From bbee1d2694de2749d6641fed00276d965581d23f Mon Sep 17 00:00:00 2001
From: "Huawei Technologies Co., Ltd"
Date: Wed, 14 Oct 2020 16:38:07 +0800
Subject: [PATCH 1/6] rpc: gendispatch: handle empty flags

CVE-2020-25637

Prepare for omission of the in remote_protocol.x
@acl annotations:
 @acl: ::
so that we can add more field after, e.g.:
 @acl: :::

Signed-off-by: Jan Tomko
Reviewed-by: Jiri Denemark

cherry-pick from commit 955029bd0ad7ef96000f529ac38204a8f4a96401
Signed-off-by: Jiajie Li
---
 rpc-gendispatch-handle-empty-flags.patch | 47 ++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 rpc-gendispatch-handle-empty-flags.patch
diff --git a/rpc-gendispatch-handle-empty-flags.patch b/rpc-gendispatch-handle-empty-flags.patch
new file mode 100644
index 0000000..20b65bc
--- /dev/null
+++ b/rpc-gendispatch-handle-empty-flags.patch
@@ -0,0 +1,47 @@
+From bdf86cc3af84887e486842ebdb35baa10f91dade Mon Sep 17 00:00:00 2001
+From: Jan Tomko
+Date: Wed, 14 Oct 2020 16:38:07 +0800
+Subject: [PATCH] rpc: gendispatch: handle empty flags
+
+CVE-2020-25637
+
+Prepare for omission of the in remote_protocol.x
+@acl annotations:
+ @acl: ::
+so that we can add more field after, e.g.:
+ @acl: :::
+
+Signed-off-by: Jan Tomko
+Reviewed-by: Jiri Denemark
+
+cherry-pick from commit 955029bd0ad7ef96000f529ac38204a8f4a96401
+Signed-off-by: Jiajie Li
+---
+ src/rpc/gendispatch.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl
+index 0b2ae59910..6feb1c8320 100755
+--- a/src/rpc/gendispatch.pl
++++ b/src/rpc/gendispatch.pl
+@@ -2119,7 +2119,7 @@ elsif ($mode eq "client") {
+ if ($acl[$i]->{object} ne $acl[0]->{object}) {
+ die "acl for '$call->{ProcName}' cannot check different objects";
+ }
+- if (defined $acl[$i]->{flags}) {
++ if (defined $acl[$i]->{flags} && length $acl[$i]->{flags}) {
+ $checkflags = 1;
+ }
+ }
+@@ -2207,7 +2207,7 @@ elsif ($mode eq "client") {
+ my $method = "virAccessManagerCheck" . $object;
+ my $space = ' ' x length($method);
+ print " if (";
+- if (defined $acl->{flags}) {
++ if (defined $acl->{flags} && length $acl->{flags}) {
+ my $flags = $acl->{flags};
+ if ($flags =~ /^\!/) {
+ $flags = substr $flags, 1;
+-- 
+2.23.0
+
-- 
Gitee
From 6cf7c11f6355df19aa4dc3443848ca2cc2f3c615 Mon Sep 17 00:00:00 2001
From: "Huawei Technologies Co., Ltd"
Date: Wed, 14 Oct 2020 17:06:09 +0800
Subject: [PATCH 2/6] rpc: add support for filtering @acls by uint params

CVE-2020-25637

Add a new field to @acl annotations for filtering by
unsigned int parameters.

Signed-off-by: Jan Tomko
Reviewed-by: Jiri Denemark

cherry-pick from commit 50864dcda191eb35732dbd80fb6ca251a6bba923
Signed-off-by: Jiajie Li
---
 ...rt-for-filtering-acls-by-uint-params.patch | 100 ++++++++++++++++++
 1 file changed, 100 insertions(+)
 create mode 100644 rpc-add-support-for-filtering-acls-by-uint-params.patch
diff --git a/rpc-add-support-for-filtering-acls-by-uint-params.patch b/rpc-add-support-for-filtering-acls-by-uint-params.patch
new file mode 100644
index 0000000..b30b929
--- /dev/null
+++ b/rpc-add-support-for-filtering-acls-by-uint-params.patch
@@ -0,0 +1,100 @@
+From e1a37691c982cd1f983951badd69a905683d4b77 Mon Sep 17 00:00:00 2001
+From: Jan Tomko
+Date: Wed, 14 Oct 2020 17:06:09 +0800
+Subject: [PATCH] rpc: add support for filtering @acls by uint params
+
+CVE-2020-25637
+
+Add a new field to @acl annotations for filtering by
+unsigned int parameters.
+
+Signed-off-by: Jan Tomko
+Reviewed-by: Jiri Denemark
+
+cherry-pick from commit 50864dcda191eb35732dbd80fb6ca251a6bba923
+Signed-off-by: Jiajie Li
+---
+ src/remote/remote_protocol.x | 3 +++
+ src/rpc/gendispatch.pl | 21 ++++++++++++++++++++-
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
+index d4393680e9..5f3858c00c 100644
+--- a/src/remote/remote_protocol.x
++++ b/src/remote/remote_protocol.x
+@@ -3805,6 +3805,7 @@ enum remote_procedure {
+ *
+ * - @acl: :
+ * - @acl: ::
++ * - @acl: ::::
+ *
+ * Declare the access control requirements for the API. May be repeated
+ * multiple times, if multiple rules are required.
+@@ -3814,6 +3815,8 @@ enum remote_procedure {
+ * is one of the permissions in access/viraccessperm.h
+ * indicates the rule only applies if the named flag
+ * is set in the API call
++ * and can be used to check an unsigned in parameter
++ * against value
+ *
+ * - @aclfilter: :
+ *
+diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl
+index 6feb1c8320..590a46ef66 100755
+--- a/src/rpc/gendispatch.pl
++++ b/src/rpc/gendispatch.pl
+@@ -2111,10 +2111,12 @@ elsif ($mode eq "client") {
+ my @acl;
+ foreach (@{$acl}) {
+ my @bits = split /:/;
+- push @acl, { object => $bits[0], perm => $bits[1], flags => $bits[2] }
++ push @acl, { object => $bits[0], perm => $bits[1], flags => $bits[2],
++ param => $bits[3], value => $bits[4] }
+ }
+
+ my $checkflags = 0;
++ my $paramtocheck = undef;
+ for (my $i = 1 ; $i <= $#acl ; $i++) {
+ if ($acl[$i]->{object} ne $acl[0]->{object}) {
+ die "acl for '$call->{ProcName}' cannot check different objects";
+@@ -2122,6 +2124,9 @@ elsif ($mode eq "client") {
+ if (defined $acl[$i]->{flags} && length $acl[$i]->{flags}) {
+ $checkflags = 1;
+ }
++ if (defined $acl[$i]->{param}) {
++ $paramtocheck = $acl[$i]->{param};
++ }
+ }
+
+ my $apiname = $prefix . $call->{ProcName};
+@@ -2157,6 +2162,9 @@ elsif ($mode eq "client") {
+ if ($checkflags) {
+ push @argdecls, "unsigned int flags";
+ }
++ if (defined $paramtocheck) {
++ push @argdecls, "unsigned int " . $paramtocheck;
++ }
+
+ my $ret;
+ my $pass;
+@@ -2217,6 +2225,17 @@ elsif ($mode eq "client") {
+ }
+ print " ";
+ }
++ if (defined $acl->{param}) {
++ my $param = $acl->{param};
++ my $value = $acl->{value};
++ if ($value =~ /^\!/) {
++ $value = substr $value, 1;
++ print "($param != ($value)) &&\n";
++ } else {
++ print "($param == ($value)) &&\n";
++ }
++ print " ";
++ }
+ print "(rv = $method(" . join(", ", @argvars, $perm) . ")) <= 0) {\n";
+ print " virObjectUnref(mgr);\n";
+ if ($action eq "Ensure") {
+-- 
+2.23.0
+
-- 
Gitee
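Review bot: In the new `if (defined $acl->{param})` block at the end of the last gendispatch.pl hunk, `$acl->{value}` is used without a definedness check, so an annotation that names a param but omits the value (`object:perm::param`) warns under `use warnings` and emits `(param == ())` into the generated C, surfacing as a compiler error later instead of a clear failure at generation time; add `die "acl for '$call->{ProcName}' has param without value" unless defined $value;` before the `=~` test (assuming `$call` is in scope there as it is in the earlier hunk). Likewise the `$paramtocheck = $acl[$i]->{param}` assignment silently lets the last rule win when two rules name different params, so only one `unsigned int` argument is declared; mirror the existing object check with `die "acl for '$call->{ProcName}' cannot check different params" if defined $paramtocheck && $paramtocheck ne $acl[$i]->{param};`. As with `$checkflags`, the loop starts at index 1, so a param on the first `@acl` rule is never declared — presumably intentional since the first rule is the unconditional one, but a one-line comment saying so would help; the enclosing `foreach` and mode branch lie outside the hunk. The remote_protocol.x comment hunk reads `check an unsigned in parameter`, presumably `unsigned int`.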
From 21adb3e64f01cef3efe4dafab91dfd8939310241 Mon Sep 17 00:00:00 2001
From: "Huawei Technologies Co., Ltd"
Date: Wed, 14 Oct 2020 17:18:29 +0800
Subject: [PATCH 3/6] rpc: require write acl for guest agent in virDomainInterfaceAddresses

CVE-2020-25637

Add a requirement for domain:write if source is set to
VIR_DOMAIN_INTERFACE_ADDRESSES_SRC_AGENT.

Signed-off-by: Jan Tomko
Reported-by: Ilja Van Sprundel
Reviewed-by: Jiri Denemark

cherry-pick from commit e4116eaa44cb366b59f7fe98f4b88d04c04970ad
Signed-off-by: Jiajie Li
---
 ...e-acl-for-guest-agent-in-virDomainIn.patch | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 rpc-require-write-acl-for-guest-agent-in-virDomainIn.patch
diff --git a/rpc-require-write-acl-for-guest-agent-in-virDomainIn.patch b/rpc-require-write-acl-for-guest-agent-in-virDomainIn.patch
new file mode 100644
index 0000000..21be664
--- /dev/null
+++ b/rpc-require-write-acl-for-guest-agent-in-virDomainIn.patch
@@ -0,0 +1,78 @@
+From 647f3bfe7152aba930d2d2fd1b86af139fe0fb10 Mon Sep 17 00:00:00 2001
+From: Jan Tomko
+Date: Wed, 14 Oct 2020 17:18:29 +0800
+Subject: [PATCH] rpc: require write acl for guest agent in
+ virDomainInterfaceAddresses
+
+CVE-2020-25637
+
+Add a requirement for domain:write if source is set to
+VIR_DOMAIN_INTERFACE_ADDRESSES_SRC_AGENT.
+
+Signed-off-by: Jan Tomko
+Reported-by: Ilja Van Sprundel
+Reviewed-by: Jiri Denemark
+
+cherry-pick from commit e4116eaa44cb366b59f7fe98f4b88d04c04970ad
+Signed-off-by: Jiajie Li
+---
+ src/libxl/libxl_driver.c | 2 +-
+ src/lxc/lxc_driver.c | 2 +-
+ src/qemu/qemu_driver.c | 2 +-
+ src/remote/remote_protocol.x | 1 +
+ 4 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/libxl/libxl_driver.c b/src/libxl/libxl_driver.c
+index 980984b199..f07700b71c 100644
+--- a/src/libxl/libxl_driver.c
++++ b/src/libxl/libxl_driver.c
+@@ -6381,7 +6381,7 @@ libxlDomainInterfaceAddresses(virDomainPtr dom,
+ if (!(vm = libxlDomObjFromDomain(dom)))
+ goto cleanup;
+
+- if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def) < 0)
++ if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def, source) < 0)
+ goto cleanup;
+
+ if (virDomainObjCheckActive(vm) < 0)
+diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
+index 851894c459..71c7068bbf 100644
+--- a/src/lxc/lxc_driver.c
++++ b/src/lxc/lxc_driver.c
+@@ -1698,7 +1698,7 @@ lxcDomainInterfaceAddresses(virDomainPtr dom,
+ if (!(vm = lxcDomObjFromDomain(dom)))
+ goto cleanup;
+
+- if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def) < 0)
++ if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def, source) < 0)
+ goto cleanup;
+
+ if (virDomainObjCheckActive(vm) < 0)
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index a0f6df2490..5901f922bf 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -22058,7 +22058,7 @@ qemuDomainInterfaceAddresses(virDomainPtr dom,
+ if (!(vm = qemuDomainObjFromDomain(dom)))
+ goto cleanup;
+
+- if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def) < 0)
++ if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def, source) < 0)
+ goto cleanup;
+
+ if (virDomainObjCheckActive(vm) < 0)
+diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
+index 5f3858c00c..8b05082b61 100644
+--- a/src/remote/remote_protocol.x
++++ b/src/remote/remote_protocol.x
+@@ -6211,6 +6211,7 @@ enum remote_procedure {
+ /**
+ * @generate: none
+ * @acl: domain:read
++ * @acl: domain:write::source:VIR_DOMAIN_INTERFACE_ADDRESSES_SRC_AGENT
+ */
+ REMOTE_PROC_DOMAIN_INTERFACE_ADDRESSES = 353,
+
+-- 
+2.23.0
+
-- 
Gitee
From b35e3571d32b8372ed2b7199c527c4a9cbf03289 Mon Sep 17 00:00:00 2001
From: "Huawei Technologies Co., Ltd"
Date: Wed, 14 Oct 2020 17:23:54 +0800
Subject: [PATCH 4/6] qemu: agent: set ifname to NULL after freeing

CVE-2020-25637

Signed-off-by: Jan Tomko
Rported-by: Ilja Van Sprundel
Reviewed-by: Mauro Matteo Cascella
Reviewed-by: Jiri Denemark

cherry-pick from commit a63b48c5ecef077bf0f909a85f453a605600cf05
Signed-off-by: Jiajie Li
---
 ...ent-set-ifname-to-NULL-after-freeing.patch | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 qemu-agent-set-ifname-to-NULL-after-freeing.patch
diff --git a/qemu-agent-set-ifname-to-NULL-after-freeing.patch b/qemu-agent-set-ifname-to-NULL-after-freeing.patch
new file mode 100644
index 0000000..9498da5
--- /dev/null
+++ b/qemu-agent-set-ifname-to-NULL-after-freeing.patch
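Review bot: The three driver hunks pass `source` straight into `virDomainInterfaceAddressesEnsureACL`, whose generated third parameter is `unsigned int` (the previous patch emits it via `push @argdecls, "unsigned int " . $paramtocheck`), so the callers' `source` parameter — declared outside these hunks in each `*DomainInterfaceAddresses` signature — should itself be `unsigned int` to avoid a sign-conversion at the call; please confirm. Because the generated checker now takes a third argument, any other driver implementing this API that is not touched here would fail to build rather than silently skip the check, which is the safe failure mode, but it is worth confirming no such driver exists in this tree. The new rule in remote_protocol.x uses the just-introduced `::param:value` filter syntax and is easy to misread, so a why-comment next to it would help, e.g. `* fetching addresses through the guest agent additionally requires domain:write`. The enclosing functions in all three driver hunks start and end outside the hunk.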
@@ -0,0 +1,33 @@
+From f759c367b48a25113ad5bde12f3951909a03bf22 Mon Sep 17 00:00:00 2001
+From: Jan Tomko
+Date: Wed, 14 Oct 2020 17:23:54 +0800
+Subject: [PATCH] qemu: agent: set ifname to NULL after freeing
+
+CVE-2020-25637
+
+Signed-off-by: Jan Tomko
+Rported-by: Ilja Van Sprundel
+Reviewed-by: Mauro Matteo Cascella
+Reviewed-by: Jiri Denemark
+
+cherry-pick from commit a63b48c5ecef077bf0f909a85f453a605600cf05
+Signed-off-by: Jiajie Li
+---
+ src/qemu/qemu_agent.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/qemu/qemu_agent.c b/src/qemu/qemu_agent.c
+index d7fcc869c6..31d3268d42 100644
+--- a/src/qemu/qemu_agent.c
++++ b/src/qemu/qemu_agent.c
+@@ -2166,6 +2166,7 @@ qemuAgentGetInterfaces(qemuAgentPtr agent,
+
+ /* Has to be freed for each interface. */
+ virStringListFree(ifname);
++ ifname = NULL;
+
+ /* as well as IP address which - moreover -
+ * can be presented multiple times */
+-- 
+2.23.0
+
-- 
Gitee
From 0d667fe7e3ad0458eb50564774036b472750a1aa Mon Sep 17 00:00:00 2001
From: Euler Robot
Date: Tue, 27 Oct 2020 09:16:04 +0800
Subject: [PATCH 5/6] spec: Update patch and changelog with !12

rpc: gendispatch: handle empty flags
rpc: add support for filtering @acls by uint params
rpc: require write acl for guest agent in virDomainInterfaceAddresses
qemu: agent: set ifname to NULL after freeing

Signed-off-by: Jan Tomko
Signed-off-by: Jiajie Li
---
 libvirt.spec | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/libvirt.spec b/libvirt.spec
index bc5e82f..1d3776f 100644
--- a/libvirt.spec
+++ b/libvirt.spec
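Review bot: The added `ifname = NULL;` after `virStringListFree(ifname)` is the whole fix but carries no explanation, and the existing comment only says the list must be freed per interface; extend it to state why the reset matters, e.g. `/* Has to be freed for each interface; reset so a later free of ifname (next iteration or cleanup) cannot act on the stale pointer. */` — the loop and the cleanup path lie outside the hunk, so the exact second-free site is inferred from the commit subject and should be confirmed. If qemu_agent.c already uses glib helpers, `g_clear_pointer(&ifname, virStringListFree);` expresses free-and-reset in one statement and prevents the two lines from drifting apart again. The trailer in the embedded patch header reads `Rported-by:`, presumably `Reported-by:`.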
@@ -164,6 +164,10 @@ Patch0053: qemuDomainDefPostParse-Fail-if-unable-to-fill-machin.patch
 Patch0054: virNetDevGetFamilyId-Change-signature.patch
 Patch0055: virNetDevSwitchdevFeature-Make-failure-to-get-family.patch
 Patch0056: qemuDomainGetUnplugTimeout-Add-G_GNUC_NO_INLINE.patch
+Patch0057: rpc-gendispatch-handle-empty-flags.patch
+Patch0058: rpc-add-support-for-filtering-acls-by-uint-params.patch
+Patch0059: rpc-require-write-acl-for-guest-agent-in-virDomainIn.patch
+Patch0060: qemu-agent-set-ifname-to-NULL-after-freeing.patch

 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@@ -1896,6 +1900,12 @@ exit 0

 %changelog
+* Wed Oct 14 2020 Huawei Technologies Co., Ltd
+- rpc: gendispatch: handle empty flags
+- rpc: add support for filtering @acls by uint params
+- rpc: require write acl for guest agent in virDomainInterfaceAddresses
+- qemu: agent: set ifname to NULL after freeing
+
 * Tue Sep 22 2020 AlexChen - 6.2.0-13
 - bugfix: cherry-pick some bugfix patches from opensource community

 * Tue Sep 22 2020 Hao Wang - 6.2.0-12
-- 
Gitee
From d32ce0cf48ac296fd5885c107761e3db65bd7759 Mon Sep 17 00:00:00 2001
From: Euler Robot
Date: Tue, 27 Oct 2020 09:16:04 +0800
Subject: [PATCH 6/6] spec: Update release version with !12

increase release verison by one

Signed-off-by: Euler Robot
---
 libvirt.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libvirt.spec b/libvirt.spec
index 1d3776f..4031623 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -99,7 +99,7 @@ Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 6.2.0
-Release: 13
+Release: 14
 License: LGPLv2+
 URL: https://libvirt.org/
-- 
Gitee
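Review bot: The four new `Patch0057`–`Patch0060` lines only declare the sources; whether they are applied depends on the `%prep` section, which is outside this hunk — if the spec uses explicit `%patch` invocations rather than an auto-apply macro such as `%autosetup`, matching entries are needed there too, otherwise the CVE-2020-25637 fixes never reach the build. In the `%changelog` hunk the new header `* Wed Oct 14 2020 Huawei Technologies Co., Ltd` omits the release suffix that the neighbouring entries carry (`- 6.2.0-13`, `- 6.2.0-12`); write it as `* Wed Oct 14 2020 Huawei Technologies Co., Ltd - 6.2.0-14` to match the `Release: 14` bump in the following patch. The entry also never names the advisory, although every embedded patch does; prefixing at least the fix line, e.g. `- CVE-2020-25637: rpc: require write acl for guest agent in virDomainInterfaceAddresses`, makes the security fix discoverable from the package changelog.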