From: Jonathon Jongsma
To: libvir-list@redhat.com
Date: Thu, 5 Dec 2019 10:08:50 -0600
Message-Id: <20191205160857.30182-2-jjongsma@redhat.com>
In-Reply-To: <20191205160857.30182-1-jjongsma@redhat.com>
References: <20191205160857.30182-1-jjongsma@redhat.com>
Subject: [libvirt] [PATCH 1/8] qemu: don't take agent and monitor job for shutdown
Content-Transfer-Encoding: quoted-printable

We have to assume that the guest agent may be malicious so we don't want to allow any agent queries to block any other libvirt API. By holding a monitor job while we're querying the agent, we open ourselves up to a DoS.

So split the function into separate parts: one that does the agent shutdown and one that does the monitor shutdown. Each part holds only a job of the appropriate type.

Signed-off-by: Jonathon Jongsma
---
 src/qemu/qemu_driver.c | 116 +++++++++++++++++++++++++----------------
 1 file changed, 72 insertions(+), 44 deletions(-)

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 1911073f3e..92efde72dd 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c
@@ -1929,6 +1929,72 @@ static int qemuDomainResume(virDomainPtr dom) return ret; } =20 +static int qemuDomainShutdownFlagsAgent(virQEMUDriverPtr driver, + virDomainObjPtr vm, + bool isReboot, + bool reportError) +{ + int ret =3D -1; + qemuAgentPtr agent; + int agentFlag =3D isReboot ? QEMU_AGENT_SHUTDOWN_REBOOT : + QEMU_AGENT_SHUTDOWN_POWERDOWN; + + if (qemuDomainObjBeginAgentJob(driver, vm, + QEMU_AGENT_JOB_MODIFY) < 0) + goto cleanup; + + if (virDomainObjGetState(vm, NULL) !=3D VIR_DOMAIN_RUNNING) { + virReportError(VIR_ERR_OPERATION_INVALID, + "%s", _("domain is not running")); + goto endjob; + } + + if (!qemuDomainAgentAvailable(vm, reportError)) + goto endjob; + + qemuDomainSetFakeReboot(driver, vm, false); + agent =3D qemuDomainObjEnterAgent(vm); + ret =3D qemuAgentShutdown(agent, agentFlag); + qemuDomainObjExitAgent(vm, agent); + + endjob: + qemuDomainObjEndAgentJob(vm); + + cleanup: + return ret; +} + +static int qemuDomainShutdownFlagsMonitor(virQEMUDriverPtr driver, + virDomainObjPtr vm, + bool isReboot) +{ + int ret =3D -1; + qemuDomainObjPrivatePtr priv; + + priv =3D vm->privateData; + + if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0) + goto cleanup; + + if (virDomainObjGetState(vm, NULL) !=3D VIR_DOMAIN_RUNNING) { + virReportError(VIR_ERR_OPERATION_INVALID, + "%s", _("domain is not running")); + goto endjob; + } + + qemuDomainSetFakeReboot(driver, vm, isReboot); + qemuDomainObjEnterMonitor(driver, vm); + ret =3D qemuMonitorSystemPowerdown(priv->mon); + if (qemuDomainObjExitMonitor(driver, vm) < 0) + ret =3D -1; + + endjob: + qemuDomainObjEndJob(driver, vm); + + cleanup: + return ret; +} + static int qemuDomainShutdownFlags(virDomainPtr dom, unsigned int flags) { virQEMUDriverPtr driver =3D dom->conn->privateData; 
@@ -1938,8 +2004,6 @@ static int qemuDomainShutdownFlags(virDomainPtr dom, = unsigned int flags) bool useAgent =3D false, agentRequested, acpiRequested; bool isReboot =3D false; bool agentForced; - qemuDomainAgentJob agentJob =3D QEMU_AGENT_JOB_NONE; - int agentFlag =3D QEMU_AGENT_SHUTDOWN_POWERDOWN; =20 virCheckFlags(VIR_DOMAIN_SHUTDOWN_ACPI_POWER_BTN | VIR_DOMAIN_SHUTDOWN_GUEST_AGENT, -1); @@ -1950,7 +2014,6 @@ static int qemuDomainShutdownFlags(virDomainPtr dom, = unsigned int flags) if (vm->def->onPoweroff =3D=3D VIR_DOMAIN_LIFECYCLE_ACTION_RESTART || vm->def->onPoweroff =3D=3D VIR_DOMAIN_LIFECYCLE_ACTION_RESTART_REN= AME) { isReboot =3D true; - agentFlag =3D QEMU_AGENT_SHUTDOWN_REBOOT; VIR_INFO("Domain on_poweroff setting overridden, attempting reboot= "); } =20 
@@ -1965,62 +2028,27 @@ static int qemuDomainShutdownFlags(virDomainPtr dom= , unsigned int flags) if (virDomainShutdownFlagsEnsureACL(dom->conn, vm->def, flags) < 0) goto cleanup; =20 - if (useAgent) - agentJob =3D QEMU_AGENT_JOB_MODIFY; - - if (qemuDomainObjBeginJobWithAgent(driver, vm, - QEMU_JOB_MODIFY, - agentJob) < 0) - goto cleanup; - - if (virDomainObjGetState(vm, NULL) !=3D VIR_DOMAIN_RUNNING) { - virReportError(VIR_ERR_OPERATION_INVALID, - "%s", _("domain is not running")); - goto endjob; - } - agentForced =3D agentRequested && !acpiRequested; - if (!qemuDomainAgentAvailable(vm, agentForced)) { - if (agentForced) - goto endjob; - useAgent =3D false; - } - - if (useAgent) { - qemuAgentPtr agent; - qemuDomainSetFakeReboot(driver, vm, false); - agent =3D qemuDomainObjEnterAgent(vm); - ret =3D qemuAgentShutdown(agent, agentFlag); - qemuDomainObjExitAgent(vm, agent); + ret =3D qemuDomainShutdownFlagsAgent(driver, vm, isReboot, agentFo= rced); + if (ret < 0 && agentForced) + goto cleanup; } =20 /* If we are not enforced to use just an agent, try ACPI * shutdown as well in case agent did not succeed. */ - if (!useAgent || - (ret < 0 && (acpiRequested || !flags))) { - + if (!useAgent || (ret < 0 && (acpiRequested || !flags))) { /* Even if agent failed, we have to check if guest went away * by itself while our locks were down. 
*/ if (useAgent && !virDomainObjIsActive(vm)) { ret =3D 0; - goto endjob; + goto cleanup; } =20 - qemuDomainSetFakeReboot(driver, vm, isReboot); - qemuDomainObjEnterMonitor(driver, vm); - ret =3D qemuMonitorSystemPowerdown(priv->mon); - if (qemuDomainObjExitMonitor(driver, vm) < 0) - ret =3D -1; + ret =3D qemuDomainShutdownFlagsMonitor(driver, vm, isReboot); } =20 - endjob: - if (agentJob) - qemuDomainObjEndJobWithAgent(driver, vm); - else - qemuDomainObjEndJob(driver, vm); - cleanup: virDomainObjEndAPI(&vm); return ret; --=20 2.21.0
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
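
Review bot: in qemuDomainShutdownFlags the caller cannot tell why qemuDomainShutdownFlagsAgent failed, because the helper returns -1 both when the domain is not running on entry and when qemuAgentShutdown itself fails. When the agent was not forced, control then reaches the existing "if (useAgent && !virDomainObjIsActive(vm)) { ret = 0; goto cleanup; }" branch, so a domain that was already inactive before the call can now return success where the removed single-job code reported "domain is not running" and returned -1 (unless a check outside these hunks rejects it earlier). Consider giving the state check a distinct return value, or testing for an active domain before calling the agent helper. Both new helpers would also benefit from a short comment saying that the caller must not hold a job and that domain state has to be revalidated after the gap between qemuDomainObjEndAgentJob and qemuDomainObjBeginJob.
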
From: Jonathon Jongsma
To: libvir-list@redhat.com
Date: Thu, 5 Dec 2019 10:08:51 -0600
Message-Id: <20191205160857.30182-3-jjongsma@redhat.com>
In-Reply-To: <20191205160857.30182-1-jjongsma@redhat.com>
References: <20191205160857.30182-1-jjongsma@redhat.com>
Subject: [libvirt] [PATCH 2/8] qemu: don't hold a monitor and agent job for reboot
Content-Transfer-Encoding: quoted-printable

We have to assume that the guest agent may be malicious so we don't want to allow any agent queries to block any other libvirt API. By holding a monitor job while we're querying the agent, we open ourselves up to a DoS.

Split the function so that we only hold the appropriate type of job while rebooting.

Signed-off-by: Jonathon Jongsma
---
 src/qemu/qemu_driver.c | 111 +++++++++++++++++++++++++----------------
 1 file changed, 68 insertions(+), 43 deletions(-)

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 92efde72dd..edd36f4a89 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -2059,6 +2059,69 @@ static int qemuDomainShutdown(virDomainPtr dom) return qemuDomainShutdownFlags(dom, 0); } =20 +static int +qemuDomainRebootAgent(virQEMUDriverPtr driver, + virDomainObjPtr vm, + bool isReboot, + bool agentForced) +{ + qemuAgentPtr agent; + int ret =3D -1; + int agentFlag =3D QEMU_AGENT_SHUTDOWN_REBOOT; + + if (!isReboot) + agentFlag =3D QEMU_AGENT_SHUTDOWN_POWERDOWN; + + if (qemuDomainObjBeginAgentJob(driver, vm, + QEMU_AGENT_JOB_MODIFY) < 0) + return -1; + + if (!qemuDomainAgentAvailable(vm, agentForced)) + goto endjob; + + if (virDomainObjCheckActive(vm) < 0) + goto endjob; + + qemuDomainSetFakeReboot(driver, vm, false); + agent =3D qemuDomainObjEnterAgent(vm); + ret =3D qemuAgentShutdown(agent, agentFlag); + qemuDomainObjExitAgent(vm, agent); + + endjob: + qemuDomainObjEndAgentJob(vm); + return ret; +} + +static int +qemuDomainRebootMonitor(virQEMUDriverPtr driver, + virDomainObjPtr vm, + bool isReboot) +{ + qemuDomainObjPrivatePtr priv =3D vm->privateData; + int ret =3D -1; + + if (qemuDomainObjBeginJob(driver, vm, + QEMU_JOB_MODIFY) < 0) + return -1; + + if (virDomainObjCheckActive(vm) < 0) + goto endjob; + +#if !WITH_YAJL + virReportError(VIR_ERR_OPERATION_INVALID, "%s", + _("ACPI reboot is not supported without the JSON monito= r")); + goto endjob; +#endif + qemuDomainSetFakeReboot(driver, vm, isReboot); + qemuDomainObjEnterMonitor(driver, vm); + ret =3D qemuMonitorSystemPowerdown(priv->mon); + if (qemuDomainObjExitMonitor(driver, vm) < 0) + ret =3D -1; + + endjob: + qemuDomainObjEndJob(driver, vm); + return ret; +} =20 static int qemuDomainReboot(virDomainPtr dom, unsigned int flags) 
@@ -2070,8 +2133,6 @@ qemuDomainReboot(virDomainPtr dom, unsigned int flags) bool useAgent =3D false, agentRequested, acpiRequested; bool isReboot =3D true; bool agentForced; - qemuDomainAgentJob agentJob =3D QEMU_AGENT_JOB_NONE; - int agentFlag =3D QEMU_AGENT_SHUTDOWN_REBOOT; =20 virCheckFlags(VIR_DOMAIN_REBOOT_ACPI_POWER_BTN | VIR_DOMAIN_REBOOT_GUEST_AGENT, -1); @@ -2081,7 +2142,6 @@ qemuDomainReboot(virDomainPtr dom, unsigned int flags) =20 if (vm->def->onReboot =3D=3D VIR_DOMAIN_LIFECYCLE_ACTION_DESTROY || vm->def->onReboot =3D=3D VIR_DOMAIN_LIFECYCLE_ACTION_PRESERVE) { - agentFlag =3D QEMU_AGENT_SHUTDOWN_POWERDOWN; isReboot =3D false; VIR_INFO("Domain on_reboot setting overridden, shutting down"); } 
@@ -2097,56 +2157,21 @@ qemuDomainReboot(virDomainPtr dom, unsigned int fla= gs) if (virDomainRebootEnsureACL(dom->conn, vm->def, flags) < 0) goto cleanup; =20 - if (useAgent) - agentJob =3D QEMU_AGENT_JOB_MODIFY; - - if (qemuDomainObjBeginJobWithAgent(driver, vm, - QEMU_JOB_MODIFY, - agentJob) < 0) - goto cleanup; - agentForced =3D agentRequested && !acpiRequested; - if (!qemuDomainAgentAvailable(vm, agentForced)) { - if (agentForced) - goto endjob; - useAgent =3D false; - } - - if (virDomainObjCheckActive(vm) < 0) - goto endjob; - - if (useAgent) { - qemuAgentPtr agent; + if (useAgent) + ret =3D qemuDomainRebootAgent(driver, vm, isReboot, agentForced); =20 - qemuDomainSetFakeReboot(driver, vm, false); - agent =3D qemuDomainObjEnterAgent(vm); - ret =3D qemuAgentShutdown(agent, agentFlag); - qemuDomainObjExitAgent(vm, agent); - } + if (ret < 0 && agentForced) + goto cleanup; =20 /* If we are not enforced to use just an agent, try ACPI * shutdown as well in case agent did not succeed. */ if ((!useAgent) || (ret < 0 && (acpiRequested || !flags))) { -#if !WITH_YAJL - virReportError(VIR_ERR_OPERATION_INVALID, "%s", - _("ACPI reboot is not supported without the JSON mo= nitor")); - goto endjob; -#endif - qemuDomainSetFakeReboot(driver, vm, isReboot); - qemuDomainObjEnterMonitor(driver, vm); - ret =3D qemuMonitorSystemPowerdown(priv->mon); - if (qemuDomainObjExitMonitor(driver, vm) < 0) - ret =3D -1; + ret =3D qemuDomainRebootMonitor(driver, vm, isReboot); } =20 - endjob: - if (agentJob) - qemuDomainObjEndJobWithAgent(driver, vm); - else - qemuDomainObjEndJob(driver, vm); - cleanup: virDomainObjEndAPI(&vm); return ret; --=20 2.21.0
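
Review bot: in qemuDomainRebootMonitor the "#if !WITH_YAJL" block sits after qemuDomainObjBeginJob and virDomainObjCheckActive, so a build without YAJL takes a QEMU_JOB_MODIFY job only to report "ACPI reboot is not supported without the JSON monitor", and everything after the unconditional "goto endjob" is unreachable in that configuration. Moving the check ahead of the job acquisition (or into qemuDomainReboot) lets it fail without taking the job. In qemuDomainReboot, the "if (ret < 0 && agentForced)" test is placed outside the "if (useAgent)" branch and therefore depends on the initial value of ret when the agent is not used; patch 1/8 nests the same test inside the useAgent braces, and doing that here would keep the two call sites consistent. The agent helper also checks qemuDomainAgentAvailable before virDomainObjCheckActive, the reverse of the order used in the shutdown helper; a comment or a consistent order would help.
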
From: Jonathon Jongsma
To: libvir-list@redhat.com
Date: Thu, 5 Dec 2019 10:08:52 -0600
Message-Id: <20191205160857.30182-4-jjongsma@redhat.com>
In-Reply-To: <20191205160857.30182-1-jjongsma@redhat.com>
References: <20191205160857.30182-1-jjongsma@redhat.com>
Subject: [libvirt] [PATCH 3/8] qemu: don't hold both jobs for suspend
Content-Transfer-Encoding: quoted-printable

We have to assume that the guest agent may be malicious so we don't want to allow any agent queries to block any other libvirt API. By holding a monitor job while we're querying the agent, we open ourselves up to a DoS.

So split the function up a bit to only hold the monitor job while querying qemu for whether the domain supports suspend. Then acquire only an agent job while issuing the agent suspend command.

Signed-off-by: Jonathon Jongsma
---
 src/qemu/qemu_driver.c | 93 ++++++++++++++++++++++++++----------------
 1 file changed, 58 insertions(+), 35 deletions(-)

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index edd36f4a89..e39ee2acc9 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c
@@ -19713,6 +19713,58 @@ qemuDomainProbeQMPCurrentMachine(virQEMUDriverPtr = driver, } =20 =20 +/* returns -1 on error, or if query is not supported, 0 if query was succe= ssful */ +static int +qemuDomainQueryWakeupSuspendSupport(virQEMUDriverPtr driver, + virDomainObjPtr vm, + bool *wakeupSupported) +{ + int ret =3D -1; + qemuDomainObjPrivatePtr priv =3D vm->privateData; + + if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_QUERY_CURRENT_MACHINE)) + return ret; + + if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0) + return ret; + + if ((ret =3D virDomainObjCheckActive(vm)) < 0) + goto endjob; + + ret =3D qemuDomainProbeQMPCurrentMachine(driver, vm, wakeupSupported); + + endjob: + qemuDomainObjEndJob(driver, vm); + + return ret; +} + +static int qemuDomainPMSuspendAgent(virQEMUDriverPtr driver, + virDomainObjPtr vm, + unsigned int target) +{ + qemuAgentPtr agent; + int ret =3D -1; + + if (qemuDomainObjBeginAgentJob(driver, vm, QEMU_AGENT_JOB_MODIFY) < 0) + return -1; + + if ((ret =3D virDomainObjCheckActive(vm)) < 0) + goto endjob; + + if (!qemuDomainAgentAvailable(vm, true)) + goto endjob; + + agent =3D qemuDomainObjEnterAgent(vm); + ret =3D qemuAgentSuspend(agent, target); + qemuDomainObjExitAgent(vm, agent); + + endjob: + qemuDomainObjEndAgentJob(vm); + + return ret; +} + static int qemuDomainPMSuspendForDuration(virDomainPtr dom, unsigned int target, @@ -19720,11 +19772,9 @@ qemuDomainPMSuspendForDuration(virDomainPtr dom, unsigned int flags) { virQEMUDriverPtr driver =3D dom->conn->privateData; - qemuDomainObjPrivatePtr priv; virDomainObjPtr vm; - qemuAgentPtr agent; - qemuDomainJob job =3D QEMU_JOB_NONE; int ret =3D -1; + bool wakeupSupported; =20 virCheckFlags(0, -1); =20 
@@ -19749,17 +19799,6 @@ qemuDomainPMSuspendForDuration(virDomainPtr dom, if (virDomainPMSuspendForDurationEnsureACL(dom->conn, vm->def) < 0) goto cleanup; =20 - priv =3D vm->privateData; - - if (virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_QUERY_CURRENT_MACHINE)) - job =3D QEMU_JOB_MODIFY; - - if (qemuDomainObjBeginJobWithAgent(driver, vm, job, QEMU_AGENT_JOB_MOD= IFY) < 0) - goto cleanup; - - if (virDomainObjCheckActive(vm) < 0) - goto endjob; - /* * The case we want to handle here is when QEMU has the API (i.e. * QEMU_CAPS_QUERY_CURRENT_MACHINE is set). Otherwise, do not interfere @@ -19767,16 +19806,11 @@ qemuDomainPMSuspendForDuration(virDomainPtr dom, * that don't know about this cap, will keep their old behavior of * suspending 'in the dark'. */ - if (virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_QUERY_CURRENT_MACHINE)) { - bool wakeupSupported; - - if (qemuDomainProbeQMPCurrentMachine(driver, vm, &wakeupSupported)= < 0) - goto endjob; - + if (qemuDomainQueryWakeupSuspendSupport(driver, vm, &wakeupSupported) = =3D=3D 0) { if (!wakeupSupported) { virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", _("Domain does not have suspend support")); - goto endjob; + goto cleanup; } } =20 
@@ -19786,29 +19820,18 @@ qemuDomainPMSuspendForDuration(virDomainPtr dom, target =3D=3D VIR_NODE_SUSPEND_TARGET_HYBRID)) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("S3 state is disabled for this domain")); - goto endjob; + goto cleanup; } =20 if (vm->def->pm.s4 =3D=3D VIR_TRISTATE_BOOL_NO && target =3D=3D VIR_NODE_SUSPEND_TARGET_DISK) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("S4 state is disabled for this domain")); - goto endjob; + goto cleanup; } } =20 - if (!qemuDomainAgentAvailable(vm, true)) - goto endjob; - - agent =3D qemuDomainObjEnterAgent(vm); - ret =3D qemuAgentSuspend(agent, target); - qemuDomainObjExitAgent(vm, agent); - - endjob: - if (job) - qemuDomainObjEndJobWithAgent(driver, vm); - else - qemuDomainObjEndAgentJob(vm); + ret =3D qemuDomainPMSuspendAgent(driver, vm, target); =20 cleanup: virDomainObjEndAPI(&vm); --=20 2.21.0
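
Review bot: the caller in qemuDomainPMSuspendForDuration treats every nonzero return from qemuDomainQueryWakeupSuspendSupport as "capability not present", but the helper also returns -1 when qemuDomainObjBeginJob, virDomainObjCheckActive or qemuDomainProbeQMPCurrentMachine fails. The removed code did "goto endjob" on a probe failure; the new code falls through to qemuDomainPMSuspendAgent with an error already reported, so a failed monitor query no longer aborts the suspend. Return distinct values for "query not supported" and "query failed" (the helper's own comment already names both cases) and have the caller "goto cleanup" on the latter. The helper should also document that wakeupSupported is only written when it returns 0, since the caller declares it uninitialized.
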
From: Jonathon Jongsma
To: libvir-list@redhat.com
Date: Thu, 5 Dec 2019 10:08:53 -0600
Message-Id: <20191205160857.30182-5-jjongsma@redhat.com>
In-Reply-To: <20191205160857.30182-1-jjongsma@redhat.com>
References: <20191205160857.30182-1-jjongsma@redhat.com>
Subject: [libvirt] [PATCH 4/8] qemu: don't hold monitor and agent job when setting time
Content-Transfer-Encoding: quoted-printable

We have to assume that the guest agent may be malicious so we don't want to allow any agent queries to block any other libvirt API. By holding a monitor job while we're querying the agent, we open ourselves up to a DoS. Split the function so that the portion issuing the agent command only holds an agent job and the portion issuing the monitor command holds only a monitor job.

Signed-off-by: Jonathon Jongsma
--- src/qemu/qemu_driver.c | 54 +++++++++++++++++++++++++++--------------- 1 file changed, 35 insertions(+), 19 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index e39ee2acc9..10fad8d75d 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c
@@ -20256,6 +20256,35 @@ qemuDomainGetTime(virDomainPtr dom, } =20 =20 +static int +qemuDomainSetTimeAgent(virQEMUDriverPtr driver, + virDomainObjPtr vm, + long long seconds, + unsigned int nseconds, + bool rtcSync) +{ + qemuAgentPtr agent; + int rv =3D -1; + + if (qemuDomainObjBeginAgentJob(driver, vm, QEMU_AGENT_JOB_MODIFY) < 0) + return -1; + + if (virDomainObjCheckActive(vm) < 0) + goto endjob; + + if (!qemuDomainAgentAvailable(vm, true)) + goto endjob; + + agent =3D qemuDomainObjEnterAgent(vm); + rv =3D qemuAgentSetTime(agent, seconds, nseconds, rtcSync); + qemuDomainObjExitAgent(vm, agent); + + endjob: + qemuDomainObjEndJob(driver, vm); + + return rv; +} + static int qemuDomainSetTime(virDomainPtr dom, long long seconds, @@ -20265,7 +20294,6 @@ qemuDomainSetTime(virDomainPtr dom, virQEMUDriverPtr driver =3D dom->conn->privateData; qemuDomainObjPrivatePtr priv; virDomainObjPtr vm; - qemuAgentPtr agent; bool rtcSync =3D flags & VIR_DOMAIN_TIME_SYNC; int ret =3D -1; int rv; @@ -20280,14 +20308,6 @@ qemuDomainSetTime(virDomainPtr dom, =20 priv =3D vm->privateData; =20 - if (qemuDomainObjBeginJobWithAgent(driver, vm, - QEMU_JOB_MODIFY, - QEMU_AGENT_JOB_MODIFY) < 0) - goto cleanup; - - if (virDomainObjCheckActive(vm) < 0) - goto endjob; - /* On x86, the rtc-reset-reinjection QMP command must be called after * setting the time to avoid trouble down the line. If the command is * not available, don't set the time at all and report an error */ 
@@ -20297,18 +20317,14 @@ qemuDomainSetTime(virDomainPtr dom, virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", _("cannot set time: qemu doesn't support " "rtc-reset-reinjection command")); - goto endjob; + goto cleanup; } =20 - if (!qemuDomainAgentAvailable(vm, true)) - goto endjob; - - agent =3D qemuDomainObjEnterAgent(vm); - rv =3D qemuAgentSetTime(agent, seconds, nseconds, rtcSync); - qemuDomainObjExitAgent(vm, agent); + if (qemuDomainSetTimeAgent(driver, vm, seconds, nseconds, rtcSync) < 0) + goto cleanup; =20 - if (rv < 0) - goto endjob; + if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0) + goto cleanup; =20 if (virDomainObjCheckActive(vm) < 0) goto endjob; 
@@ -20327,7 +20343,7 @@ qemuDomainSetTime(virDomainPtr dom, ret =3D 0; =20 endjob: - qemuDomainObjEndJobWithAgent(driver, vm); + qemuDomainObjEndJob(driver, vm); =20 cleanup: virDomainObjEndAPI(&vm); --=20 2.21.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
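Review bot: In the new qemuDomainSetTimeAgent(), the job is taken with qemuDomainObjBeginAgentJob() but the endjob label releases it with qemuDomainObjEndJob(driver, vm), which is the normal-job release; the other agent-only paths in this series (fsinfo, GetGuestInfo) pair the begin call with qemuDomainObjEndAgentJob(vm). The helper's endjob should call qemuDomainObjEndAgentJob(vm), since as written the job being released is not the one the helper acquired. Separately, qemuDomainSetTime() now changes the guest clock through the agent before qemuDomainObjBeginJob() is attempted, so a failure to get the monitor job returns an error with the time already set; a comment at that goto cleanup noting the half-applied state would help callers and future readers.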
From: Jonathon Jongsma
To: libvir-list@redhat.com
Date: Thu, 5 Dec 2019 10:08:54 -0600
Message-Id: <20191205160857.30182-6-jjongsma@redhat.com>
In-Reply-To: <20191205160857.30182-1-jjongsma@redhat.com>
References: <20191205160857.30182-1-jjongsma@redhat.com>
Subject: [libvirt] [PATCH 5/8] qemu: don't hold monitor job for fsinfo
Content-Transfer-Encoding: quoted-printable

We have to assume that the guest agent may be malicious so we don't want to allow any agent queries to block any other libvirt API. By holding a monitor job while we're querying the agent, we open ourselves up to a DoS. This function does not issue any monitor commands, so we can drop the monitor job and only hold an agent job.

Signed-off-by: Jonathon Jongsma
--- src/qemu/qemu_driver.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 10fad8d75d..e1a91c5049 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c
@@ -21623,9 +21623,8 @@ qemuDomainGetFSInfo(virDomainPtr dom, if (virDomainGetFSInfoEnsureACL(dom->conn, vm->def) < 0) goto cleanup; =20 - if (qemuDomainObjBeginJobWithAgent(driver, vm, - QEMU_JOB_QUERY, - QEMU_AGENT_JOB_QUERY) < 0) + if (qemuDomainObjBeginAgentJob(driver, vm, + QEMU_AGENT_JOB_QUERY) < 0) goto cleanup; =20 if (virDomainObjCheckActive(vm) < 0) 
@@ -21639,7 +21638,7 @@ qemuDomainGetFSInfo(virDomainPtr dom, qemuDomainObjExitAgent(vm, agent); =20 endjob: - qemuDomainObjEndJobWithAgent(driver, vm); + qemuDomainObjEndAgentJob(vm); =20 cleanup: virDomainObjEndAPI(&vm); --=20 2.21.0
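Review bot: Missing documentation at the new qemuDomainObjBeginAgentJob() call in qemuDomainGetFSInfo(): after this change everything up to qemuDomainObjEndAgentJob(vm) runs under an agent job only, so nothing in that window may enter the monitor. The commit message states that the function issues no monitor commands, but the code does not record it. A one-line comment above the begin call saying this path is agent-only and why would keep a later monitor call from being added under the wrong job.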
From: Jonathon Jongsma
To: libvir-list@redhat.com
Date: Thu, 5 Dec 2019 10:08:55 -0600
Message-Id: <20191205160857.30182-7-jjongsma@redhat.com>
In-Reply-To: <20191205160857.30182-1-jjongsma@redhat.com>
References: <20191205160857.30182-1-jjongsma@redhat.com>
Subject: [libvirt] [PATCH 6/8] qemu: don't hold monitor job for GetGuestInfo()
Content-Transfer-Encoding: quoted-printable

We have to assume that the guest agent may be malicious so we don't want to allow any agent queries to block any other libvirt API. By holding a monitor job while we're querying the agent, we open ourselves up to a DoS. This function issues several agent commands, but does not issue any monitor commands. Therefore, we can drop the monitor job and only hold an agent job.

Signed-off-by: Jonathon Jongsma
--- src/qemu/qemu_driver.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index e1a91c5049..1cf54cda8a 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c
@@ -22688,9 +22688,8 @@ qemuDomainGetGuestInfo(virDomainPtr dom, if (virDomainGetGuestInfoEnsureACL(dom->conn, vm->def) < 0) goto cleanup; =20 - if (qemuDomainObjBeginJobWithAgent(driver, vm, - QEMU_JOB_QUERY, - QEMU_AGENT_JOB_QUERY) < 0) + if (qemuDomainObjBeginAgentJob(driver, vm, + QEMU_AGENT_JOB_QUERY) < 0) goto cleanup; =20 if (!qemuDomainAgentAvailable(vm, true)) 
@@ -22740,7 +22739,7 @@ qemuDomainGetGuestInfo(virDomainPtr dom, qemuDomainObjExitAgent(vm, agent); =20 endjob: - qemuDomainObjEndJobWithAgent(driver, vm); + qemuDomainObjEndAgentJob(vm); =20 cleanup: virDomainObjEndAPI(&vm); --=20 2.21.0
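Review bot: In qemuDomainGetGuestInfo(), the context right after the new qemuDomainObjBeginAgentJob() call goes straight to qemuDomainAgentAvailable(vm, true) with no virDomainObjCheckActive(vm), whereas qemuDomainSetTimeAgent() and qemuDomainGetFSInfo() in this series check that the domain is still active immediately after taking the agent job. If qemuDomainAgentAvailable() is being relied on to cover the inactive case here, say so in a comment; otherwise add the active check while this block is being touched, so all agent-only paths follow the same sequence.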
From: Jonathon Jongsma
To: libvir-list@redhat.com
Date: Thu, 5 Dec 2019 10:08:56 -0600
Message-Id: <20191205160857.30182-8-jjongsma@redhat.com>
In-Reply-To: <20191205160857.30182-1-jjongsma@redhat.com>
References: <20191205160857.30182-1-jjongsma@redhat.com>
Subject: [libvirt] [PATCH 7/8] qemu: remove use of qemuDomainObjBeginJobWithAgent()
Content-Transfer-Encoding: quoted-printable

This function will be removed in a future commit because it allows the caller to acquire both monitor and agent jobs at the same time. Holding both job types creates a vulnerability to denial of service from a malicious guest agent. qemuDomainSetVcpusFlags() always passes NONE for either the monitor job or the agent job (and thus is not vulnerable to the DoS), so we can simply replace this function with the functions for acquiring the appropriate type of job.

Signed-off-by: Jonathon Jongsma
--- src/qemu/qemu_driver.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 1cf54cda8a..921230b8ce 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c
@@ -5045,8 +5045,6 @@ qemuDomainSetVcpusFlags(virDomainPtr dom, virDomainDefPtr persistentDef; bool hotpluggable =3D !!(flags & VIR_DOMAIN_VCPU_HOTPLUGGABLE); bool useAgent =3D !!(flags & VIR_DOMAIN_VCPU_GUEST); - qemuDomainJob job =3D QEMU_JOB_NONE; - qemuDomainAgentJob agentJob =3D QEMU_AGENT_JOB_NONE; int ret =3D -1; =20 virCheckFlags(VIR_DOMAIN_AFFECT_LIVE | @@ -5061,13 +5059,14 @@ qemuDomainSetVcpusFlags(virDomainPtr dom, if (virDomainSetVcpusFlagsEnsureACL(dom->conn, vm->def, flags) < 0) goto cleanup; =20 - if (useAgent) - agentJob =3D QEMU_AGENT_JOB_MODIFY; - else - job =3D QEMU_JOB_MODIFY; =20 - if (qemuDomainObjBeginJobWithAgent(driver, vm, job, agentJob) < 0) - goto cleanup; + if (useAgent) { + if (qemuDomainObjBeginAgentJob(driver, vm, QEMU_AGENT_JOB_MODIFY) = < 0) + goto cleanup; + } else { + if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0) + goto cleanup; + } =20 if (virDomainObjGetDefs(vm, flags, &def, &persistentDef) < 0) goto endjob; 
@@ -5081,7 +5080,7 @@ qemuDomainSetVcpusFlags(virDomainPtr dom, nvcpus, hotpluggable); =20 endjob: - if (agentJob) + if (useAgent) qemuDomainObjEndAgentJob(vm); else qemuDomainObjEndJob(driver, vm); --=20 2.21.0
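Review bot: Style, in the second qemuDomainSetVcpusFlags() hunk: with the job/agentJob assignment block removed, the two blank context lines that surrounded it are now adjacent, so the new if (useAgent) block is preceded by two empty lines; drop one of them. The added qemuDomainObjBeginAgentJob(driver, vm, QEMU_AGENT_JOB_MODIFY) line is also long enough that the mail encoding soft-wrapped it, so consider breaking the argument list after vm, the way the fsinfo and GetGuestInfo changes in this series do.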
From: Jonathon Jongsma
To: libvir-list@redhat.com
Date: Thu, 5 Dec 2019 10:08:57 -0600
Message-Id: <20191205160857.30182-9-jjongsma@redhat.com>
In-Reply-To: <20191205160857.30182-1-jjongsma@redhat.com>
References: <20191205160857.30182-1-jjongsma@redhat.com>
Subject: [libvirt] [PATCH 8/8] qemu: remove qemuDomainObjBegin/EndJobWithAgent()
Content-Transfer-Encoding: quoted-printable

This function potentially grabs both a monitor job and an agent job at the same time. This is problematic because it means that a malicious (or just buggy) guest agent can cause a denial of service on the host. The presence of this function makes it easy to do the wrong thing and hold both jobs at the same time. All existing uses have already been removed by previous commits.

Signed-off-by: Jonathon Jongsma
--- src/qemu/THREADS.txt | 58 +++++------------------------------------- src/qemu/qemu_domain.c | 56 ++++------------------------------------ src/qemu/qemu_domain.h | 7 ----- 3 files changed, 11 insertions(+), 110 deletions(-) diff --git a/src/qemu/THREADS.txt b/src/qemu/THREADS.txt index aa428fda6a..a7d8709a43 100644 --- a/src/qemu/THREADS.txt +++ b/src/qemu/THREADS.txt
@@ -61,11 +61,12 @@ There are a number of locks on various objects =20 Agent job condition is then used when thread wishes to talk to qemu agent monitor. It is possible to acquire just agent job - (qemuDomainObjBeginAgentJob), or only normal job - (qemuDomainObjBeginJob) or both at the same time - (qemuDomainObjBeginJobWithAgent). Which type of job to grab depends - whether caller wishes to communicate only with agent socket, or only - with qemu monitor socket or both, respectively. + (qemuDomainObjBeginAgentJob), or only normal job (qemuDomainObjBeginJo= b) + but not both at the same time. Holding an agent job and a normal job w= ould + allow an unresponsive or malicious agent to block normal libvirt API a= nd + potentially result in a denial of service. Which type of job to grab + depends whether caller wishes to communicate only with agent socket, or + only with qemu monitor socket. =20 Immediately after acquiring the virDomainObjPtr lock, any method which intends to update state must acquire asynchronous, normal or @@ -141,18 +142,6 @@ To acquire the agent job condition =20 =20 =20 -To acquire both normal and agent job condition - - qemuDomainObjBeginJobWithAgent() - - Waits until there is no normal and no agent job set - - Sets both job.active and job.agentActive with required job types - - qemuDomainObjEndJobWithAgent() - - Sets both job.active and job.agentActive to 0 - - Signals on job.cond condition - - - To acquire the asynchronous job condition =20 qemuDomainObjBeginAsyncJob() 
@@ -292,41 +281,6 @@ Design patterns virDomainObjEndAPI(&obj); =20 =20 - * Invoking both monitor and agent commands on a virDomainObjPtr - - virDomainObjPtr obj; - qemuAgentPtr agent; - - obj =3D qemuDomObjFromDomain(dom); - - qemuDomainObjBeginJobWithAgent(obj, QEMU_JOB_TYPE, QEMU_AGENT_JOB_TYP= E); - - if (!virDomainObjIsActive(dom)) - goto cleanup; - - ...do prep work... - - if (!qemuDomainAgentAvailable(obj, true)) - goto cleanup; - - agent =3D qemuDomainObjEnterAgent(obj); - qemuAgentXXXX(agent, ..); - qemuDomainObjExitAgent(obj, agent); - - ... - - qemuDomainObjEnterMonitor(obj); - qemuMonitorXXXX(priv->mon); - qemuDomainObjExitMonitor(obj); - - /* Alternatively, talk to the monitor first and then talk to the agen= t. */ - - ...do final work... - - qemuDomainObjEndJobWithAgent(obj); - virDomainObjEndAPI(&obj); - - * Running asynchronous job =20 virDomainObjPtr obj; diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 470d342afc..97cf6b2255 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -8569,26 +8569,6 @@ qemuDomainObjBeginAgentJob(virQEMUDriverPtr driver, QEMU_ASYNC_JOB_NONE, false); } =20 -/** - * qemuDomainObjBeginJobWithAgent: - * - * Grabs both monitor and agent types of job. Use if caller talks to - * both monitor and guest agent. However, if @job (or @agentJob) is - * QEMU_JOB_NONE (or QEMU_AGENT_JOB_NONE) only agent job is acquired (or - * monitor job). - * - * To end job call qemuDomainObjEndJobWithAgent. - */ -int -qemuDomainObjBeginJobWithAgent(virQEMUDriverPtr driver, - virDomainObjPtr obj, - qemuDomainJob job, - qemuDomainAgentJob agentJob) -{ - return qemuDomainObjBeginJobInternal(driver, obj, job, agentJob, - QEMU_ASYNC_JOB_NONE, false); -} - int qemuDomainObjBeginAsyncJob(virQEMUDriverPtr driver, virDomainObjPtr obj, qemuDomainAsyncJob asyncJob, 
@@ -8703,31 +8683,6 @@ qemuDomainObjEndAgentJob(virDomainObjPtr obj) virCondBroadcast(&priv->job.cond); } =20 -void -qemuDomainObjEndJobWithAgent(virQEMUDriverPtr driver, - virDomainObjPtr obj) -{ - qemuDomainObjPrivatePtr priv =3D obj->privateData; - qemuDomainJob job =3D priv->job.active; - qemuDomainAgentJob agentJob =3D priv->job.agentActive; - - priv->jobs_queued--; - - VIR_DEBUG("Stopping both jobs: %s %s (async=3D%s vm=3D%p name=3D%s)", - qemuDomainJobTypeToString(job), - qemuDomainAgentJobTypeToString(agentJob), - qemuDomainAsyncJobTypeToString(priv->job.asyncJob), - obj, obj->def->name); - - qemuDomainObjResetJob(priv); - qemuDomainObjResetAgentJob(priv); - if (qemuDomainTrackJob(job)) - qemuDomainObjSaveStatus(driver, obj); - /* We indeed need to wake up ALL threads waiting because - * grabbing a job requires checking more variables. */ - virCondBroadcast(&priv->job.cond); -} - void qemuDomainObjEndAsyncJob(virQEMUDriverPtr driver, virDomainObjPtr obj) { @@ -8761,9 +8716,9 @@ qemuDomainObjAbortAsyncJob(virDomainObjPtr obj) * obj must be locked before calling * * To be called immediately before any QEMU monitor API call - * Must have already either called qemuDomainObjBeginJob() or - * qemuDomainObjBeginJobWithAgent() and checked that the VM is - * still active; may not be used for nested async jobs. + * Must have already called qemuDomainObjBeginJob() and checked + * that the VM is still active; may not be used for nested async + * jobs. * * To be followed with qemuDomainObjExitMonitor() once complete */ 
@@ -8885,9 +8840,8 @@ qemuDomainObjEnterMonitorAsync(virQEMUDriverPtr drive= r, * obj must be locked before calling * * To be called immediately before any QEMU agent API call. - * Must have already called qemuDomainObjBeginAgentJob() or - * qemuDomainObjBeginJobWithAgent() and checked that the VM is - * still active. + * Must have already called qemuDomainObjBeginAgentJob() and + * checked that the VM is still active. * * To be followed with qemuDomainObjExitAgent() once complete */ diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h index f626d3a54c..fb4c9e0467 100644 --- a/src/qemu/qemu_domain.h +++ b/src/qemu/qemu_domain.h @@ -622,11 +622,6 @@ int qemuDomainObjBeginAgentJob(virQEMUDriverPtr driver, virDomainObjPtr obj, qemuDomainAgentJob agentJob) G_GNUC_WARN_UNUSED_RESULT; -int qemuDomainObjBeginJobWithAgent(virQEMUDriverPtr driver, - virDomainObjPtr obj, - qemuDomainJob job, - qemuDomainAgentJob agentJob) - G_GNUC_WARN_UNUSED_RESULT; int qemuDomainObjBeginAsyncJob(virQEMUDriverPtr driver, virDomainObjPtr obj, qemuDomainAsyncJob asyncJob, @@ -645,8 +640,6 @@ int qemuDomainObjBeginJobNowait(virQEMUDriverPtr driver, void qemuDomainObjEndJob(virQEMUDriverPtr driver, virDomainObjPtr obj); void qemuDomainObjEndAgentJob(virDomainObjPtr obj); -void qemuDomainObjEndJobWithAgent(virQEMUDriverPtr driver, - virDomainObjPtr obj); void qemuDomainObjEndAsyncJob(virQEMUDriverPtr driver, virDomainObjPtr obj); void qemuDomainObjAbortAsyncJob(virDomainObjPtr obj); --=20 2.21.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
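Review bot: Documentation gap in the THREADS.txt "Design patterns" hunk: the "Invoking both monitor and agent commands on a virDomainObjPtr" pattern is deleted with no replacement, yet qemuDomainSetTime() in patch 4/8 still needs to talk to both. Add a pattern for the sequential form that this series adopts (begin an agent job, call the agent, qemuDomainObjEndAgentJob(), then qemuDomainObjBeginJob() followed by a fresh active check before qemuDomainObjEnterMonitor()), so callers have a documented alternative to holding both jobs at once. In the rewritten locking paragraph, "depends whether caller wishes" should read "depends on whether the caller wishes", and "block normal libvirt API" reads better as "block normal libvirt API calls".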