Fix multiple crashes listing interfaces

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

0001-Fix-off-by-one-error-in-udevListInterfacesByStatus.patch

@@ -0,0 +1,40 @@
+From 6f3ee0c553bafec957e69df7fc42f83985d55c0f Mon Sep 17 00:00:00 2001
+From: Martin Kletzander <mkletzan@redhat.com>
+Date: Tue, 27 Feb 2024 16:20:12 +0100
+Subject: [PATCH] Fix off-by-one error in udevListInterfacesByStatus
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ever since this function was introduced in 2012 it could've tried
+filling in an extra interface name.  That was made worse in 2019 when
+the caller functions started accepting NULL arrays of size 0.
+
+This is assigned CVE-2024-1441.
+
+Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
+Reported-by: Alexander Kuznetsov <kuznetsovam@altlinux.org>
+Fixes: 5a33366f5c0b18c93d161bd144f9f079de4ac8ca
+Fixes: d6064e2759a24e0802f363e3a810dc5a7d7ebb15
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit c664015fe3a7bf59db26686e9ed69af011c6ebb8)
+---
+ src/interface/interface_backend_udev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c
+index ef334f175b..abeb766294 100644
+--- a/src/interface/interface_backend_udev.c
++++ b/src/interface/interface_backend_udev.c
+@@ -222,7 +222,7 @@ udevListInterfacesByStatus(virConnectPtr conn,
+         g_autoptr(virInterfaceDef) def = NULL;
+ 
+         /* Ensure we won't exceed the size of our array */
+-        if (count > names_len)
++        if (count >= names_len)
+             break;
+ 
+         path = udev_list_entry_get_name(dev_entry);
+-- 
+2.43.0
+

0001-interface-fix-udev_device_get_sysattr_value-return-v.patch

@@ -0,0 +1,90 @@
+From 13ea81b22cde0a429aa1de8b58655296084ce8d7 Mon Sep 17 00:00:00 2001
+From: Dmitry Frolov <frolov@swemel.ru>
+Date: Tue, 12 Sep 2023 15:56:47 +0300
+Subject: [PATCH] interface: fix udev_device_get_sysattr_value return value
+ check
+
+Reviewing the code I found that return value of function
+udev_device_get_sysattr_value() is dereferenced without a check.
+udev_device_get_sysattr_value() may return NULL by number of reasons.
+
+v2: VIR_DEBUG added, replaced STREQ(NULLSTR()) with STREQ_NULLABLE()
+v3: More checks added, to skip earlier. More verbose VIR_DEBUG.
+
+Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
+Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit 2ca94317ac642a70921947150ced8acc674ccdc8)
+---
+ src/interface/interface_backend_udev.c | 26 +++++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
+
+diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c
+index 54b43fb999..ef334f175b 100644
+--- a/src/interface/interface_backend_udev.c
++++ b/src/interface/interface_backend_udev.c
+@@ -23,6 +23,7 @@
+ #include <dirent.h>
+ #include <libudev.h>
+ 
++#include "virlog.h"
+ #include "virerror.h"
+ #include "virfile.h"
+ #include "datatypes.h"
+@@ -40,6 +41,8 @@
+ 
+ #define VIR_FROM_THIS VIR_FROM_INTERFACE
+ 
++VIR_LOG_INIT("interface.interface_backend_udev");
++
+ struct udev_iface_driver {
+     struct udev *udev;
+     /* pid file FD, ensures two copies of the driver can't use the same root */
+@@ -354,11 +357,20 @@ udevConnectListAllInterfaces(virConnectPtr conn,
+         const char *macaddr;
+         g_autoptr(virInterfaceDef) def = NULL;
+ 
+-        path = udev_list_entry_get_name(dev_entry);
+-        dev = udev_device_new_from_syspath(udev, path);
+-        name = udev_device_get_sysname(dev);
++        if (!(path = udev_list_entry_get_name(dev_entry))) {
++            VIR_DEBUG("Skipping interface, path == NULL");
++            continue;
++        }
++        if (!(dev = udev_device_new_from_syspath(udev, path))) {
++            VIR_DEBUG("Skipping interface '%s', dev == NULL", path);
++            continue;
++        }
++        if (!(name = udev_device_get_sysname(dev))) {
++            VIR_DEBUG("Skipping interface '%s', name == NULL", path);
++            continue;
++        }
+         macaddr = udev_device_get_sysattr_value(dev, "address");
+-        status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up");
++        status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up");
+ 
+         def = udevGetMinimalDefForDevice(dev);
+         if (!virConnectListAllInterfacesCheckACL(conn, def)) {
+@@ -962,9 +974,9 @@ udevGetIfaceDef(struct udev *udev, const char *name)
+ 
+     /* MTU */
+     mtu_str = udev_device_get_sysattr_value(dev, "mtu");
+-    if (virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) {
++    if (!mtu_str || virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) {
+         virReportError(VIR_ERR_INTERNAL_ERROR,
+-                _("Could not parse MTU value '%s'"), mtu_str);
++                       _("Could not parse MTU value '%s'"), NULLSTR(mtu_str));
+         goto error;
+     }
+     ifacedef->mtu = mtu;
+@@ -1087,7 +1099,7 @@ udevInterfaceIsActive(virInterfacePtr ifinfo)
+        goto cleanup;
+ 
+     /* Check if it's active or not */
+-    status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up");
++    status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up");
+ 
+     udev_device_unref(dev);
+ 
+-- 
+2.43.0
+

0001-lxc-containter-fix-build-with-glibc-2.36.patch

@@ -1,35 +0,0 @@
-From 9493c9b79dc541ec9e0fd73c6d87bdf8d30aaa90 Mon Sep 17 00:00:00 2001
-From: Cole Robinson <crobinso@redhat.com>
-Date: Mon, 1 Aug 2022 15:20:38 -0400
-Subject: [PATCH] lxc: containter: fix build with glibc 2.36
-Content-type: text/plain
-
-With glibc 2.36, sys/mount.h and linux/mount.h conflict:
-https://sourceware.org/glibc/wiki/Release/2.36#Usage_of_.3Clinux.2Fmount.h.3E_and_.3Csys.2Fmount.h.3E
-
-lxc_container.c imports sys/mount.h and linux/fs.h, which pulls in
-linux/mount.h.
-
-linux/fs.h isn't required here though. glibc sys/mount.h has had
-MS_MOVE since 2.12 in 2010
-
-Reviewed-by: Erik Skultety <eskultet@redhat.com>
-Signed-off-by: Cole Robinson <crobinso@redhat.com>
----
- src/lxc/lxc_container.c | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
-index b5278831da..a5401c2186 100644
---- a/src/lxc/lxc_container.c
-+++ b/src/lxc/lxc_container.c
-@@ -33,9 +33,6 @@
- /* Yes, we want linux private one, for _syscall2() macro */
- #include <linux/unistd.h>
- 
--/* For MS_MOVE */
--#include <linux/fs.h>
--
- #if WITH_CAPNG
- # include <cap-ng.h>
- #endif

0001-qemuProcessRefreshDisks-Don-t-skip-filling-of-disk-i.patch

@@ -0,0 +1,58 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Thu, 9 Feb 2023 09:40:32 +0100
+Subject: [PATCH] qemuProcessRefreshDisks: Don't skip filling of disk
+ information if tray state didn't change
+Content-type: text/plain
+
+Commit 5ef2582646eb98 added emitting of even when refreshign disk state,
+where it wanted to avoid sending the event if disk state didn't change.
+This was achieved by using 'continue' in the loop filling the
+information. Unfortunately this skips extraction of whether the device
+has a tray which is propagated into internal structures, which in turn
+broke cdrom media change as the code thought there's no tray for the
+device.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2166411
+Fixes: 5ef2582646eb98af208ce37355f82bdef39931fa
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Kristina Hanicova <khanicov@redhat.com>
+(cherry picked from commit 86cfe93ef7fdc2d665a2fc88b79af89e7978ba78)
+---
+ src/qemu/qemu_process.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
+index ee9f0784d3..0c408ee547 100644
+--- a/src/qemu/qemu_process.c
++++ b/src/qemu/qemu_process.c
+@@ -8724,16 +8724,13 @@ qemuProcessRefreshDisks(virDomainObj *vm,
+             continue;
+ 
+         if (info->removable) {
+-            virObjectEvent *event = NULL;
++            bool emitEvent = info->tray_open != disk->tray_status;
+             int reason;
+ 
+             if (info->empty)
+                 virDomainDiskEmptySource(disk);
+ 
+             if (info->tray) {
+-                if (info->tray_open == disk->tray_status)
+-                    continue;
+-
+                 if (info->tray_open) {
+                     reason = VIR_DOMAIN_EVENT_TRAY_CHANGE_OPEN;
+                     disk->tray_status = VIR_DOMAIN_DISK_TRAY_OPEN;
+@@ -8742,8 +8739,10 @@ qemuProcessRefreshDisks(virDomainObj *vm,
+                     disk->tray_status = VIR_DOMAIN_DISK_TRAY_CLOSED;
+                 }
+ 
+-                event = virDomainEventTrayChangeNewFromObj(vm, disk->info.alias, reason);
+-                virObjectEventStateQueue(driver->domainEventState, event);
++                if (emitEvent) {
++                    virObjectEvent *event = virDomainEventTrayChangeNewFromObj(vm, disk->info.alias, reason);
++                    virObjectEventStateQueue(driver->domainEventState, event);
++                }
+             }
+         }
+ 

0001-tests-Fix-libxlxml2domconfigtest-with-latest-xen.patch

@@ -1,239 +0,0 @@
-From 99b40587e8cd83a136d94e208d32a80be76dc22a Mon Sep 17 00:00:00 2001
-Message-Id: <99b40587e8cd83a136d94e208d32a80be76dc22a.1666875466.git.crobinso@redhat.com>
-From: Cole Robinson <crobinso@redhat.com>
-Date: Thu, 27 Oct 2022 08:51:25 -0400
-Subject: [PATCH] tests: Fix libxlxml2domconfigtest with latest xen
-Content-type: text/plain
-
-shadow_memkb is populated from a libxl API call, and the value can
-change. For example:
-https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=2c992810854a15b41be920519ce83a4a328d5168
-
-Mock libxl_get_required_shadow_memory to give consistent output
-
-Signed-off-by: Cole Robinson <crobinso@redhat.com>
----
- tests/libxlmock.c                                     | 11 +++++++++++
- tests/libxlxml2domconfigdata/basic-hvm.json           |  2 +-
- tests/libxlxml2domconfigdata/basic-pv.json            |  2 +-
- tests/libxlxml2domconfigdata/basic-pvh.json           |  2 +-
- tests/libxlxml2domconfigdata/cpu-shares-hvm.json      |  2 +-
- tests/libxlxml2domconfigdata/fullvirt-acpi-slic.json  |  2 +-
- .../fullvirt-cpuid-legacy-nest.json                   |  2 +-
- tests/libxlxml2domconfigdata/fullvirt-cpuid.json      |  2 +-
- .../libxlxml2domconfigdata/max-eventchannels-hvm.json |  2 +-
- tests/libxlxml2domconfigdata/max-gntframes-hvm.json   |  2 +-
- tests/libxlxml2domconfigdata/moredevs-hvm.json        |  2 +-
- tests/libxlxml2domconfigdata/multiple-ip.json         |  2 +-
- tests/libxlxml2domconfigdata/variable-clock-hvm.json  |  2 +-
- .../libxlxml2domconfigdata/vnuma-hvm-legacy-nest.json |  2 +-
- tests/libxlxml2domconfigdata/vnuma-hvm.json           |  2 +-
- 15 files changed, 25 insertions(+), 14 deletions(-)
-
-diff --git a/tests/libxlmock.c b/tests/libxlmock.c
-index 0e4bf7df52..4754597e5b 100644
---- a/tests/libxlmock.c
-+++ b/tests/libxlmock.c
-@@ -109,6 +109,17 @@ VIR_MOCK_STUB_RET_ARGS(bind,
-                        const struct sockaddr *, addr,
-                        socklen_t, addrlen)
- 
-+VIR_MOCK_IMPL_RET_ARGS(libxl_get_required_shadow_memory,
-+                       unsigned long,
-+                       unsigned long, maxmem_kb,
-+                       unsigned int, smp_cpus)
-+{
-+    /* silence gcc warning about unused function */
-+    if (0)
-+        real_libxl_get_required_shadow_memory(maxmem_kb, smp_cpus);
-+    return 1234;
-+}
-+
- VIR_MOCK_IMPL_RET_ARGS(__xstat, int,
-                        int, ver,
-                        const char *, path,
-diff --git a/tests/libxlxml2domconfigdata/basic-hvm.json b/tests/libxlxml2domconfigdata/basic-hvm.json
-index 87f8cb7d8a..d30875420d 100644
---- a/tests/libxlxml2domconfigdata/basic-hvm.json
-+++ b/tests/libxlxml2domconfigdata/basic-hvm.json
-@@ -15,7 +15,7 @@
-         "max_memkb": 1048576,
-         "target_memkb": 1048576,
-         "video_memkb": 8192,
--        "shadow_memkb": 12288,
-+        "shadow_memkb": 1234,
-         "device_model_version": "qemu_xen",
-         "device_model": "/bin/true",
-         "sched_params": {
-diff --git a/tests/libxlxml2domconfigdata/basic-pv.json b/tests/libxlxml2domconfigdata/basic-pv.json
-index b71c3b0f49..32d188fabd 100644
---- a/tests/libxlxml2domconfigdata/basic-pv.json
-+++ b/tests/libxlxml2domconfigdata/basic-pv.json
-@@ -14,7 +14,7 @@
-         ],
-         "max_memkb": 524288,
-         "target_memkb": 524288,
--        "shadow_memkb": 8192,
-+        "shadow_memkb": 1234,
-         "sched_params": {
- 
-         },
-diff --git a/tests/libxlxml2domconfigdata/basic-pvh.json b/tests/libxlxml2domconfigdata/basic-pvh.json
-index 48365c9026..f51957aa85 100644
---- a/tests/libxlxml2domconfigdata/basic-pvh.json
-+++ b/tests/libxlxml2domconfigdata/basic-pvh.json
-@@ -14,7 +14,7 @@
-         ],
-         "max_memkb": 524288,
-         "target_memkb": 524288,
--        "shadow_memkb": 8192,
-+        "shadow_memkb": 1234,
-         "sched_params": {
- 
-         },
-diff --git a/tests/libxlxml2domconfigdata/cpu-shares-hvm.json b/tests/libxlxml2domconfigdata/cpu-shares-hvm.json
-index 2aa97e88c5..15105c83ad 100644
---- a/tests/libxlxml2domconfigdata/cpu-shares-hvm.json
-+++ b/tests/libxlxml2domconfigdata/cpu-shares-hvm.json
-@@ -15,7 +15,7 @@
-         "max_memkb": 1048576,
-         "target_memkb": 1048576,
-         "video_memkb": 8192,
--        "shadow_memkb": 12288,
-+        "shadow_memkb": 1234,
-         "device_model_version": "qemu_xen",
-         "device_model": "/bin/true",
-         "sched_params": {
-diff --git a/tests/libxlxml2domconfigdata/fullvirt-acpi-slic.json b/tests/libxlxml2domconfigdata/fullvirt-acpi-slic.json
-index a2d46797aa..26f5abefee 100644
---- a/tests/libxlxml2domconfigdata/fullvirt-acpi-slic.json
-+++ b/tests/libxlxml2domconfigdata/fullvirt-acpi-slic.json
-@@ -11,7 +11,7 @@
-         ],
-         "max_memkb": 592896,
-         "target_memkb": 403456,
--        "shadow_memkb": 5656,
-+        "shadow_memkb": 1234,
-         "sched_params": {
-         },
-         "apic": "True",
-diff --git a/tests/libxlxml2domconfigdata/fullvirt-cpuid-legacy-nest.json b/tests/libxlxml2domconfigdata/fullvirt-cpuid-legacy-nest.json
-index 6290655c20..740b82d2e6 100644
---- a/tests/libxlxml2domconfigdata/fullvirt-cpuid-legacy-nest.json
-+++ b/tests/libxlxml2domconfigdata/fullvirt-cpuid-legacy-nest.json
-@@ -11,7 +11,7 @@
-         ],
-         "max_memkb": 592896,
-         "target_memkb": 403456,
--        "shadow_memkb": 5656,
-+        "shadow_memkb": 1234,
-         "cpuid": [
-             {
-                 "leaf": 1,
-diff --git a/tests/libxlxml2domconfigdata/fullvirt-cpuid.json b/tests/libxlxml2domconfigdata/fullvirt-cpuid.json
-index 811a4f0ac7..8bf41894a5 100644
---- a/tests/libxlxml2domconfigdata/fullvirt-cpuid.json
-+++ b/tests/libxlxml2domconfigdata/fullvirt-cpuid.json
-@@ -11,7 +11,7 @@
-         ],
-         "max_memkb": 592896,
-         "target_memkb": 403456,
--        "shadow_memkb": 5656,
-+        "shadow_memkb": 1234,
-         "cpuid": [
-             {
-                 "leaf": 1,
-diff --git a/tests/libxlxml2domconfigdata/max-eventchannels-hvm.json b/tests/libxlxml2domconfigdata/max-eventchannels-hvm.json
-index 4a5b0ca65f..6f0daa065f 100644
---- a/tests/libxlxml2domconfigdata/max-eventchannels-hvm.json
-+++ b/tests/libxlxml2domconfigdata/max-eventchannels-hvm.json
-@@ -15,7 +15,7 @@
-         "max_memkb": 1048576,
-         "target_memkb": 1048576,
-         "video_memkb": 8192,
--        "shadow_memkb": 12288,
-+        "shadow_memkb": 1234,
-         "event_channels": 2047,
-         "device_model_version": "qemu_xen",
-         "device_model": "/bin/true",
-diff --git a/tests/libxlxml2domconfigdata/max-gntframes-hvm.json b/tests/libxlxml2domconfigdata/max-gntframes-hvm.json
-index 2883d057ff..35de588abc 100644
---- a/tests/libxlxml2domconfigdata/max-gntframes-hvm.json
-+++ b/tests/libxlxml2domconfigdata/max-gntframes-hvm.json
-@@ -15,7 +15,7 @@
-         "max_memkb": 1048576,
-         "target_memkb": 1048576,
-         "video_memkb": 8192,
--        "shadow_memkb": 12288,
-+        "shadow_memkb": 1234,
-         "max_grant_frames": 64,
-         "device_model_version": "qemu_xen",
-         "device_model": "/bin/true",
-diff --git a/tests/libxlxml2domconfigdata/moredevs-hvm.json b/tests/libxlxml2domconfigdata/moredevs-hvm.json
-index 58cf32a8d4..bdc9afc29b 100644
---- a/tests/libxlxml2domconfigdata/moredevs-hvm.json
-+++ b/tests/libxlxml2domconfigdata/moredevs-hvm.json
-@@ -17,7 +17,7 @@
-         "max_memkb": 1048576,
-         "target_memkb": 1048576,
-         "video_memkb": 8192,
--        "shadow_memkb": 12288,
-+        "shadow_memkb": 1234,
-         "device_model_version": "qemu_xen",
-         "device_model": "/bin/true",
-         "sched_params": {
-diff --git a/tests/libxlxml2domconfigdata/multiple-ip.json b/tests/libxlxml2domconfigdata/multiple-ip.json
-index 2db98b82f6..e0b37aa795 100644
---- a/tests/libxlxml2domconfigdata/multiple-ip.json
-+++ b/tests/libxlxml2domconfigdata/multiple-ip.json
-@@ -14,7 +14,7 @@
-         ],
-         "max_memkb": 524288,
-         "target_memkb": 524288,
--        "shadow_memkb": 8192,
-+        "shadow_memkb": 1234,
-         "sched_params": {
- 
-         },
-diff --git a/tests/libxlxml2domconfigdata/variable-clock-hvm.json b/tests/libxlxml2domconfigdata/variable-clock-hvm.json
-index 9a25d51da2..3c131c603c 100644
---- a/tests/libxlxml2domconfigdata/variable-clock-hvm.json
-+++ b/tests/libxlxml2domconfigdata/variable-clock-hvm.json
-@@ -15,7 +15,7 @@
-         "max_memkb": 1048576,
-         "target_memkb": 1048576,
-         "video_memkb": 8192,
--        "shadow_memkb": 12288,
-+        "shadow_memkb": 1234,
-         "rtc_timeoffset": 3600,
-         "localtime": "True",
-         "device_model_version": "qemu_xen",
-diff --git a/tests/libxlxml2domconfigdata/vnuma-hvm-legacy-nest.json b/tests/libxlxml2domconfigdata/vnuma-hvm-legacy-nest.json
-index 6cda8d0252..6725df9112 100644
---- a/tests/libxlxml2domconfigdata/vnuma-hvm-legacy-nest.json
-+++ b/tests/libxlxml2domconfigdata/vnuma-hvm-legacy-nest.json
-@@ -103,7 +103,7 @@
-         "max_memkb": 1048576,
-         "target_memkb": 1048576,
-         "video_memkb": 8192,
--        "shadow_memkb": 14336,
-+        "shadow_memkb": 1234,
-         "device_model_version": "qemu_xen",
-         "device_model": "/bin/true",
-         "sched_params": {
-diff --git a/tests/libxlxml2domconfigdata/vnuma-hvm.json b/tests/libxlxml2domconfigdata/vnuma-hvm.json
-index f578ccd3d3..2556c82d5f 100644
---- a/tests/libxlxml2domconfigdata/vnuma-hvm.json
-+++ b/tests/libxlxml2domconfigdata/vnuma-hvm.json
-@@ -103,7 +103,7 @@
-         "max_memkb": 1048576,
-         "target_memkb": 1048576,
-         "video_memkb": 8192,
--        "shadow_memkb": 14336,
-+        "shadow_memkb": 1234,
-         "device_model_version": "qemu_xen",
-         "device_model": "/bin/true",
-         "sched_params": {
--- 
-2.37.3
-

0002-ch-use-CURLOPT_UPLOAD-instead-of-CURLOPT_PUT.patch

@@ -0,0 +1,39 @@
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Wed, 18 Jan 2023 09:45:52 +0000
+Subject: [PATCH] ch: use CURLOPT_UPLOAD instead of CURLOPT_PUT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Content-type: text/plain
+
+The CURLOPT_PUT constant causes a deprecation warning when compiling on
+Alpine Edge.  The docs indicate it is deprecated since 7.2.1
+
+  https://curl.se/libcurl/c/CURLOPT_PUT.html
+
+Since 7.87 the deprecation is now exposed at build time via a compiler
+warning.
+
+We already use CURLOPT_UPLOAD in the ESX driver, so this brings the CH
+driver into line.
+
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 9cd70fb25cad171e415fb05a4e01f244304c602e)
+---
+ src/ch/ch_monitor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/ch/ch_monitor.c b/src/ch/ch_monitor.c
+index 8d8654332f..7b8f0a8077 100644
+--- a/src/ch/ch_monitor.c
++++ b/src/ch/ch_monitor.c
+@@ -660,7 +660,7 @@ virCHMonitorPutNoContent(virCHMonitor *mon, const char *endpoint)
+ 
+     curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH, mon->socketpath);
+     curl_easy_setopt(mon->handle, CURLOPT_URL, url);
+-    curl_easy_setopt(mon->handle, CURLOPT_PUT, true);
++    curl_easy_setopt(mon->handle, CURLOPT_UPLOAD, 1L);
+     curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, NULL);
+ 
+     responseCode = virCHMonitorCurlPerform(mon->handle);

0002-virfile-Fix-build-with-glibc-2.36.patch

@@ -1,40 +0,0 @@
-From c0d9adf220dc0d223330a7bac37b174132d330ba Mon Sep 17 00:00:00 2001
-From: Cole Robinson <crobinso@redhat.com>
-Date: Mon, 1 Aug 2022 15:24:01 -0400
-Subject: [PATCH] virfile: Fix build with glibc 2.36
-Content-type: text/plain
-
-With glibc 2.36, sys/mount.h and linux/mount.h conflict:
-https://sourceware.org/glibc/wiki/Release/2.36#Usage_of_.3Clinux.2Fmount.h.3E_and_.3Csys.2Fmount.h.3E
-
-virfile.c imports sys/mount.h and linux/fs.h, which pulls in
-linux/mount.h.
-
-Manually define the constants we need from linux/fs.h, like was
-done in llvm:
-
-https://reviews.llvm.org/rGb379129c4beb3f26223288627a1291739f33af02
-
-Reviewed-by: Erik Skultety <eskultet@redhat.com>
-Signed-off-by: Cole Robinson <crobinso@redhat.com>
----
- src/util/virfile.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/util/virfile.c b/src/util/virfile.c
-index 99da058db3..ce541b8946 100644
---- a/src/util/virfile.c
-+++ b/src/util/virfile.c
-@@ -71,7 +71,11 @@
- # endif
- # include <sys/ioctl.h>
- # include <linux/cdrom.h>
--# include <linux/fs.h>
-+/* These come from linux/fs.h, but that header conflicts with
-+ * sys/mount.h on glibc 2.36+ */
-+# define FS_IOC_GETFLAGS _IOR('f', 1, long)
-+# define FS_IOC_SETFLAGS _IOW('f', 2, long)
-+# define FS_NOCOW_FL 0x00800000
- #endif
- 
- #if WITH_LIBATTR

0003-storage-Fix-returning-of-locked-objects-from-virStor.patch

@@ -0,0 +1,56 @@
+From 9a47442366fcf8a7b6d7422016d7bbb6764a1098 Mon Sep 17 00:00:00 2001
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Thu, 13 Jul 2023 16:16:37 +0200
+Subject: [PATCH] storage: Fix returning of locked objects from
+ 'virStoragePoolObjListSearch'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2023-3750
+
+'virStoragePoolObjListSearch' explicitly documents that it's returning
+a pointer to a locked and ref'd pool that maches the lookup function.
+
+This was not the case as in commit 0c4b391e2a9 (released in
+libvirt-8.3.0) the code was accidentally converted to use 'VIR_LOCK_GUARD'
+which auto-unlocked it when leaving the scope, even when the code was
+originally "leaking" the lock.
+
+Revert the corresponding conversion and add a comment that this function
+is intentionally leaking a locked object.
+
+Fixes: 0c4b391e2a9
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2221851
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Han Han <hhan@redhat.com>
+---
+ src/conf/virstorageobj.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/conf/virstorageobj.c b/src/conf/virstorageobj.c
+index 7010e97d61..59fa5da372 100644
+--- a/src/conf/virstorageobj.c
++++ b/src/conf/virstorageobj.c
+@@ -454,11 +454,16 @@ virStoragePoolObjListSearchCb(const void *payload,
+     virStoragePoolObj *obj = (virStoragePoolObj *) payload;
+     struct _virStoragePoolObjListSearchData *data =
+         (struct _virStoragePoolObjListSearchData *)opaque;
+-    VIR_LOCK_GUARD lock = virObjectLockGuard(obj);
+ 
++    virObjectLock(obj);
++
++    /* If we find the matching pool object we must return while the object is
++     * locked as the caller wants to return a locked object. */
+     if (data->searcher(obj, data->opaque))
+         return 1;
+ 
++    virObjectUnlock(obj);
++
+     return 0;
+ }
+ 
+-- 
+2.41.0
+

0004-virpci-Resolve-leak-in-virPCIVirtualFunctionList-cle.patch

@@ -0,0 +1,51 @@
+From 6425a311b8ad19d6f9c0b315bf1d722551ea3585 Mon Sep 17 00:00:00 2001
+From: Tim Shearer <TShearer@adva.com>
+Date: Mon, 1 May 2023 13:15:48 +0000
+Subject: [PATCH] virpci: Resolve leak in virPCIVirtualFunctionList cleanup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Repeatedly querying an SR-IOV PCI device's capabilities exposes a
+memory leak caused by a failure to free the virPCIVirtualFunction
+array within the parent struct's g_autoptr cleanup.
+
+Valgrind output after getting a single interface's XML description
+1000 times:
+
+==325982== 256,000 bytes in 1,000 blocks are definitely lost in loss record 2,634 of 2,635
+==325982==    at 0x4C3C096: realloc (vg_replace_malloc.c:1437)
+==325982==    by 0x59D952D: g_realloc (in /usr/lib64/libglib-2.0.so.0.5600.4)
+==325982==    by 0x4EE1F52: virReallocN (viralloc.c:52)
+==325982==    by 0x4EE1FB7: virExpandN (viralloc.c:78)
+==325982==    by 0x4EE219A: virInsertElementInternal (viralloc.c:183)
+==325982==    by 0x4EE23B2: virAppendElement (viralloc.c:288)
+==325982==    by 0x4F65D85: virPCIGetVirtualFunctionsFull (virpci.c:2389)
+==325982==    by 0x4F65753: virPCIGetVirtualFunctions (virpci.c:2256)
+==325982==    by 0x505CB75: virNodeDeviceGetPCISRIOVCaps (node_device_conf.c:2969)
+==325982==    by 0x505D181: virNodeDeviceGetPCIDynamicCaps (node_device_conf.c:3099)
+==325982==    by 0x505BC4E: virNodeDeviceUpdateCaps (node_device_conf.c:2677)
+==325982==    by 0x260FCBB2: nodeDeviceGetXMLDesc (node_device_driver.c:355)
+
+Signed-off-by: Tim Shearer <tshearer@adva.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Han Han <hhan@redhat.com>
+---
+ src/util/virpci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/util/virpci.c b/src/util/virpci.c
+index 9e564e4a4f..cc2b07bbba 100644
+--- a/src/util/virpci.c
++++ b/src/util/virpci.c
+@@ -2245,6 +2245,7 @@ virPCIVirtualFunctionListFree(virPCIVirtualFunctionList *list)
+         g_free(list->functions[i].ifname);
+     }
+ 
++    g_free(list->functions);
+     g_free(list);
+ }
+ 
+-- 
+2.41.0
+

sources

@@ -1 +1 @@
-SHA512 (libvirt-8.6.0.tar.xz) = 6198ac33ea718045bfd12a2740d5a7fa70c754b1ecda7c0cad5791fbdf7311091587056254fde88ebe3c2f927a8fb56909fe4c3a115595854b18d3a704db73de
+SHA512 (libvirt-9.0.0.tar.xz) = 135f690f9fe722161c22579166f10a54d52941a371439165fd0e3d391ca7835049a3bcbff33fc81c50153046230db8a5a318d707383bad3141d489d2faa09ecb