* [PATCH for-4.7] XSA-180 patches for 4.7 @ 2016-05-26 15:19 Wei Liu 2016-05-26 15:21 ` [PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU Wei Liu 0 siblings, 1 reply; 11+ messages in thread From: Wei Liu @ 2016-05-26 15:19 UTC (permalink / raw) To: Xen-devel; +Cc: Anthony PERARD, Ian Jackson, Wei Liu Two patches for XSA-180 for Xen 4.7 release. Wei. _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU 2016-05-26 15:19 [PATCH for-4.7] XSA-180 patches for 4.7 Wei Liu @ 2016-05-26 15:21 ` Wei Liu 2016-05-26 15:21 ` [PATCH QEMU for-4.7] main loop: Big hammer to fix logfile disk DoS in Xen setups Wei Liu 2016-05-26 15:41 ` [PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU Ian Jackson 0 siblings, 2 replies; 11+ messages in thread From: Wei Liu @ 2016-05-26 15:21 UTC (permalink / raw) To: Xen-devel; +Cc: Anthony PERARD, Wei Liu, Ian Jackson XSA-180 provides a patch to QEMU to bodge QEMU logging issue. We explicitly set the limit in libxl for 4.7. Introduce a function for setting the environment variable and call it in the right places. Signed-off-by: Wei Liu <wei.liu2@citrix.com> --- tools/libxl/libxl_dm.c | 33 ++++++++++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c index 6bbc7c3..1412c29 100644 --- a/tools/libxl/libxl_dm.c +++ b/tools/libxl/libxl_dm.c @@ -365,6 +365,24 @@ int libxl__domain_device_construct_rdm(libxl__gc *gc, return ERROR_FAIL; } +/* XSA-180 / CVE-2014-3672 + * + * The QEMU shipped with Xen has a bodge. It checks for + * XEN_QEMU_CONSOLE_LIMIT to see how much data QEMU is allowed + * to write to stderr. We set that to 1MB if it is not set by + * system administrator. + */ +static void libxl__set_qemu_env_for_xsa_180(libxl__gc *gc, + flexarray_t *dm_envs) +{ + unsigned long limit = 0; + const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT"); + + limit = s ? strtoul(s,0,0) : 1*1024*1024; + flexarray_append_pair(dm_envs, "XEN_QEMU_CONSOLE_LIMIT", + GCSPRINTF("%lu", limit)); +} + const libxl_vnc_info *libxl__dm_vnc(const libxl_domain_config *guest_config) { const libxl_vnc_info *vnc = NULL; @@ -415,6 +433,8 @@ static int libxl__build_device_model_args_old(libxl__gc *gc, dm_args = flexarray_make(gc, 16, 1); dm_envs = flexarray_make(gc, 16, 1); + libxl__set_qemu_env_for_xsa_180(gc, dm_envs); + flexarray_vappend(dm_args, dm, "-d", GCSPRINTF("%d", domid), NULL); @@ -913,6 +933,8 @@ static int libxl__build_device_model_args_new(libxl__gc *gc, dm_args = flexarray_make(gc, 16, 1); dm_envs = flexarray_make(gc, 16, 1); + libxl__set_qemu_env_for_xsa_180(gc, dm_envs); + flexarray_vappend(dm_args, dm, "-xen-domid", GCSPRINTF("%d", guest_domid), NULL); @@ -2193,8 +2215,8 @@ static void device_model_spawn_outcome(libxl__egc *egc, void libxl__spawn_qdisk_backend(libxl__egc *egc, libxl__dm_spawn_state *dmss) { STATE_AO_GC(dmss->spawn.ao); - flexarray_t *dm_args; - char **args; + flexarray_t *dm_args, *dm_envs; + char **args, **envs; const char *dm; int logfile_w, null = -1, rc; uint32_t domid = dmss->guest_domid; @@ -2203,6 +2225,8 @@ void libxl__spawn_qdisk_backend(libxl__egc *egc, libxl__dm_spawn_state *dmss) dm = qemu_xen_path(gc); dm_args = flexarray_make(gc, 15, 1); + dm_envs = flexarray_make(gc, 1, 1); + flexarray_vappend(dm_args, dm, "-xen-domid", GCSPRINTF("%d", domid), NULL); flexarray_append(dm_args, "-xen-attach"); @@ -2216,6 +2240,9 @@ void libxl__spawn_qdisk_backend(libxl__egc *egc, libxl__dm_spawn_state *dmss) flexarray_append(dm_args, NULL); args = (char **) flexarray_contents(dm_args); + libxl__set_qemu_env_for_xsa_180(gc, dm_envs); + envs = (char **) flexarray_contents(dm_envs); + logfile_w = libxl__create_qemu_logfile(gc, GCSPRINTF("qdisk-%u", domid)); if (logfile_w < 0) { rc = logfile_w; @@ -2253,7 +2280,7 @@ void libxl__spawn_qdisk_backend(libxl__egc *egc, libxl__dm_spawn_state *dmss) goto out; if (!rc) { /* inner child */ setsid(); - libxl__exec(gc, null, logfile_w, logfile_w, dm, args, NULL); + libxl__exec(gc, null, logfile_w, logfile_w, dm, args, envs); } rc = 0; -- 2.1.4 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH QEMU for-4.7] main loop: Big hammer to fix logfile disk DoS in Xen setups 2016-05-26 15:21 ` [PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU Wei Liu @ 2016-05-26 15:21 ` Wei Liu 2016-05-26 15:36 ` George Dunlap ` (2 more replies) 2016-05-26 15:41 ` [PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU Ian Jackson 1 sibling, 3 replies; 11+ messages in thread From: Wei Liu @ 2016-05-26 15:21 UTC (permalink / raw) To: Xen-devel; +Cc: Anthony PERARD, Wei Liu, Ian Jackson From: Ian Jackson <ian.jackson@eu.citrix.com> Each time round the main loop, we now fstat stderr. If it is too big, we dup2 /dev/null onto it. This is not a very pretty patch but it is very simple, easy to see that it's correct, and has a low risk of collateral damage. The limit is 1Mby by default but can be adjusted by setting a new environment variable. This fixes CVE-2014-3672. Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Set the default to 0 so that it won't affect non-xen installation. The limit will be set by Xen toolstack. Signed-off-by: Wei Liu <wei.liu2@citrix.com> --- main-loop.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/main-loop.c b/main-loop.c index 3997043..aa32f5b 100644 --- a/main-loop.c +++ b/main-loop.c @@ -164,6 +164,50 @@ int qemu_init_main_loop(Error **errp) return 0; } +static void check_cve_2014_3672_xen(void) +{ + static unsigned long limit = ~0UL; + const int fd = 2; + struct stat stab; + + if (limit == ~0UL) { + const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT"); + /* XEN_QEMU_CONSOLE_LIMIT=0 means no limit */ + limit = s ? strtoul(s,0,0) : 0; + } + if (limit == 0) + return; + + int r = fstat(fd, &stab); + if (r) { + perror("fstat stderr (for CVE-2014-3672 check)"); + exit(-1); + } + if (!S_ISREG(stab.st_mode)) + return; + if (stab.st_size <= limit) + return; + + /* oh dear */ + fprintf(stderr,"\r\n" + "Closing stderr due to CVE-2014-3672 limit. " + " Set XEN_QEMU_CONSOLE_LIMIT to number of bytes to override," + " or 0 for no limit.\n"); + fflush(stderr); + + int nfd = open("/dev/null", O_WRONLY); + if (nfd < 0) { + perror("open /dev/null (for CVE-2014-3672 check)"); + exit(-1); + } + r = dup2(nfd, fd); + if (r != fd) { + perror("dup2 /dev/null (for CVE-2014-3672 check)"); + exit(-1); + } + close(nfd); +} + static int max_priority; #ifndef _WIN32 @@ -216,6 +260,8 @@ static int os_host_main_loop_wait(int64_t timeout) int ret; static int spin_counter; + check_cve_2014_3672_xen(); + glib_pollfds_fill(&timeout); /* If the I/O thread is very busy or we are incorrectly busy waiting in @@ -407,6 +453,8 @@ static int os_host_main_loop_wait(int64_t timeout) fd_set rfds, wfds, xfds; int nfds; + check_cve_2014_3672_xen(); + /* XXX: need to suppress polling by better using win32 events */ ret = 0; for (pe = first_polling_entry; pe != NULL; pe = pe->next) { -- 2.1.4 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH QEMU for-4.7] main loop: Big hammer to fix logfile disk DoS in Xen setups 2016-05-26 15:21 ` [PATCH QEMU for-4.7] main loop: Big hammer to fix logfile disk DoS in Xen setups Wei Liu @ 2016-05-26 15:36 ` George Dunlap 2016-05-26 15:39 ` Wei Liu 2016-05-26 15:42 ` Ian Jackson 2016-05-26 16:10 ` Anthony PERARD 2 siblings, 1 reply; 11+ messages in thread From: George Dunlap @ 2016-05-26 15:36 UTC (permalink / raw) To: Wei Liu; +Cc: Anthony PERARD, Xen-devel, Ian Jackson On Thu, May 26, 2016 at 4:21 PM, Wei Liu <wei.liu2@citrix.com> wrote: > From: Ian Jackson <ian.jackson@eu.citrix.com> > > Each time round the main loop, we now fstat stderr. If it is too big, > we dup2 /dev/null onto it. This is not a very pretty patch but it is > very simple, easy to see that it's correct, and has a low risk of > collateral damage. > > The limit is 1Mby by default but can be adjusted by setting a new > environment variable. There is no limit by default; a companion patch for libxl sets this to 1MiB. This is so that this patch may be applied on a system qemu which is shared between multiple use cases (including non-Xen cases). -George _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH QEMU for-4.7] main loop: Big hammer to fix logfile disk DoS in Xen setups 2016-05-26 15:36 ` George Dunlap @ 2016-05-26 15:39 ` Wei Liu 0 siblings, 0 replies; 11+ messages in thread From: Wei Liu @ 2016-05-26 15:39 UTC (permalink / raw) To: George Dunlap; +Cc: Anthony PERARD, Xen-devel, Wei Liu, Ian Jackson On Thu, May 26, 2016 at 04:36:57PM +0100, George Dunlap wrote: > On Thu, May 26, 2016 at 4:21 PM, Wei Liu <wei.liu2@citrix.com> wrote: > > From: Ian Jackson <ian.jackson@eu.citrix.com> > > > > Each time round the main loop, we now fstat stderr. If it is too big, > > we dup2 /dev/null onto it. This is not a very pretty patch but it is > > very simple, easy to see that it's correct, and has a low risk of > > collateral damage. > > > > The limit is 1Mby by default but can be adjusted by setting a new > > environment variable. > > There is no limit by default; a companion patch for libxl sets this to > 1MiB. This is so that this patch may be applied on a system qemu > which is shared between multiple use cases (including non-Xen cases). > I added a paragraph in that patch and have my S-o-B. Did you miss that? Or do you mean I should rewrite the commit message altogether? Wei. > -George _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH QEMU for-4.7] main loop: Big hammer to fix logfile disk DoS in Xen setups 2016-05-26 15:21 ` [PATCH QEMU for-4.7] main loop: Big hammer to fix logfile disk DoS in Xen setups Wei Liu 2016-05-26 15:36 ` George Dunlap @ 2016-05-26 15:42 ` Ian Jackson 2016-05-26 16:10 ` Anthony PERARD 2 siblings, 0 replies; 11+ messages in thread From: Ian Jackson @ 2016-05-26 15:42 UTC (permalink / raw) To: Wei Liu; +Cc: Anthony PERARD, Xen-devel Wei Liu writes ("[PATCH QEMU for-4.7] main loop: Big hammer to fix logfile disk DoS in Xen setups"): > The limit is 1Mby by default but can be adjusted by setting a new > environment variable. > > This fixes CVE-2014-3672. > > Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> > Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com> > > Set the default to 0 so that it won't affect non-xen installation. The > limit will be set by Xen toolstack. Maybe the commit message, earlier, could be adjusted ? But otherwise Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH QEMU for-4.7] main loop: Big hammer to fix logfile disk DoS in Xen setups 2016-05-26 15:21 ` [PATCH QEMU for-4.7] main loop: Big hammer to fix logfile disk DoS in Xen setups Wei Liu 2016-05-26 15:36 ` George Dunlap 2016-05-26 15:42 ` Ian Jackson @ 2016-05-26 16:10 ` Anthony PERARD 2016-05-26 16:50 ` Anthony PERARD 2 siblings, 1 reply; 11+ messages in thread From: Anthony PERARD @ 2016-05-26 16:10 UTC (permalink / raw) To: Wei Liu; +Cc: Xen-devel, Ian Jackson On Thu, May 26, 2016 at 04:21:56PM +0100, Wei Liu wrote: > From: Ian Jackson <ian.jackson@eu.citrix.com> > > Each time round the main loop, we now fstat stderr. If it is too big, > we dup2 /dev/null onto it. This is not a very pretty patch but it is > very simple, easy to see that it's correct, and has a low risk of > collateral damage. > > The limit is 1Mby by default but can be adjusted by setting a new > environment variable. > > This fixes CVE-2014-3672. > > Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> > Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com> > > Set the default to 0 so that it won't affect non-xen installation. The > limit will be set by Xen toolstack. > > Signed-off-by: Wei Liu <wei.liu2@citrix.com> Beside the confusing commit message and the call in the WIN32 specific mainloop, the patch look good. So, Acked-by: Anthony PERARD <anthony.perard@citrix.com> > --- > main-loop.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 48 insertions(+) > > diff --git a/main-loop.c b/main-loop.c > index 3997043..aa32f5b 100644 > --- a/main-loop.c > +++ b/main-loop.c > @@ -164,6 +164,50 @@ int qemu_init_main_loop(Error **errp) > return 0; > } > > +static void check_cve_2014_3672_xen(void) > +{ > + static unsigned long limit = ~0UL; > + const int fd = 2; > + struct stat stab; > + > + if (limit == ~0UL) { > + const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT"); > + /* XEN_QEMU_CONSOLE_LIMIT=0 means no limit */ > + limit = s ? strtoul(s,0,0) : 0; > + } > + if (limit == 0) > + return; > + > + int r = fstat(fd, &stab); > + if (r) { > + perror("fstat stderr (for CVE-2014-3672 check)"); > + exit(-1); > + } > + if (!S_ISREG(stab.st_mode)) > + return; > + if (stab.st_size <= limit) > + return; > + > + /* oh dear */ > + fprintf(stderr,"\r\n" > + "Closing stderr due to CVE-2014-3672 limit. " > + " Set XEN_QEMU_CONSOLE_LIMIT to number of bytes to override," > + " or 0 for no limit.\n"); > + fflush(stderr); > + > + int nfd = open("/dev/null", O_WRONLY); > + if (nfd < 0) { > + perror("open /dev/null (for CVE-2014-3672 check)"); > + exit(-1); > + } > + r = dup2(nfd, fd); > + if (r != fd) { > + perror("dup2 /dev/null (for CVE-2014-3672 check)"); > + exit(-1); > + } > + close(nfd); > +} > + > static int max_priority; > > #ifndef _WIN32 > @@ -216,6 +260,8 @@ static int os_host_main_loop_wait(int64_t timeout) > int ret; > static int spin_counter; > > + check_cve_2014_3672_xen(); > + > glib_pollfds_fill(&timeout); > > /* If the I/O thread is very busy or we are incorrectly busy waiting in > @@ -407,6 +453,8 @@ static int os_host_main_loop_wait(int64_t timeout) > fd_set rfds, wfds, xfds; > int nfds; > > + check_cve_2014_3672_xen(); > + That's the call within an #ifdef _WIN32. > /* XXX: need to suppress polling by better using win32 events */ > ret = 0; > for (pe = first_polling_entry; pe != NULL; pe = pe->next) { -- Anthony PERARD _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH QEMU for-4.7] main loop: Big hammer to fix logfile disk DoS in Xen setups 2016-05-26 16:10 ` Anthony PERARD @ 2016-05-26 16:50 ` Anthony PERARD 0 siblings, 0 replies; 11+ messages in thread From: Anthony PERARD @ 2016-05-26 16:50 UTC (permalink / raw) To: Wei Liu; +Cc: Xen-devel, Ian Jackson On Thu, May 26, 2016 at 05:10:52PM +0100, Anthony PERARD wrote: > On Thu, May 26, 2016 at 04:21:56PM +0100, Wei Liu wrote: > > From: Ian Jackson <ian.jackson@eu.citrix.com> > > > > Each time round the main loop, we now fstat stderr. If it is too big, > > we dup2 /dev/null onto it. This is not a very pretty patch but it is > > very simple, easy to see that it's correct, and has a low risk of > > collateral damage. > > > > The limit is 1Mby by default but can be adjusted by setting a new > > environment variable. > > > > This fixes CVE-2014-3672. > > > > Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> > > Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com> > > > > Set the default to 0 so that it won't affect non-xen installation. The > > limit will be set by Xen toolstack. > > > > Signed-off-by: Wei Liu <wei.liu2@citrix.com> > > Beside the confusing commit message and the call in the WIN32 specific > mainloop, the patch look good. So, > > Acked-by: Anthony PERARD <anthony.perard@citrix.com> I have ajusted the commit message with `s/The limit is 1Mby/There is no limit/` and going to push to staging. -- Anthony PERARD _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU 2016-05-26 15:21 ` [PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU Wei Liu 2016-05-26 15:21 ` [PATCH QEMU for-4.7] main loop: Big hammer to fix logfile disk DoS in Xen setups Wei Liu @ 2016-05-26 15:41 ` Ian Jackson 2016-05-26 15:47 ` Wei Liu 1 sibling, 1 reply; 11+ messages in thread From: Ian Jackson @ 2016-05-26 15:41 UTC (permalink / raw) To: Wei Liu; +Cc: Anthony PERARD, Xen-devel Wei Liu writes ("[PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU"): > XSA-180 provides a patch to QEMU to bodge QEMU logging issue. We > explicitly set the limit in libxl for 4.7. ... > + unsigned long limit = 0; > + const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT"); > + > + limit = s ? strtoul(s,0,0) : 1*1024*1024; > + flexarray_append_pair(dm_envs, "XEN_QEMU_CONSOLE_LIMIT", > + GCSPRINTF("%lu", limit)); This is rather more complex than it needs to be. What would be wrong with if (getenv("XEN_QEMU_CONSOLE_LIMIT")) return; flexarray_append_pair(dm_envs, "XEN_QEMU_CONSOLE_LIMIT", "1048576"); ? But I guess I don't object enough to care, so Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> > + flexarray_t *dm_args, *dm_envs; > + char **args, **envs; All these parts are a bit of a palaver but I don't see a better way. Thanks for doing this work! Ian. _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU 2016-05-26 15:41 ` [PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU Ian Jackson @ 2016-05-26 15:47 ` Wei Liu 2016-05-26 15:54 ` Wei Liu 0 siblings, 1 reply; 11+ messages in thread From: Wei Liu @ 2016-05-26 15:47 UTC (permalink / raw) To: Ian Jackson; +Cc: Anthony PERARD, Xen-devel, Wei Liu On Thu, May 26, 2016 at 04:41:53PM +0100, Ian Jackson wrote: > Wei Liu writes ("[PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU"): > > XSA-180 provides a patch to QEMU to bodge QEMU logging issue. We > > explicitly set the limit in libxl for 4.7. > ... > > + unsigned long limit = 0; > > + const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT"); > > + > > + limit = s ? strtoul(s,0,0) : 1*1024*1024; > > + flexarray_append_pair(dm_envs, "XEN_QEMU_CONSOLE_LIMIT", > > + GCSPRINTF("%lu", limit)); > > This is rather more complex than it needs to be. What would be wrong > with > if (getenv("XEN_QEMU_CONSOLE_LIMIT")) return; > flexarray_append_pair(dm_envs, "XEN_QEMU_CONSOLE_LIMIT", "1048576"); > ? > Nice, this is simpler. I will use this version and keep your ack. > But I guess I don't object enough to care, so > > Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> > > > > + flexarray_t *dm_args, *dm_envs; > > + char **args, **envs; > > All these parts are a bit of a palaver but I don't see a better way. > Thanks for doing this work! > YW. Wei. > Ian. _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU 2016-05-26 15:47 ` Wei Liu @ 2016-05-26 15:54 ` Wei Liu 0 siblings, 0 replies; 11+ messages in thread From: Wei Liu @ 2016-05-26 15:54 UTC (permalink / raw) To: Ian Jackson; +Cc: Anthony PERARD, Xen-devel, Wei Liu On Thu, May 26, 2016 at 04:47:59PM +0100, Wei Liu wrote: > On Thu, May 26, 2016 at 04:41:53PM +0100, Ian Jackson wrote: > > Wei Liu writes ("[PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU"): > > > XSA-180 provides a patch to QEMU to bodge QEMU logging issue. We > > > explicitly set the limit in libxl for 4.7. > > ... > > > + unsigned long limit = 0; > > > + const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT"); > > > + > > > + limit = s ? strtoul(s,0,0) : 1*1024*1024; > > > + flexarray_append_pair(dm_envs, "XEN_QEMU_CONSOLE_LIMIT", > > > + GCSPRINTF("%lu", limit)); > > > > This is rather more complex than it needs to be. What would be wrong > > with > > if (getenv("XEN_QEMU_CONSOLE_LIMIT")) return; > > flexarray_append_pair(dm_envs, "XEN_QEMU_CONSOLE_LIMIT", "1048576"); > > ? > > > > Nice, this is simpler. I will use this version and keep your ack. > I will push this patch soon. ---8<--- From 1d915bc7805bde9fe90341e9bcea01bf50154d87 Mon Sep 17 00:00:00 2001 From: Wei Liu <wei.liu2@citrix.com> Date: Thu, 26 May 2016 16:11:42 +0100 Subject: [PATCH] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU XSA-180 provides a patch to QEMU to bodge QEMU logging issue. We explicitly set the limit in libxl for 4.7. Introduce a function for setting the environment variable and call it in the right places. Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> --- tools/libxl/libxl_dm.c | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c index 6bbc7c3..155a653 100644 --- a/tools/libxl/libxl_dm.c +++ b/tools/libxl/libxl_dm.c @@ -365,6 +365,20 @@ int libxl__domain_device_construct_rdm(libxl__gc *gc, return ERROR_FAIL; } +/* XSA-180 / CVE-2014-3672 + * + * The QEMU shipped with Xen has a bodge. It checks for + * XEN_QEMU_CONSOLE_LIMIT to see how much data QEMU is allowed + * to write to stderr. We set that to 1MB if it is not set by + * system administrator. + */ +static void libxl__set_qemu_env_for_xsa_180(libxl__gc *gc, + flexarray_t *dm_envs) +{ + if (getenv("XEN_QEMU_CONSOLE_LIMIT")) return; + flexarray_append_pair(dm_envs, "XEN_QEMU_CONSOLE_LIMIT", "1048576"); +} + const libxl_vnc_info *libxl__dm_vnc(const libxl_domain_config *guest_config) { const libxl_vnc_info *vnc = NULL; @@ -415,6 +429,8 @@ static int libxl__build_device_model_args_old(libxl__gc *gc, dm_args = flexarray_make(gc, 16, 1); dm_envs = flexarray_make(gc, 16, 1); + libxl__set_qemu_env_for_xsa_180(gc, dm_envs); + flexarray_vappend(dm_args, dm, "-d", GCSPRINTF("%d", domid), NULL); @@ -913,6 +929,8 @@ static int libxl__build_device_model_args_new(libxl__gc *gc, dm_args = flexarray_make(gc, 16, 1); dm_envs = flexarray_make(gc, 16, 1); + libxl__set_qemu_env_for_xsa_180(gc, dm_envs); + flexarray_vappend(dm_args, dm, "-xen-domid", GCSPRINTF("%d", guest_domid), NULL); @@ -2193,8 +2211,8 @@ static void device_model_spawn_outcome(libxl__egc *egc, void libxl__spawn_qdisk_backend(libxl__egc *egc, libxl__dm_spawn_state *dmss) { STATE_AO_GC(dmss->spawn.ao); - flexarray_t *dm_args; - char **args; + flexarray_t *dm_args, *dm_envs; + char **args, **envs; const char *dm; int logfile_w, null = -1, rc; uint32_t domid = dmss->guest_domid; @@ -2203,6 +2221,8 @@ void libxl__spawn_qdisk_backend(libxl__egc *egc, libxl__dm_spawn_state *dmss) dm = qemu_xen_path(gc); dm_args = flexarray_make(gc, 15, 1); + dm_envs = flexarray_make(gc, 1, 1); + flexarray_vappend(dm_args, dm, "-xen-domid", GCSPRINTF("%d", domid), NULL); flexarray_append(dm_args, "-xen-attach"); @@ -2216,6 +2236,9 @@ void libxl__spawn_qdisk_backend(libxl__egc *egc, libxl__dm_spawn_state *dmss) flexarray_append(dm_args, NULL); args = (char **) flexarray_contents(dm_args); + libxl__set_qemu_env_for_xsa_180(gc, dm_envs); + envs = (char **) flexarray_contents(dm_envs); + logfile_w = libxl__create_qemu_logfile(gc, GCSPRINTF("qdisk-%u", domid)); if (logfile_w < 0) { rc = logfile_w; @@ -2253,7 +2276,7 @@ void libxl__spawn_qdisk_backend(libxl__egc *egc, libxl__dm_spawn_state *dmss) goto out; if (!rc) { /* inner child */ setsid(); - libxl__exec(gc, null, logfile_w, logfile_w, dm, args, NULL); + libxl__exec(gc, null, logfile_w, logfile_w, dm, args, envs); } rc = 0; -- 2.1.4 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply related [flat|nested] 11+ messages in thread
end of thread, other threads:[~2016-05-26 16:50 UTC | newest] Thread overview: 11+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2016-05-26 15:19 [PATCH for-4.7] XSA-180 patches for 4.7 Wei Liu 2016-05-26 15:21 ` [PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU Wei Liu 2016-05-26 15:21 ` [PATCH QEMU for-4.7] main loop: Big hammer to fix logfile disk DoS in Xen setups Wei Liu 2016-05-26 15:36 ` George Dunlap 2016-05-26 15:39 ` Wei Liu 2016-05-26 15:42 ` Ian Jackson 2016-05-26 16:10 ` Anthony PERARD 2016-05-26 16:50 ` Anthony PERARD 2016-05-26 15:41 ` [PATCH for-4.7] libxl: set XEN_QEMU_CONSOLE_LIMIT for QEMU Ian Jackson 2016-05-26 15:47 ` Wei Liu 2016-05-26 15:54 ` Wei Liu
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).