diff --git a/Substitute-security_context_t-with-char.patch b/Substitute-security_context_t-with-char.patch
new file mode 100644
index 0000000000000000000000000000000000000000..31ec1009fa146e6ea9ac49ce56b069181dfc4fde
--- /dev/null
+++ b/Substitute-security_context_t-with-char.patch
@@ -0,0 +1,320 @@
+From 931b264611f1d56ea29670fd4489cb9fb9f9b69d Mon Sep 17 00:00:00 2001
+From: Xu Yandong
+Date: Tue, 4 Aug 2020 01:44:48 +0000
+Subject: [PATCH] Substitute security_context_t with char *
+
+Historically, we've used security_context_t for variables passed
+to libselinux APIs. But almost 7 years ago, libselinux developers
+admitted in their API that in fact, it's just a 'char *' type
+[1]. Ever since then the APIs accept 'char *' instead, but they
+kept the old alias just for API stability. Well, not anymore [2].
+
+1: https://github.com/SELinuxProject/selinux/commit/9eb9c9327563014ad6a807814e7975424642d5b9
+2: https://github.com/SELinuxProject/selinux/commit/7a124ca2758136f49cc38efc26fb1a2d385ecfd9
+
+Signed-off-by: Michal Privoznik
+Reviewed-by: Andrea Bolognani
+(cherry-picked from commit e71e13488dc1aa65456e54a4b41bc925821b4263)
+Signed-off-by: Xu Yandong
+---
+ src/libvirt-lxc.c | 2 +-
+ src/rpc/virnetsocket.c | 2 +-
+ src/security/security_selinux.c | 26 +++++++++++++-------------
+ src/storage/storage_util.c | 2 +-
+ src/util/viridentity.c | 2 +-
+ tests/securityselinuxhelper.c | 16 ++++++++--------
+ tests/securityselinuxlabeltest.c | 4 ++--
+ tests/securityselinuxtest.c | 2 +-
+ tests/viridentitytest.c | 2 +-
+ 9 files changed, 29 insertions(+), 29 deletions(-)
+
+diff --git a/src/libvirt-lxc.c b/src/libvirt-lxc.c
+index 47a06a39f2..25f1cfc5f7 100644
+--- a/src/libvirt-lxc.c
++++ b/src/libvirt-lxc.c
+@@ -204,7 +204,7 @@ virDomainLxcEnterSecurityLabel(virSecurityModelPtr model,
+ if (STREQ(model->model, "selinux")) {
+ #ifdef WITH_SELINUX
+ if (oldlabel) {
+- security_context_t ctx;
++ char *ctx;
+
+ if (getcon(&ctx) < 0) {
+ virReportSystemError(errno,
+diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
+index 6c790cb577..553728984b 100644
+--- a/src/rpc/virnetsocket.c
++++ b/src/rpc/virnetsocket.c
+@@ -1595,7 +1595,7 @@ int virNetSocketGetUNIXIdentity(virNetSocketPtr sock G_GNUC_UNUSED,
+ int virNetSocketGetSELinuxContext(virNetSocketPtr sock,
+ char **context)
+ {
+- security_context_t seccon = NULL;
++ char *seccon = NULL;
+ int ret = -1;
+
+ *context = NULL;
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 8aeb6e45a5..72d1658e05 100644
+--- a/src/security/security_selinux.c
++++ b/src/security/security_selinux.c
+@@ -198,7 +198,7 @@ virSecuritySELinuxTransactionAppend(const char *path,
+
+ static int
+ virSecuritySELinuxRememberLabel(const char *path,
+- const security_context_t con)
++ const char *con)
+ {
+ return virSecuritySetRememberedLabel(SECURITY_SELINUX_NAME,
+ path, con);
+@@ -207,7 +207,7 @@ virSecuritySELinuxRememberLabel(const char *path,
+
+ static int
+ virSecuritySELinuxRecallLabel(const char *path,
+- security_context_t *con)
++ char **con)
+ {
+ int rv;
+
+@@ -431,7 +431,7 @@ virSecuritySELinuxMCSGetProcessRange(char **sens,
+ int *catMin,
+ int *catMax)
+ {
+- security_context_t ourSecContext = NULL;
++ char *ourSecContext = NULL;
+ context_t ourContext = NULL;
+ char *cat = NULL;
+ char *tmp;
+@@ -530,8 +530,8 @@ virSecuritySELinuxMCSGetProcessRange(char **sens,
+ }
+
+ static char *
+-virSecuritySELinuxContextAddRange(security_context_t src,
+- security_context_t dst)
++virSecuritySELinuxContextAddRange(char *src,
++ char *dst)
+ {
+ char *str = NULL;
+ char *ret = NULL;
+@@ -575,7 +575,7 @@ virSecuritySELinuxGenNewContext(const char *basecontext,
+ context_t context = NULL;
+ char *ret = NULL;
+ char *str;
+- security_context_t ourSecContext = NULL;
++ char *ourSecContext = NULL;
+ context_t ourContext = NULL;
+
+ VIR_DEBUG("basecontext=%s mcs=%s isObjectContext=%d",
+@@ -967,7 +967,7 @@ virSecuritySELinuxReserveLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ pid_t pid)
+ {
+- security_context_t pctx;
++ char *pctx;
+ context_t ctx = NULL;
+ const char *mcs;
+ int rv;
+@@ -1217,7 +1217,7 @@ virSecuritySELinuxGetProcessLabel(virSecurityManagerPtr mgr G_GNUC_UNUSED,
+ pid_t pid,
+ virSecurityLabelPtr sec)
+ {
+- security_context_t ctx;
++ char *ctx;
+
+ if (getpidcon_raw(pid, &ctx) == -1) {
+ virReportSystemError(errno,
+@@ -1330,7 +1330,7 @@ virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
+ bool remember)
+ {
+ bool privileged = virSecurityManagerGetPrivileged(mgr);
+- security_context_t econ = NULL;
++ char *econ = NULL;
+ int refcount;
+ int rc;
+ bool rollback = false;
+@@ -1440,7 +1440,7 @@ virSecuritySELinuxFSetFilecon(int fd, char *tcon)
+ /* Set fcon to the appropriate label for path and mode, or return -1. */
+ static int
+ getContext(virSecurityManagerPtr mgr G_GNUC_UNUSED,
+- const char *newpath, mode_t mode, security_context_t *fcon)
++ const char *newpath, mode_t mode, char **fcon)
+ {
+ virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
+
+@@ -1457,7 +1457,7 @@ virSecuritySELinuxRestoreFileLabel(virSecurityManagerPtr mgr,
+ {
+ bool privileged = virSecurityManagerGetPrivileged(mgr);
+ struct stat buf;
+- security_context_t fcon = NULL;
++ char *fcon = NULL;
+ char *newpath = NULL;
+ int rc;
+ int ret = -1;
+@@ -2972,7 +2972,7 @@ virSecuritySELinuxSetDaemonSocketLabel(virSecurityManagerPtr mgr G_GNUC_UNUSED,
+ {
+ /* TODO: verify DOI */
+ virSecurityLabelDefPtr secdef;
+- security_context_t scon = NULL;
++ char *scon = NULL;
+ char *str = NULL;
+ int rc = -1;
+
+@@ -3259,7 +3259,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
+ int fd)
+ {
+ struct stat buf;
+- security_context_t fcon = NULL;
++ char *fcon = NULL;
+ virSecurityLabelDefPtr secdef;
+ char *str = NULL, *proc = NULL, *fd_path = NULL;
+ int rc = -1;
+diff --git a/src/storage/storage_util.c b/src/storage/storage_util.c
+index 1ec1d13625..4c67d3a4b1 100644
+--- a/src/storage/storage_util.c
++++ b/src/storage/storage_util.c
+@@ -1818,7 +1818,7 @@ virStorageBackendUpdateVolTargetInfoFD(virStorageSourcePtr target,
+ struct stat *sb)
+ {
+ #if WITH_SELINUX
+- security_context_t filecon = NULL;
++ char *filecon = NULL;
+ #endif
+
+ if (virStorageSourceUpdateBackingSizes(target, fd, sb) < 0)
+diff --git a/src/util/viridentity.c b/src/util/viridentity.c
+index 8cc2db2568..2cb9042a84 100644
+--- a/src/util/viridentity.c
++++ b/src/util/viridentity.c
+@@ -157,7 +157,7 @@ virIdentityPtr virIdentityGetSystem(void)
+ unsigned long long startTime;
+ g_autoptr(virIdentity) ret = NULL;
+ #if WITH_SELINUX
+- security_context_t con;
++ char *con;
+ #endif
+
+ if (!(ret = virIdentityNew()))
+diff --git a/tests/securityselinuxhelper.c b/tests/securityselinuxhelper.c
+index f89224c07a..63b57261da 100644
+--- a/tests/securityselinuxhelper.c
++++ b/tests/securityselinuxhelper.c
+@@ -58,7 +58,7 @@ static struct selabel_handle *(*real_selabel_open)(unsigned int backend,
+ unsigned nopts);
+ static void (*real_selabel_close)(struct selabel_handle *handle);
+ static int (*real_selabel_lookup_raw)(struct selabel_handle *handle,
+- security_context_t *con,
++ char **con,
+ const char *key,
+ int type);
+
+@@ -94,7 +94,7 @@ static void init_syms(void)
+ * the virt_use_nfs bool is set.
+ */
+
+-int getcon_raw(security_context_t *context)
++int getcon_raw(char **context)
+ {
+ if (!is_selinux_enabled()) {
+ errno = EINVAL;
+@@ -109,12 +109,12 @@ int getcon_raw(security_context_t *context)
+ return 0;
+ }
+
+-int getcon(security_context_t *context)
++int getcon(char **context)
+ {
+ return getcon_raw(context);
+ }
+
+-int getpidcon_raw(pid_t pid, security_context_t *context)
++int getpidcon_raw(pid_t pid, char **context)
+ {
+ if (!is_selinux_enabled()) {
+ errno = EINVAL;
+@@ -134,7 +134,7 @@ int getpidcon_raw(pid_t pid, security_context_t *context)
+ return 0;
+ }
+
+-int getpidcon(pid_t pid, security_context_t *context)
++int getpidcon(pid_t pid, char **context)
+ {
+ return getpidcon_raw(pid, context);
+ }
+@@ -170,7 +170,7 @@ int setfilecon(const char *path, const char *con)
+ return setfilecon_raw(path, con);
+ }
+
+-int getfilecon_raw(const char *path, security_context_t *con)
++int getfilecon_raw(const char *path, char **con)
+ {
+ char *constr = NULL;
+ ssize_t len = getxattr(path, "user.libvirt.selinux",
+@@ -194,7 +194,7 @@ int getfilecon_raw(const char *path, security_context_t *con)
+ }
+
+
+-int getfilecon(const char *path, security_context_t *con)
++int getfilecon(const char *path, char **con)
+ {
+ return getfilecon_raw(path, con);
+ }
+@@ -315,7 +315,7 @@ void selabel_close(struct selabel_handle *handle)
+ }
+
+ int selabel_lookup_raw(struct selabel_handle *handle,
+- security_context_t *con,
++ char **con,
+ const char *key,
+ int type)
+ {
+diff --git a/tests/securityselinuxlabeltest.c b/tests/securityselinuxlabeltest.c
+index 3040a36693..50b447c163 100644
+--- a/tests/securityselinuxlabeltest.c
++++ b/tests/securityselinuxlabeltest.c
+@@ -252,7 +252,7 @@ static int
+ testSELinuxCheckLabels(testSELinuxFile *files, size_t nfiles)
+ {
+ size_t i;
+- security_context_t ctx;
++ char *ctx;
+
+ for (i = 0; i < nfiles; i++) {
+ ctx = NULL;
+@@ -360,7 +360,7 @@ mymain(void)
+ if (virTestRun("Labelling " # name, testSELinuxLabeling, name) < 0) \
+ ret = -1;
+
+- setcon((security_context_t)"system_r:system_u:libvirtd_t:s0:c0.c1023");
++ setcon("system_r:system_u:libvirtd_t:s0:c0.c1023");
+
+ DO_TEST_LABELING("disks");
+ DO_TEST_LABELING("kernel");
+diff --git a/tests/securityselinuxtest.c b/tests/securityselinuxtest.c
+index 6c8314de6b..3f069c2d6b 100644
+--- a/tests/securityselinuxtest.c
++++ b/tests/securityselinuxtest.c
+@@ -217,7 +217,7 @@ testSELinuxGenLabel(const void *opaque)
+ context_t con = NULL;
+ context_t imgcon = NULL;
+
+- if (setcon_raw((security_context_t)data->pidcon) < 0) {
++ if (setcon_raw(data->pidcon) < 0) {
+ perror("Cannot set process security context");
+ return -1;
+ }
+diff --git a/tests/viridentitytest.c b/tests/viridentitytest.c
+index 3f87af1c3b..9a8c8914d3 100644
+--- a/tests/viridentitytest.c
++++ b/tests/viridentitytest.c
+@@ -120,7 +120,7 @@ static int testIdentityGetSystem(const void *data)
+ static int testSetFakeSELinuxContext(const void *data G_GNUC_UNUSED)
+ {
+ #if WITH_SELINUX
+- return setcon_raw((security_context_t)data);
++ return setcon_raw(data);
+ #else
+ VIR_DEBUG("libvirt not compiled with SELinux, skipping this test");
+ return EXIT_AM_SKIP;
+--
+2.23.0
+
diff --git a/conf-Don-t-format-http-cookies-unless-VIR_DOMAIN_DEF.patch b/conf-Don-t-format-http-cookies-unless-VIR_DOMAIN_DEF.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3662eb4c51e85c1d41997f72cd886b3f76e673a9
--- /dev/null
+++ b/conf-Don-t-format-http-cookies-unless-VIR_DOMAIN_DEF.patch
@@ -0,0 +1,53 @@
+From 50b20f00d376757f090030711907e101fd6a528d Mon Sep 17 00:00:00 2001
+From: Xu Yandong
+Date: Tue, 4 Aug 2020 08:40:36 +0000
+Subject: [PATCH] conf: Don't format http cookies unless
+ VIR_DOMAIN_DEF_FORMAT_SECURE is used
+
+Starting with 3b076391befc3fe72deb0c244ac6c2b4c100b410
+(v6.1.0-122-g3b076391be) we support http cookies. Since they may contain
+somewhat sensitive information we should not format them into the XML
+unless VIR_DOMAIN_DEF_FORMAT_SECURE is asserted.
+
+Reported-by: Han Han
+Signed-off-by: Peter Krempa
+Reviewed-by: Erik Skultety
+(cherry-picked from commit a5b064bf4b17a9884d7d361733737fb614ad8979)
+Signed-off-by: Xu Yandong
+---
+ src/conf/domain_conf.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
+index 914e03c705..cf93a591f4 100644
+--- a/src/conf/domain_conf.c
++++ b/src/conf/domain_conf.c
+@@ -24565,11 +24565,15 @@ virDomainSourceDefFormatSeclabel(virBufferPtr buf,
+
+ static void
+ virDomainDiskSourceFormatNetworkCookies(virBufferPtr buf,
+- virStorageSourcePtr src)
++ virStorageSourcePtr src,
++ unsigned int flags)
+ {
+ g_auto(virBuffer) childBuf = VIR_BUFFER_INIT_CHILD(buf);
+ size_t i;
+
++ if (!(flags & VIR_DOMAIN_DEF_FORMAT_SECURE))
++ return;
++
+ for (i = 0; i < src->ncookies; i++) {
+ virBufferEscapeString(&childBuf, "", src->cookies[i]->name);
+ virBufferEscapeString(&childBuf, "%s\n", src->cookies[i]->value);
+@@ -24630,7 +24634,7 @@ virDomainDiskSourceFormatNetwork(virBufferPtr attrBuf,
+ virTristateBoolTypeToString(src->sslverify));
+ }
+
+- virDomainDiskSourceFormatNetworkCookies(childBuf, src);
++ virDomainDiskSourceFormatNetworkCookies(childBuf, src, flags);
+
+ if (src->readahead)
+ virBufferAsprintf(childBuf, "\n", src->readahead);
+--
+2.23.0
+
diff --git a/libvirt.spec b/libvirt.spec
index 7601eb9aa26cedc2dc17670e432ef38aa75b139a..d856a5290924816f70f5243a864f9b340b6982a1 100644
--- a/libvirt.spec
+++ b/libvirt.spec
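Review bot: The new early return in virDomainDiskSourceFormatNetworkCookies (`if (!(flags & VIR_DOMAIN_DEF_FORMAT_SECURE)) return;`) is a confidentiality control but carries no comment, so a later cleanup could remove it without realising what it protects. I would put `/* cookies may hold credentials: format them only when the caller asked for secure data */` directly above the check. Callers that format disk source XML without the secure flag and parse it back later would now drop the cookies; whether any such caller exists cannot be seen from these hunks and is worth confirming. Both functions continue outside the hunks.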
@@ -99,7 +99,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 6.2.0 -Release: 7 +Release: 8 License: LGPLv2+ URL: https://libvirt.org/ @@ -131,6 +131,13 @@ Patch0020: libvirt-cpu_map-add-kunpeng-920-features-as-known-features.patch Patch0021: libvirt-Substitute-security_context_t-with-char.patch Patch0022: libvirt-conf-Don-t-format-http-cookies-unless-VIR_DOMAIN_DEF.patch Patch0023: libvirt-virstoragetest-testBackingParse-Use-VIR_DOMAIN_DEF_F.patch +Patch0024: Substitute-security_context_t-with-char.patch +Patch0025: conf-Don-t-format-http-cookies-unless-VIR_DOMAIN_DEF.patch +Patch0026: virstoragetest-testBackingParse-Use-VIR_DOMAIN_DEF_F.patch +Patch0027: rpc-gendispatch-handle-empty-flags.patch +Patch0028: rpc-add-support-for-filtering-acls-by-uint-params.patch +Patch0029: rpc-require-write-acl-for-guest-agent-in-virDomainIn.patch +Patch0030: qemu-agent-set-ifname-to-NULL-after-freeing.patch Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon-config-network = %{version}-%{release} @@ -1863,6 +1870,17 @@ exit 0 %changelog +* Wed Oct 14 2020 Huawei Technologies Co., Ltd +- rpc: gendispatch: handle empty flags +- rpc: add support for filtering @acls by uint params +- rpc: require write acl for guest agent in virDomainInterfaceAddresses +- qemu: agent: set ifname to NULL after freeing + +* Tue Aug 4 2020 Huawei Technologies Co., Ltd +- Substitute security_context_t with char * +- conf: Don't format http cookies unless VIR_DOMAIN_DEF_FORMAT_SECURE is used +- virstoragetest: testBackingParse: Use VIR_DOMAIN_DEF_FORMAT_SECURE when formatting xml + * Tue Aug 4 2020 Xu Yandong - 6.2.0-7 - Substitute security_context_t with char pointer. * Tue May 26 2020 Xu Yandong - 6.2.0-6 diff --git a/qemu-agent-set-ifname-to-NULL-after-freeing.patch b/qemu-agent-set-ifname-to-NULL-after-freeing.patch new file mode 100644 index 0000000000000000000000000000000000000000..729400e3729063fcaeaaef8714d30de3e9f86800 --- /dev/null 
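Review bot: Patch0024 to Patch0026 appear to duplicate Patch0021 to Patch0023, which are still listed just above under the same file names with a `libvirt-` prefix, and the existing 6.2.0-7 changelog entry already records "Substitute security_context_t with char pointer". If both sets are applied in %prep (not visible in this hunk), the second application should either fail or be skipped as already applied, so one set, together with its patch files, should be dropped. The two new %changelog headers also lack the `- 6.2.0-8` version-release suffix that the existing entries carry, and the entry for the four new patches does not name CVE-2020-25637, which makes it harder to tell from the package which release contains the fix.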
+++ b/qemu-agent-set-ifname-to-NULL-after-freeing.patch
@@ -0,0 +1,33 @@
+From f65b98faad2c13a267de9b3e44e87628bed24215 Mon Sep 17 00:00:00 2001
+From: Jan Tomko
+Date: Wed, 14 Oct 2020 17:23:54 +0800
+Subject: [PATCH] qemu: agent: set ifname to NULL after freeing
+
+CVE-2020-25637
+
+Signed-off-by: Jan Tomko
+Rported-by: Ilja Van Sprundel
+Reviewed-by: Mauro Matteo Cascella
+Reviewed-by: Jiri Denemark
+
+cherry-pick from commit a63b48c5ecef077bf0f909a85f453a605600cf05
+Signed-off-by: Jiajie Li
+---
+ src/qemu/qemu_agent.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/qemu/qemu_agent.c b/src/qemu/qemu_agent.c
+index d7fcc869c6..31d3268d42 100644
+--- a/src/qemu/qemu_agent.c
++++ b/src/qemu/qemu_agent.c
+@@ -2166,6 +2166,7 @@ qemuAgentGetInterfaces(qemuAgentPtr agent,
+
+ /* Has to be freed for each interface. */
+ virStringListFree(ifname);
++ ifname = NULL;
+
+ /* as well as IP address which - moreover -
+ * can be presented multiple times */
+--
+2.23.0
+
diff --git a/rpc-add-support-for-filtering-acls-by-uint-params.patch b/rpc-add-support-for-filtering-acls-by-uint-params.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7172c2a893c60f66048b3f5ec252d1afd4619335
--- /dev/null
+++ b/rpc-add-support-for-filtering-acls-by-uint-params.patch
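Review bot: The added `ifname = NULL;` in qemuAgentGetInterfaces has no comment, and the patch description says only "CVE-2020-25637", so the reason for the reset is not recorded next to the code. Presumably the function's cleanup path, which is outside this hunk, frees `ifname` again, so an error exit later in the loop body would free the list twice; if that is the case, say so with `/* cleanup frees ifname too; clear it so an error exit below cannot free it twice */`. If the tree offers a free-and-clear helper for string lists, using it here would remove the need for the manual reset. The loop and the function start and end outside the hunk.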
@@ -0,0 +1,100 @@
+From a772926f16825d88ea17e09b88afa38ccdb68bc5 Mon Sep 17 00:00:00 2001
+From: Jan Tomko
+Date: Wed, 14 Oct 2020 17:06:09 +0800
+Subject: [PATCH] rpc: add support for filtering @acls by uint params
+
+CVE-2020-25637
+
+Add a new field to @acl annotations for filtering by
+unsigned int parameters.
+
+Signed-off-by: Jan Tomko
+Reviewed-by: Jiri Denemark
+
+cherry-pick from commit 50864dcda191eb35732dbd80fb6ca251a6bba923
+Signed-off-by: Jiajie Li
+---
+ src/remote/remote_protocol.x | 3 +++
+ src/rpc/gendispatch.pl | 21 ++++++++++++++++++++-
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
+index d4393680e9..5f3858c00c 100644
+--- a/src/remote/remote_protocol.x
++++ b/src/remote/remote_protocol.x
+@@ -3805,6 +3805,7 @@ enum remote_procedure {
+ *
+ * - @acl: :
+ * - @acl: ::
++ * - @acl: ::::
+ *
+ * Declare the access control requirements for the API. May be repeated
+ * multiple times, if multiple rules are required.
+@@ -3814,6 +3815,8 @@ enum remote_procedure {
+ * is one of the permissions in access/viraccessperm.h
+ * indicates the rule only applies if the named flag
+ * is set in the API call
++ * and can be used to check an unsigned in parameter
++ * against value
+ *
+ * - @aclfilter: :
+ *
+diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl
+index 6feb1c8320..590a46ef66 100755
+--- a/src/rpc/gendispatch.pl
++++ b/src/rpc/gendispatch.pl
+@@ -2111,10 +2111,12 @@ elsif ($mode eq "client") {
+ my @acl;
+ foreach (@{$acl}) {
+ my @bits = split /:/;
+- push @acl, { object => $bits[0], perm => $bits[1], flags => $bits[2] }
++ push @acl, { object => $bits[0], perm => $bits[1], flags => $bits[2],
++ param => $bits[3], value => $bits[4] }
+ }
+
+ my $checkflags = 0;
++ my $paramtocheck = undef;
+ for (my $i = 1 ; $i <= $#acl ; $i++) {
+ if ($acl[$i]->{object} ne $acl[0]->{object}) {
+ die "acl for '$call->{ProcName}' cannot check different objects";
+@@ -2122,6 +2124,9 @@ elsif ($mode eq "client") {
+ if (defined $acl[$i]->{flags} && length $acl[$i]->{flags}) {
+ $checkflags = 1;
+ }
++ if (defined $acl[$i]->{param}) {
++ $paramtocheck = $acl[$i]->{param};
++ }
+ }
+
+ my $apiname = $prefix . $call->{ProcName};
+@@ -2157,6 +2162,9 @@ elsif ($mode eq "client") {
+ if ($checkflags) {
+ push @argdecls, "unsigned int flags";
+ }
++ if (defined $paramtocheck) {
++ push @argdecls, "unsigned int " . $paramtocheck;
++ }
+
+ my $ret;
+ my $pass;
+@@ -2217,6 +2225,17 @@ elsif ($mode eq "client") {
+ }
+ print " ";
+ }
++ if (defined $acl->{param}) {
++ my $param = $acl->{param};
++ my $value = $acl->{value};
++ if ($value =~ /^\!/) {
++ $value = substr $value, 1;
++ print "($param != ($value)) &&\n";
++ } else {
++ print "($param == ($value)) &&\n";
++ }
++ print " ";
++ }
+ print "(rv = $method(" . join(", ", @argvars, $perm) . ")) <= 0) {\n";
+ print " virObjectUnref(mgr);\n";
+ if ($action eq "Ensure") {
+--
+2.23.0
+
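Review bot: `$paramtocheck` is filled in the existing `for (my $i = 1 ; $i <= $#acl ; $i++)` loop, which starts at index 1, so a param on the first @acl rule never becomes an argument of the generated function even though the per-rule block added further down still prints a comparison against it. That block also runs `$value =~ /^\!/` without checking that a value was given, and when two rules name different params only the last one is declared. Since this script generates the access checks, I would stop the build on malformed annotations, for example with `die "acl for '$call->{ProcName}' has param without value" unless defined $acl->{value};` as the first statement inside `if (defined $acl->{param})`, and collect the param from `$acl[0]` as well. The added documentation line in remote_protocol.x says "unsigned in parameter" where "unsigned int parameter" is meant. The enclosing `elsif ($mode eq "client")` block starts and ends outside the hunks.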
diff --git a/rpc-gendispatch-handle-empty-flags.patch b/rpc-gendispatch-handle-empty-flags.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f73fb7b57ceb64aafdc075e9dfa1d9c642b5fc95
--- /dev/null
+++ b/rpc-gendispatch-handle-empty-flags.patch
@@ -0,0 +1,47 @@
+From 2f9159c38966dccce9ebc2f50114fbd3841ed887 Mon Sep 17 00:00:00 2001
+From: Jan Tomko
+Date: Wed, 14 Oct 2020 16:38:07 +0800
+Subject: [PATCH] rpc: gendispatch: handle empty flags
+
+CVE-2020-25637
+
+Prepare for omission of the in remote_protocol.x
+@acl annotations:
+ @acl: ::
+so that we can add more field after, e.g.:
+ @acl: :::
+
+Signed-off-by: Jan Tomko
+Reviewed-by: Jiri Denemark
+
+cherry-pick from commit 955029bd0ad7ef96000f529ac38204a8f4a96401
+Signed-off-by: Jiajie Li
+---
+ src/rpc/gendispatch.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl
+index 0b2ae59910..6feb1c8320 100755
+--- a/src/rpc/gendispatch.pl
++++ b/src/rpc/gendispatch.pl
+@@ -2119,7 +2119,7 @@ elsif ($mode eq "client") {
+ if ($acl[$i]->{object} ne $acl[0]->{object}) {
+ die "acl for '$call->{ProcName}' cannot check different objects";
+ }
+- if (defined $acl[$i]->{flags}) {
++ if (defined $acl[$i]->{flags} && length $acl[$i]->{flags}) {
+ $checkflags = 1;
+ }
+ }
+@@ -2207,7 +2207,7 @@ elsif ($mode eq "client") {
+ my $method = "virAccessManagerCheck" . $object;
+ my $space = ' ' x length($method);
+ print " if (";
+- if (defined $acl->{flags}) {
++ if (defined $acl->{flags} && length $acl->{flags}) {
+ my $flags = $acl->{flags};
+ if ($flags =~ /^\!/) {
+ $flags = substr $flags, 1;
+--
+2.23.0
+
diff --git a/rpc-require-write-acl-for-guest-agent-in-virDomainIn.patch b/rpc-require-write-acl-for-guest-agent-in-virDomainIn.patch
new file mode 100644
index 0000000000000000000000000000000000000000..adbba2087f9b05276f90f19e1dd9a27c0a73becb
--- /dev/null
+++ b/rpc-require-write-acl-for-guest-agent-in-virDomainIn.patch
@@ -0,0 +1,78 @@
+From fd6e573efa50f536027fdf88c4520e2b20198503 Mon Sep 17 00:00:00 2001
+From: Jan Tomko
+Date: Wed, 14 Oct 2020 17:18:29 +0800
+Subject: [PATCH] rpc: require write acl for guest agent in
+ virDomainInterfaceAddresses
+
+CVE-2020-25637
+
+Add a requirement for domain:write if source is set to
+VIR_DOMAIN_INTERFACE_ADDRESSES_SRC_AGENT.
+
+Signed-off-by: Jan Tomko
+Reported-by: Ilja Van Sprundel
+Reviewed-by: Jiri Denemark
+
+cherry-pick from commit e4116eaa44cb366b59f7fe98f4b88d04c04970ad
+Signed-off-by: Jiajie Li
+---
+ src/libxl/libxl_driver.c | 2 +-
+ src/lxc/lxc_driver.c | 2 +-
+ src/qemu/qemu_driver.c | 2 +-
+ src/remote/remote_protocol.x | 1 +
+ 4 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/libxl/libxl_driver.c b/src/libxl/libxl_driver.c
+index 7ec4fcc3d1..16bc91d503 100644
+--- a/src/libxl/libxl_driver.c
++++ b/src/libxl/libxl_driver.c
+@@ -6381,7 +6381,7 @@ libxlDomainInterfaceAddresses(virDomainPtr dom,
+ if (!(vm = libxlDomObjFromDomain(dom)))
+ goto cleanup;
+
+- if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def) < 0)
++ if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def, source) < 0)
+ goto cleanup;
+
+ if (virDomainObjCheckActive(vm) < 0)
+diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
+index 851894c459..71c7068bbf 100644
+--- a/src/lxc/lxc_driver.c
++++ b/src/lxc/lxc_driver.c
+@@ -1698,7 +1698,7 @@ lxcDomainInterfaceAddresses(virDomainPtr dom,
+ if (!(vm = lxcDomObjFromDomain(dom)))
+ goto cleanup;
+
+- if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def) < 0)
++ if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def, source) < 0)
+ goto cleanup;
+
+ if (virDomainObjCheckActive(vm) < 0)
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 8bc5368b2f..c0e88bca46 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -22042,7 +22042,7 @@ qemuDomainInterfaceAddresses(virDomainPtr dom,
+ if (!(vm = qemuDomainObjFromDomain(dom)))
+ goto cleanup;
+
+- if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def) < 0)
++ if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def, source) < 0)
+ goto cleanup;
+
+ if (virDomainObjCheckActive(vm) < 0)
+diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
+index 5f3858c00c..8b05082b61 100644
+--- a/src/remote/remote_protocol.x
++++ b/src/remote/remote_protocol.x
+@@ -6211,6 +6211,7 @@ enum remote_procedure {
+ /**
+ * @generate: none
+ * @acl: domain:read
++ * @acl: domain:write::source:VIR_DOMAIN_INTERFACE_ADDRESSES_SRC_AGENT
+ */
+ REMOTE_PROC_DOMAIN_INTERFACE_ADDRESSES = 353,
+
+--
+2.23.0
+
diff --git a/virstoragetest-testBackingParse-Use-VIR_DOMAIN_DEF_F.patch b/virstoragetest-testBackingParse-Use-VIR_DOMAIN_DEF_F.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e13d911fdeb954d6ce872c35759936c08e4dd316
--- /dev/null
+++ b/virstoragetest-testBackingParse-Use-VIR_DOMAIN_DEF_F.patch
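Review bot: The new rule in remote_protocol.x demands domain:write only when `source` equals VIR_DOMAIN_INTERFACE_ADDRESSES_SRC_AGENT, so a source value added later that also reaches the guest agent would fall back to domain:read unless someone remembers to extend the annotation. A comment beside the rule would make that dependency visible, for example `* Every source that queries the guest agent needs its own domain:write rule here.` placed above the new `@acl` line. The three driver call sites pass `source` to virDomainInterfaceAddressesEnsureACL with no note on why the ACL check now depends on it; a short comment there such as `/* agent source needs domain:write, see remote_protocol.x */` would help readers of the drivers. The driver functions start and end outside the hunks.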
@@ -0,0 +1,40 @@
+From a4f3c6bcc0b27703fb35c1a9e363540301ccfe92 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Tue, 4 Aug 2020 09:09:04 +0000
+Subject: [PATCH] virstoragetest: testBackingParse: Use
+ VIR_DOMAIN_DEF_FORMAT_SECURE when formatting xml
+
+We want to format even the secure information in tests.
+
+Signed-off-by: Peter Krempa
+Reviewed-by: Erik Skultety
+(cherry-picked from commit 524de6cc35d3b222f0e940bb0fd027f5482572c5)
+Signed-off-by: Xu Yandong
+---
+ tests/virstoragetest.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tests/virstoragetest.c b/tests/virstoragetest.c
+index 6e8ebeba13..6d2b21c25f 100644
+--- a/tests/virstoragetest.c
++++ b/tests/virstoragetest.c
+@@ -594,6 +594,7 @@ testBackingParse(const void *args)
+ g_autoptr(virStorageSource) src = NULL;
+ int rc;
+ int erc = data->rv;
++ unsigned int xmlformatflags = VIR_DOMAIN_DEF_FORMAT_SECURE;
+
+ /* expect failure return code with NULL expected data */
+ if (!data->expect)
+@@ -613,7 +614,7 @@ testBackingParse(const void *args)
+ return -1;
+ }
+
+- if (virDomainDiskSourceFormat(&buf, src, "source", 0, false, 0, true, NULL) < 0 ||
++ if (virDomainDiskSourceFormat(&buf, src, "source", 0, false, xmlformatflags, true, NULL) < 0 ||
+ !(xml = virBufferContentAndReset(&buf))) {
+ fprintf(stderr, "failed to format disk source xml\n");
+ return -1;
+--
+2.23.0
+
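Review bot: With `xmlformatflags` fixed to VIR_DOMAIN_DEF_FORMAT_SECURE, testBackingParse only exercises the path where secure data is formatted, so nothing visible here checks that cookies are left out when the flag is absent. That omission is the confidentiality property the companion domain_conf.c change introduces, so I would add a case that formats the same source with flags `0` and asserts the output contains no cookie data. The reason given in the commit message would also be useful above the new declaration, e.g. `/* format secrets too so the expected XML can include cookies */`. testBackingParse starts and ends outside the hunks.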