
[Qemu-commits] [qemu/qemu] 63659f: virtiofsd: Whitelist fchmod


From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] 63659f: virtiofsd: Whitelist fchmod
Date: Thu, 18 Jun 2020 09:00:30 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 63659fe74e76f5c5285466f0c5cfbdca65b3688e
      https://github.com/qemu/qemu/commit/63659fe74e76f5c5285466f0c5cfbdca65b3688e
  Author: Max Reitz <mreitz@redhat.com>
  Date:   2020-06-17 (Wed, 17 Jun 2020)

  Changed paths:
    M tools/virtiofsd/seccomp.c

  Log Message:
  -----------
  virtiofsd: Whitelist fchmod

lo_setattr() invokes fchmod() in a rarely used code path, so it should
be whitelisted or virtiofsd will crash with EBADSYS.

Said code path can be triggered for example as follows:

On the host, in the shared directory, create a file with the sticky bit
set and a security.capability xattr:
(1) # touch foo
(2) # chmod u+s foo
(3) # setcap '' foo

Then in the guest let some process truncate that file after it has
dropped all of its capabilities (at least CAP_FSETID):

#include <cap-ng.h>      /* libcap-ng: link with -lcap-ng */
#include <fcntl.h>
#include <sys/types.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    /* Drop all capabilities but CAP_CHOWN (0), so CAP_FSETID is gone;
     * the capng_updatev() capability list must be terminated with -1 */
    capng_setpid(getpid());
    capng_clear(CAPNG_SELECT_BOTH);
    capng_updatev(CAPNG_ADD, CAPNG_PERMITTED | CAPNG_EFFECTIVE, 0, -1);
    capng_apply(CAPNG_SELECT_BOTH);

    /* Truncating clears the set-user-ID bit, which is a mode change */
    ftruncate(open(argv[1], O_RDWR), 0);
    return 0;
}

This will cause the guest kernel to drop the sticky bit (i.e. perform a
mode change) as part of the truncate (where FATTR_FH is set), and that
will cause virtiofsd to invoke fchmod() instead of fchmodat().

(A similar configuration exists further below with futimens() vs.
utimensat(), but the former is not a syscall but just a wrapper for the
latter, so no further whitelisting is required.)

Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1842667
Reported-by: Qian Cai <caiqian@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-Id: <20200608093111.14942-1-mreitz@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
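
The failure mode this commit describes, a syscall reached only on a rare path that is missing from a seccomp allowlist, shown with a minimal filter so the "before" and "after" allowlists can be compared. This is an added example written for this page, not virtiofsd's filter from tools/virtiofsd/seccomp.c: install_allowlist(), run_under_allowlist(), via_fchmod(), via_fchmodat(), outcome_is() and the two allowlist arrays are names chosen here, and the scratch file under /tmp is constructed. The mode change runs in a forked child so the parent can report whether seccomp killed it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define MAX_ALLOWED 16
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Install a seccomp-bpf allowlist: syscalls in 'allowed' pass, anything else
 * kills the calling thread with SIGSYS. Constructed for this example; it is
 * not virtiofsd's filter. */
static int install_allowlist(const int *allowed, size_t n)
{
    struct sock_filter prog[5 + 2 * MAX_ALLOWED];
    size_t i = 0;

    if (n > MAX_ALLOWED) { errno = E2BIG; return -1; }
    /* Reject syscalls made through a foreign ABI, whose numbers differ */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    /* Load the syscall number and compare it against each allowed entry */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) {
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)allowed[k], 0, 1);
        prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    /* Default verdict: a syscall missing from the list is fatal, as in the report */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);

    struct sock_fprog fprog = { .len = (unsigned short)i, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Two ways a mode change reaches the kernel. Raw syscall() is used so the
 * libc wrapper cannot quietly substitute a different syscall number. */
static long via_fchmod(int fd, const char *path)   { (void)path; return syscall(SYS_fchmod, fd, 0600); }
static long via_fchmodat(int fd, const char *path) { (void)fd; return syscall(SYS_fchmodat, AT_FDCWD, path, 0600); }

/* Run 'op' on a scratch file in a forked child under the allowlist.
 * Returns SIGSYS if seccomp killed the child, 0 if it completed, and -1 if
 * the filter could not be installed (kernel or sandbox without seccomp). */
static int run_under_allowlist(const int *allowed, size_t n, long (*op)(int, const char *))
{
    char path[] = "/tmp/seccomp-allowlist-XXXXXX";   /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    (void)syscall(SYS_getpid);   /* bind syscall()'s PLT entry in the parent, not under the filter */
    pid_t pid = fork();
    if (pid == 0) {
        int rc = install_allowlist(allowed, n) < 0 ? 99 : 0;
        if (rc == 0) op(fd, path);
        syscall(SYS_exit_group, rc);   /* raw exit: exit_group must be allowlisted too */
    }
    close(fd);
    unlink(path);
    int status;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 99) ? -1 : 0;
}

/* 1 if the verdict is the expected one, or seccomp was unavailable (-1) */
static int outcome_is(int got, int expected) { return got == expected || got == -1; }

/* Before the fix: only the common fchmodat() path is listed. */
static const int allowlist_before[] = { SYS_fchmodat, SYS_exit_group };
/* After the fix: fchmod added, which is what the commit does. */
static const int allowlist_after[]  = { SYS_fchmodat, SYS_fchmod, SYS_exit_group };

int main(void)
{
    printf("fchmodat, before: %d\n", run_under_allowlist(allowlist_before, ARRAY_LEN(allowlist_before), via_fchmodat));
    printf("fchmod,   before: %d (SIGSYS = %d)\n", run_under_allowlist(allowlist_before, ARRAY_LEN(allowlist_before), via_fchmod), SIGSYS);
    printf("fchmod,   after:  %d\n", run_under_allowlist(allowlist_after, ARRAY_LEN(allowlist_after), via_fchmod));
    return 0;
}
```

The point of the child/parent split is that a kill verdict is invisible from inside the filtered process; only the parent's waitpid() sees SIGSYS. That is also why an allowlist has to be checked against every code path of the daemon, including ones only reachable with unusual file modes, rather than only the paths a normal run exercises.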


  Commit: 246da7db3cc103c537b0dd3c1adadbfd9a94ecd7
      https://github.com/qemu/qemu/commit/246da7db3cc103c537b0dd3c1adadbfd9a94ecd7
  Author: Pan Nengyuan <pannengyuan@huawei.com>
  Date:   2020-06-17 (Wed, 17 Jun 2020)

  Changed paths:
    M qom/qom-hmp-cmds.c

  Log Message:
  -----------
  qom-hmp-cmds: fix a memleak in hmp_qom_get

'obj' is not freed at the end of hmp_qom_get(). Fix that.

The leak stack:
Direct leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x7f4e3a779ae8 in __interceptor_malloc (/lib64/libasan.so.5+0xefae8)
    #1 0x7f4e398f91d5 in g_malloc (/lib64/libglib-2.0.so.0+0x531d5)
    #2 0x55c9fd9a3999 in qstring_from_substr /build/qemu/src/qobject/qstring.c:45
    #3 0x55c9fd894bd3 in qobject_output_type_str /build/qemu/src/qapi/qobject-output-visitor.c:175
    #4 0x55c9fd894bd3 in qobject_output_type_str /build/qemu/src/qapi/qobject-output-visitor.c:168
    #5 0x55c9fd88b34d in visit_type_str /build/qemu/src/qapi/qapi-visit-core.c:308
    #6 0x55c9fd59aa6b in property_get_str /build/qemu/src/qom/object.c:2064
    #7 0x55c9fd5adb8a in object_property_get_qobject /build/qemu/src/qom/qom-qobject.c:38
    #8 0x55c9fd4a029d in hmp_qom_get /build/qemu/src/qom/qom-hmp-cmds.c:66

Fixes: 89cf4fe34f4
Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>
Message-Id: <20200603070338.7922-1-pannengyuan@huawei.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Tested-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>


  Commit: 2d9e3dd9be1de3bbdca113673084dd19a8d957c3
      https://github.com/qemu/qemu/commit/2d9e3dd9be1de3bbdca113673084dd19a8d957c3
  Author: David Hildenbrand <david@redhat.com>
  Date:   2020-06-17 (Wed, 17 Jun 2020)

  Changed paths:
    M hmp-commands.hx
    M qom/qom-hmp-cmds.c

  Log Message:
  -----------
  hmp: Make json format optional for qom-set

Commit 7d2ef6dcc1cf ("hmp: Simplify qom-set") switched to the json
parser, making it possible to specify complex types. However, with this
change it is no longer possible to specify proper sizes (e.g., 2G, 128M),
making the interface harder to use for properties that consume sizes.

Let's switch back to the previous handling and allow passing json via
the "-j" parameter.

Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Markus Armbruster <armbru@redhat.com>
Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: David Hildenbrand <david@redhat.com>
Message-Id: <20200610075153.33892-1-david@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
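
The size suffixes this commit restores (2G, 128M) are easy to get wrong when the multiplier overflows the integer, which is the kind of defect a reviewer looks for in any parser that feeds a memory-size property. As an added example, not QEMU's own qemu_strtosz() and not code from the commit, here is a small suffix parser with those checks; parse_size(), size_ok() and size_or_max() are names chosen for this example and the sample inputs in main() are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse a human-readable size such as "2G", "128M", "4k" or a plain byte
 * count into bytes. Returns 0 on success; -1 for malformed input, trailing
 * characters, a sign, or a value that would not fit in uint64_t. */
static int parse_size(const char *s, uint64_t *out)
{
    char *end;
    unsigned shift;

    /* strtoull silently accepts leading whitespace and a '-' sign; reject both */
    if (s == NULL || !isdigit((unsigned char)s[0])) return -1;
    errno = 0;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno == ERANGE || end == s) return -1;      /* the digits alone overflowed */

    switch (*end) {
    case '\0':           shift = 0;  break;
    case 'k': case 'K':  shift = 10; end++; break;
    case 'm': case 'M':  shift = 20; end++; break;
    case 'g': case 'G':  shift = 30; end++; break;
    case 't': case 'T':  shift = 40; end++; break;
    default:             return -1;                  /* unknown suffix */
    }
    if (*end != '\0') return -1;                     /* trailing characters */
    /* The suffix multiplies; make sure the shift cannot wrap around */
    if (shift != 0 && v > (UINT64_MAX >> shift)) return -1;
    *out = (uint64_t)v << shift;
    return 0;
}

/* Convenience wrappers: did it parse, and what value did it give */
static int size_ok(const char *s)
{
    uint64_t v;
    return parse_size(s, &v) == 0;
}

static uint64_t size_or_max(const char *s)
{
    uint64_t v;
    return parse_size(s, &v) == 0 ? v : UINT64_MAX;
}

int main(void)
{
    /* Constructed sample inputs: valid sizes, an overflowing one, and junk */
    const char *samples[] = { "2G", "128M", "4k", "1024", "16777216T", "2G ", "-1", "0x10" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint64_t v;
        if (parse_size(samples[i], &v) == 0)
            printf("%-10s -> %llu bytes\n", samples[i], (unsigned long long)v);
        else
            printf("%-10s -> rejected\n", samples[i]);
    }
    return 0;
}
```

The overflow check compares against UINT64_MAX shifted right by the suffix width before shifting left, so "16777216T" (2^24 tebibytes, exactly 2^64) is rejected instead of wrapping to zero.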


  Commit: f663492f40c1e2b500c9eda0625ff8bbb04a478c
      https://github.com/qemu/qemu/commit/f663492f40c1e2b500c9eda0625ff8bbb04a478c
  Author: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
  Date:   2020-06-17 (Wed, 17 Jun 2020)

  Changed paths:
    M tests/migration/stress.c

  Log Message:
  -----------
  tests/migration: mem leak fix

'data' may leak, so use the glib macro g_autofree recommended by
CODING_STYLE.rst to automatically release the memory returned from
g_malloc().

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-Id: <20200603080904.997083-2-maozhongyi@cmss.chinamobile.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>


  Commit: 71cfce73f454fcdd5b4e8e9629cd6f41900cef13
      https://github.com/qemu/qemu/commit/71cfce73f454fcdd5b4e8e9629cd6f41900cef13
  Author: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
  Date:   2020-06-17 (Wed, 17 Jun 2020)

  Changed paths:
    M tests/migration/stress.c

  Log Message:
  -----------
  tests/migration: fix unreachable path in stress test

If stressone() or stress() exits, it is because of a failure, since the
test runs forever otherwise; so change the return type of stressone
and stress to void and make exit_failure() the exit function of main().

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-Id: <20200603080904.997083-3-maozhongyi@cmss.chinamobile.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>


  Commit: 39337f121192c9ca305cb5c1a695f25c35e967ff
      https://github.com/qemu/qemu/commit/39337f121192c9ca305cb5c1a695f25c35e967ff
  Author: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
  Date:   2020-06-17 (Wed, 17 Jun 2020)

  Changed paths:
    M monitor/hmp-cmds.c

  Log Message:
  -----------
  monitor/hmp-cmds: add units for migrate_parameters

When running:
(qemu) info migrate_parameters
announce-initial: 50 ms
announce-max: 550 ms
announce-step: 100 ms
compress-wait-thread: on
...
max-bandwidth: 33554432 bytes/second
downtime-limit: 300 milliseconds
x-checkpoint-delay: 20000
...
xbzrle-cache-size: 67108864

add units for the parameters 'x-checkpoint-delay' and
'xbzrle-cache-size' to make them easier to read, and change
'milliseconds' to 'ms' to keep the style consistent.

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20200603080904.997083-4-maozhongyi@cmss.chinamobile.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>


  Commit: fe025508c0c98ff1349c02e6f99b13844d7079b1
      https://github.com/qemu/qemu/commit/fe025508c0c98ff1349c02e6f99b13844d7079b1
  Author: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
  Date:   2020-06-17 (Wed, 17 Jun 2020)

  Changed paths:
    M monitor/hmp-cmds.c

  Log Message:
  -----------
  monitor/hmp-cmds: don't silently output when running 'migrate_set_downtime' fails

Although 'migrate_set_downtime' has been deprecated and replaced
with 'migrate_set_parameter downtime_limit', it has not been
completely eliminated, possibly due to compatibility with older
versions. I think as long as this old parameter is running, we
should report an appropriate message when something goes wrong, not
be silent.

before:
(qemu) migrate_set_downtime -1
(qemu)

after:
(qemu) migrate_set_downtime -1
Error: Parameter 'downtime_limit' expects an integer in the range of 0 to 2000 seconds

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20200603080904.997083-5-maozhongyi@cmss.chinamobile.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>


  Commit: 0705ecc4ade74f03df00e8528987e7876a293f3b
      https://github.com/qemu/qemu/commit/0705ecc4ade74f03df00e8528987e7876a293f3b
  Author: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
  Date:   2020-06-17 (Wed, 17 Jun 2020)

  Changed paths:
    M monitor/hmp-cmds.c

  Log Message:
  -----------
  monitor/hmp-cmds: delete redundant Error check before invoke hmp_handle_error()

hmp_handle_error() does Error check internally.

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Message-Id: <20200603080904.997083-6-maozhongyi@cmss.chinamobile.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>


  Commit: ac9c95b13fc1ccd097834b29d846f25795bd76de
      https://github.com/qemu/qemu/commit/ac9c95b13fc1ccd097834b29d846f25795bd76de
  Author: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
  Date:   2020-06-17 (Wed, 17 Jun 2020)

  Changed paths:
    M monitor/hmp-cmds.c

  Log Message:
  -----------
  monitor/hmp-cmds: add 'goto end' to reduce duplicate code.

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Message-Id: <20200603080904.997083-7-maozhongyi@cmss.chinamobile.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>


  Commit: afb5d01cb6eb05abfe46a6e6a821df4674f13f2f
      https://github.com/qemu/qemu/commit/afb5d01cb6eb05abfe46a6e6a821df4674f13f2f
  Author: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
  Date:   2020-06-17 (Wed, 17 Jun 2020)

  Changed paths:
    M docs/xbzrle.txt
    M monitor/hmp-cmds.c

  Log Message:
  -----------
  monitor/hmp-cmds: improvements for the 'info migrate'

When running:

(qemu) info migrate
globals:
store-global-state: on
only-migratable: off
...
xbzrle transferred: 640892 kbytes
xbzrle pages: 16645936 pages
xbzrle cache miss: 1525426
xbzrle cache miss rate: 0.09
xbzrle encoding rate: 91.42
xbzrle overflow: 40896
...
compression pages: 377710 pages
compression busy: 0
compression busy rate: 0.00
compressed size: 463169457
compression rate: 3.33

Add units for 'xbzrle cache miss' and 'compressed size' to make
them easier to read.

Suggested-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Message-Id: <20200603080904.997083-8-maozhongyi@cmss.chinamobile.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>


  Commit: 6bcd361a52e73889d2123033ce48450289a1933e
      https://github.com/qemu/qemu/commit/6bcd361a52e73889d2123033ce48450289a1933e
  Author: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
  Date:   2020-06-17 (Wed, 17 Jun 2020)

  Changed paths:
    M docs/xbzrle.txt

  Log Message:
  -----------
  docs/xbzrle: update 'cache miss rate' and 'encoding rate' to docs

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Message-Id: <20200603080904.997083-9-maozhongyi@cmss.chinamobile.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>


  Commit: 7e89a1401a9674c9882948f05f4d17ea7be1c4eb
      https://github.com/qemu/qemu/commit/7e89a1401a9674c9882948f05f4d17ea7be1c4eb
  Author: Laurent Vivier <lvivier@redhat.com>
  Date:   2020-06-17 (Wed, 17 Jun 2020)

  Changed paths:
    M migration/multifd.c

  Log Message:
  -----------
  migration: fix multifd_send_pages() next channel

multifd_send_pages() loops around the available channels; the next
channel to use between two calls to multifd_send_pages() is stored in
a local static variable, next_channel.

It works well, except if the number of channels decreases between two calls
to multifd_send_pages(). In this case, the loop can try to access the
data of a channel that doesn't exist anymore.

The problem can be triggered if we start a migration with a given number of
channels and then cancel the migration to restart it with a lower number.
This generally ends with an error like:
qemu-system-ppc64: .../util/qemu-thread-posix.c:77: qemu_mutex_lock_impl: Assertion `mutex->initialized' failed.

This patch fixes the error by capping next_channel with the current number
of channels before using it.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Message-Id: <20200617113154.593233-1-lvivier@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
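
The stale-cursor bug and the cap that fixes it, reduced to a standalone model. This is an added example, not code from migration/multifd.c: struct send_channel, multifd_restart(), multifd_send_pages_pick() and pages_sent_on() are names chosen here, and the 'initialized' flag stands in for the mutex state whose assertion fired in the report. The cap_cursor flag selects the fixed behaviour (true) or the old one (false) so both can be observed on the same state.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_CHANNELS 8

/* Constructed stand-in for a multifd send channel. 'initialized' plays the
 * role of the mutex state that qemu_mutex_lock_impl() asserted on. */
struct send_channel {
    bool initialized;
    unsigned pages_sent;
};

static struct send_channel channels[MAX_CHANNELS];
static unsigned nr_channels;   /* channels in the current migration; may shrink on restart */
static unsigned next_channel;  /* survives across calls, like the static in multifd_send_pages() */

/* (Re)start a migration with n channels. The round-robin cursor is
 * deliberately left alone: that stale value is what the bug depends on. */
static int multifd_restart(unsigned n)
{
    if (n > MAX_CHANNELS) return -1;
    for (unsigned i = 0; i < MAX_CHANNELS; i++) {
        channels[i].initialized = (i < n);
        channels[i].pages_sent = 0;
    }
    nr_channels = n;
    return 0;
}

/* Choose the channel for the next batch of pages and advance the cursor.
 * Returns the channel index, -1 if there are no channels, or -2 if the
 * cursor pointed at a channel that no longer exists (the assertion path). */
static int multifd_send_pages_pick(bool cap_cursor)
{
    if (nr_channels == 0) return -1;
    if (cap_cursor) {
        next_channel %= nr_channels;   /* the fix: bound the cursor before using it */
    }
    unsigned i = next_channel;
    if (i >= nr_channels || !channels[i].initialized) return -2;
    next_channel = (i + 1) % nr_channels;
    channels[i].pages_sent++;
    return (int)i;
}

static unsigned pages_sent_on(unsigned i)
{
    return i < MAX_CHANNELS ? channels[i].pages_sent : 0;
}

int main(void)
{
    multifd_restart(4);
    for (int k = 0; k < 3; k++) {
        printf("4 channels: picked %d\n", multifd_send_pages_pick(true));
    }
    multifd_restart(2);   /* cancel and restart with fewer channels; cursor is now 3 */
    printf("2 channels, uncapped cursor: %d (-2 = stale channel)\n", multifd_send_pages_pick(false));
    printf("2 channels, capped cursor:   %d\n", multifd_send_pages_pick(true));
    return 0;
}
```

Any state that outlives the object it indexes (a static cursor, a cached length, a saved iterator) needs the same treatment: re-validate it against the current size at the point of use, not only when it is advanced.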


  Commit: eefe34ea4b82c2b47abe28af4cc7247d51553626
      https://github.com/qemu/qemu/commit/eefe34ea4b82c2b47abe28af4cc7247d51553626
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2020-06-18 (Thu, 18 Jun 2020)

  Changed paths:
    M docs/xbzrle.txt
    M hmp-commands.hx
    M migration/multifd.c
    M monitor/hmp-cmds.c
    M qom/qom-hmp-cmds.c
    M tests/migration/stress.c
    M tools/virtiofsd/seccomp.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/dgilbert/tags/pull-migration-20200617a' into staging

Migration (and HMP and virtiofs) pull 2020-06-17

Migration:
   HMP/migration and test changes from Mao Zhongyi
   multifd fix from Laurent Vivier
HMP:
   qom-set partial reversion/change from David Hildenbrand
      now you need -j to pass json format, but it's regained the
      old 100M type format.
   Memory leak fix from Pan Nengyuan

Virtiofs:
   fchmod seccomp fix from Max Reitz

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

# gpg: Signature made Wed 17 Jun 2020 19:34:58 BST
# gpg:                using RSA key 45F5C71B4A0CB7FB977A9FA90516331EBC5BFDE7
# gpg: Good signature from "Dr. David Alan Gilbert (RH2) <dgilbert@redhat.com>" [full]
# Primary key fingerprint: 45F5 C71B 4A0C B7FB 977A  9FA9 0516 331E BC5B FDE7

* remotes/dgilbert/tags/pull-migration-20200617a:
  migration: fix multifd_send_pages() next channel
  docs/xbzrle: update 'cache miss rate' and 'encoding rate' to docs
  monitor/hmp-cmds: improvements for the 'info migrate'
  monitor/hmp-cmds: add 'goto end' to reduce duplicate code.
  monitor/hmp-cmds: delete redundant Error check before invoke hmp_handle_error()
  monitor/hmp-cmds: don't silently output when running 'migrate_set_downtime' fails
  monitor/hmp-cmds: add units for migrate_parameters
  tests/migration: fix unreachable path in stress test
  tests/migration: mem leak fix
  hmp: Make json format optional for qom-set
  qom-hmp-cmds: fix a memleak in hmp_qom_get
  virtiofsd: Whitelist fchmod

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


Compare: https://github.com/qemu/qemu/compare/3b268766ecb7...eefe34ea4b82


