virt/libvirt/debian/patches/CVE-2024-2494.patch
Murillo Arantes c9f3f21e23 Upversion libvirt to v8.0.0-1
The new stx-openstack release will be based on the Openstack 2025.1
Epoxy version, which uses libvirt >= 8.0.0. This change aims to
upversion the current libvirt package from 7.0.0-3 to the 8.0.0-1. To
make this possible, it was necessary to update the libvirt metadata
and review all the patches currently applied to version 7.0.0-3,
analyzing which patches should be kept, which need to be adapted,
which can be removed and which new patches need to be created. The
following list describes the actions taken for each patch included in
this change:

Patches removed because they are no longer needed in version 8.0.0-1:
 CVE-2021-3631.patch
 CVE-2021-3667.patch
 CVE-2021-3975.patch
 CVE-2021-4147_1.patch
 CVE-2021-4147_2.patch
 CVE-2021-4147_3.patch
 CVE-2021-4147_4.patch
 CVE-2021-4147_5.patch
 CVE-2021-4147_6.patch
 0010-qemu-capabilities-Introduce-QEMU_CAPS_OBJECT_QAPIFIE.patch
 0011-qemu-monitor-Make-wrapping-of-props-of-object-add-op.patch
 0012-qemuMonitorCreateObjectPropsWrap-Open-code-in-qemuBu.patch
 0013-qemu-monitor-Don-t-add-props-wrapper-if-qemu-has-QEM.patch
 0014-qemu-remove-support-for-generating-yes-no-boolean-op.patch
 0015-qemu-command-Use-JSON-for-QAPIfied-object-directly.patch
 0016-qemu-capabilities-Enable-detection-of-QEMU_CAPS_OBJE.patch
 libxl-Fix-domain-shutdown.patch

Patches adapted due to changes between versions 7.0.0-3 and 8.0.0-1:
 CVE-2024-1441.patch
 CVE-2024-2494.patch
 CVE-2024-2496.patch
 0001-STX-Customize-Debian-build-files.patch
 0001-STX-CPU-pinning-not-working-over-live-migration.patch
 0002-STX-System-Logging-set-group-read-permission-on-log.patch
 0003-STX-Drop-migration-poll-times-to-10mS.patch
 0004-STX-DPDK-parms-handling.patch
 0007-STX-Stop-processing-memory-stats-if-balloon-info.patch
 0008-STX-Increase-timeout-for-connecting-to-monitor.patch
 0009-STX-pci-sriov-perform-limited-retry-on-netlink.patch

Some examples of changes between libvirt versions that required
updates to the patches can be found in [1], [2], [3], [4], and [5].

New patch required to ensure compatibility with the libc6-dev version
dependency (see the patch description for more details):
 0002-STX-Adjust-libc6-dev-version-compatibility.patch

[1] https://salsa.debian.org/libvirt-team/libvirt/-/commit/53a7a787d3
[2] https://salsa.debian.org/libvirt-team/libvirt/-/blob/debian/7.0.0-3/src/conf/domain_conf.c?ref_type=tags#L2011
[3] https://salsa.debian.org/libvirt-team/libvirt/-/blob/debian/8.0.0-1/src/conf/domain_conf.c?ref_type=tags#L2079
[4] https://salsa.debian.org/libvirt-team/libvirt/-/blob/debian/7.0.0-3/src/qemu/qemu_monitor_json.c?ref_type=tags#L2270
[5] https://salsa.debian.org/libvirt-team/libvirt/-/blob/debian/8.0.0-1/src/qemu/qemu_monitor_json.c?ref_type=tags#L2076

TEST PLAN:

PASS - build-pkgs --all
PASS - build-pkgs -c -p libvirt
PASS - build ISO image
PASS - build wheels and base docker image
PASS - build stx-libvirt docker image
PASS - build stx-openstack
PASS - AIO-SX: fresh install with the ISO
PASS - launch/pause/resume/restart/delete vm on the host
PASS - STD system: apply stx-openstack
PASS - check pods are healthy
PASS - check libvirt version
PASS - launch vm
PASS - pause/resume vm
PASS - restart vm
PASS - delete vm
PASS - cold migrate vm
PASS - live migrate vm
PASS - virsh list vm

Story: 2011516
Task: 52969

Change-Id: I792e8bba8b7288f2d3257ce3e1c5d0fc0780fcf8
Signed-off-by: Murillo Arantes <murillo.arantes@windriver.com>
Co-Authored-By: Daniel Caires <danielmarques.caires@windriver.com>
2025-11-05 09:33:26 -03:00


From: Daniel P. Berrangé <berrange@redhat.com>
Date: Fri, 15 Mar 2024 10:47:50 +0000
Subject: remote: check for negative array lengths before allocation
While the C API entry points will validate non-negative lengths
for various parameters, the RPC server de-serialization code
will need to allocate memory for arrays before entering the C
API. These allocations will thus happen before the non-negative
length check is performed.
Passing a negative length to the g_new0 function will usually
result in a crash due to the negative length being treated as
a huge positive number.
This was found and diagnosed by ALT Linux Team with AFLplusplus.
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Found-by: Alexandr Shashkin <dutyrok@altlinux.org>
Co-developed-by: Alexander Kuznetsov <kuznetsovam@altlinux.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Origin: https://gitlab.com/libvirt/libvirt/-/commit/8a3f8d957507c1f8223fdcf25a3ff885b15557f2
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2270115
Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-2494
Bug-Debian: https://bugs.debian.org/1067461
[ Fixed pointers while porting patch to libvirt v8.0.0-1 ]
Signed-off-by: Daniel Caires <danielmarques.caires@windriver.com>
---
src/remote/remote_daemon_dispatch.c | 65 +++++++++++++++++++++++++++++++++++++
src/rpc/gendispatch.pl | 5 +++
2 files changed, 70 insertions(+)
diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c
index 689001889..78d4b3174 100644
--- a/src/remote/remote_daemon_dispatch.c
+++ b/src/remote/remote_daemon_dispatch.c
@@ -2306,6 +2306,10 @@ remoteDispatchDomainGetSchedulerParameters(virNetServer *server G_GNUC_UNUSED,
if (!conn)
goto cleanup;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
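Review bot: the four-line args->nparams < 0 check added ahead of the REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX comparison is repeated verbatim in most of the handlers this patch touches in remote_daemon_dispatch.c, so a handler that is added or ported later can silently miss it. Consider a small helper or macro that takes the field, its name and its maximum and performs both the lower and the upper bound test in one place, so the two checks cannot drift apart between handlers.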
@@ -2354,6 +2358,10 @@ remoteDispatchDomainGetSchedulerParametersFlags(virNetServer *server G_GNUC_UNUS
if (!conn)
goto cleanup;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
@@ -2512,6 +2520,10 @@ remoteDispatchDomainBlockStatsFlags(virNetServer *server G_GNUC_UNUSED,
goto cleanup;
flags = args->flags;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_DOMAIN_BLOCK_STATS_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
@@ -2737,6 +2749,14 @@ remoteDispatchDomainGetVcpuPinInfo(virNetServer *server G_GNUC_UNUSED,
if (!(dom = get_nonnull_domain(conn, args->dom)))
goto cleanup;
+ if (args->ncpumaps < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps must be non-negative"));
+ goto cleanup;
+ }
+ if (args->maplen < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative"));
+ goto cleanup;
+ }
if (args->ncpumaps > REMOTE_VCPUINFO_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps > REMOTE_VCPUINFO_MAX"));
goto cleanup;
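Review bot: maplen gets a sign check here, but the only upper bound visible in this hunk is on ncpumaps (ncpumaps > REMOTE_VCPUINFO_MAX). If the buffer allocated after these checks is sized from both fields, confirm that the code following this hunk also caps maplen, or the product of the two, before the allocation; otherwise the sign checks alone still leave the size under the client's control.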
@@ -2831,6 +2851,11 @@ remoteDispatchDomainGetEmulatorPinInfo(virNetServer *server G_GNUC_UNUSED,
if (!(dom = get_nonnull_domain(conn, args->dom)))
goto cleanup;
+ if (args->maplen < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative"));
+ goto cleanup;
+ }
+
/* Allocate buffers to take the results */
if (args->maplen > 0)
cpumaps = g_new0(unsigned char, args->maplen);
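Review bot: after the new maplen < 0 check, the visible context passes any positive args->maplen straight to g_new0(unsigned char, args->maplen) with no upper limit, unlike the other handlers in this patch, which compare against a REMOTE_*_MAX constant. Since g_new0 aborts the process when the allocation fails, consider adding an upper bound on maplen here as well. Minor: this is the only hunk that adds a blank line after the check; align it with the others.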
@@ -2878,6 +2903,14 @@ remoteDispatchDomainGetVcpus(virNetServer *server G_GNUC_UNUSED,
if (!(dom = get_nonnull_domain(conn, args->dom)))
goto cleanup;
+ if (args->maxinfo < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be non-negative"));
+ goto cleanup;
+ }
+ if (args->maplen < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative"));
+ goto cleanup;
+ }
if (args->maxinfo > REMOTE_VCPUINFO_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo > REMOTE_VCPUINFO_MAX"));
goto cleanup;
@@ -3117,6 +3150,10 @@ remoteDispatchDomainGetMemoryParameters(virNetServer *server G_GNUC_UNUSED,
flags = args->flags;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_DOMAIN_MEMORY_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
@@ -3177,6 +3214,10 @@ remoteDispatchDomainGetNumaParameters(virNetServer *server G_GNUC_UNUSED,
flags = args->flags;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_DOMAIN_NUMA_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
@@ -3237,6 +3278,10 @@ remoteDispatchDomainGetBlkioParameters(virNetServer *server G_GNUC_UNUSED,
flags = args->flags;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_DOMAIN_BLKIO_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
@@ -3298,6 +3343,10 @@ remoteDispatchNodeGetCPUStats(virNetServer *server G_GNUC_UNUSED,
flags = args->flags;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_NODE_CPU_STATS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
@@ -3365,6 +3414,10 @@ remoteDispatchNodeGetMemoryStats(virNetServer *server G_GNUC_UNUSED,
flags = args->flags;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_NODE_MEMORY_STATS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
@@ -3545,6 +3598,10 @@ remoteDispatchDomainGetBlockIoTune(virNetServer *server G_GNUC_UNUSED,
if (!conn)
goto cleanup;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_DOMAIN_BLOCK_IO_TUNE_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
@@ -5087,6 +5144,10 @@ remoteDispatchDomainGetInterfaceParameters(virNetServer *server G_GNUC_UNUSED,
flags = args->flags;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_DOMAIN_INTERFACE_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
@@ -5307,6 +5368,10 @@ remoteDispatchNodeGetMemoryParameters(virNetServer *server G_GNUC_UNUSED,
flags = args->flags;
+ if (args->nparams < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative"));
+ goto cleanup;
+ }
if (args->nparams > REMOTE_NODE_MEMORY_PARAMETERS_MAX) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
goto cleanup;
diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl
index 9f5bf0e31..aacab8880 100755
--- a/src/rpc/gendispatch.pl
+++ b/src/rpc/gendispatch.pl
@@ -1074,6 +1074,11 @@ elsif ($mode eq "server") {
print "\n";
if ($single_ret_as_list) {
+ print " if (args->$single_ret_list_max_var < 0) {\n";
+ print " virReportError(VIR_ERR_RPC,\n";
+ print " \"%s\", _(\"max$single_ret_list_name must be non-negative\"));\n";
+ print " goto cleanup;\n";
+ print " }\n";
print " if (args->$single_ret_list_max_var > $single_ret_list_max_define) {\n";
print " virReportError(VIR_ERR_RPC,\n";
print " \"%s\", _(\"max$single_ret_list_name > $single_ret_list_max_define\"));\n";
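Review bot: the generated negative-length check reports VIR_ERR_RPC, while the hand-written checks this patch adds to remote_daemon_dispatch.c report VIR_ERR_INTERNAL_ERROR for the same condition, so clients see two different error codes for an identical malformed request. Each follows the existing "too large" check beside it, but it would be worth settling on one code for client-supplied lengths (VIR_ERR_INVALID_ARG would also fit) and noting the choice in the commit message.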