Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package libvirt
This fixes several CVEs as well as crashes:
CVEs:
* CVE-2014-8131: Fix possible deadlock and segfault in
qemuConnectGetAllDomainStats() (Closes: #773858)
* CVE-2014-8135: storage: fix crash caused by no check return before
set close (Closes: #773855)
* CVE-2014-8136: qemu: migration: Unlock vm on failed ACL check in
protocol v2 APIs (Closes: #773856)
Crashes:
* qemu: Fix crash in tunnelled migration (Closes: #773503)
* lxc: Fix crash when using interface type 'direct' (Closes:
#769600)
Doc update:
* Document surprises on CPU microcode updates (Closes: #773706)
Fix unusable drivers/features
* vbox: fix a bug in _machineStateInactive (Closes: #770202)
* Install lock drivers (Closes: #773706)
* qemu: bulk stats: Fix logic in monitor handling
I'm not happy with that amount of changes late in the release; each
individual change is rather small though.
Cheers,
-- Guido
unblock libvirt/1.2.9-7
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'testing-updates'), (500, 'unstable'),
(1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-rc6 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/README.Debian b/debian/README.Debian
index ffa7917..0fa9358 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -84,4 +84,32 @@ for a complete explanation:
<http://bugs.debian.org/453627>
<http://bugs.debian.org/614291>
- -- Guido Günther <a...@sigxcpu.org> Sun, 28 Sep 2014 09:50:41 +0200
+Libvirt CPU models and microcode updates
+========================================
+CPU microcode updates (e.g. via the intel-microcode package) might change the
+available CPU flags. One example is version 3.20140913.1 of the intel-microcode
+removing TSX-NI which results in the kernel no longer reporting the *hle* flag.
+
+In this case if you hard coded the CPU model in your virtual machine
+configuration via:
+
+ <cpu mode='custom' match='exact'>
+ <model fallback='forbid'>Haswell</model>
+ <vendor>Intel</vendor>
+ ...
+ </cpu>
+
+and update the CPU microcode the VM might fail to start with errors like
+
+ error: Failed to start domain foo
+ error: unsupported configuration: guest and host CPU are not compatible: Host CPU does not provide required features: hle
+
+since libvirt doesn't differentiate between microcode versions. It is therefore
+recommended to copy over the needed CPU flags instead of hard coding the CPU
+model. See
+
+ <https://www.redhat.com/archives/libvir-list/2014-December/msg00950.html>
+
+for further details.
+
+ -- Guido Günther <a...@sigxcpu.org> Wen, 24 Dec 2014 09:55:41 +0200
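Review bot: the signature line closing the new README section, `-- Guido Günther <a...@sigxcpu.org> Wen, 24 Dec 2014 09:55:41 +0200`, has a typo in the weekday (should be `Wed`) and a timezone that disagrees with the changelog entry for the same day, which uses `+0100`. The advice itself would be easier to act on if the recommended flag-based configuration were shown next to the hard-coded `<model fallback='forbid'>Haswell</model>` example it warns against, rather than only linked.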
diff --git a/debian/changelog b/debian/changelog
index b4f25d7..90ea4aa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,24 @@
+libvirt (1.2.9-7) unstable; urgency=medium
+
+ * [d7df883] CVE-2014-8131: Fix possible deadlock and segfault in
+ qemuConnectGetAllDomainStats()
+ (Closes: #773858)
+ * [d0085e0] qemu: bulk stats: Fix logic in monitor handling
+ * [b5e081c] CVE-2014-8135: storage: fix crash caused by no check return
+ before set close
+ (Closes: #773855)
+ * [a5452de] CVE-2014-8136: qemu: migration: Unlock vm on failed ACL check in
+ protocol v2 APIs
+ (Closes: #773856)
+ * [5aaafc9] qemu: Fix crash in tunnelled migration (Closes: #773503)
+ * [87b3713] lxc: Fix crash when using interface type 'direct'
+ Thanks to Bastian Blank for the patch (Closes: #769600)
+ * [17807c0] Document surprises on CPU microcode updates (Closes: #773706)
+ * [66a3ca6] Install lock drivers (Closes: #773706)
+ * [f6ffda7] vbox: fix a bug in _machineStateInactive (Closes: #770202)
+
+ -- Guido Günther <a...@sigxcpu.org> Wed, 24 Dec 2014 10:33:31 +0100
+
libvirt (1.2.9-6) unstable; urgency=medium
* [9779548] Add a python build-dependency for the docs build
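Review bot: the entries `[17807c0] Document surprises on CPU microcode updates (Closes: #773706)` and `[66a3ca6] Install lock drivers (Closes: #773706)` close the same bug number, and the unblock request above repeats the pair; one of the two is most likely a copy-paste slip and should be checked before upload, since accepting the package will close whichever bug is named.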
diff --git a/debian/libvirt-daemon.install b/debian/libvirt-daemon.install
index 74ba67f..7852973 100644
--- a/debian/libvirt-daemon.install
+++ b/debian/libvirt-daemon.install
@@ -1,5 +1,6 @@
usr/sbin/*
usr/lib/libvirt/libvirt*
+usr/lib/libvirt/lock-driver/lockd.so
usr/lib/libvirt/connection-driver
usr/share/augeas/*
usr/share/libvirt/*
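Review bot: the added line `usr/lib/libvirt/lock-driver/lockd.so` installs a single file while the changelog says `Install lock drivers` (plural) and the surrounding entries use globs such as `usr/lib/libvirt/libvirt*`; if the intent is to ship every lock plugin the build produces, `usr/lib/libvirt/lock-driver/*` would match the existing style, otherwise the changelog wording should say that only lockd is installed.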
diff --git a/debian/patches/lxc-Don-t-crash-on-NULL-ifname_guest_actual.patch b/debian/patches/lxc-Don-t-crash-on-NULL-ifname_guest_actual.patch
new file mode 100644
index 0000000..9222bf8
--- /dev/null
+++ b/debian/patches/lxc-Don-t-crash-on-NULL-ifname_guest_actual.patch
@@ -0,0 +1,21 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <a...@sigxcpu.org>
+Date: Fri, 19 Dec 2014 10:11:42 +0100
+Subject: lxc: Don't crash on NULL ifname_guest_actual
+
+---
+ src/lxc/lxc_container.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
+index 2af2674..0ebcb11 100644
+--- a/src/lxc/lxc_container.c
++++ b/src/lxc/lxc_container.c
+@@ -473,7 +473,7 @@ lxcContainerGetNetDef(virDomainDefPtr vmDef, const char *devName)
+
+ for (i = 0; i < vmDef->nnets; i++) {
+ netDef = vmDef->nets[i];
+- if (STREQ(netDef->ifname_guest_actual, devName))
++ if (netDef->ifname_guest_actual && STREQ(netDef->ifname_guest_actual, devName))
+ return netDef;
+ }
+
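Review bot: the NULL guard `if (netDef->ifname_guest_actual && STREQ(netDef->ifname_guest_actual, devName))` could use the `STREQ_NULLABLE` macro that the tunnelled-migration patch further down in this debdiff already relies on, which keeps the line short and the intent obvious. It is also worth confirming that every caller of lxcContainerGetNetDef handles a NULL return, because a net definition whose ifname_guest_actual is unset is now silently skipped instead of crashing.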
diff --git a/debian/patches/lxc-Move-setting-ifname_guest_actual-to-virLXCSetupI.patch b/debian/patches/lxc-Move-setting-ifname_guest_actual-to-virLXCSetupI.patch
new file mode 100644
index 0000000..772a1cc
--- /dev/null
+++ b/debian/patches/lxc-Move-setting-ifname_guest_actual-to-virLXCSetupI.patch
@@ -0,0 +1,32 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <a...@sigxcpu.org>
+Date: Fri, 19 Dec 2014 10:08:38 +0100
+Subject: lxc: Move setting ifname_guest_actual to virLXCSetupInterfaces
+
+so it applies to interfaces of type 'direct' too.
+---
+ src/lxc/lxc_process.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
+index ed30c37..d15c215 100644
+--- a/src/lxc/lxc_process.c
++++ b/src/lxc/lxc_process.c
+@@ -259,8 +259,6 @@ char *virLXCProcessSetupInterfaceBridged(virConnectPtr conn,
+
+ if (virNetDevSetMAC(containerVeth, &net->mac) < 0)
+ goto cleanup;
+- if (VIR_STRDUP(net->ifname_guest_actual, containerVeth) < 0)
+- goto cleanup;
+
+ if (vport && vport->virtPortType == VIR_NETDEV_VPORT_PROFILE_OPENVSWITCH) {
+ if (virNetDevOpenvswitchAddPort(brname, parentVeth, &net->mac,
+@@ -452,6 +450,9 @@ static int virLXCProcessSetupInterfaces(virConnectPtr conn,
+
+ (*veths)[(*nveths)-1] = veth;
+
++ if (VIR_STRDUP(def->nets[i]->ifname_guest_actual, veth) < 0)
++ goto cleanup;
++
+ /* Make sure all net definitions will have a name in the container */
+ if (!def->nets[i]->ifname_guest) {
+ if (virAsprintf(&def->nets[i]->ifname_guest, "eth%zu", niface) < 0)
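Review bot: `VIR_STRDUP(def->nets[i]->ifname_guest_actual, veth)` in virLXCProcessSetupInterfaces does not release a previous value, so if this function can run against a definition whose ifname_guest_actual is already populated the old string is leaked; a `VIR_FREE` before the strdup, or a comment stating that the field is guaranteed unset at this point, would make that explicit. The removal from virLXCProcessSetupInterfaceBridged in the preceding hunk is the only former assignment, so the move itself preserves behaviour for the bridged case while extending it to type 'direct' as the subject states.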
diff --git a/debian/patches/qemu-bulk-stats-Fix-logic-in-monitor-handling.patch b/debian/patches/qemu-bulk-stats-Fix-logic-in-monitor-handling.patch
new file mode 100644
index 0000000..d9400bd
--- /dev/null
+++ b/debian/patches/qemu-bulk-stats-Fix-logic-in-monitor-handling.patch
@@ -0,0 +1,36 @@
+From: Francesco Romani <from...@redhat.com>
+Date: Thu, 11 Dec 2014 08:44:09 +0100
+Subject: qemu: bulk stats: Fix logic in monitor handling
+
+A logic bug in qemuConnectGetAllDomainStats makes the code mark the
+monitor as available when qemuDomainObjBeginJob fails, instead of when
+it succeeds, as the correct flow requires.
+
+This patch fixes the check and updates the code documentation
+accordingly.
+
+Broken by commit 57023c0a3af4af1c547189c1f6712ed5edeb0c0b.
+
+Signed-off-by: Francesco Romani <from...@redhat.com>
+(cherry picked from commit cb104ef734dfea12cb8826dba7e2c98912c4b7e1)
+Signed-off-by: Martin Kletzander <mklet...@redhat.com>
+---
+ src/qemu/qemu_driver.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 14a1ae9..048ded9 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -18153,9 +18153,9 @@ qemuConnectGetAllDomainStats(virConnectPtr conn,
+ }
+
+ if (HAVE_JOB(privflags) &&
+- qemuDomainObjBeginJob(driver, dom, QEMU_JOB_QUERY) < 0)
+- /* As it was never requested. Gather as much as possible anyway. */
++ qemuDomainObjBeginJob(driver, dom, QEMU_JOB_QUERY) == 0)
+ domflags |= QEMU_DOMAIN_STATS_HAVE_JOB;
++ /* else: without a job it's still possible to gather some data */
+
+ if (qemuDomainGetStats(conn, dom, stats, &tmp, domflags) < 0)
+ goto endjob;
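Review bot: the corrected condition `qemuDomainObjBeginJob(driver, dom, QEMU_JOB_QUERY) == 0` rewrites the line that the CVE-2014-8131 patch introduces with `< 0`, so this patch is only correct when applied after it; debian/patches/series lists the CVE patch first, which is right, but the two belong together and any future rebase must keep that order, otherwise the job flag is set exactly when no job was obtained and qemuDomainObjEndJob runs without a job.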
diff --git a/debian/patches/security/CVE-2014-8131-Fix-possible-deadlock-and-segfault-in-.patch b/debian/patches/security/CVE-2014-8131-Fix-possible-deadlock-and-segfault-in-.patch
new file mode 100644
index 0000000..9ff9874
--- /dev/null
+++ b/debian/patches/security/CVE-2014-8131-Fix-possible-deadlock-and-segfault-in-.patch
@@ -0,0 +1,73 @@
+From: Martin Kletzander <mklet...@redhat.com>
+Date: Thu, 27 Nov 2014 15:47:52 +0100
+Subject: CVE-2014-8131: Fix possible deadlock and segfault in
+ qemuConnectGetAllDomainStats()
+
+When user doesn't have read access on one of the domains he requested,
+the for loop could exit abruptly or continue and override pointer which
+pointed to locked object.
+
+This patch fixed two issues at once. One is that domflags might have
+had QEMU_DOMAIN_STATS_HAVE_JOB even when there was no job started (this
+is fixed by doing domflags |= QEMU_DOMAIN_STATS_HAVE_JOB only when the
+job was acquired and cleaning domflags on every start of the loop.
+Second one is that the domain is kept locked when
+virConnectGetAllDomainStatsCheckACL() fails and continues the loop when
+it didn't end. Adding a simple virObjectUnlock() and clearing the
+pointer ought to do.
+
+Signed-off-by: Martin Kletzander <mklet...@redhat.com>
+(cherry picked from commit 57023c0a3af4af1c547189c1f6712ed5edeb0c0b)
+Signed-off-by: Martin Kletzander <mklet...@redhat.com>
+---
+ src/qemu/qemu_driver.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index e873d45..14a1ae9 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -18139,20 +18139,23 @@ qemuConnectGetAllDomainStats(virConnectPtr conn,
+ privflags |= QEMU_DOMAIN_STATS_HAVE_JOB;
+
+ for (i = 0; i < ndoms; i++) {
+- domflags = privflags;
+ virDomainStatsRecordPtr tmp = NULL;
++ domflags = 0;
+
+ if (!(dom = qemuDomObjFromDomain(doms[i])))
+ continue;
+
+ if (doms != domlist &&
+- !virConnectGetAllDomainStatsCheckACL(conn, dom->def))
++ !virConnectGetAllDomainStatsCheckACL(conn, dom->def)) {
++ virObjectUnlock(dom);
++ dom = NULL;
+ continue;
++ }
+
+- if (HAVE_JOB(domflags) &&
++ if (HAVE_JOB(privflags) &&
+ qemuDomainObjBeginJob(driver, dom, QEMU_JOB_QUERY) < 0)
+ /* As it was never requested. Gather as much as possible anyway. */
+- domflags &= ~QEMU_DOMAIN_STATS_HAVE_JOB;
++ domflags |= QEMU_DOMAIN_STATS_HAVE_JOB;
+
+ if (qemuDomainGetStats(conn, dom, stats, &tmp, domflags) < 0)
+ goto endjob;
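Review bot: as written this hunk sets `domflags |= QEMU_DOMAIN_STATS_HAVE_JOB` in the branch where `qemuDomainObjBeginJob(...) < 0`, i.e. when no job was acquired, and leaves the now-misleading comment `/* As it was never requested. Gather as much as possible anyway. */` in place; the unlock and pointer reset on the failed ACL check are the actual CVE fix and look correct, but the inverted job flag is the defect that `qemu-bulk-stats-Fix-logic-in-monitor-handling.patch` corrects, so this patch must not ship without that follow-up.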
+@@ -18160,9 +18163,12 @@ qemuConnectGetAllDomainStats(virConnectPtr conn,
+ if (tmp)
+ tmpstats[nstats++] = tmp;
+
+- if (HAVE_JOB(domflags) && !qemuDomainObjEndJob(driver, dom)) {
+- dom = NULL;
+- continue;
++ if (HAVE_JOB(domflags)) {
++ domflags = 0;
++ if (!qemuDomainObjEndJob(driver, dom)) {
++ dom = NULL;
++ continue;
++ }
+ }
+
+ virObjectUnlock(dom);
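Review bot: resetting `domflags = 0` before `qemuDomainObjEndJob` only covers the normal path; the `goto endjob` after a failed qemuDomainGetStats in the previous hunk reaches the `endjob` label with the flag still set, so the code under that label (not visible in this hunk) needs to test HAVE_JOB(domflags) and end the job itself, otherwise an error on one domain leaves its job open.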
diff --git a/debian/patches/security/CVE-2014-8135-storage-fix-crash-caused-by-no-check-r.patch b/debian/patches/security/CVE-2014-8135-storage-fix-crash-caused-by-no-check-r.patch
new file mode 100644
index 0000000..70cf119
--- /dev/null
+++ b/debian/patches/security/CVE-2014-8135-storage-fix-crash-caused-by-no-check-r.patch
@@ -0,0 +1,44 @@
+From: Luyao Huang <lhu...@redhat.com>
+Date: Wed, 3 Dec 2014 23:01:32 +0800
+Subject: CVE-2014-8135: storage: fix crash caused by no check return before
+ set close
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1087104#c5
+
+When trying to use an invalid offset to virStorageVolUpload(), libvirt
+fails in virFDStreamOpenFileInternal(), although it seems libvirt does
+not check the return in storageVolUpload(), and calls
+virFDStreamSetInternalCloseCb() right after. But stream doesn't have a
+privateData (is NULL) yet, and the daemon crashes then.
+
+0 0x00007f09429a9c10 in pthread_mutex_lock () from /lib64/libpthread.so.0
+1 0x00007f094514dbf5 in virMutexLock (m=<optimized out>) at util/virthread.c:88
+2 0x00007f09451cb211 in virFDStreamSetInternalCloseCb at fdstream.c:795
+3 0x00007f092ff2c9eb in storageVolUpload at storage/storage_driver.c:2098
+4 0x00007f09451f46e0 in virStorageVolUpload at libvirt.c:14000
+5 0x00007f0945c78fa1 in remoteDispatchStorageVolUpload at remote_dispatch.h:14339
+6 remoteDispatchStorageVolUploadHelper at remote_dispatch.h:14309
+7 0x00007f094524a192 in virNetServerProgramDispatchCall at rpc/virnetserverprogram.c:437
+
+Signed-off-by: Luyao Huang <lhu...@redhat.com>
+(cherry picked from commit 87b9437f8951f9d24f9a85c6bbfff0e54df8c984)
+---
+ src/storage/storage_driver.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
+index 7c518bf..7d4ae50 100644
+--- a/src/storage/storage_driver.c
++++ b/src/storage/storage_driver.c
+@@ -2088,8 +2088,9 @@ storageVolUpload(virStorageVolPtr obj,
+ goto cleanup;
+ }
+
+- ret = backend->uploadVol(obj->conn, pool, vol, stream,
+- offset, length, flags);
++ if ((ret = backend->uploadVol(obj->conn, pool, vol, stream,
++ offset, length, flags)) < 0)
++ goto cleanup;
+
+ /* Add cleanup callback - call after uploadVol since the stream
+ * is then fully set up
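Review bot: moving the error check into the caller with `if ((ret = backend->uploadVol(...)) < 0) goto cleanup;` stops storageVolUpload from reaching virFDStreamSetInternalCloseCb with a stream whose privateData is still NULL. Since the backtrace shows the crash inside virFDStreamSetInternalCloseCb itself (virMutexLock at fdstream.c:795), a defensive NULL check in that function would protect any other caller that makes the same mistake; worth raising upstream even if this backport stays minimal.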
diff --git a/debian/patches/security/CVE-2014-8136-qemu-migration-Unlock-vm-on-failed-ACL.patch b/debian/patches/security/CVE-2014-8136-qemu-migration-Unlock-vm-on-failed-ACL.patch
new file mode 100644
index 0000000..6884e25
--- /dev/null
+++ b/debian/patches/security/CVE-2014-8136-qemu-migration-Unlock-vm-on-failed-ACL.patch
@@ -0,0 +1,43 @@
+From: Peter Krempa <pkre...@redhat.com>
+Date: Mon, 8 Dec 2014 19:25:21 +0100
+Subject: CVE-2014-8136: qemu: migration: Unlock vm on failed ACL check in
+ protocol v2 APIs
+
+Avoid leaving the domain locked on a failed ACL check in
+qemuDomainMigratePerform() and qemuDomainMigrateFinish2().
+
+Introduced in commit abf75aea247e (Add ACL checks into the QEMU driver).
+
+(cherry picked from commit 2bdcd29c713dfedd813c89f56ae98f6f3898313d)
+---
+ src/qemu/qemu_driver.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 048ded9..0c9b269 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -11008,8 +11008,10 @@ qemuDomainMigratePerform(virDomainPtr dom,
+ if (!(vm = qemuDomObjFromDomain(dom)))
+ goto cleanup;
+
+- if (virDomainMigratePerformEnsureACL(dom->conn, vm->def) < 0)
++ if (virDomainMigratePerformEnsureACL(dom->conn, vm->def) < 0) {
++ virObjectUnlock(vm);
+ goto cleanup;
++ }
+
+ if (flags & VIR_MIGRATE_PEER2PEER) {
+ dconnuri = uri;
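Review bot: the added `virObjectUnlock(vm); goto cleanup;` on the failed ACL check implies that the `cleanup` label in qemuDomainMigratePerform does not unlock `vm`, so any other early exit between `qemuDomObjFromDomain(dom)` and the point where `vm` is normally released would leak the lock in exactly the same way; it is worth auditing the remaining `goto cleanup` sites in both functions (not visible here) rather than fixing only the two the CVE names.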
+@@ -11056,8 +11058,10 @@ qemuDomainMigrateFinish2(virConnectPtr dconn,
+ goto cleanup;
+ }
+
+- if (virDomainMigrateFinish2EnsureACL(dconn, vm->def) < 0)
++ if (virDomainMigrateFinish2EnsureACL(dconn, vm->def) < 0) {
++ virObjectUnlock(vm);
+ goto cleanup;
++ }
+
+ /* Do not use cookies in v2 protocol, since the cookie
+ * length was not sufficiently large, causing failures
diff --git a/debian/patches/series b/debian/patches/series
index cfa566c..3cb2c9f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -16,3 +16,11 @@ debian/Debianize-virtlockd.patch
qemu-use-systemd-s-TerminateMachine-to-kill-all-proc.patch
security/CVE-2014-7823-dumpxml-security-hole-with-migratable-.patch
util-Prepare-URI-formatting-for-libxml2-2.9.2.patch
+security/CVE-2014-8131-Fix-possible-deadlock-and-segfault-in-.patch
+qemu-bulk-stats-Fix-logic-in-monitor-handling.patch
+security/CVE-2014-8135-storage-fix-crash-caused-by-no-check-r.patch
+security/CVE-2014-8136-qemu-migration-Unlock-vm-on-failed-ACL.patch
+upstream/qemu-Fix-crash-in-tunnelled-migration.patch
+lxc-Move-setting-ifname_guest_actual-to-virLXCSetupI.patch
+lxc-Don-t-crash-on-NULL-ifname_guest_actual.patch
+upstream/vbox-fix-a-bug-in-_machineStateInactive.patch
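Review bot: two orderings in series are load-bearing: `security/CVE-2014-8131-Fix-possible-deadlock-and-segfault-in-.patch` must precede `qemu-bulk-stats-Fix-logic-in-monitor-handling.patch` (the latter rewrites a line the former adds), and `lxc-Move-setting-ifname_guest_actual-to-virLXCSetupI.patch` must precede `lxc-Don-t-crash-on-NULL-ifname_guest_actual.patch`; both pairs are in the right order. The two lxc patches are Debian-authored rather than cherry-picks, which is why they are not under `upstream/`; a note on whether they have been submitted upstream would help the next maintainer.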
diff --git a/debian/patches/upstream/qemu-Fix-crash-in-tunnelled-migration.patch b/debian/patches/upstream/qemu-Fix-crash-in-tunnelled-migration.patch
new file mode 100644
index 0000000..c7e0e13
--- /dev/null
+++ b/debian/patches/upstream/qemu-Fix-crash-in-tunnelled-migration.patch
@@ -0,0 +1,32 @@
+From: Jiri Denemark <jdene...@redhat.com>
+Date: Thu, 20 Nov 2014 13:09:16 +0100
+Subject: qemu: Fix crash in tunnelled migration
+
+Any attempt to start a tunnelled migration with libvirtd that supports
+RDMA migration (specifically commit v1.2.8-226-ged22a47) crashes
+libvirtd on the destination host.
+
+The crash is inevitable because qemuMigrationPrepareAny is always called
+with NULL protocol in case of tunnelled migration.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1147331
+Signed-off-by: Jiri Denemark <jdene...@redhat.com>
+
+Closes: #773503
+---
+ src/qemu/qemu_migration.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
+index 284cd5a..e18556f 100644
+--- a/src/qemu/qemu_migration.c
++++ b/src/qemu/qemu_migration.c
+@@ -2696,7 +2696,7 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver,
+ QEMU_MIGRATION_COOKIE_NBD)))
+ goto cleanup;
+
+- if (STREQ(protocol, "rdma") && !vm->def->mem.hard_limit) {
++ if (STREQ_NULLABLE(protocol, "rdma") && !vm->def->mem.hard_limit) {
+ virReportError(VIR_ERR_OPERATION_INVALID, "%s",
+ _("cannot start RDMA migration with no memory hard "
+ "limit set"));
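Review bot: `STREQ_NULLABLE(protocol, "rdma")` makes this one comparison safe for the NULL protocol that tunnelled migration passes, but the commit message says qemuMigrationPrepareAny is always called with NULL in that case, so any other dereference of `protocol` later in the function (outside this hunk) needs the same treatment; worth confirming this was the only one in the 1.2.9 code base.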
diff --git a/debian/patches/upstream/vbox-fix-a-bug-in-_machineStateInactive.patch b/debian/patches/upstream/vbox-fix-a-bug-in-_machineStateInactive.patch
new file mode 100644
index 0000000..7f0305c
--- /dev/null
+++ b/debian/patches/upstream/vbox-fix-a-bug-in-_machineStateInactive.patch
@@ -0,0 +1,28 @@
+From: Yohan BELLEGUIC <yohan.belleg...@diateam.net>
+Date: Wed, 19 Nov 2014 09:53:15 +0100
+Subject: vbox: fix a bug in _machineStateInactive
+
+This function returned non-inactive domains instead of active
+domains. This broke virConnectNumOfDefinedDomains() and
+virConnectListDefinedDomains() functions.
+
+Closes: #770202
+---
+ src/vbox/vbox_tmpl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/vbox/vbox_tmpl.c b/src/vbox/vbox_tmpl.c
+index e5d6d66..c42e186 100644
+--- a/src/vbox/vbox_tmpl.c
++++ b/src/vbox/vbox_tmpl.c
+@@ -6081,8 +6081,8 @@ static bool _machineStateOnline(PRUint32 state)
+
+ static bool _machineStateInactive(PRUint32 state)
+ {
+- return ((state > MachineState_FirstOnline) &&
+- (state < MachineState_LastOnline));
++ return ((state < MachineState_FirstOnline) ||
++ (state > MachineState_LastOnline));
+ }
+
+ static bool _machineStateNotStart(PRUint32 state)
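Review bot: the corrected predicate `(state < MachineState_FirstOnline) || (state > MachineState_LastOnline)` treats a state equal to FirstOnline or LastOnline as not inactive, whereas the removed expression used strict inequalities on the same bounds; check that `_machineStateOnline` (the function just above, visible only as hunk context) uses inclusive bounds, otherwise those two boundary states are classified as neither online nor inactive and drop out of both domain listings.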