summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* Security: Mitigate possible privilege escalation via SG_IO ioctl ↵Richard W.M. Jones2011-12-221-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | (CVE-2011-4127, RHBZ#757071) CVE-2011-4127 is a serious qemu & kernel privilege escalation bug found by Paolo Bonzini. http://seclists.org/oss-sec/2011/q4/536 An untrusted guest kernel is able to issue special SG_IO ioctls on virtio devices which qemu passes through to the host kernel without filtering or sanitizing. These ioctls allow raw sectors from the underlying host device to be read and written. Significantly, neither qemu nor the host kernel checks that the range of sectors is within the partition / LV assigned to the guest. For example, if the guest is assigned host partition /dev/sda3, it would be able to read or write any part of /dev/sda including other partitions and the boot sector. Exploits through LVs passed to the guest are also possible, with some limitations. File-backed virtual block devices are not vulnerable. Non-virtio block devices are not vulnerable. This patch mitigates the problem by disabling the SG_IO ioctl passthrough in qemu. Thus if libguestfs is examining an untrusted guest and the libguestfs appliance/daemon is compromised (eg. by executing guest commands, or through some other compromise), then the compromised appliance will not be able to issue the above SG_IO ioctls and exploit the host. Note that this is just mitigation for libguestfs. Users will still want to fully update their host kernel, qemu/KVM and libvirt, in order to prevent other (non-libguestfs) routes to compromise. The following versions of libguestfs (will/have) this patch applied. libguestfs >= 1.15.13 libguestfs >= 1.14.8 libguestfs >= 1.12.11 libguestfs >= 1.10.12 libguestfs >= 1.8.16 Earlier versions may be vulnerable unless a downstream packager has applied this patch. Cc: Hilko Bengen <bengen@hilluzination.de> (cherry picked from commit 9a5f784d511a8f00a8386f316eab41fe660430db)
* Add test for qemu broken -machine option (RHBZ#748266).Richard W.M. Jones2011-10-311-0/+12
| | | | | | | | Also add this option, if necessary, when testing for virtio-serial support. When the workaround is enabled, we specify machine type 'pc'. (cherry picked from commit 3814680423984b3c46c2f99e944c2a71862bde9f)
* Allow compilation without hivex (RHBZ#723474).Richard W.M. Jones2011-10-313-96/+97
| | | | (cherry picked from commit f5172902bc9d92451c83dc3c1a85b5aeb975b43a)
* inspection: Return root devices sorted.Richard W.M. Jones2011-10-191-0/+11
| | | | (cherry picked from commit c46bedf925cd9c6c9a9cbaee115358fd1dffcbfe)
* inspect: Don't assume number of captures in match functionsMatthew Booth2011-10-191-30/+13
| | | | | | | | | | | | | | | | It is possible for the pcre library to return a variable number of captures for a single regular expression. e.g.: ^/dev/(cciss/c\d+d\d+)(?:p(\d+))?$ This will return either 1 or 2 captures depending on whether the device has a partition suffix. The current match wrappers don't allow for this, and require that a predictable number of matches are returned. This change updates match, match1, match2, and match3 to ignore the specific number of matches returned. Instead, any returned captures are assigned to the given arguments, and any remaining arguments are set to NULL. (cherry picked from commit f5c9f0e9ee1729b1260cef3e51ca91936e1868c4)
* NFC: Remove unnecessary gotoMatthew Booth2011-10-191-7/+5
| | | | | Cherry picked from commit 1f615fddaffd33afc75a582021769583c8f4db4e and backported to libguestfs-1.12 branch.
* launch: Ensure g->cmdline is allocated before assigning g->cmdline[0].Richard W.M. Jones2011-10-191-7/+14
| | | | (cherry picked from commit 138e118d62046b197b715462072256082ecfc0f7)
* docs: Add directory section for resize/Richard W.M. Jones2011-10-191-0/+4
| | | | | Based on commit f3341222b37f91d7f7fcdafe30b107ea9da9ad02, but modified since only resize exists in this branch of libguestfs.
* docs: Add virt-resize to list of links in guestfs(3).Richard W.M. Jones2011-10-191-0/+1
| | | | (cherry picked from commit 293772bf7511dee41a1f3e842424678c1a6bf9e4)
* docs: virt-win-reg is written in Perl, not virt-resize.Richard W.M. Jones2011-10-191-1/+1
| | | | (cherry picked from commit b39b3c5c74f1dfb88a6074aac476df877f1bfc4d)
* Add no_timer_check to disable faulty test during boot (RHBZ#502058).Richard W.M. Jones2011-10-191-0/+1
| | | | | | | | | | See: https://bugzilla.redhat.com/show_bug.cgi?id=502058#c15 https://bugzilla.redhat.com/show_bug.cgi?id=698842#c8 This updates commit 79e66f89e2f6c27486476d7857da58feb491bf5c. (cherry picked from commit 322106521f546d7c70c5a38255db7d243a456a6b)
* docs: Show how to use a qemu wrapper to edit the qemu command line.Richard W.M. Jones2011-10-191-0/+23
| | | | (cherry picked from commit 3c7b3634b2c86a4c41fec044ccb59a1fe3224e66)
* inspection: Handle /dev/root in /etc/fstab.Richard W.M. Jones2011-09-161-0/+3
| | | | | | | | This means "the device that holds /etc/fstab", so map it correctly. This fixes support for ttylinux and also some other guests that use /dev/root instead of a real device name. (cherry picked from commit 917f947590c92318fee2545ba88245d0de012e31)
* docs: Add a section explaining the appliance boot process.Richard W.M. Jones2011-09-161-0/+93
| | | | (cherry picked from commit b3f1457fddd19b1e540866fa01c665aeb371cb44)
* Coverity: fix memory leak along error path.Richard W.M. Jones2011-08-281-0/+12
| | | | (cherry picked from commit ce18be33cd5279a8d4120eedd037400c275585c0)
* pclose: Fix other places where we only tested pclose == -1.Richard W.M. Jones2011-08-282-2/+2
| | | | | pclose can return > 0 when the status of the command was non-zero. (cherry picked from commit 631faad97171d7c1238b2e413c663cf61476f440)
* test_qemu: Improve the error message.Richard W.M. Jones2011-08-281-1/+2
| | | | | | Note that errno is probably not set to a useful value here, so there is not much point recording it. (cherry picked from commit f15961911316460f7d45342d63c2d784a483f0d1)
* test_qemu: pclose may return any != 0 on error.Richard W.M. Jones2011-08-281-1/+1
| | | | | In particular pclose returns a status > 0 if the command fails. (cherry picked from commit a24652c7b27e8494268ccb6c9a5a2e5541ba5efd)
* qemu detection: Free up previous qemu help/version strings if they exist.Richard W.M. Jones2011-08-281-0/+5
| | | | (cherry picked from commit 2ace9be4cd69e84cd88e5b0fd74de861a4973c91)
* Coverity: test_qemu: Ensure FILE * is not leaked along error paths.Richard W.M. Jones2011-08-281-15/+21
| | | | | | This refactors the code in test_qemu slightly to ensure that FILE *fp is not leaked on error paths. (cherry picked from commit 08e77ad8cb4e8ac70d4217ebd5d236eba81645b5)
* Escape special/non-printing characters in debug output (RHBZ#731744).Richard W.M. Jones2011-08-281-12/+42
| | | | | | | | | | | | | | | | | | | The default event handler in libguestfs was simply writing all debug output directly to stderr. However if the output contains non-printable characters such as terminal control codes then these would also be sent directly. With newer SeaBIOS there is a lame attempt to implement a splash screen using terminal control codes, thus when libguestfs tries to display debugging output it would cause the screen to clear and debug output to be lost. This commit causes all non-printing characters to be escaped. (\n and \r characters from the appliance are treated somewhat specially). Furthermore, instead of using write(2), use buffered stderr calls. (cherry picked from commit 06019bc82e107f7715ebc59e491610e06dad1e39)
* Remove guestfs___print_timestamped_argv.Richard W.M. Jones2011-08-283-48/+90
| | | | | | | | | | | | | | | | | | | | | | | | This function was used to print the qemu and febootstrap-supermin-helper command lines. Unfortunately in the qemu case it was used incorrectly: it called the internal debug function (ie. event API callback) from the forked qemu subprocess, which meant that higher level event callbacks might have been invoked from the child process. To fix this, convert the qemu case into a new function called print_qemu_command line which just prints the command line directly to stderr. This is called after stderr has been redirected into the pipe to the main process. Thus the qemu command line will be marshalled into the event API along with other qemu and appliance output. After fixing this, only one use of guestfs___print_timestamped_argv remained, for printing the febootstrap-supermin-helper command line. This is converted to a local function print_febootstrap_command_line. Also print_febootstrap_command_line is now called before we fork febootstrap-supermin-helper, so that messages no longer overlap. (cherry picked from commit 635af5be04265f845186b40e9a9fe7b102ad6909)
* out-of-tree build: fix building libraryHilko Bengen2011-08-281-3/+3
| | | | (cherry picked from commit 0241c753937e577d51a070f7db471260bf931f9c)
* out-of-tree build: fix documentation generationHilko Bengen2011-08-281-4/+4
| | | | (cherry picked from commit ff101adf7ead7bcdb46bccdb227ef18d844b965f)
* inspection: Better checking for Windows root disks (RHBZ#729075).Richard W.M. Jones2011-08-173-30/+75
| | | | | | | | | | | | | | | | | | Previously any disk that had /autoexec.bat or /boot.ini or /ntldr would be picked up as a candidate for a Windows root disk. If further checking could not find any systemroot (eg. /windows) then this would result in complete failure of inspection. In particular, this got confused by Hp_recovery partitions which have /autoexec.bat, but don't have a systemroot in one of the usual places (they have /MiniNT instead). What we do now is to properly investigate all possible systemroot places before deciding this is a Windows systemroot, so the subsequent failure cannot occur. (Thanks to lorimar for reporting this bug). (cherry picked from commit 2c57305f72cd6181d1849ae6e1b892aa01c7f844)
* docs: guestfs_set_out_of_memory_handler returns void, not int.Richard W.M. Jones2011-08-071-2/+2
| | | | | It always has done. The documentation was wrong. (cherry picked from commit 70f44cc0ea0bcdd025ed657461e07f6778be44ba)
* Change link, since PostgreSQL switched to using git.Richard W.M. Jones2011-08-071-1/+1
| | | | (cherry picked from commit 3cf31c2fe0b356ea5c04117c5235b0a3cfe34971)
* Don't fail if HOSTNAME field is missing on Red Hat guests (RHBZ#726739).Richard W.M. Jones2011-08-071-3/+10
| | | | (cherry picked from commit bad3f4b54a959685f3c0697238fc5753096834fb)
* launch: Add qemu_supports_re function.Richard W.M. Jones2011-07-261-0/+43
| | | | | | | | This function is like qemu_supports, but allows us to grep the help text using regular expressions. Note the function is not used yet. (cherry picked from commit 5d7dc0dfb65f367dab3560ee23e404fe21373f45)
* Require PCRE library.Richard W.M. Jones2011-07-2610-51/+24
| | | | | This library is widely available in distros. (cherry picked from commit 41cd0e302d6554facd6b9f7daaa78304361efaef)
* docs: Document FEBOOTSTRAP_KERNEL, FEBOOTSTRAP_MODULES (RHBZ#671082).Richard W.M. Jones2011-07-261-0/+11
| | | | (cherry picked from commit 316817b5ad98e294a9d2498a4403e82911a75b4a)
* blkid: Detect when value not found and return empty string.Richard W.M. Jones2011-07-201-0/+4
| | | | | | | | | | | | | | If the blkid command returns 2, that means the value was not found. Note that this changes the output of the vfs-type API when the filesystem has no type (eg when it is empty). Previously this would return an error. Now it returns empty string "". We did not document this either way. Making it return empty string is consistent with vfs-label and vfs-uuid. This change broke list-filesystems, since that code was assuming that vfs-type could only return a filesystem type or an error.
* docs: Update stable release instructions.Richard W.M. Jones2011-07-201-0/+5
|
* appliance: Capture stderr from qemu to the event system.Richard W.M. Jones2011-07-201-1/+9
|
* appliance: Document pipe fds.Richard W.M. Jones2011-07-201-0/+2
|
* java: Add guestfs-java(3) man page.Richard W.M. Jones2011-07-191-1/+2
|
* Add missing reference to guestfs-perl(3) to guestfs(3).Richard W.M. Jones2011-07-191-0/+1
|
* Add notes on making a libguestfs stable release.Richard W.M. Jones2011-07-171-0/+50
|
* Update API support.Richard W.M. Jones2011-07-163-0/+869
|
* Update API support.Richard W.M. Jones2011-07-154-0/+1304
|
* Add user cancellation to the C API.Richard W.M. Jones2011-07-154-7/+70
| | | | | | | | | This allows long transfers (FileIn and FileOut operations) to be cancelled by calling the signal and thread safe guestfs_user_cancel function. Most of this commit consists of a multithreaded program that tests user cancellation of uploads and downloads.
* New APIs: set-pgroup, get-pgroupRichard W.M. Jones2011-07-153-6/+26
| | | | | | | | | | | If the pgroup flag is set in the handle, then the qemu and recovery subprocesses are placed in separate process groups. The default is false. The purpose for setting up a process group is that ^C will not be passed from the main process down to these processes (killing them). This allows ^C and other keyboard events to be caught and handled in the main process.
* New API: write-appendRichard W.M. Jones2011-07-141-1/+1
| | | | Append content to the end of a file.
* New API: btrfs-filesystem-resize (RHBZ#721160).Richard W.M. Jones2011-07-141-1/+1
| | | | This resizes a btrfs filesystem.
* docs: Update API support.Richard W.M. Jones2011-07-134-0/+1307
|
* New API: ntfsresize-opts (RHBZ#685009).Richard W.M. Jones2011-07-121-1/+1
| | | | | | This is a more comprehensive fix for RHBZ#685009. Add a new API which allows the --force flag to be passed, allowing multiple NTFS resize operations in a single session.
* New API: list-dm-devices (RHBZ#688062).Richard W.M. Jones2011-07-121-1/+1
| | | | List device mapper devices.
* Add caution subdirectory containing safety and liveness tests.Richard W.M. Jones2011-06-301-0/+5
| | | | | Not that I'm paranoid about qemu breaking snapshots of anything like that ...
* docs: Update API support.Richard W.M. Jones2011-06-2945-10/+18672
|
* New API: inspect-get-icon returns the guest icon.Richard W.M. Jones2011-06-283-0/+474
| | | | | | | | | | This API returns the guest's favicon if found, else an icon representing the guest operating system. Currently supported by this patch: Fedora, RHEL and derivatives, Debian (but not Ubuntu), Windows XP, Windows 7. This also updates virt-inspector to include an <icon> element containing the icon in base64 encoding.
generated by cgit (git 2.34.1) at 2025-08-31 09:23:43 +0000