
From: Matthew Thode <prometheanfire@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-cluster/nova/files/, sys-cluster/nova/
Date: Tue, 25 Aug 2020 16:54:01
Message-Id: 1598374433.440c9286ac4b1d2e10c25cb883250bc497611159.prometheanfire@gentoo
1 commit: 440c9286ac4b1d2e10c25cb883250bc497611159
2 Author: Matthew Thode <prometheanfire <AT> gentoo <DOT> org>
3 AuthorDate: Tue Aug 25 16:53:37 2020 +0000
4 Commit: Matthew Thode <prometheanfire <AT> gentoo <DOT> org>
5 CommitDate: Tue Aug 25 16:53:53 2020 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=440c9286
7
8 sys-cluster/nova: fix CVE-2020-17376 (live migration data leak)
9
10 Package-Manager: Portage-3.0.4, Repoman-2.3.23
11 RepoMan-Options: --force
12 Signed-off-by: Matthew Thode <prometheanfire <AT> gentoo.org>
13
14 sys-cluster/nova/files/CVE-2020-17376.patch | 141 +++++++++++++++++++++
15 .../{nova-21.0.0.ebuild => nova-21.0.0-r1.ebuild} | 5 +-
16 2 files changed, 144 insertions(+), 2 deletions(-)
17
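--- /dev/null
+++ b/sys-cluster/nova/files/CVE-2020-17376.patch
@@ -0,0 +1,141 @@
+From bbf9d1de06e9991acd968fceee899a8df3776d60 Mon Sep 17 00:00:00 2001
+From: Lee Yarwood <lyarwood@××××××.com>
+Date: Wed, 5 Aug 2020 23:00:06 +0100
+Subject: [PATCH] libvirt: Provide VIR_MIGRATE_PARAM_PERSIST_XML during live
+ migration
+
+The VIR_MIGRATE_PARAM_PERSIST_XML parameter was introduced in libvirt
+v1.3.4 and is used to provide the new persistent configuration for the
+destination during a live migration:
+
+https://libvirt.org/html/libvirt-libvirt-domain.html#VIR_MIGRATE_PARAM_PERSIST_XML
+
+Without this parameter the persistent configuration on the destination
+will be the same as the original persistent configuration on the source
+when the VIR_MIGRATE_PERSIST_DEST flag is provided.
+
+As Nova does not currently provide the VIR_MIGRATE_PARAM_PERSIST_XML
+param but does provide the VIR_MIGRATE_PERSIST_DEST flag this means that
+a soft reboot by Nova of the instance after a live migration can revert
+the domain back to the original persistent configuration from the
+source.
+
+Note that this is only possible in Nova as a soft reboot actually
+results in the virDomainShutdown and virDomainLaunch libvirt APIs being
+called that recreate the domain using the persistent configuration.
+virDomainReboot does not result in this but is not called at this time.
+
+The impact of this on the instance after the soft reboot is pretty
+severe, host devices referenced in the original persistent configuration
+on the source may not exist or could even be used by other users on the
+destination. CPU and NUMA affinity could also differ drastically between
+the two hosts resulting in the instance being unable to start etc.
+
+As MIN_LIBVIRT_VERSION is now > v1.3.4 this change simply includes the
+VIR_MIGRATE_PARAM_PERSIST_XML param using the same updated XML for the
+destination as is already provided to VIR_MIGRATE_PARAM_DEST_XML.
+
+NOTE(lyarwood): A simple change to test_migrate_v3_unicode is included
+as Iccce0ab50eee515e533ab36c8e7adc10cb3f7019 had removed this from
+master.
+
+Co-authored-by: Tadayoshi Hosoya <tad-hosoya@×××××××××.com>
+Closes-Bug: #1890501
+Change-Id: Ia3f1d8e83cbc574ce5cb440032e12bbcb1e10e98
+(cherry picked from commit 1bb8ee95d4c3ddc3f607ac57526b75af1b7fbcff)
+Signed-off-by: Matthew Thode <prometheanfire@g.o>
+---
+ nova/tests/unit/virt/libvirt/test_driver.py | 8 +++++++-
+ nova/tests/unit/virt/libvirt/test_guest.py | 2 ++
+ nova/virt/libvirt/guest.py | 1 +
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/nova/tests/unit/virt/libvirt/test_driver.py b/nova/tests/unit/virt/libvirt/test_driver.py
+index b416641d362..99ce85a870b 100644
+--- a/nova/tests/unit/virt/libvirt/test_driver.py
++++ b/nova/tests/unit/virt/libvirt/test_driver.py
+@@ -11196,6 +11196,7 @@ class LibvirtConnTestCase(test.NoDBTestCase,
+ 'migrate_disks': disk_paths,
+ 'bandwidth': _bandwidth,
+ 'destination_xml': target_xml,
++ 'persistent_xml': target_xml,
+ }
+
+ # start test
+@@ -11303,7 +11304,8 @@ class LibvirtConnTestCase(test.NoDBTestCase,
+ 'migrate_disks': disk_paths,
+ 'migrate_uri': 'tcp://127.0.0.2',
+ 'bandwidth': CONF.libvirt.live_migration_bandwidth,
+- 'destination_xml': target_xml
++ 'destination_xml': target_xml,
++ 'persistent_xml': target_xml,
+ }
+
+ # Start test
+@@ -11462,6 +11464,7 @@ class LibvirtConnTestCase(test.NoDBTestCase,
+ 'migrate_uri': 'tcp://127.0.0.2',
+ 'bandwidth': CONF.libvirt.live_migration_bandwidth,
+ 'destination_xml': target_xml,
++ 'persistent_xml': target_xml,
+ }
+
+ # start test
+@@ -11813,6 +11816,7 @@ class LibvirtConnTestCase(test.NoDBTestCase,
+ 'migrate_disks': ['vda', 'vdb'],
+ 'bandwidth': CONF.libvirt.live_migration_bandwidth,
+ 'destination_xml': target_xml,
++ 'persistent_xml': target_xml,
+ }
+
+ # start test
+@@ -11939,6 +11943,7 @@ class LibvirtConnTestCase(test.NoDBTestCase,
+ 'migrate_disks': device_names,
+ 'bandwidth': CONF.libvirt.live_migration_bandwidth,
+ 'destination_xml': '<xml/>',
++ 'persistent_xml': '<xml/>',
+ }
+ if not params['migrate_disks']:
+ del params['migrate_disks']
+@@ -12078,6 +12083,7 @@ class LibvirtConnTestCase(test.NoDBTestCase,
+ 'migrate_disks': disk_paths,
+ 'bandwidth': CONF.libvirt.live_migration_bandwidth,
+ 'destination_xml': '<xml/>',
++ 'persistent_xml': '<xml/>',
+ }
+
+ # Prepare mocks
+diff --git a/nova/tests/unit/virt/libvirt/test_guest.py b/nova/tests/unit/virt/libvirt/test_guest.py
+index 55642c66f66..51899b730b3 100644
+--- a/nova/tests/unit/virt/libvirt/test_guest.py
++++ b/nova/tests/unit/virt/libvirt/test_guest.py
+@@ -682,6 +682,7 @@ class GuestTestCase(test.NoDBTestCase):
+ 'an-uri', flags=1, params={'migrate_uri': 'dest-uri',
+ 'migrate_disks': 'disk1',
+ 'destination_xml': '</xml>',
++ 'persistent_xml': '</xml>',
+ 'bandwidth': 2})
+
+ @testtools.skipIf(not six.PY2, 'libvirt python3 bindings accept unicode')
+@@ -699,6 +700,7 @@ class GuestTestCase(test.NoDBTestCase):
+ 'migrate_disks': ['disk1',
+ 'disk2'],
+ 'destination_xml': expect_dest_xml,
++ 'persistent_xml': expect_dest_xml,
+ 'bandwidth': 2})
+
+ def test_abort_job(self):
+diff --git a/nova/virt/libvirt/guest.py b/nova/virt/libvirt/guest.py
+index 0d485eb86d9..46593247303 100644
+--- a/nova/virt/libvirt/guest.py
++++ b/nova/virt/libvirt/guest.py
+@@ -638,6 +638,7 @@ class Guest(object):
+
+ if destination_xml:
+ params['destination_xml'] = destination_xml
++ params['persistent_xml'] = destination_xml
+ if migrate_disks:
+ params['migrate_disks'] = migrate_disks
+ if migrate_uri:
+--
+2.26.2
+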
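Review bot: The guest.py hunk inside the bundled patch sets `params['persistent_xml'] = destination_xml` with no libvirt-version gate, and the upstream message justifies that only by noting that MIN_LIBVIRT_VERSION on the branch it was written for is already above v1.3.4, the release that introduced VIR_MIGRATE_PARAM_PERSIST_XML. That is a property of the nova tree, not of this packaging: neither the nova 21.0.0 branch's MIN_LIBVIRT_VERSION nor the ebuild's libvirt dependency floor is visible here, and if either admits a libvirt older than v1.3.4 the extra migration parameter would presumably be rejected by the driver rather than silently ignored — worth confirming against RDEPEND before stabilising -r1. The enclosing method of class Guest starts and ends outside the hunk, so only the destination_xml branch can be reviewed from this page; the key is added exactly where destination_xml is already set, which matches the intent of keeping the persistent configuration in step with the live one.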
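--- a/sys-cluster/nova/nova-21.0.0.ebuild
+++ b/sys-cluster/nova/nova-21.0.0-r1.ebuild
@@ -148,8 +148,9 @@ RDEPEND="
 acct-user/nova
 acct-group/nova"
 
-#PATCHES=(
-#)
+PATCHES=(
+ "${FILESDIR}/CVE-2020-17376.patch"
+)
 
 pkg_setup() {
 linux-info_pkg_setup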
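Review bot: The new `"${FILESDIR}/CVE-2020-17376.patch"` entry in PATCHES carries no comment tying it to the upstream change, so a later maintainer has to open the patch to learn what it fixes and when it can be dropped. A one-line comment above the array would do, e.g. `# CVE-2020-17376: upstream nova commit bbf9d1de06e9991acd968fceee899a8df3776d60 (Closes-Bug: #1890501); drop once a release containing it is packaged`. The revision bump to -r1 is appropriate since the patch changes installed code and users with 21.0.0 already built would otherwise never pick up the fix.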