info = NULL; + virThread thread; + g_autofree char *name = NULL; + +@@ -669,7 +669,7 @@ libxlDomainEventHandler(void *data, VIR_LIBXL_EVENT_CONST libxl_event *event) + * Start a thread to handle shutdown. We don't want to be tying up + * libxl's event machinery by doing a potentially lengthy shutdown. + */ +- shutdown_info = g_new0(struct libxlShutdownThreadInfo, 1); ++ shutdown_info = g_new0(struct libxlEventHandlerThreadInfo, 1); + + shutdown_info->driver = driver; + shutdown_info->vm = vm; +@@ -689,7 +689,7 @@ libxlDomainEventHandler(void *data, VIR_LIBXL_EVENT_CONST libxl_event *event) + } + /* + * virDomainObjEndAPI is called in the shutdown thread, where +- * libxlShutdownThreadInfo and libxl_event are also freed. ++ * libxlEventHandlerThreadInfo and libxl_event are also freed. + */ + return; + } else if (event->type == LIBXL_EVENT_TYPE_DOMAIN_DEATH) { diff -Nru libvirt-7.0.0/debian/patches/CVE-2021-4147_3.patch libvirt-7.0.0/debian/patches/CVE-2021-4147_3.patch --- libvirt-7.0.0/debian/patches/CVE-2021-4147_3.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-7.0.0/debian/patches/CVE-2021-4147_3.patch 2024-07-30 21:35:28.000000000 +0200 @@ -0,0 +1,32 @@ +From: Jim Fehlig <jfeh...@suse.com> +Date: Wed, 24 Nov 2021 11:16:38 -0700 +Subject: libxl: Modify name of shutdown thread + +The current thread name 'ev-<domid>' is a bit terse. Change the name +to 'shutdown-event-<domid>', allowing it to be distinguished between +thread handling other event types. + +Signed-off-by: Jim Fehlig <jfeh...@suse.com> +Reviewed-by: Daniel P. Berrangé <berra...@redhat.com> +Reviewed-by: Ján Tomko <jto...@redhat.com> +Origin: https://gitlab.com/libvirt/libvirt/-/commit/e4f7589a3ec285489618ca04c8c0230cc31f3d99 +Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2034195 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-4147 +Bug-Debian: https://bugs.debian.org/1002535 +--- + src/libxl/libxl_domain.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libxl/libxl_domain.c b/src/libxl/libxl_domain.c +index 6ad9ab7..2af9d31 100644 +--- a/src/libxl/libxl_domain.c ++++ b/src/libxl/libxl_domain.c +@@ -674,7 +674,7 @@ libxlDomainEventHandler(void *data, VIR_LIBXL_EVENT_CONST libxl_event *event) + shutdown_info->driver = driver; + shutdown_info->vm = vm; + shutdown_info->event = (libxl_event *)event; +- name = g_strdup_printf("ev-%d", event->domid); ++ name = g_strdup_printf("shutdown-event-%d", event->domid); + /* + * Cleanup will be handled by the shutdown thread. + */ diff -Nru libvirt-7.0.0/debian/patches/CVE-2021-4147_4.patch libvirt-7.0.0/debian/patches/CVE-2021-4147_4.patch --- libvirt-7.0.0/debian/patches/CVE-2021-4147_4.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-7.0.0/debian/patches/CVE-2021-4147_4.patch 2024-07-30 21:35:28.000000000 +0200 @@ -0,0 +1,145 @@ +From: Jim Fehlig <jfeh...@suse.com> +Date: Wed, 24 Nov 2021 11:36:55 -0700 +Subject: libxl: Handle domain death events in a thread + +Similar to domain shutdown events, processing domain death events can be a +lengthy process and we don't want to block the event handler while the +operation completes. Move the death handling function to a thread. + +Signed-off-by: Jim Fehlig <jfeh...@suse.com> +Reviewed-by: Daniel P. Berrangé <berra...@redhat.com> +Reviewed-by: Ján Tomko <jto...@redhat.com> +Origin: https://gitlab.com/libvirt/libvirt/-/commit/b9a5faea49b7412e26d7389af4c32fc2b3ee80e5 +Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2034195 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-4147 +Bug-Debian: https://bugs.debian.org/1002535 +--- + src/libxl/libxl_domain.c | 67 +++++++++++++++++++++++++++++++++--------------- + 1 file changed, 47 insertions(+), 20 deletions(-) + +diff --git a/src/libxl/libxl_domain.c b/src/libxl/libxl_domain.c +index 2af9d31..f541469 100644 +--- a/src/libxl/libxl_domain.c ++++ b/src/libxl/libxl_domain.c +@@ -611,12 +611,17 @@ libxlDomainShutdownThread(void *opaque) + } + + static void +-libxlDomainHandleDeath(libxlDriverPrivatePtr driver, virDomainObjPtr vm) ++libxlDomainDeathThread(void *opaque) + { ++ struct libxlEventHandlerThreadInfo *death_info = opaque; ++ virDomainObjPtr vm = death_info->vm; ++ libxl_event *ev = death_info->event; ++ libxlDriverPrivatePtr driver = death_info->driver; + virObjectEventPtr dom_event = NULL; ++ g_autoptr(libxlDriverConfig) cfg = libxlDriverConfigGet(driver); + + if (libxlDomainObjBeginJob(driver, vm, LIBXL_JOB_MODIFY) < 0) +- return; ++ goto cleanup; + + virDomainObjSetState(vm, VIR_DOMAIN_SHUTOFF, VIR_DOMAIN_SHUTOFF_DESTROYED); + dom_event = virDomainEventLifecycleNewFromObj(vm, +@@ -627,6 +632,11 @@ libxlDomainHandleDeath(libxlDriverPrivatePtr driver, virDomainObjPtr vm) + virDomainObjListRemove(driver->domains, vm); + libxlDomainObjEndJob(driver, vm); + virObjectEventStateQueue(driver->domainEventState, dom_event); ++ ++ cleanup: ++ virDomainObjEndAPI(&vm); ++ libxl_event_free(cfg->ctx, ev); ++ VIR_FREE(death_info); + } + + +@@ -640,6 +650,9 @@ libxlDomainEventHandler(void *data, VIR_LIBXL_EVENT_CONST libxl_event *event) + libxl_shutdown_reason xl_reason = event->u.domain_shutdown.shutdown_reason; + virDomainObjPtr vm = NULL; + g_autoptr(libxlDriverConfig) cfg = NULL; ++ struct libxlEventHandlerThreadInfo *thread_info = NULL; ++ virThread thread; ++ g_autofree char *thread_name = NULL; + + if (event->type != LIBXL_EVENT_TYPE_DOMAIN_SHUTDOWN && + event->type != LIBXL_EVENT_TYPE_DOMAIN_DEATH) { +@@ -660,31 +673,27 @@ libxlDomainEventHandler(void *data, VIR_LIBXL_EVENT_CONST libxl_event *event) + goto cleanup; + } + ++ /* ++ * Start event-specific threads to handle shutdown and death. ++ * They are potentially lengthy operations and we don't want to be ++ * blocking this event handler while they are in progress. ++ */ + if (event->type == LIBXL_EVENT_TYPE_DOMAIN_SHUTDOWN) { +- struct libxlEventHandlerThreadInfo *shutdown_info = NULL; +- virThread thread; +- g_autofree char *name = NULL; +- +- /* +- * Start a thread to handle shutdown. We don't want to be tying up +- * libxl's event machinery by doing a potentially lengthy shutdown. +- */ +- shutdown_info = g_new0(struct libxlEventHandlerThreadInfo, 1); ++ thread_info = g_new0(struct libxlEventHandlerThreadInfo, 1); + +- shutdown_info->driver = driver; +- shutdown_info->vm = vm; +- shutdown_info->event = (libxl_event *)event; +- name = g_strdup_printf("shutdown-event-%d", event->domid); ++ thread_info->driver = driver; ++ thread_info->vm = vm; ++ thread_info->event = (libxl_event *)event; ++ thread_name = g_strdup_printf("shutdown-event-%d", event->domid); + /* + * Cleanup will be handled by the shutdown thread. + */ + if (virThreadCreateFull(&thread, false, libxlDomainShutdownThread, +- name, false, shutdown_info) < 0) { ++ thread_name, false, thread_info) < 0) { + /* + * Not much we can do on error here except log it. + */ + VIR_ERROR(_("Failed to create thread to handle domain shutdown")); +- VIR_FREE(shutdown_info); + goto cleanup; + } + /* +@@ -693,15 +702,33 @@ libxlDomainEventHandler(void *data, VIR_LIBXL_EVENT_CONST libxl_event *event) + */ + return; + } else if (event->type == LIBXL_EVENT_TYPE_DOMAIN_DEATH) { ++ thread_info = g_new0(struct libxlEventHandlerThreadInfo, 1); ++ ++ thread_info->driver = driver; ++ thread_info->vm = vm; ++ thread_info->event = (libxl_event *)event; ++ thread_name = g_strdup_printf("death-event-%d", event->domid); + /* +- * On death the domain is cleaned up from Xen's perspective. +- * Cleanup on the libvirt side can be done synchronously. ++ * Cleanup will be handled by the death thread. + */ +- libxlDomainHandleDeath(driver, vm); ++ if (virThreadCreateFull(&thread, false, libxlDomainDeathThread, ++ thread_name, false, thread_info) < 0) { ++ /* ++ * Not much we can do on error here except log it. ++ */ ++ VIR_ERROR(_("Failed to create thread to handle domain death")); ++ goto cleanup; ++ } ++ /* ++ * virDomainObjEndAPI is called in the death thread, where ++ * libxlEventHandlerThreadInfo and libxl_event are also freed. ++ */ ++ return; + } + + cleanup: + virDomainObjEndAPI(&vm); ++ VIR_FREE(thread_info); + cfg = libxlDriverConfigGet(driver); + /* Cast away any const */ + libxl_event_free(cfg->ctx, (libxl_event *)event); diff -Nru libvirt-7.0.0/debian/patches/CVE-2021-4147_5.patch libvirt-7.0.0/debian/patches/CVE-2021-4147_5.patch --- libvirt-7.0.0/debian/patches/CVE-2021-4147_5.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-7.0.0/debian/patches/CVE-2021-4147_5.patch 2024-07-30 21:35:28.000000000 +0200 @@ -0,0 +1,172 @@ +From: Jim Fehlig <jfeh...@suse.com> +Date: Wed, 24 Nov 2021 11:48:51 -0700 +Subject: libxl: Search for virDomainObj in event handler threads + +libxl can deliver events and invoke callbacks on any application thread +calling into libxl. This can cause deadlock in the libvirt libxl driver + +Thread 19 (Thread 0x7f31411ec700 (LWP 14068) "libvirtd"): +#0 0x00007f318520cc7d in __lll_lock_wait () from /lib64/libpthread.so.0 +#1 0x00007f3185205ed5 in pthread_mutex_lock () from /lib64/libpthread.so.0 +#2 0x00007f3189488015 in virMutexLock (m=<optimized out>) at ../../src/util/virthread.c:79 +#3 0x00007f3189463f3b in virObjectLock (anyobj=<optimized out>) at ../../src/util/virobject.c:433 +#4 0x00007f31894f2f41 in virDomainObjListSearchID (payload=0x7f317400a6d0, name=<optimized out>, data=0x7f31411eaeac) at ../../src/conf/virdomainobjlist.c:105 +#5 0x00007f3189437ac5 in virHashSearch (ctable=0x7f3124025a30, iter=iter@entry=0x7f31894f2f30 <virDomainObjListSearchID>, data=data@entry=0x7f31411eaeac, name=name@entry=0x0) at ../../src/util/virhash.c:745 +#6 0x00007f31894f3919 in virDomainObjListFindByID (doms=0x7f3124025430, id=<optimized out>) at ../../src/conf/virdomainobjlist.c:121 +#7 0x00007f3152f292e5 in libxlDomainEventHandler (data=0x7f3124023d80, event=0x7f310c010ae0) at ../../src/libxl/libxl_domain.c:660 +#8 0x00007f3152c6ff5d in egc_run_callbacks (egc=egc@entry=0x7f31411eaf50) at libxl_event.c:1427 +#9 0x00007f3152c718bd in libxl__egc_cleanup (egc=0x7f31411eaf50) at libxl_event.c:1458 +#10 libxl__ao_inprogress (ao=ao@entry=0x7f310c00b8a0, file=file@entry=0x7f3152cce987 "libxl_domain.c", line=line@entry=730, func=func@entry=0x7f3152ccf750 <__func__.22238> "libxl_domain_unpause") at libxl_event.c:2047 +#11 0x00007f3152c8c5b8 in libxl_domain_unpause (ctx=0x7f3124015a40, domid=<optimized out>, ao_how=ao_how@entry=0x0) at libxl_domain.c:730 +#12 0x00007f3152f2a584 in libxl_domain_unpause_0x041200 (domid=<optimized out>, ctx=<optimized out>) at /usr/include/libxl.h:1756 +#13 libxlDomainStart (driver=driver@entry=0x7f3124023d80, vm=vm@entry=0x7f317400a6d0, start_paused=start_paused@entry=false, restore_fd=restore_fd@entry=-1, restore_ver=<optimized out>, restore_ver@entry=2) at ../../src/libxl/libxl_domain.c:1482 +#14 0x00007f3152f2a6e3 in libxlDomainStartNew (driver=driver@entry=0x7f3124023d80, vm=vm@entry=0x7f317400a6d0, start_paused=start_paused@entry=false) at ../../src/libxl/libxl_domain.c:1545 +#15 0x00007f3152f2a789 in libxlDomainShutdownHandleRestart (driver=0x7f3124023d80, vm=0x7f317400a6d0) at ../../src/libxl/libxl_domain.c:464 +#16 0x00007f3152f2a9e4 in libxlDomainShutdownThread (opaque=<optimized out>) at ../../src/libxl/libxl_domain.c:559 +#17 0x00007f3189487ee2 in virThreadHelper (data=<optimized out>) at ../../src/util/virthread.c:196 +#18 0x00007f3185203539 in start_thread () from /lib64/libpthread.so.0 +#19 0x00007f3184f3becf in clone () from /lib64/libc.so.6 + +Frame 16 runs a thread created to handle domain shutdown processing for +domid 28712. In this case the event contained the reboot reason, so the +old domain is destroyed and a new one is created by libxlDomainStart new. +After starting the domain, it is unpaused by calling libxl_domain_unpause +in frame 12. While the thread is running within libxl, libxl takes the +opportunity to deliver a pending domain shutdown event for unrelated domid +28710. While searching for the associated virDomainObj by ID, a deadlock is +encountered when attempting to lock the virDomainObj for domid 28712, which +is already locked since this thread is processing its shutdown event. + +The deadlock can be avoided by moving the search for a virDomainObj +associated with the event domid to the shutdown thread. The same is done +for the death thread. + +Signed-off-by: Jim Fehlig <jfeh...@suse.com> +Reviewed-by: Daniel P. Berrangé <berra...@redhat.com> +Reviewed-by: Ján Tomko <jto...@redhat.com> +Origin: https://gitlab.com/libvirt/libvirt/-/commit/5c5df5310f72be4878a71ace47074c54e0d1a27d +Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2034195 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-4147 +Bug-Debian: https://bugs.debian.org/1002535 +--- + src/libxl/libxl_domain.c | 35 ++++++++++++++++++----------------- + 1 file changed, 18 insertions(+), 17 deletions(-) + +diff --git a/src/libxl/libxl_domain.c b/src/libxl/libxl_domain.c +index f541469..0127211 100644 +--- a/src/libxl/libxl_domain.c ++++ b/src/libxl/libxl_domain.c +@@ -476,7 +476,6 @@ libxlDomainShutdownHandleRestart(libxlDriverPrivatePtr driver, + struct libxlEventHandlerThreadInfo + { + libxlDriverPrivatePtr driver; +- virDomainObjPtr vm; + libxl_event *event; + }; + +@@ -485,7 +484,7 @@ static void + libxlDomainShutdownThread(void *opaque) + { + struct libxlEventHandlerThreadInfo *shutdown_info = opaque; +- virDomainObjPtr vm = shutdown_info->vm; ++ virDomainObjPtr vm = NULL; + libxl_event *ev = shutdown_info->event; + libxlDriverPrivatePtr driver = shutdown_info->driver; + virObjectEventPtr dom_event = NULL; +@@ -495,6 +494,12 @@ libxlDomainShutdownThread(void *opaque) + + libxl_domain_config_init(&d_config); + ++ vm = virDomainObjListFindByID(driver->domains, ev->domid); ++ if (!vm) { ++ /* Nothing to do if we can't find the virDomainObj */ ++ goto cleanup; ++ } ++ + if (libxlDomainObjBeginJob(driver, vm, LIBXL_JOB_MODIFY) < 0) + goto cleanup; + +@@ -614,12 +619,18 @@ static void + libxlDomainDeathThread(void *opaque) + { + struct libxlEventHandlerThreadInfo *death_info = opaque; +- virDomainObjPtr vm = death_info->vm; ++ virDomainObjPtr vm = NULL; + libxl_event *ev = death_info->event; + libxlDriverPrivatePtr driver = death_info->driver; + virObjectEventPtr dom_event = NULL; + g_autoptr(libxlDriverConfig) cfg = libxlDriverConfigGet(driver); + ++ vm = virDomainObjListFindByID(driver->domains, ev->domid); ++ if (!vm) { ++ /* Nothing to do if we can't find the virDomainObj */ ++ goto cleanup; ++ } ++ + if (libxlDomainObjBeginJob(driver, vm, LIBXL_JOB_MODIFY) < 0) + goto cleanup; + +@@ -648,7 +659,6 @@ libxlDomainEventHandler(void *data, VIR_LIBXL_EVENT_CONST libxl_event *event) + { + libxlDriverPrivatePtr driver = data; + libxl_shutdown_reason xl_reason = event->u.domain_shutdown.shutdown_reason; +- virDomainObjPtr vm = NULL; + g_autoptr(libxlDriverConfig) cfg = NULL; + struct libxlEventHandlerThreadInfo *thread_info = NULL; + virThread thread; +@@ -667,12 +677,6 @@ libxlDomainEventHandler(void *data, VIR_LIBXL_EVENT_CONST libxl_event *event) + if (xl_reason == LIBXL_SHUTDOWN_REASON_SUSPEND) + goto cleanup; + +- vm = virDomainObjListFindByID(driver->domains, event->domid); +- if (!vm) { +- /* Nothing to do if we can't find the virDomainObj */ +- goto cleanup; +- } +- + /* + * Start event-specific threads to handle shutdown and death. + * They are potentially lengthy operations and we don't want to be +@@ -682,7 +686,6 @@ libxlDomainEventHandler(void *data, VIR_LIBXL_EVENT_CONST libxl_event *event) + thread_info = g_new0(struct libxlEventHandlerThreadInfo, 1); + + thread_info->driver = driver; +- thread_info->vm = vm; + thread_info->event = (libxl_event *)event; + thread_name = g_strdup_printf("shutdown-event-%d", event->domid); + /* +@@ -697,15 +700,14 @@ libxlDomainEventHandler(void *data, VIR_LIBXL_EVENT_CONST libxl_event *event) + goto cleanup; + } + /* +- * virDomainObjEndAPI is called in the shutdown thread, where +- * libxlEventHandlerThreadInfo and libxl_event are also freed. ++ * libxlEventHandlerThreadInfo and libxl_event are freed in the ++ * shutdown thread + */ + return; + } else if (event->type == LIBXL_EVENT_TYPE_DOMAIN_DEATH) { + thread_info = g_new0(struct libxlEventHandlerThreadInfo, 1); + + thread_info->driver = driver; +- thread_info->vm = vm; + thread_info->event = (libxl_event *)event; + thread_name = g_strdup_printf("death-event-%d", event->domid); + /* +@@ -720,14 +722,13 @@ libxlDomainEventHandler(void *data, VIR_LIBXL_EVENT_CONST libxl_event *event) + goto cleanup; + } + /* +- * virDomainObjEndAPI is called in the death thread, where +- * libxlEventHandlerThreadInfo and libxl_event are also freed. ++ * libxlEventHandlerThreadInfo and libxl_event are freed in the ++ * death thread + */ + return; + } + + cleanup: +- virDomainObjEndAPI(&vm); + VIR_FREE(thread_info); + cfg = libxlDriverConfigGet(driver); + /* Cast away any const */ diff -Nru libvirt-7.0.0/debian/patches/CVE-2021-4147_6.patch libvirt-7.0.0/debian/patches/CVE-2021-4147_6.patch --- libvirt-7.0.0/debian/patches/CVE-2021-4147_6.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-7.0.0/debian/patches/CVE-2021-4147_6.patch 2024-07-30 21:35:28.000000000 +0200 @@ -0,0 +1,90 @@ +From: Jim Fehlig <jfeh...@suse.com> +Date: Thu, 18 Nov 2021 12:03:20 -0700 +Subject: libxl: Protect access to libxlLogger files hash table + +The hash table of log file objects in libxlLogger is not protected against +concurrent access. It is possible for one thread to remove an entry while +another is updating it. Add a mutex to the libxlLogger object and lock it +when accessing the files hash table. + +Signed-off-by: Jim Fehlig <jfeh...@suse.com> +Reviewed-by: Daniel P. Berrangé <berra...@redhat.com> +Reviewed-by: Ján Tomko <jto...@redhat.com> +Origin: https://gitlab.com/libvirt/libvirt/-/commit/a7a03324d86e111f81687b5315b8f296dde84340 +Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2034195 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-4147 +Bug-Debian: https://bugs.debian.org/1002535 +--- + src/libxl/libxl_logger.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/src/libxl/libxl_logger.c b/src/libxl/libxl_logger.c +index 93a9c76..4113d67 100644 +--- a/src/libxl/libxl_logger.c ++++ b/src/libxl/libxl_logger.c +@@ -28,6 +28,7 @@ + #include "util/virfile.h" + #include "util/virhash.h" + #include "util/virstring.h" ++#include "util/virthread.h" + #include "util/virtime.h" + + #define VIR_FROM_THIS VIR_FROM_LIBXL +@@ -43,6 +44,7 @@ struct xentoollog_logger_libvirt { + + /* map storing the opened fds: "domid" -> FILE* */ + GHashTable *files; ++ virMutex tableLock; + FILE *defaultLogFile; + }; + +@@ -85,7 +87,9 @@ libvirt_vmessage(xentoollog_logger *logger_in, + start = start + 9; + *end = '\0'; + ++ virMutexLock(&lg->tableLock); + domainLogFile = virHashLookup(lg->files, start); ++ virMutexUnlock(&lg->tableLock); + if (domainLogFile) + logFile = domainLogFile; + +@@ -161,6 +165,11 @@ libxlLoggerNew(const char *logDir, virLogPriority minLevel) + if ((logger.defaultLogFile = fopen(path, "a")) == NULL) + goto error; + ++ if (virMutexInit(&logger.tableLock) < 0) { ++ VIR_FORCE_FCLOSE(logger.defaultLogFile); ++ goto error; ++ } ++ + logger_out = XTL_NEW_LOGGER(libvirt, logger); + + cleanup: +@@ -179,6 +188,7 @@ libxlLoggerFree(libxlLoggerPtr logger) + if (logger->defaultLogFile) + VIR_FORCE_FCLOSE(logger->defaultLogFile); + virHashFree(logger->files); ++ virMutexDestroy(&logger->tableLock); + xtl_logger_destroy(xtl_logger); + } + +@@ -200,7 +210,9 @@ libxlLoggerOpenFile(libxlLoggerPtr logger, + path, g_strerror(errno)); + goto cleanup; + } ++ virMutexLock(&logger->tableLock); + ignore_value(virHashAddEntry(logger->files, domidstr, logFile)); ++ virMutexUnlock(&logger->tableLock); + + /* domain_config is non NULL only when starting a new domain */ + if (domain_config) { +@@ -219,7 +231,9 @@ libxlLoggerCloseFile(libxlLoggerPtr logger, int id) + char *domidstr = NULL; + domidstr = g_strdup_printf("%d", id); + ++ virMutexLock(&logger->tableLock); + ignore_value(virHashRemoveEntry(logger->files, domidstr)); ++ virMutexUnlock(&logger->tableLock); + + VIR_FREE(domidstr); + } diff -Nru libvirt-7.0.0/debian/patches/CVE-2022-0897.patch libvirt-7.0.0/debian/patches/CVE-2022-0897.patch --- libvirt-7.0.0/debian/patches/CVE-2022-0897.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-7.0.0/debian/patches/CVE-2022-0897.patch 2024-07-30 21:35:28.000000000 +0200 @@ -0,0 +1,48 @@ +From: Daniel P. Berrangé <berra...@redhat.com> +Date: Tue, 8 Mar 2022 17:28:38 +0000 +Subject: nwfilter: fix crash when counting number of network filters + +The virNWFilterObjListNumOfNWFilters method iterates over the +driver->nwfilters, accessing virNWFilterObj instances. As such +it needs to be protected against concurrent modification of +the driver->nwfilters object. + +This API allows unprivileged users to connect, so users with +read-only access to libvirt can cause a denial of service +crash if they are able to race with a call of virNWFilterUndefine. +Since network filters are usually statically defined, this is +considered a low severity problem. + +This is assigned CVE-2022-0897. + +Reviewed-by: Eric Blake <ebl...@redhat.com> +Signed-off-by: Daniel P. Berrangé <berra...@redhat.com> +Origin: https://gitlab.com/libvirt/libvirt/-/commit/a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2022-0897 +Bug-Debian: https://bugs.debian.org/1009075 +--- + src/nwfilter/nwfilter_driver.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c +index 1b8e3db..4b09518 100644 +--- a/src/nwfilter/nwfilter_driver.c ++++ b/src/nwfilter/nwfilter_driver.c +@@ -478,11 +478,15 @@ nwfilterLookupByName(virConnectPtr conn, + static int + nwfilterConnectNumOfNWFilters(virConnectPtr conn) + { ++ int ret; + if (virConnectNumOfNWFiltersEnsureACL(conn) < 0) + return -1; + +- return virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn, +- virConnectNumOfNWFiltersCheckACL); ++ nwfilterDriverLock(); ++ ret = virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn, ++ virConnectNumOfNWFiltersCheckACL); ++ nwfilterDriverUnlock(); ++ return ret; + } + + diff -Nru libvirt-7.0.0/debian/patches/CVE-2024-1441.patch libvirt-7.0.0/debian/patches/CVE-2024-1441.patch --- libvirt-7.0.0/debian/patches/CVE-2024-1441.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-7.0.0/debian/patches/CVE-2024-1441.patch 2024-07-30 21:35:28.000000000 +0200 @@ -0,0 +1,35 @@ +From: Martin Kletzander <mklet...@redhat.com> +Date: Tue, 27 Feb 2024 16:20:12 +0100 +Subject: Fix off-by-one error in udevListInterfacesByStatus + +Ever since this function was introduced in 2012 it could've tried +filling in an extra interface name. That was made worse in 2019 when +the caller functions started accepting NULL arrays of size 0. + +This is assigned CVE-2024-1441. + +Signed-off-by: Martin Kletzander <mklet...@redhat.com> +Reported-by: Alexander Kuznetsov <kuznetso...@altlinux.org> +Fixes: 5a33366f5c0b18c93d161bd144f9f079de4ac8ca +Fixes: d6064e2759a24e0802f363e3a810dc5a7d7ebb15 +Reviewed-by: Ján Tomko <jto...@redhat.com> +Origin: https://gitlab.com/libvirt/libvirt/-/commit/c664015fe3a7bf59db26686e9ed69af011c6ebb8 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-1441 +Bug-Debian: https://bugs.debian.org/1066058 +--- + src/interface/interface_backend_udev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c +index 6a94a45..65a5244 100644 +--- a/src/interface/interface_backend_udev.c ++++ b/src/interface/interface_backend_udev.c +@@ -221,7 +221,7 @@ udevListInterfacesByStatus(virConnectPtr conn, + virInterfaceDefPtr def; + + /* Ensure we won't exceed the size of our array */ +- if (count > names_len) ++ if (count >= names_len) + break; + + path = udev_list_entry_get_name(dev_entry); diff -Nru libvirt-7.0.0/debian/patches/CVE-2024-2494.patch libvirt-7.0.0/debian/patches/CVE-2024-2494.patch --- libvirt-7.0.0/debian/patches/CVE-2024-2494.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-7.0.0/debian/patches/CVE-2024-2494.patch 2024-07-30 21:35:28.000000000 +0200 @@ -0,0 +1,212 @@ +From: Daniel P. Berrangé <berra...@redhat.com> +Date: Fri, 15 Mar 2024 10:47:50 +0000 +Subject: remote: check for negative array lengths before allocation + +While the C API entry points will validate non-negative lengths +for various parameters, the RPC server de-serialization code +will need to allocate memory for arrays before entering the C +API. These allocations will thus happen before the non-negative +length check is performed. + +Passing a negative length to the g_new0 function will usually +result in a crash due to the negative length being treated as +a huge positive number. + +This was found and diagnosed by ALT Linux Team with AFLplusplus. + +Reviewed-by: Michal Privoznik <mpriv...@redhat.com> +Found-by: Alexandr Shashkin <duty...@altlinux.org> +Co-developed-by: Alexander Kuznetsov <kuznetso...@altlinux.org> +Signed-off-by: Daniel P. Berrangé <berra...@redhat.com> +Origin: https://gitlab.com/libvirt/libvirt/-/commit/8a3f8d957507c1f8223fdcf25a3ff885b15557f2 +Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2270115 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-2494 +Bug-Debian: https://bugs.debian.org/1067461 +--- + src/remote/remote_daemon_dispatch.c | 65 +++++++++++++++++++++++++++++++++++++ + src/rpc/gendispatch.pl | 5 +++ + 2 files changed, 70 insertions(+) + +diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c +index 46683aa..4def952 100644 +--- a/src/remote/remote_daemon_dispatch.c ++++ b/src/remote/remote_daemon_dispatch.c +@@ -2330,6 +2330,10 @@ remoteDispatchDomainGetSchedulerParameters(virNetServerPtr server G_GNUC_UNUSED, + if (!conn) + goto cleanup; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -2378,6 +2382,10 @@ remoteDispatchDomainGetSchedulerParametersFlags(virNetServerPtr server G_GNUC_UN + if (!conn) + goto cleanup; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -2536,6 +2544,10 @@ remoteDispatchDomainBlockStatsFlags(virNetServerPtr server G_GNUC_UNUSED, + goto cleanup; + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_BLOCK_STATS_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -2764,6 +2776,14 @@ remoteDispatchDomainGetVcpuPinInfo(virNetServerPtr server G_GNUC_UNUSED, + if (!(dom = get_nonnull_domain(conn, args->dom))) + goto cleanup; + ++ if (args->ncpumaps < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps must be non-negative")); ++ goto cleanup; ++ } ++ if (args->maplen < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative")); ++ goto cleanup; ++ } + if (args->ncpumaps > REMOTE_VCPUINFO_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps > REMOTE_VCPUINFO_MAX")); + goto cleanup; +@@ -2858,6 +2878,11 @@ remoteDispatchDomainGetEmulatorPinInfo(virNetServerPtr server G_GNUC_UNUSED, + if (!(dom = get_nonnull_domain(conn, args->dom))) + goto cleanup; + ++ if (args->maplen < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative")); ++ goto cleanup; ++ } ++ + /* Allocate buffers to take the results */ + if (args->maplen > 0) + cpumaps = g_new0(unsigned char, args->maplen); +@@ -2905,6 +2930,14 @@ remoteDispatchDomainGetVcpus(virNetServerPtr server G_GNUC_UNUSED, + if (!(dom = get_nonnull_domain(conn, args->dom))) + goto cleanup; + ++ if (args->maxinfo < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be non-negative")); ++ goto cleanup; ++ } ++ if (args->maplen < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative")); ++ goto cleanup; ++ } + if (args->maxinfo > REMOTE_VCPUINFO_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo > REMOTE_VCPUINFO_MAX")); + goto cleanup; +@@ -3145,6 +3178,10 @@ remoteDispatchDomainGetMemoryParameters(virNetServerPtr server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_MEMORY_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -3205,6 +3242,10 @@ remoteDispatchDomainGetNumaParameters(virNetServerPtr server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_NUMA_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -3265,6 +3306,10 @@ remoteDispatchDomainGetBlkioParameters(virNetServerPtr server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_BLKIO_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -3326,6 +3371,10 @@ remoteDispatchNodeGetCPUStats(virNetServerPtr server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_NODE_CPU_STATS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -3393,6 +3442,10 @@ remoteDispatchNodeGetMemoryStats(virNetServerPtr server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_NODE_MEMORY_STATS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -3573,6 +3626,10 @@ remoteDispatchDomainGetBlockIoTune(virNetServerPtr server G_GNUC_UNUSED, + if (!conn) + goto cleanup; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_BLOCK_IO_TUNE_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -5117,6 +5174,10 @@ remoteDispatchDomainGetInterfaceParameters(virNetServerPtr server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_INTERFACE_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -5337,6 +5398,10 @@ remoteDispatchNodeGetMemoryParameters(virNetServerPtr server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_NODE_MEMORY_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl +index 0020273..84b239c 100755 +--- a/src/rpc/gendispatch.pl ++++ b/src/rpc/gendispatch.pl +@@ -1073,6 +1073,11 @@ elsif ($mode eq "server") { + print "\n"; + + if ($single_ret_as_list) { ++ print " if (args->$single_ret_list_max_var < 0) {\n"; ++ print " virReportError(VIR_ERR_RPC,\n"; ++ print " \"%s\", _(\"max$single_ret_list_name must be non-negative\"));\n"; ++ print " goto cleanup;\n"; ++ print " }\n"; + print " if (args->$single_ret_list_max_var > $single_ret_list_max_define) {\n"; + print " virReportError(VIR_ERR_RPC,\n"; + print " \"%s\", _(\"max$single_ret_list_name > $single_ret_list_max_define\"));\n"; diff -Nru libvirt-7.0.0/debian/patches/CVE-2024-2496.patch libvirt-7.0.0/debian/patches/CVE-2024-2496.patch --- libvirt-7.0.0/debian/patches/CVE-2024-2496.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-7.0.0/debian/patches/CVE-2024-2496.patch 2024-07-30 21:35:28.000000000 +0200 @@ -0,0 +1,86 @@ +From: Dmitry Frolov <fro...@swemel.ru> +Date: Tue, 12 Sep 2023 15:56:47 +0300 +Subject: interface: fix udev_device_get_sysattr_value return value check + +Reviewing the code I found that return value of function +udev_device_get_sysattr_value() is dereferenced without a check. +udev_device_get_sysattr_value() may return NULL by number of reasons. + +v2: VIR_DEBUG added, replaced STREQ(NULLSTR()) with STREQ_NULLABLE() +v3: More checks added, to skip earlier. More verbose VIR_DEBUG. + +Signed-off-by: Dmitry Frolov <fro...@swemel.ru> +Reviewed-by: Martin Kletzander <mklet...@redhat.com> +Origin: https://gitlab.com/libvirt/libvirt/-/commit/2ca94317ac642a70921947150ced8acc674ccdc8 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-2496 +--- + src/interface/interface_backend_udev.c | 26 +++++++++++++++++++------- + 1 file changed, 19 insertions(+), 7 deletions(-) + +diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c +index 65a5244..74b24e8 100644 +--- a/src/interface/interface_backend_udev.c ++++ b/src/interface/interface_backend_udev.c +@@ -23,6 +23,7 @@ + #include <dirent.h> + #include <libudev.h> + ++#include "virlog.h" + #include "virerror.h" + #include "virfile.h" + #include "datatypes.h" +@@ -41,6 +42,8 @@ + + #define VIR_FROM_THIS VIR_FROM_INTERFACE + ++VIR_LOG_INIT("interface.interface_backend_udev"); ++ + struct udev_iface_driver { + struct udev *udev; + /* pid file FD, ensures two copies of the driver can't use the same root */ +@@ -357,11 +360,20 @@ udevConnectListAllInterfaces(virConnectPtr conn, + const char *macaddr; + virInterfaceDefPtr def; + +- path = udev_list_entry_get_name(dev_entry); +- dev = udev_device_new_from_syspath(udev, path); +- name = udev_device_get_sysname(dev); ++ if (!(path = udev_list_entry_get_name(dev_entry))) { ++ VIR_DEBUG("Skipping interface, path == NULL"); ++ continue; ++ } ++ if (!(dev = udev_device_new_from_syspath(udev, path))) { ++ VIR_DEBUG("Skipping interface '%s', dev == NULL", path); ++ continue; ++ } ++ if (!(name = udev_device_get_sysname(dev))) { ++ VIR_DEBUG("Skipping interface '%s', name == NULL", path); ++ continue; ++ } + macaddr = udev_device_get_sysattr_value(dev, "address"); +- status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up"); ++ status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up"); + + def = udevGetMinimalDefForDevice(dev); + if (!virConnectListAllInterfacesCheckACL(conn, def)) { +@@ -976,9 +988,9 @@ udevGetIfaceDef(struct udev *udev, const char *name) + + /* MTU */ + mtu_str = udev_device_get_sysattr_value(dev, "mtu"); +- if (virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) { ++ if (!mtu_str || virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, +- _("Could not parse MTU value '%s'"), mtu_str); ++ _("Could not parse MTU value '%s'"), NULLSTR(mtu_str)); + goto error; + } + ifacedef->mtu = mtu; +@@ -1105,7 +1117,7 @@ udevInterfaceIsActive(virInterfacePtr ifinfo) + goto cleanup; + + /* Check if it's active or not */ +- status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up"); ++ status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up"); + + udev_device_unref(dev); + diff -Nru libvirt-7.0.0/debian/patches/libxl-Fix-domain-shutdown.patch libvirt-7.0.0/debian/patches/libxl-Fix-domain-shutdown.patch --- libvirt-7.0.0/debian/patches/libxl-Fix-domain-shutdown.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-7.0.0/debian/patches/libxl-Fix-domain-shutdown.patch 2024-07-30 21:35:28.000000000 +0200 @@ -0,0 +1,226 @@ +From: Jim Fehlig <jfeh...@suse.com> +Date: Fri, 19 Feb 2021 16:29:10 -0700 +Subject: libxl: Fix domain shutdown + +Commit fa30ee04a2 caused a regression in normal domain shutown. +Initiating a shutdown from within the domain or via 'virsh shutdown' +does cause the guest OS running in the domain to shutdown, but libvirt +never reaps the domain so it is always shown in a running state until +calling 'virsh destroy'. + +The shutdown thread is also an internal user of the driver shutdown +machinery and eventually calls libxlDomainDestroyInternal where +the ignoreDeathEvent inhibitor is set, but running in a thread +introduces the possibility of racing with the death event from +libxl. This can be prevented by setting ignoreDeathEvent before +running the shutdown thread. + +An additional improvement is to handle the destroy event synchronously +instead of spawning a thread. The time consuming aspects of destroying +a domain have been completed when the destroy event is delivered. + +Signed-off-by: Jim Fehlig <jfeh...@suse.com> +Reviewed-by: Michal Privoznik <mpriv...@redhat.com> +Origin: https://gitlab.com/libvirt/libvirt/-/commit/87a9d3a6b01baebdca33d95ad0e79781b6a46ca8 +Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2034195 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-4147 +Bug-Debian: https://bugs.debian.org/1002535 +--- + src/libxl/libxl_domain.c | 120 ++++++++++++++++++++++------------------------- + 1 file changed, 57 insertions(+), 63 deletions(-) + +diff --git a/src/libxl/libxl_domain.c b/src/libxl/libxl_domain.c +index afa21bf..63938d5 100644 +--- a/src/libxl/libxl_domain.c ++++ b/src/libxl/libxl_domain.c +@@ -476,6 +476,7 @@ libxlDomainShutdownHandleRestart(libxlDriverPrivatePtr driver, + struct libxlShutdownThreadInfo + { + libxlDriverPrivatePtr driver; ++ virDomainObjPtr vm; + libxl_event *event; + }; + +@@ -484,7 +485,7 @@ static void + libxlDomainShutdownThread(void *opaque) + { + struct libxlShutdownThreadInfo *shutdown_info = opaque; +- virDomainObjPtr vm = NULL; ++ virDomainObjPtr vm = shutdown_info->vm; + libxl_event *ev = shutdown_info->event; + libxlDriverPrivatePtr driver = shutdown_info->driver; + virObjectEventPtr dom_event = NULL; +@@ -494,12 +495,6 @@ libxlDomainShutdownThread(void *opaque) + + libxl_domain_config_init(&d_config); + +- vm = virDomainObjListFindByID(driver->domains, ev->domid); +- if (!vm) { +- VIR_INFO("Received event for unknown domain ID %d", ev->domid); +- goto cleanup; +- } +- + if (libxlDomainObjBeginJob(driver, vm, LIBXL_JOB_MODIFY) < 0) + goto cleanup; + +@@ -616,32 +611,18 @@ libxlDomainShutdownThread(void *opaque) + } + + static void +-libxlDomainDeathThread(void *opaque) ++libxlDomainHandleDeath(libxlDriverPrivatePtr driver, virDomainObjPtr vm) + { +- struct libxlShutdownThreadInfo *shutdown_info = opaque; +- virDomainObjPtr vm = NULL; +- libxl_event *ev = shutdown_info->event; +- libxlDriverPrivatePtr driver = shutdown_info->driver; + virObjectEventPtr dom_event = NULL; +- g_autoptr(libxlDriverConfig) cfg = libxlDriverConfigGet(driver); +- libxlDomainObjPrivatePtr priv; +- +- vm = virDomainObjListFindByID(driver->domains, ev->domid); +- if (!vm) { +- /* vm->def->id already cleared, means the death was handled by the +- * driver already */ +- goto cleanup; +- } +- +- priv = vm->privateData; ++ libxlDomainObjPrivatePtr priv = vm->privateData; + + if (priv->ignoreDeathEvent) { + priv->ignoreDeathEvent = false; +- goto cleanup; ++ return; + } + + if (libxlDomainObjBeginJob(driver, vm, LIBXL_JOB_MODIFY) < 0) +- goto cleanup; ++ return; + + virDomainObjSetState(vm, VIR_DOMAIN_SHUTOFF, VIR_DOMAIN_SHUTOFF_DESTROYED); + dom_event = virDomainEventLifecycleNewFromObj(vm, +@@ -651,12 +632,7 @@ libxlDomainDeathThread(void *opaque) + if (!vm->persistent) + virDomainObjListRemove(driver->domains, vm); + libxlDomainObjEndJob(driver, vm); +- +- cleanup: +- virDomainObjEndAPI(&vm); + virObjectEventStateQueue(driver->domainEventState, dom_event); +- libxl_event_free(cfg->ctx, ev); +- VIR_FREE(shutdown_info); + } + + +@@ -668,16 +644,13 @@ libxlDomainEventHandler(void *data, VIR_LIBXL_EVENT_CONST libxl_event *event) + { + libxlDriverPrivatePtr driver = data; + libxl_shutdown_reason xl_reason = event->u.domain_shutdown.shutdown_reason; +- struct libxlShutdownThreadInfo *shutdown_info = NULL; +- virThread thread; ++ virDomainObjPtr vm = NULL; + g_autoptr(libxlDriverConfig) cfg = NULL; +- int ret = -1; +- g_autofree char *name = NULL; + + if (event->type != LIBXL_EVENT_TYPE_DOMAIN_SHUTDOWN && + event->type != LIBXL_EVENT_TYPE_DOMAIN_DEATH) { + VIR_INFO("Unhandled event type %d", event->type); +- goto error; ++ goto cleanup; + } + + /* +@@ -685,42 +658,63 @@ libxlDomainEventHandler(void *data, VIR_LIBXL_EVENT_CONST libxl_event *event) + * after calling libxl_domain_suspend() are handled by its callers. + */ + if (xl_reason == LIBXL_SHUTDOWN_REASON_SUSPEND) +- goto error; ++ goto cleanup; ++ ++ vm = virDomainObjListFindByID(driver->domains, event->domid); ++ if (!vm) { ++ /* Nothing to do if we can't find the virDomainObj */ ++ goto cleanup; ++ } ++ ++ if (event->type == LIBXL_EVENT_TYPE_DOMAIN_SHUTDOWN) { ++ libxlDomainObjPrivatePtr priv = vm->privateData; ++ struct libxlShutdownThreadInfo *shutdown_info = NULL; ++ virThread thread; ++ g_autofree char *name = NULL; + +- /* +- * Start a thread to handle shutdown. We don't want to be tying up +- * libxl's event machinery by doing a potentially lengthy shutdown. +- */ +- shutdown_info = g_new0(struct libxlShutdownThreadInfo, 1); +- +- shutdown_info->driver = driver; +- shutdown_info->event = (libxl_event *)event; +- name = g_strdup_printf("ev-%d", event->domid); +- if (event->type == LIBXL_EVENT_TYPE_DOMAIN_SHUTDOWN) +- ret = virThreadCreateFull(&thread, false, libxlDomainShutdownThread, +- name, false, shutdown_info); +- else if (event->type == LIBXL_EVENT_TYPE_DOMAIN_DEATH) +- ret = virThreadCreateFull(&thread, false, libxlDomainDeathThread, +- name, false, shutdown_info); +- +- if (ret < 0) { + /* +- * Not much we can do on error here except log it. ++ * Start a thread to handle shutdown. We don't want to be tying up ++ * libxl's event machinery by doing a potentially lengthy shutdown. + */ +- VIR_ERROR(_("Failed to create thread to handle domain shutdown")); +- goto error; +- } ++ shutdown_info = g_new0(struct libxlShutdownThreadInfo, 1); + +- /* +- * libxlShutdownThreadInfo and libxl_event are freed in shutdown thread +- */ +- return; ++ shutdown_info->driver = driver; ++ shutdown_info->vm = vm; ++ shutdown_info->event = (libxl_event *)event; ++ name = g_strdup_printf("ev-%d", event->domid); ++ /* ++ * Cleanup will be handled by the shutdown thread. ++ * Ignore the forthcoming death event from libxl ++ */ ++ priv->ignoreDeathEvent = true; ++ if (virThreadCreateFull(&thread, false, libxlDomainShutdownThread, ++ name, false, shutdown_info) < 0) { ++ priv->ignoreDeathEvent = false; ++ /* ++ * Not much we can do on error here except log it. ++ */ ++ VIR_ERROR(_("Failed to create thread to handle domain shutdown")); ++ VIR_FREE(shutdown_info); ++ goto cleanup; ++ } ++ /* ++ * virDomainObjEndAPI is called in the shutdown thread, where ++ * libxlShutdownThreadInfo and libxl_event are also freed. ++ */ ++ return; ++ } else if (event->type == LIBXL_EVENT_TYPE_DOMAIN_DEATH) { ++ /* ++ * On death the domain is cleaned up from Xen's perspective. ++ * Cleanup on the libvirt side can be done synchronously. ++ */ ++ libxlDomainHandleDeath(driver, vm); ++ } + +- error: ++ cleanup: ++ virDomainObjEndAPI(&vm); + cfg = libxlDriverConfigGet(driver); + /* Cast away any const */ + libxl_event_free(cfg->ctx, (libxl_event *)event); +- VIR_FREE(shutdown_info); + } + + char * diff -Nru libvirt-7.0.0/debian/patches/series libvirt-7.0.0/debian/patches/series --- libvirt-7.0.0/debian/patches/series 2023-02-06 17:49:16.000000000 +0100 +++ libvirt-7.0.0/debian/patches/series 2024-07-30 21:35:28.000000000 +0200 @@ -15,3 +15,17 @@ backport/vircgroup-Fix-virCgroupKillRecursive-wrt-nested-controlle.patch backport/tests-Fix-libxlxml2domconfigtest-with-latest-xen.patch backport/tests-Fix-libxlxml2domconfigtest.patch +CVE-2021-3631.patch +CVE-2021-3667.patch +CVE-2021-3975.patch +libxl-Fix-domain-shutdown.patch +CVE-2021-4147_1.patch +CVE-2021-4147_2.patch +CVE-2021-4147_3.patch +CVE-2021-4147_4.patch +CVE-2021-4147_5.patch +CVE-2021-4147_6.patch +CVE-2022-0897.patch +CVE-2024-1441.patch +CVE-2024-2496.patch +CVE-2024-2494.patch
signature.asc
Description: PGP signature
