diff options
6 files changed, 237 insertions, 4 deletions
diff --git a/libraries/libvirt/libvirt.SlackBuild b/libraries/libvirt/libvirt.SlackBuild index e39684a713247..d9a6e23cad632 100644 --- a/libraries/libvirt/libvirt.SlackBuild +++ b/libraries/libvirt/libvirt.SlackBuild @@ -5,7 +5,7 @@ # Maintained by Bogdan Radulescu <bogdan@nimblex.net> PRGNAM=libvirt -VERSION=${VERSION:-1.2.6} +VERSION=${VERSION:-1.2.7} BUILD=${BUILD:-1} TAG=${TAG:-_SBo} @@ -56,6 +56,11 @@ find -L . \ # we have sysctld files in /etc/sysctl.d sed -i "s|(prefix)/lib/sysctl|(sysconfdir)/sysctl|" daemon/Makefile.in +patch -p1 < $CWD/patches/0001-Don-t-fail-qemu-driver-intialization-if-we-can-t-det.patch +patch -p1 < $CWD/patches/0001-blockjob-correctly-report-active-commit-for-job-info.patch +patch -p1 < $CWD/patches/0002-blockjob-avoid-memory-leak-during-block-pivot.patch +patch -p1 < $CWD/patches/0003-blockjob-fix-use-after-free-in-blockcopy.patch + CFLAGS="$SLKCFLAGS" \ ./configure \ --prefix=/usr \ diff --git a/libraries/libvirt/libvirt.info b/libraries/libvirt/libvirt.info index ba29981fe2172..e8b6b5a9b70fd 100644 --- a/libraries/libvirt/libvirt.info +++ b/libraries/libvirt/libvirt.info @@ -1,8 +1,8 @@ PRGNAM="libvirt" -VERSION="1.2.6" +VERSION="1.2.7" HOMEPAGE="http://libvirt.org" -DOWNLOAD="http://libvirt.org/sources/libvirt-1.2.6.tar.gz" -MD5SUM="ac1c3edbafb38f7978debe9507e5515c" +DOWNLOAD="http://libvirt.org/sources/libvirt-1.2.7.tar.gz" +MD5SUM="d556b3d815a222fd9680f9f3948595cb" DOWNLOAD_x86_64="" MD5SUM_x86_64="" REQUIRES="yajl urlgrabber" diff --git a/libraries/libvirt/patches/0001-Don-t-fail-qemu-driver-intialization-if-we-can-t-det.patch b/libraries/libvirt/patches/0001-Don-t-fail-qemu-driver-intialization-if-we-can-t-det.patch new file mode 100644 index 0000000000000..ce9a62b4ad525 --- /dev/null +++ b/libraries/libvirt/patches/0001-Don-t-fail-qemu-driver-intialization-if-we-can-t-det.patch @@ -0,0 +1,40 @@ +From ee2a7c5483c9dc746ad439340925947f393b919a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org> +Date: Sun, 10 Aug 2014 12:42:37 +0200 +Subject: [PATCH] Don't fail qemu driver intialization if we can't determine + hugepage size + +Otherwise we fail like + + libvirt version: 1.2.7, package: 6 (root 2014-08-08-16:09:22 bogon) + virAuditOpen:62 : Unable to initialize audit layer: Protocol not supported + virFileGetDefaultHugepageSize:2958 : internal error: Unable to parse /proc/meminfo + virStateInitialize:749 : Initialization of QEMU state driver failed: internal error: Unable to parse /proc/meminfo + daemonRunStateInit:922 : Driver state initialization failed + +if the data can't be determined. + +Reference: http://bugs.debian.org/757609 +--- + src/util/virfile.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/util/virfile.c b/src/util/virfile.c +index f9efc65..b6f5e3f 100644 +--- a/src/util/virfile.c ++++ b/src/util/virfile.c +@@ -2953,8 +2953,9 @@ virFileGetDefaultHugepageSize(unsigned long long *size) + goto cleanup; + + if (!(c = strstr(meminfo, HUGEPAGESIZE_STR))) { +- virReportError(VIR_ERR_INTERNAL_ERROR, +- _("Unable to parse %s"), ++ virReportError(VIR_ERR_NO_SUPPORT, ++ _("%s not found in %s"), ++ HUGEPAGESIZE_STR, + PROC_MEMINFO); + goto cleanup; + } +-- +2.0.3 + diff --git a/libraries/libvirt/patches/0001-blockjob-correctly-report-active-commit-for-job-info.patch b/libraries/libvirt/patches/0001-blockjob-correctly-report-active-commit-for-job-info.patch new file mode 100644 index 0000000000000..a86263cbd3509 --- /dev/null +++ b/libraries/libvirt/patches/0001-blockjob-correctly-report-active-commit-for-job-info.patch @@ -0,0 +1,35 @@ +From 2151695a5119a8d7f44d416c730df50a1e42695a Mon Sep 17 00:00:00 2001 +From: Eric Blake <eblake@redhat.com> +Date: Tue, 5 Aug 2014 08:49:32 -0600 +Subject: [PATCH 1/3] blockjob: correctly report active commit for job info + +Commit 232a31b munged job info to report 'active commit' instead of +'commit' when generating events, but forgot to also munge the polling +variant of the command. + +* src/qemu/qemu_driver.c (qemuDomainBlockJobImpl): Adjust type as +needed. + +Signed-off-by: Eric Blake <eblake@redhat.com> +(cherry picked from commit e8cc973041e7ac4ddeefe343af751863c76687fe) +--- + src/qemu/qemu_driver.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index a3de784..57cc913 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -15103,6 +15103,9 @@ qemuDomainBlockJobImpl(virDomainObjPtr vm, + ret = qemuMonitorBlockJob(priv->mon, device, basePath, backingPath, + bandwidth, info, mode, async); + qemuDomainObjExitMonitor(driver, vm); ++ if (info && info->type == VIR_DOMAIN_BLOCK_JOB_TYPE_COMMIT && ++ disk->mirrorJob == VIR_DOMAIN_BLOCK_JOB_TYPE_ACTIVE_COMMIT) ++ info->type = disk->mirrorJob; + if (ret < 0) { + if (mode == BLOCK_JOB_ABORT && disk->mirror) + disk->mirrorState = VIR_DOMAIN_DISK_MIRROR_STATE_NONE; +-- +2.0.3 + diff --git a/libraries/libvirt/patches/0002-blockjob-avoid-memory-leak-during-block-pivot.patch b/libraries/libvirt/patches/0002-blockjob-avoid-memory-leak-during-block-pivot.patch new file mode 100644 index 0000000000000..1f430369ff325 --- /dev/null +++ b/libraries/libvirt/patches/0002-blockjob-avoid-memory-leak-during-block-pivot.patch @@ -0,0 +1,48 @@ +From 7620b422e515249bbfff02d0372301334fe1dd50 Mon Sep 17 00:00:00 2001 +From: Eric Blake <eblake@redhat.com> +Date: Wed, 6 Aug 2014 14:48:59 -0600 +Subject: [PATCH 2/3] blockjob: avoid memory leak during block pivot + +Valgrind caught a memory leak: + +==2018== 9 bytes in 1 blocks are definitely lost in loss record 143 of 927 +==2018== at 0x4A0645D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) +==2018== by 0x8C42369: strdup (strdup.c:42) +==2018== by 0x50EACC9: virStrdup (virstring.c:676) +==2018== by 0x50E79E5: virStorageSourceCopy (virstoragefile.c:1845) +==2018== by 0x20A3FAA7: qemuDomainBlockCommit (qemu_driver.c:15620) +==2018== by 0x51DC6B2: virDomainBlockCommit (libvirt.c:20092) + +I traced it to the fact that blockcopy and blockcommit end up +reparsing a backing chain on pivot, but the chain parsing code +doesn't gracefully handle the case where the backing file is +already known. + +I'm not exactly sure when this was introduced, but suspect that the +refactoring in commit 9944b71 and friends that moved towards probing +in-place rather than into a temporary structure are part of the cause. + +* src/util/virstoragefile.c (virStorageFileGetMetadataInternal): +Don't leak any prior value. + +Signed-off-by: Eric Blake <eblake@redhat.com> +(cherry picked from commit a595a005725f142e1a258d10f7647982efa3cfd8) +--- + src/util/virstoragefile.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c +index 3da9073..5b6b2f5 100644 +--- a/src/util/virstoragefile.c ++++ b/src/util/virstoragefile.c +@@ -817,6 +817,7 @@ virStorageFileGetMetadataInternal(virStorageSourcePtr meta, + goto cleanup; + } + ++ VIR_FREE(meta->backingStoreRaw); + if (fileTypeInfo[meta->format].getBackingStore != NULL) { + int store = fileTypeInfo[meta->format].getBackingStore(&meta->backingStoreRaw, + backingFormat, +-- +2.0.3 + diff --git a/libraries/libvirt/patches/0003-blockjob-fix-use-after-free-in-blockcopy.patch b/libraries/libvirt/patches/0003-blockjob-fix-use-after-free-in-blockcopy.patch new file mode 100644 index 0000000000000..0f967214e4411 --- /dev/null +++ b/libraries/libvirt/patches/0003-blockjob-fix-use-after-free-in-blockcopy.patch @@ -0,0 +1,105 @@ +From 9617e31b5349b193469874706abcbcb013e6a6fd Mon Sep 17 00:00:00 2001 +From: Eric Blake <eblake@redhat.com> +Date: Wed, 6 Aug 2014 14:06:23 -0600 +Subject: [PATCH 3/3] blockjob: fix use-after-free in blockcopy + +Commit febf84c2 tried to delay in-memory modification of the actual +domain disk structure until after the qemu event was received. +However, I missed that the code for block pivot had been temporarily +setting disk->src = disk->mirror prior to the qemu command, in order +to label the backing chain of a reused external blockcopy disk; +and calls into qemu while still in that state before finally undoing +things at the cleanup label. Since the qemu event handler then does: + virStorageSourceFree(disk->src); + disk->src = disk->mirror; +we have the sad race that a fast enough qemu event can cause a leak of +the original disk->src, as well as a use-after-free of the disk->mirror +contents, bad enough to crash libvirtd in some of my test runs, even +though the common case of the qemu event being much later won't trip +the race. + +I'll go wear the brown paper bag of shame, for introducing a crasher +in between rc1 and rc2 of the freeze for 1.2.7 :( My only +consolation is that virDomainBlockJobAbort requires the domain:write +ACL, so it is not a CVE. + +The valgrind report when the race occurs looks like: + +==25612== Invalid read of size 4 +==25612== at 0x50E7C90: virStorageSourceGetActualType (virstoragefile.c:1948) +==25612== by 0x209C0B18: qemuDomainDetermineDiskChain (qemu_domain.c:2473) +==25612== by 0x209D7F6A: qemuProcessHandleBlockJob (qemu_process.c:1087) +==25612== by 0x209F40C9: qemuMonitorEmitBlockJob (qemu_monitor.c:1357) +... +==25612== Address 0xe4b5610 is 0 bytes inside a block of size 200 free'd +==25612== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) +==25612== by 0x50839E9: virFree (viralloc.c:582) +==25612== by 0x50E7E51: virStorageSourceFree (virstoragefile.c:2015) +==25612== by 0x209D7EFF: qemuProcessHandleBlockJob (qemu_process.c:1073) +==25612== by 0x209F40C9: qemuMonitorEmitBlockJob (qemu_monitor.c:1357) + +* src/qemu/qemu_driver.c (qemuDomainBlockPivot): Don't corrupt +disk->src, and only label chain for blockcopy. + +Signed-off-by: Eric Blake <eblake@redhat.com> +(cherry picked from commit 265680c58ebbee30bb70369e7d9905a599afbd6a) +--- + src/qemu/qemu_driver.c | 40 +++++++++++++++++++++++++--------------- + 1 file changed, 25 insertions(+), 15 deletions(-) + +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index 57cc913..a050dbc 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -14888,23 +14888,33 @@ qemuDomainBlockPivot(virConnectPtr conn, + } + } + +- /* We previously labeled only the top-level image; but if the +- * image includes a relative backing file, the pivot may result in +- * qemu needing to open the entire backing chain, so we need to +- * label the entire chain. This action is safe even if the +- * backing chain has already been labeled; but only necessary when +- * we know for sure that there is a backing chain. */ +- oldsrc = disk->src; +- disk->src = disk->mirror; ++ /* For active commit, the mirror is part of the already labeled ++ * chain. For blockcopy, we previously labeled only the top-level ++ * image; but if the user is reusing an external image that ++ * includes a backing file, the pivot may result in qemu needing ++ * to open the entire backing chain, so we need to label the ++ * entire chain. This action is safe even if the backing chain ++ * has already been labeled; but only necessary when we know for ++ * sure that there is a backing chain. */ ++ if (disk->mirrorJob == VIR_DOMAIN_BLOCK_JOB_TYPE_COPY) { ++ oldsrc = disk->src; ++ disk->src = disk->mirror; ++ ++ if (qemuDomainDetermineDiskChain(driver, vm, disk, false) < 0) ++ goto cleanup; + +- if (qemuDomainDetermineDiskChain(driver, vm, disk, false) < 0) +- goto cleanup; ++ if (disk->mirror->format && ++ disk->mirror->format != VIR_STORAGE_FILE_RAW && ++ (virDomainLockDiskAttach(driver->lockManager, cfg->uri, vm, ++ disk) < 0 || ++ qemuSetupDiskCgroup(vm, disk) < 0 || ++ virSecurityManagerSetDiskLabel(driver->securityManager, vm->def, ++ disk) < 0)) ++ goto cleanup; + +- if (disk->mirror->format && disk->mirror->format != VIR_STORAGE_FILE_RAW && +- (virDomainLockDiskAttach(driver->lockManager, cfg->uri, vm, disk) < 0 || +- qemuSetupDiskCgroup(vm, disk) < 0 || +- virSecurityManagerSetDiskLabel(driver->securityManager, vm->def, disk) < 0)) +- goto cleanup; ++ disk->src = oldsrc; ++ oldsrc = NULL; ++ } + + /* Attempt the pivot. Record the attempt now, to prevent duplicate + * attempts; but the actual disk change will be made when emitting +-- +2.0.3 + |