Hello community, here is the log from the commit of package libvirt for openSUSE:Factory checked in at 2013-08-15 13:22:38 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libvirt (Old) and /work/SRC/openSUSE:Factory/.libvirt.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libvirt" Changes: -------- --- /work/SRC/openSUSE:Factory/libvirt/libvirt.changes 2013-08-04 08:00:29.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libvirt.new/libvirt.changes 2013-08-15 13:22:40.000000000 +0200 @@ -1,0 +2,10 @@ +Tue Aug 13 10:47:37 MDT 2013 - jfeh...@suse.com + +- Fix memory corruption in legacy Xen driver + 0e671a16-CVE-2013-4239.patch + bnc#834598 +- Upstream patches to fix dumpxml in legacy Xen driver + 9d0557b9-legacy-xen-double-free.patch, + d7a45bf2-legacy-xen-dumpxml.patch + +------------------------------------------------------------------- New: ---- 0e671a16-CVE-2013-4239.patch 9d0557b9-legacy-xen-double-free.patch d7a45bf2-legacy-xen-dumpxml.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libvirt.spec ++++++ --- /var/tmp/diff_new_pack.B0n9IN/_old 2013-08-15 13:22:41.000000000 +0200 +++ /var/tmp/diff_new_pack.B0n9IN/_new 2013-08-15 13:22:41.000000000 +0200 @@ -405,6 +405,9 @@ Source99: baselibs.conf # Upstream patches Patch0: bcef0f01-libxl-console.patch +Patch1: 9d0557b9-legacy-xen-double-free.patch +Patch2: d7a45bf2-legacy-xen-dumpxml.patch +Patch3: 0e671a16-CVE-2013-4239.patch # Need to go upstream Patch100: xen-name-for-devid.patch Patch101: clone.patch @@ -904,6 +907,9 @@ %prep %setup -q %patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 %patch100 -p1 %patch101 %patch102 -p1 ++++++ 0e671a16-CVE-2013-4239.patch ++++++ commit 0e671a1646df543eab683b38f6644f70d12fbee1 Author: Jim Fehlig <jfeh...@suse.com> Date: Mon Aug 5 10:27:23 2013 -0600 xen: fix memory corruption in legacy driver Commit 632180d1 introduced memory corruption in xenDaemonListDefinedDomains by starting to populate the names array at index -1, causing all sorts of havoc in libvirtd such as aborts like the following *** Error in `/usr/sbin/libvirtd': double free or corruption (out): 0x00007fffe00ccf20 *** ======= Backtrace: ========= /lib64/libc.so.6(+0x7abf6)[0x7ffff3fa0bf6] /lib64/libc.so.6(+0x7b973)[0x7ffff3fa1973] /lib64/libc.so.6(xdr_array+0xde)[0x7ffff403cbae] /usr/sbin/libvirtd(+0x50251)[0x5555555a4251] /lib64/libc.so.6(xdr_free+0x15)[0x7ffff403ccd5] /usr/lib64/libvirt.so.0(+0x1fad34)[0x7ffff76b1d34] /usr/lib64/libvirt.so.0(virNetServerProgramDispatch+0x1fc)[0x7ffff76b16f1] /usr/lib64/libvirt.so.0(+0x1f214a)[0x7ffff76a914a] /usr/lib64/libvirt.so.0(+0x1f222d)[0x7ffff76a922d] /usr/lib64/libvirt.so.0(+0xbcc4f)[0x7ffff7573c4f] /usr/lib64/libvirt.so.0(+0xbc5e5)[0x7ffff75735e5] /lib64/libpthread.so.0(+0x7e0f)[0x7ffff48f7e0f] /lib64/libc.so.6(clone+0x6d)[0x7ffff400e7dd] Fix by initializing ret to 0 and only setting to error on failure path. Index: libvirt-1.1.1/src/xen/xend_internal.c =================================================================== --- libvirt-1.1.1.orig/src/xen/xend_internal.c +++ libvirt-1.1.1/src/xen/xend_internal.c @@ -2896,7 +2896,7 @@ xenDaemonListDefinedDomains(virConnectPt { struct sexpr *root = NULL; size_t i; - int ret = -1; + int ret = 0; struct sexpr *_for_i, *node; if (maxnames == 0) @@ -2919,16 +2919,15 @@ xenDaemonListDefinedDomains(virConnectPt break; } - ret = 0; - cleanup: sexpr_free(root); return ret; error: - for (i = 0; ret != -1 && i < ret; ++i) + for (i = 0; i < ret; ++i) VIR_FREE(names[i]); + ret = -1; goto cleanup; } ++++++ 9d0557b9-legacy-xen-double-free.patch ++++++ commit 9d0557b9655fe4a3f31af2e1cc2f33de8acfaa7d Author: Stefan Bader <stefan.ba...@canonical.com> Date: Wed Jul 31 11:59:21 2013 +0200 xen: Avoid double free of virDomainDef in xenDaemonCreateXML The virDomainDef is allocated by the caller and also used after calling to xenDaemonCreateXML. So it must not get freed by the callee. Signed-off-by: Stefan Bader <stefan.ba...@canonical.com> Index: libvirt-1.1.1/src/xen/xend_internal.c =================================================================== --- libvirt-1.1.1.orig/src/xen/xend_internal.c +++ libvirt-1.1.1/src/xen/xend_internal.c @@ -2171,7 +2171,6 @@ xenDaemonCreateXML(virConnectPtr conn, v if (xenDaemonDomainResume(conn, def) < 0) goto error; - virDomainDefFree(def); return 0; error: ++++++ d7a45bf2-legacy-xen-dumpxml.patch ++++++ commit d7a45bf22368161869963b92a0a1d5599590fdf5 Author: Stefan Bader <stefan.ba...@canonical.com> Date: Tue Aug 6 12:28:58 2013 +0100 xen: Use internal interfaces in xenDomainUsedCpus Since commit 95e18efd most public interfaces (xenUnified...) obtain a virDomainDefPtr via xenGetDomainDefFor...() which take the unified lock. This is already taken before calling xenDomainUsedCpus(), so we get a deadlock for active guests. Avoid this by splitting up xenUnifiedDomainGetVcpusFlags() and xenUnifiedDomainGetVcpus() into public and private function calls (which get the virDomainDefPtr passed) and use those in xenDomainUsedCpus(). xenDomainUsedCpus ... nb_vcpu = xenUnifiedDomainGetMaxVcpus(dom); return xenUnifiedDomainGetVcpusFlags(...) ... if (!(def = xenGetDomainDefForDom(dom))) return xenGetDomainDefForUUID(dom->conn, dom->uuid); ... ret = xenHypervisorLookupDomainByUUID(conn, uuid); ... xenUnifiedLock(priv); name = xenStoreDomainGetName(conn, id); xenUnifiedUnlock(priv); ... if ((ncpus = xenUnifiedDomainGetVcpus(dom, cpuinfo, nb_vcpu, ... if (!(def = xenGetDomainDefForDom(dom))) [again like above] Signed-off-by: Stefan Bader <stefan.ba...@canonical.com> Index: libvirt-1.1.1/src/xen/xen_driver.c =================================================================== --- libvirt-1.1.1.orig/src/xen/xen_driver.c +++ libvirt-1.1.1/src/xen/xen_driver.c @@ -73,12 +73,19 @@ static int xenUnifiedNodeGetInfo(virConnectPtr conn, virNodeInfoPtr info); + static int -xenUnifiedDomainGetMaxVcpus(virDomainPtr dom); +xenUnifiedDomainGetVcpusFlagsInternal(virDomainPtr dom, + virDomainDefPtr def, + unsigned int flags); + static int -xenUnifiedDomainGetVcpus(virDomainPtr dom, - virVcpuInfoPtr info, int maxinfo, - unsigned char *cpumaps, int maplen); +xenUnifiedDomainGetVcpusInternal(virDomainPtr dom, + virDomainDefPtr def, + virVcpuInfoPtr info, + int maxinfo, + unsigned char *cpumaps, + int maplen); static bool is_privileged = false; @@ -173,6 +180,7 @@ xenNumaInit(virConnectPtr conn) { /** * xenDomainUsedCpus: * @dom: the domain + * @def: the domain definition * * Analyze which set of CPUs are used by the domain and * return a string providing the ranges. @@ -181,7 +189,7 @@ xenNumaInit(virConnectPtr conn) { * NULL if the domain uses all CPU or in case of error. */ char * -xenDomainUsedCpus(virDomainPtr dom) +xenDomainUsedCpus(virDomainPtr dom, virDomainDefPtr def) { char *res = NULL; int ncpus; @@ -202,7 +210,9 @@ xenDomainUsedCpus(virDomainPtr dom) if (priv->nbNodeCpus <= 0) return NULL; - nb_vcpu = xenUnifiedDomainGetMaxVcpus(dom); + nb_vcpu = xenUnifiedDomainGetVcpusFlagsInternal(dom, def, + (VIR_DOMAIN_VCPU_LIVE | + VIR_DOMAIN_VCPU_MAXIMUM)); if (nb_vcpu <= 0) return NULL; if (xenUnifiedNodeGetInfo(dom->conn, &nodeinfo) < 0) @@ -217,8 +227,8 @@ xenDomainUsedCpus(virDomainPtr dom) VIR_ALLOC_N(cpumap, nb_vcpu * cpumaplen) < 0) goto done; - if ((ncpus = xenUnifiedDomainGetVcpus(dom, cpuinfo, nb_vcpu, - cpumap, cpumaplen)) >= 0) { + if ((ncpus = xenUnifiedDomainGetVcpusInternal(dom, def, cpuinfo, nb_vcpu, + cpumap, cpumaplen)) >= 0) { for (n = 0; n < ncpus; n++) { for (m = 0; m < priv->nbNodeCpus; m++) { bool used; @@ -1416,54 +1426,62 @@ cleanup: } static int -xenUnifiedDomainGetVcpus(virDomainPtr dom, - virVcpuInfoPtr info, int maxinfo, - unsigned char *cpumaps, int maplen) +xenUnifiedDomainGetVcpusInternal(virDomainPtr dom, + virDomainDefPtr def, + virVcpuInfoPtr info, + int maxinfo, + unsigned char *cpumaps, + int maplen) { xenUnifiedPrivatePtr priv = dom->conn->privateData; - virDomainDefPtr def = NULL; int ret = -1; - if (!(def = xenGetDomainDefForDom(dom))) - goto cleanup; - - if (virDomainGetVcpusEnsureACL(dom->conn, def) < 0) - goto cleanup; - if (dom->id < 0) { if (priv->xendConfigVersion < XEND_CONFIG_VERSION_3_0_4) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Cannot get VCPUs of inactive domain")); - goto cleanup; } else { - ret = xenDaemonDomainGetVcpus(dom->conn, def, info, maxinfo, cpumaps, maplen); + ret = xenDaemonDomainGetVcpus(dom->conn, def, info, maxinfo, + cpumaps, maplen); } } else { - ret = xenHypervisorGetVcpus(dom->conn, def, info, maxinfo, cpumaps, maplen); + ret = xenHypervisorGetVcpus(dom->conn, def, info, maxinfo, cpumaps, + maplen); } -cleanup: - virDomainDefFree(def); return ret; } static int -xenUnifiedDomainGetVcpusFlags(virDomainPtr dom, unsigned int flags) +xenUnifiedDomainGetVcpus(virDomainPtr dom, + virVcpuInfoPtr info, int maxinfo, + unsigned char *cpumaps, int maplen) { - xenUnifiedPrivatePtr priv = dom->conn->privateData; virDomainDefPtr def = NULL; int ret = -1; - virCheckFlags(VIR_DOMAIN_VCPU_LIVE | - VIR_DOMAIN_VCPU_CONFIG | - VIR_DOMAIN_VCPU_MAXIMUM, -1); - if (!(def = xenGetDomainDefForDom(dom))) goto cleanup; - if (virDomainGetVcpusFlagsEnsureACL(dom->conn, def) < 0) + if (virDomainGetVcpusEnsureACL(dom->conn, def) < 0) goto cleanup; + ret = xenUnifiedDomainGetVcpusInternal(dom, def, info, maxinfo, cpumaps, + maplen); + +cleanup: + virDomainDefFree(def); + return ret; +} + +static int +xenUnifiedDomainGetVcpusFlagsInternal(virDomainPtr dom, + virDomainDefPtr def, + unsigned int flags) +{ + xenUnifiedPrivatePtr priv = dom->conn->privateData; + int ret = -1; + if (dom->id < 0) { if (priv->xendConfigVersion < XEND_CONFIG_VERSION_3_0_4) ret = xenXMDomainGetVcpusFlags(dom->conn, def, flags); @@ -1476,6 +1494,27 @@ xenUnifiedDomainGetVcpusFlags(virDomainP ret = xenDaemonDomainGetVcpusFlags(dom->conn, def, flags); } + return ret; +} + +static int +xenUnifiedDomainGetVcpusFlags(virDomainPtr dom, unsigned int flags) +{ + virDomainDefPtr def = NULL; + int ret = -1; + + virCheckFlags(VIR_DOMAIN_VCPU_LIVE | + VIR_DOMAIN_VCPU_CONFIG | + VIR_DOMAIN_VCPU_MAXIMUM, -1); + + if (!(def = xenGetDomainDefForDom(dom))) + goto cleanup; + + if (virDomainGetVcpusFlagsEnsureACL(dom->conn, def) < 0) + goto cleanup; + + ret = xenUnifiedDomainGetVcpusFlagsInternal(dom, def, flags); + cleanup: virDomainDefFree(def); return ret; @@ -1507,7 +1546,7 @@ xenUnifiedDomainGetXMLDesc(virDomainPtr } else { char *cpus; xenUnifiedLock(priv); - cpus = xenDomainUsedCpus(dom); + cpus = xenDomainUsedCpus(dom, minidef); xenUnifiedUnlock(priv); def = xenDaemonDomainGetXMLDesc(dom->conn, minidef, cpus); VIR_FREE(cpus); Index: libvirt-1.1.1/src/xen/xen_driver.h =================================================================== --- libvirt-1.1.1.orig/src/xen/xen_driver.h +++ libvirt-1.1.1/src/xen/xen_driver.h @@ -187,7 +187,7 @@ struct _xenUnifiedPrivate { typedef struct _xenUnifiedPrivate *xenUnifiedPrivatePtr; -char *xenDomainUsedCpus(virDomainPtr dom); +char *xenDomainUsedCpus(virDomainPtr dom, virDomainDefPtr def); virDomainXMLOptionPtr xenDomainXMLConfInit(void); ++++++ fix-pci-attach-xen-driver.patch ++++++ --- /var/tmp/diff_new_pack.B0n9IN/_old 2013-08-15 13:22:41.000000000 +0200 +++ /var/tmp/diff_new_pack.B0n9IN/_new 2013-08-15 13:22:41.000000000 +0200 @@ -12,7 +12,7 @@ =================================================================== --- libvirt-1.1.1.orig/src/xen/xend_internal.c +++ libvirt-1.1.1/src/xen/xend_internal.c -@@ -2207,6 +2207,7 @@ xenDaemonAttachDeviceFlags(virConnectPtr +@@ -2206,6 +2206,7 @@ xenDaemonAttachDeviceFlags(virConnectPtr virBuffer buf = VIR_BUFFER_INITIALIZER; char class[8], ref[80]; char *target = NULL; @@ -20,7 +20,7 @@ virCheckFlags(VIR_DOMAIN_AFFECT_LIVE | VIR_DOMAIN_AFFECT_CONFIG, -1); -@@ -2305,8 +2306,18 @@ xenDaemonAttachDeviceFlags(virConnectPtr +@@ -2304,8 +2305,18 @@ xenDaemonAttachDeviceFlags(virConnectPtr } sexpr = virBufferContentAndReset(&buf); ++++++ libvirtd-init-script.patch ++++++ --- /var/tmp/diff_new_pack.B0n9IN/_old 2013-08-15 13:22:41.000000000 +0200 +++ /var/tmp/diff_new_pack.B0n9IN/_new 2013-08-15 13:22:41.000000000 +0200 @@ -1,9 +1,9 @@ Adjust libvirtd sysconfig file to conform to SUSE standards -Index: libvirt-1.1.0/daemon/libvirtd.sysconf +Index: libvirt-1.1.1/daemon/libvirtd.sysconf =================================================================== ---- libvirt-1.1.0.orig/daemon/libvirtd.sysconf -+++ libvirt-1.1.0/daemon/libvirtd.sysconf +--- libvirt-1.1.1.orig/daemon/libvirtd.sysconf ++++ libvirt-1.1.1/daemon/libvirtd.sysconf @@ -1,16 +1,25 @@ +## Path: System/Virtualization/libvirt + ++++++ xen-name-for-devid.patch ++++++ --- /var/tmp/diff_new_pack.B0n9IN/_old 2013-08-15 13:22:41.000000000 +0200 +++ /var/tmp/diff_new_pack.B0n9IN/_new 2013-08-15 13:22:41.000000000 +0200 @@ -27,7 +27,7 @@ virDomainDeviceDefPtr dev, char *class, char *ref, int ref_len); -@@ -3316,18 +3316,18 @@ xenDaemonDomainBlockPeek(virConnectPtr c +@@ -3314,18 +3314,18 @@ xenDaemonDomainBlockPeek(virConnectPtr c * Returns 0 in case of success, -1 in case of failure. */ static int @@ -50,7 +50,7 @@ if (dev->data.disk->driverName && STREQ(dev->data.disk->driverName, "tap")) strcpy(class, "tap"); -@@ -3337,19 +3337,17 @@ virDomainXMLDevID(virConnectPtr conn, +@@ -3335,19 +3335,17 @@ virDomainXMLDevID(virConnectPtr conn, else strcpy(class, "vbd"); @@ -81,7 +81,7 @@ } else if (dev->type == VIR_DOMAIN_DEVICE_NET) { char mac[VIR_MAC_STRING_BUFLEN]; virDomainNetDefPtr netdef = dev->data.net; -@@ -3357,16 +3355,22 @@ virDomainXMLDevID(virConnectPtr conn, +@@ -3355,16 +3353,22 @@ virDomainXMLDevID(virConnectPtr conn, strcpy(class, "vif"); @@ -114,7 +114,7 @@ } else if (dev->type == VIR_DOMAIN_DEVICE_HOSTDEV && dev->data.hostdev->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS && dev->data.hostdev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) { -@@ -3382,17 +3386,44 @@ virDomainXMLDevID(virConnectPtr conn, +@@ -3380,17 +3384,44 @@ virDomainXMLDevID(virConnectPtr conn, strcpy(class, "pci"); -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org