add ARM to NUMA platform exlcludes

Fix for CVE-2011-2178, regression introduced in disk probe logic,
Bug 709775

.gitignore

@@ -3,4 +3,3 @@
 i686
 x86_64
 libvirt-*.tar.gz
-libvirt-0.6.0.tar.gz

Makefile

@@ -4,7 +4,7 @@ NAME := libvirt
 SPECFILE = $(firstword $(wildcard *.spec))
 
 define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
+for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
 endef
 
 MAKEFILE_COMMON := $(shell $(find-makefile-common))

libvirt-0.6.0-autostart-timeout.patch

@@ -1,21 +0,0 @@
-diff -rup libvirt-0.6.0.orig/src/remote_internal.c libvirt-0.6.0.new/src/remote_internal.c
---- libvirt-0.6.0.orig/src/remote_internal.c	2009-02-18 10:56:34.000000000 +0000
-+++ libvirt-0.6.0.new/src/remote_internal.c	2009-02-18 13:35:26.000000000 +0000
-@@ -654,12 +654,13 @@ doRemoteOpen (virConnectPtr conn,
-              */
-             if (errno == ECONNREFUSED &&
-                 flags & VIR_DRV_OPEN_REMOTE_AUTOSTART &&
--                trials < 5) {
-+                trials < 20) {
-                 close(priv->sock);
-                 priv->sock = -1;
--                if (remoteForkDaemon(conn) == 0) {
-+                if (trials > 0 ||
-+                    remoteForkDaemon(conn) == 0) {
-                     trials++;
--                    usleep(5000 * trials * trials);
-+                    usleep(1000 * 100 * trials);
-                     goto autostart_retry;
-                 }
-             }
-Only in libvirt-0.6.0.new/src: remote_internal.c~

libvirt-0.6.0-dbus-threads.patch

@@ -1,44 +0,0 @@
-diff -rup libvirt-0.6.0.orig/qemud/qemud.c libvirt-0.6.0.new/qemud/qemud.c
---- libvirt-0.6.0.orig/qemud/qemud.c	2009-02-18 10:56:34.000000000 +0000
-+++ libvirt-0.6.0.new/qemud/qemud.c	2009-02-18 12:52:18.000000000 +0000
-@@ -860,6 +860,10 @@ static struct qemud_server *qemudNetwork
-     if (auth_unix_rw == REMOTE_AUTH_POLKIT ||
-         auth_unix_ro == REMOTE_AUTH_POLKIT) {
-         DBusError derr;
-+
-+        dbus_connection_set_change_sigpipe(FALSE);
-+        dbus_threads_init_default();
-+
-         dbus_error_init(&derr);
-         server->sysbus = dbus_bus_get(DBUS_BUS_SYSTEM, &derr);
-         if (!(server->sysbus)) {
-@@ -868,6 +872,7 @@ static struct qemud_server *qemudNetwork
-             dbus_error_free(&derr);
-             goto cleanup;
-         }
-+        dbus_connection_set_exit_on_disconnect(server->sysbus, FALSE);
-     }
- #endif
- 
-diff -rup libvirt-0.6.0.orig/src/node_device_hal.c libvirt-0.6.0.new/src/node_device_hal.c
---- libvirt-0.6.0.orig/src/node_device_hal.c	2009-01-16 12:44:22.000000000 +0000
-+++ libvirt-0.6.0.new/src/node_device_hal.c	2009-02-18 12:52:48.000000000 +0000
-@@ -685,6 +685,9 @@ static int halDeviceMonitorStartup(void)
-     nodeDeviceLock(driverState);
- 
-     /* Allocate and initialize a new HAL context */
-+    dbus_connection_set_change_sigpipe(FALSE);
-+    dbus_threads_init_default();
-+
-     dbus_error_init(&err);
-     hal_ctx = libhal_ctx_new();
-     if (hal_ctx == NULL) {
-@@ -696,6 +699,8 @@ static int halDeviceMonitorStartup(void)
-         fprintf(stderr, "%s: dbus_bus_get failed\n", __FUNCTION__);
-         goto failure;
-     }
-+    dbus_connection_set_exit_on_disconnect(dbus_conn, FALSE);
-+
-     if (!libhal_ctx_set_dbus_connection(hal_ctx, dbus_conn)) {
-         fprintf(stderr, "%s: libhal_ctx_set_dbus_connection failed\n",
-                 __FUNCTION__);

libvirt-0.6.0-qemu-startup.patch

@@ -1,109 +0,0 @@
-diff -rup libvirt-0.6.0.orig/src/qemu_driver.c libvirt-0.6.0.new/src/qemu_driver.c
---- libvirt-0.6.0.orig/src/qemu_driver.c	2009-01-31 09:04:18.000000000 +0000
-+++ libvirt-0.6.0.new/src/qemu_driver.c	2009-02-18 11:15:37.000000000 +0000
-@@ -633,6 +633,7 @@ qemudReadMonitorOutput(virConnectPtr con
- {
-     int got = 0;
-     buf[0] = '\0';
-+    timeout *= 1000; /* poll wants milli seconds */
- 
-     /* Consume & discard the initial greeting */
-     while (got < (buflen-1)) {
-@@ -694,6 +695,56 @@ qemudReadMonitorOutput(virConnectPtr con
- 
- }
- 
-+
-+/*
-+ * Returns -1 for error, 0 on success
-+ */
-+static int
-+qemudReadLogOutput(virConnectPtr conn,
-+                   virDomainObjPtr vm,
-+                   int fd,
-+                   char *buf,
-+                   int buflen,
-+                   qemudHandlerMonitorOutput func,
-+                   const char *what,
-+                   int timeout)
-+{
-+    int got = 0;
-+    int ret;
-+    int retries = timeout*10;
-+    buf[0] = '\0';
-+
-+    while (retries) {
-+        while((ret = read(fd, buf+got, buflen-got-1)) > 0) {
-+            got += ret;
-+            buf[got] = '\0';
-+            if ((buflen-got-1) == 0) {
-+                qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
-+                                 _("Out of space while reading %s log output"), what);
-+                return -1;
-+            }
-+        }
-+
-+        if (ret < 0 && errno != EINTR) {
-+            virReportSystemError(conn, errno,
-+                                 _("Failure while reading %s log output"),
-+                                 what);
-+            return -1;
-+        }
-+
-+        ret = func(conn, vm, buf, fd);
-+        if (ret <= 0)
-+            return ret;
-+
-+        usleep(100*1000);
-+        retries--;
-+    }
-+    if (retries == 0)
-+        qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
-+                         _("Timed out while reading %s log output"), what);
-+    return -1;
-+}
-+
- static int
- qemudCheckMonitorPrompt(virConnectPtr conn ATTRIBUTE_UNUSED,
-                         virDomainObjPtr vm,
-@@ -738,7 +789,7 @@ static int qemudOpenMonitor(virConnectPt
-                                    vm, monfd,
-                                    buf, sizeof(buf),
-                                    qemudCheckMonitorPrompt,
--                                   "monitor", 10000) <= 0)
-+                                   "monitor", 10) <= 0)
-             ret = -1;
-         else
-             ret = 0;
-@@ -770,6 +821,7 @@ static int qemudOpenMonitor(virConnectPt
-     return ret;
- }
- 
-+/* Returns -1 for error, 0 success, 1 continue reading */
- static int qemudExtractMonitorPath(virConnectPtr conn,
-                                    const char *haystack,
-                                    size_t *offset,
-@@ -873,19 +925,16 @@ static int qemudWaitForMonitor(virConnec
-         < 0)
-         return -1;
- 
--    ret = qemudReadMonitorOutput(conn, vm, logfd, buf, sizeof(buf),
--                                 qemudFindCharDevicePTYs,
--                                 "console", 3000);
-+    ret = qemudReadLogOutput(conn, vm, logfd, buf, sizeof(buf),
-+                             qemudFindCharDevicePTYs,
-+                             "console", 3);
-     if (close(logfd) < 0)
-         qemudLog(QEMUD_WARN, _("Unable to close logfile: %s\n"),
-                  strerror(errno));
- 
--    if (ret == 1) /* Success */
-+    if (ret == 0) /* success */
-         return 0;
- 
--    if (ret == -1)
--        return -1;
--
-     /* Unexpected end of file - inform user of QEMU log data */
-     qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
-                      _("unable to start guest: %s"), buf);

libvirt-0.6.0-rpccall.patch

@@ -1,70 +0,0 @@
-diff -rup libvirt-0.6.0.orig/qemud/event.c libvirt-0.6.0.new/qemud/event.c
---- libvirt-0.6.0.orig/qemud/event.c	2009-02-06 19:30:58.000000000 +0000
-+++ libvirt-0.6.0.new/qemud/event.c	2009-02-06 19:30:00.000000000 +0000
-@@ -657,6 +657,8 @@ virPollEventToEventHandleType(int events
-         ret |= VIR_EVENT_HANDLE_WRITABLE;
-     if(events & POLLERR)
-         ret |= VIR_EVENT_HANDLE_ERROR;
-+    if(events & POLLNVAL) /* Treat NVAL as error, since libvirt doesn't distinguish */
-+        ret |= VIR_EVENT_HANDLE_ERROR;
-     if(events & POLLHUP)
-         ret |= VIR_EVENT_HANDLE_HANGUP;
-     return ret;
-diff -rup libvirt-0.6.0.orig/src/domain_conf.c libvirt-0.6.0.new/src/domain_conf.c
---- libvirt-0.6.0.orig/src/domain_conf.c	2009-01-31 09:04:17.000000000 +0000
-+++ libvirt-0.6.0.new/src/domain_conf.c	2009-02-06 19:30:00.000000000 +0000
-@@ -504,6 +504,7 @@ virDomainObjPtr virDomainAssignDef(virCo
-     domain->state = VIR_DOMAIN_SHUTOFF;
-     domain->def = def;
-     domain->monitor_watch = -1;
-+    domain->monitor = -1;
- 
-     if (VIR_REALLOC_N(doms->objs, doms->count + 1) < 0) {
-         virReportOOMError(conn);
-diff -rup libvirt-0.6.0.orig/src/remote_internal.c libvirt-0.6.0.new/src/remote_internal.c
---- libvirt-0.6.0.orig/src/remote_internal.c	2009-01-31 09:04:18.000000000 +0000
-+++ libvirt-0.6.0.new/src/remote_internal.c	2009-02-06 19:30:00.000000000 +0000
-@@ -6198,17 +6198,17 @@ processCalls(virConnectPtr conn,
-                 continue;
-             virReportSystemError(in_open ? NULL : conn, errno,
-                                  "%s", _("poll on socket failed"));
--            return -1;
-+            goto error;
-         }
- 
-         if (fds[0].revents & POLLOUT) {
-             if (processCallSend(conn, priv, in_open) < 0)
--                return -1;
-+                goto error;
-         }
- 
-         if (fds[0].revents & POLLIN) {
-             if (processCallRecv(conn, priv, in_open) < 0)
--                return -1;
-+                goto error;
-         }
- 
-         /* Iterate through waiting threads and if
-@@ -6259,9 +6259,21 @@ processCalls(virConnectPtr conn,
-         if (fds[0].revents & (POLLHUP | POLLERR)) {
-             errorf(in_open ? NULL : conn, VIR_ERR_INTERNAL_ERROR,
-                    "%s", _("received hangup / error event on socket"));
--            return -1;
-+            goto error;
-         }
-     }
-+
-+
-+error:
-+    priv->waitDispatch = thiscall->next;
-+    DEBUG("Giving up the buck due to I/O error %d %p %p", thiscall->proc_nr, thiscall, priv->waitDispatch);
-+    /* See if someone else is still waiting
-+     * and if so, then pass the buck ! */
-+    if (priv->waitDispatch) {
-+        DEBUG("Passing the buck to %d %p", priv->waitDispatch->proc_nr, priv->waitDispatch);
-+        virCondSignal(&priv->waitDispatch->cond);
-+    }
-+    return -1;
- }
- 
- /*

libvirt-0.6.0-timeout.patch

@@ -1,124 +0,0 @@
-diff -rup libvirt-0.6.0.orig/qemud/event.c libvirt-0.6.0.new/qemud/event.c
---- libvirt-0.6.0.orig/qemud/event.c	2008-12-22 13:02:54.000000000 +0000
-+++ libvirt-0.6.0.new/qemud/event.c	2009-02-06 19:29:28.000000000 +0000
-@@ -68,6 +68,7 @@ struct virEventTimeout {
- /* State for the main event loop */
- struct virEventLoop {
-     pthread_mutex_t lock;
-+    int running;
-     pthread_t leader;
-     int wakeupfd[2];
-     int handlesCount;
-@@ -521,6 +522,7 @@ int virEventRunOnce(void) {
-     int ret, timeout, nfds;
- 
-     virEventLock();
-+    eventLoop.running = 1;
-     eventLoop.leader = pthread_self();
-     if ((nfds = virEventMakePollFDs(&fds)) < 0) {
-         virEventUnlock();
-@@ -572,7 +574,7 @@ int virEventRunOnce(void) {
-         return -1;
-     }
- 
--    eventLoop.leader = 0;
-+    eventLoop.running = 0;
-     virEventUnlock();
-     return 0;
- }
-@@ -611,7 +613,9 @@ int virEventInit(void)
- static int virEventInterruptLocked(void)
- {
-     char c = '\0';
--    if (pthread_self() == eventLoop.leader)
-+
-+    if (!eventLoop.running ||
-+        pthread_self() == eventLoop.leader)
-         return 0;
- 
-     if (safewrite(eventLoop.wakeupfd[1], &c, sizeof(c)) != sizeof(c))
-diff -rup libvirt-0.6.0.orig/qemud/qemud.c libvirt-0.6.0.new/qemud/qemud.c
---- libvirt-0.6.0.orig/qemud/qemud.c	2009-01-31 09:04:17.000000000 +0000
-+++ libvirt-0.6.0.new/qemud/qemud.c	2009-02-06 19:29:28.000000000 +0000
-@@ -2013,11 +2013,15 @@ static int qemudOneLoop(void) {
-     return 0;
- }
- 
--static void qemudInactiveTimer(int timer ATTRIBUTE_UNUSED, void *data) {
-+static void qemudInactiveTimer(int timerid, void *data) {
-     struct qemud_server *server = (struct qemud_server *)data;
--    DEBUG0("Got inactive timer expiry");
--    if (!virStateActive()) {
--        DEBUG0("No state active, shutting down");
-+
-+    if (virStateActive() ||
-+        server->clients) {
-+        DEBUG0("Timer expired but still active, not shutting down");
-+        virEventUpdateTimeoutImpl(timerid, -1);
-+    } else {
-+        DEBUG0("Timer expired and inactive, shutting down");
-         server->shutdown = 1;
-     }
- }
-@@ -2048,9 +2052,18 @@ static void qemudFreeClient(struct qemud
- static int qemudRunLoop(struct qemud_server *server) {
-     int timerid = -1;
-     int ret = -1, i;
-+    int timerActive = 0;
- 
-     virMutexLock(&server->lock);
- 
-+    if (timeout > 0 &&
-+        (timerid = virEventAddTimeoutImpl(-1,
-+                                          qemudInactiveTimer,
-+                                          server, NULL)) < 0) {
-+        VIR_ERROR0(_("Failed to register shutdown timeout"));
-+        return -1;
-+    }
-+
-     if (min_workers > max_workers)
-         max_workers = min_workers;
- 
-@@ -2071,11 +2084,21 @@ static int qemudRunLoop(struct qemud_ser
-          * if any drivers have active state, if not
-          * shutdown after timeout seconds
-          */
--        if (timeout > 0 && !virStateActive() && !server->clients) {
--            timerid = virEventAddTimeoutImpl(timeout*1000,
--                                             qemudInactiveTimer,
--                                             server, NULL);
--            DEBUG("Scheduling shutdown timer %d", timerid);
-+        if (timeout > 0) {
-+            if (timerActive) {
-+                if (server->clients) {
-+                    DEBUG("Deactivating shutdown timer %d", timerid);
-+                    virEventUpdateTimeoutImpl(timerid, -1);
-+                    timerActive = 0;
-+                }
-+            } else {
-+                if (!virStateActive() &&
-+                    !server->clients) {
-+                    DEBUG("Activating shutdown timer %d", timerid);
-+                    virEventUpdateTimeoutImpl(timerid, timeout * 1000);
-+                    timerActive = 1;
-+                }
-+            }
-         }
- 
-         virMutexUnlock(&server->lock);
-@@ -2129,15 +2152,6 @@ static int qemudRunLoop(struct qemud_ser
-             }
-         }
- 
--        /* Unregister any timeout that's active, since we
--         * just had an event processed
--         */
--        if (timerid != -1) {
--            DEBUG("Removing shutdown timer %d", timerid);
--            virEventRemoveTimeoutImpl(timerid);
--            timerid = -1;
--        }
--
-         if (server->shutdown) {
-             ret = 0;
-             break;

libvirt-0.8.3-avoid-resetting-errors.patch

@@ -0,0 +1,51 @@
+From 452bf160e5bbe0789d706fda95f5919551eb2cac Mon Sep 17 00:00:00 2001
+From: Jiri Denemark <jdenemar@redhat.com>
+Date: Fri, 25 Mar 2011 16:45:45 +0100
+Subject: [PATCH 2/2] daemon: Avoid resetting errors before they are reported
+
+https://bugzilla.redhat.com/show_bug.cgi?id=690733
+
+Commit f44bfb7 was supposed to make sure no additional libvirt API (esp.
+*Free) is called before remoteDispatchConnError() is called on error.
+However, the patch missed two instances.
+(cherry picked from commit 55cc591fc18e87b29febf78dc5b424b7c12f7349)
+---
+ daemon/remote.c |    6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/daemon/remote.c b/daemon/remote.c
+index a8258ca..7464957 100644
+--- a/daemon/remote.c
++++ b/daemon/remote.c
+@@ -4547,12 +4547,13 @@ remoteDispatchStoragePoolListVolumes (struct qemud_server *server ATTRIBUTE_UNUS
+     ret->names.names_len =
+         virStoragePoolListVolumes (pool,
+                                    ret->names.names_val, args->maxnames);
+-    virStoragePoolFree(pool);
+     if (ret->names.names_len == -1) {
+         VIR_FREE(ret->names.names_val);
+         remoteDispatchConnError(rerr, conn);
++        virStoragePoolFree(pool);
+         return -1;
+     }
++    virStoragePoolFree(pool);
+ 
+     return 0;
+ }
+@@ -4576,11 +4577,12 @@ remoteDispatchStoragePoolNumOfVolumes (struct qemud_server *server ATTRIBUTE_UNU
+     }
+ 
+     ret->num = virStoragePoolNumOfVolumes (pool);
+-    virStoragePoolFree(pool);
+     if (ret->num == -1) {
+         remoteDispatchConnError(rerr, conn);
++        virStoragePoolFree(pool);
+         return -1;
+     }
++    virStoragePoolFree(pool);
+ 
+     return 0;
+ }
+-- 
+1.7.3.4
+

libvirt-0.8.3-boot-menu.patch

@@ -0,0 +1,12 @@
+diff -rup libvirt-0.8.3.orig/src/qemu/qemu_conf.c libvirt-0.8.3.new/src/qemu/qemu_conf.c
+--- libvirt-0.8.3.orig/src/qemu/qemu_conf.c	2010-08-04 13:21:27.000000000 +0100
++++ libvirt-0.8.3.new/src/qemu/qemu_conf.c	2010-08-23 21:08:13.239794362 +0100
+@@ -3651,7 +3651,7 @@ int qemudBuildCommandLine(virConnectPtr 
+ {
+     int i;
+     char memory[50];
+-    char boot[VIR_DOMAIN_BOOT_LAST];
++    char boot[VIR_DOMAIN_BOOT_LAST+1];
+     struct utsname ut;
+     int disableKQEMU = 0;
+     int disableKVM = 0;

libvirt-0.8.3-fix-var-lib-libvirt-permissions.patch

@@ -0,0 +1,44 @@
+From f970d802ab805f1a37af384f148f34e108714034 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Wed, 3 Nov 2010 15:20:24 -0600
+Subject: [PATCH] rpm: fix /var/lib/libvirt permissions
+
+https://bugzilla.redhat.com/show_bug.cgi?id=649511
+
+Regression of forcing 0700 permissions (which breaks guest startup
+because the qemu user can't see /var/lib/libvirt/*.monitor) was
+introduced in commit 66823690e, as part of libvirt 0.8.2.
+
+* libvirt.spec.in (%files): Drop %{_localstatedir}/lib/libvirt,
+since libvirt depends on libvirt-client.
+(%files client): Guarantee 755 permissions on
+%(_localstatedir}/lib/libvirt, since the qemu user must be able to
+do pathname resolution to a subdirectory.
+---
+ libvirt.spec.in |    3 +--
+ 1 files changed, 1 insertions(+), 2 deletions(-)
+
+diff --git a/libvirt.spec.in b/libvirt.spec.in
+index 813e0c0..f77626e 100644
+--- a/libvirt.spec.in
++++ b/libvirt.spec.in
+@@ -793,7 +793,6 @@ fi
+ 
+ %dir %{_localstatedir}/run/libvirt/
+ 
+-%dir %{_localstatedir}/lib/libvirt/
+ %dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/images/
+ %dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/boot/
+ %dir %attr(0700, root, root) %{_localstatedir}/cache/libvirt/
+@@ -883,7 +882,7 @@ fi
+ 
+ %{_sysconfdir}/rc.d/init.d/libvirt-guests
+ %config(noreplace) %{_sysconfdir}/sysconfig/libvirt-guests
+-%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt
++%dir %attr(0755, root, root) %{_localstatedir}/lib/libvirt/
+ 
+ %if %{with_sasl}
+ %config(noreplace) %{_sysconfdir}/sasl2/libvirt.conf
+-- 
+1.7.3.4
+

libvirt-0.8.3-octal-addresses.patch

@@ -0,0 +1,53 @@
+From 8efebd1761700a0cc32736829aead7807cc7865d Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Diego=20Elio=20Petten=C3=B2?= <flameeyes@gmail.com>
+Date: Tue, 26 Oct 2010 14:45:03 +0200
+Subject: [PATCH] qemu: don't use %.3d format for bus/addr of USB devices
+
+When using 0-prefixed numbers, QEmu will interpret them as octal numbers
+(as C convention says); this means that if you attach a device that has
+addr > 10 (decimal) you're going to attach a different device.
+---
+ src/qemu/qemu_conf.c                               |    4 ++--
+ .../qemuxml2argv-hostdev-usb-address-device.args   |    2 +-
+ .../qemuxml2argv-hostdev-usb-address.args          |    2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
+index 00e89a1..5bd3d4c 100644
+--- a/src/qemu/qemu_conf.c
++++ b/src/qemu/qemu_conf.c
+@@ -3266,7 +3266,7 @@ qemuBuildUSBHostdevDevStr(virDomainHostdevDefPtr dev)
+         return NULL;
+     }
+ 
+-    if (virAsprintf(&ret, "usb-host,hostbus=%.3d,hostaddr=%.3d,id=%s",
++    if (virAsprintf(&ret, "usb-host,hostbus=%d,hostaddr=%d,id=%s",
+                     dev->source.subsys.u.usb.bus,
+                     dev->source.subsys.u.usb.device,
+                     dev->info.alias) < 0)
+@@ -3288,7 +3288,7 @@ qemuBuildUSBHostdevUsbDevStr(virDomainHostdevDefPtr dev)
+         return NULL;
+     }
+ 
+-    if (virAsprintf(&ret, "host:%.3d.%.3d",
++    if (virAsprintf(&ret, "host:%d.%d",
+                     dev->source.subsys.u.usb.bus,
+                     dev->source.subsys.u.usb.device) < 0)
+         virReportOOMError();
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-hostdev-usb-address-device.args b/tests/qemuxml2argvdata/qemuxml2argv-hostdev-usb-address-device.args
+index 6900fd3..7e42542 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-hostdev-usb-address-device.args
++++ b/tests/qemuxml2argvdata/qemuxml2argv-hostdev-usb-address-device.args
+@@ -1 +1 @@
+-LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M pc -m 214 -smp 1 -nographic -nodefconfig -nodefaults -monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -usb -device usb-host,hostbus=014,hostaddr=006,id=hostdev0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2
++LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M pc -m 214 -smp 1 -nographic -nodefconfig -nodefaults -monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -usb -device usb-host,hostbus=14,hostaddr=6,id=hostdev0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-hostdev-usb-address.args b/tests/qemuxml2argvdata/qemuxml2argv-hostdev-usb-address.args
+index e57bec1..96e004d 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-hostdev-usb-address.args
++++ b/tests/qemuxml2argvdata/qemuxml2argv-hostdev-usb-address.args
+@@ -1 +1 @@
+-LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M pc -m 214 -smp 1 -nographic -monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial none -parallel none -usb -usbdevice host:014.006
++LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M pc -m 214 -smp 1 -nographic -monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial none -parallel none -usb -usbdevice host:14.6
+-- 
+1.7.3.4
+

libvirt-0.8.3-read-only-checks.patch

@@ -0,0 +1,95 @@
+From: Guido Günther <agx@sigxcpu.org>
+Date: Mon, 14 Mar 2011 02:56:28 +0000 (+0800)
+Subject: Add missing checks for read only connections
+X-Git-Url: http://libvirt.org/git/?p=libvirt.git;a=commitdiff_plain;h=71753cb7f7a16ff800381c0b5ee4e99eea92fed3;hp=13c00dde3171b3a38d23cceb3f9151cb6cac3dad
+
+Add missing checks for read only connections
+
+As pointed on CVE-2011-1146, some API forgot to check the read-only
+status of the connection for entry point which modify the state
+of the system or may lead to a remote execution using user data.
+The entry points concerned are:
+  - virConnectDomainXMLToNative
+  - virNodeDeviceDettach
+  - virNodeDeviceReAttach
+  - virNodeDeviceReset
+  - virDomainRevertToSnapshot
+  - virDomainSnapshotDelete
+
+* src/libvirt.c: fix the above set of entry points to error on read-only
+                 connections
+
+Rebased to 0.8.2, mostly changed the call of the error routines
+---
+
+--- src/libvirt.c.orig	2011-03-14 17:03:45.000000000 +0800
++++ src/libvirt.c	2011-03-14 17:10:41.000000000 +0800
+@@ -3190,6 +3190,10 @@ char *virConnectDomainXMLToNative(virCon
+         virDispatchError(NULL);
+         return (NULL);
+     }
++    if (conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(NULL, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
+ 
+     if (nativeFormat == NULL || domainXml == NULL) {
+         virLibConnError(conn, VIR_ERR_INVALID_ARG, __FUNCTION__);
+@@ -9432,6 +9436,11 @@ virNodeDeviceDettach(virNodeDevicePtr de
+         return (-1);
+     }
+ 
++    if (dev->conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dev->conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
++
+     if (dev->conn->driver->nodeDeviceDettach) {
+         int ret;
+         ret = dev->conn->driver->nodeDeviceDettach (dev);
+@@ -9475,6 +9484,11 @@ virNodeDeviceReAttach(virNodeDevicePtr d
+         return (-1);
+     }
+ 
++    if (dev->conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dev->conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
++
+     if (dev->conn->driver->nodeDeviceReAttach) {
+         int ret;
+         ret = dev->conn->driver->nodeDeviceReAttach (dev);
+@@ -9520,6 +9534,11 @@ virNodeDeviceReset(virNodeDevicePtr dev)
+         return (-1);
+     }
+ 
++    if (dev->conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dev->conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
++
+     if (dev->conn->driver->nodeDeviceReset) {
+         int ret;
+         ret = dev->conn->driver->nodeDeviceReset (dev);
+@@ -12775,6 +12794,10 @@ virDomainRevertToSnapshot(virDomainSnaps
+     }
+ 
+     conn = snapshot->domain->conn;
++    if (conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
+ 
+     if (conn->driver->domainRevertToSnapshot) {
+         int ret = conn->driver->domainRevertToSnapshot(snapshot, flags);
+@@ -12821,6 +12844,10 @@ virDomainSnapshotDelete(virDomainSnapsho
+     }
+ 
+     conn = snapshot->domain->conn;
++    if (conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
+ 
+     if (conn->driver->domainSnapshotDelete) {
+         int ret = conn->driver->domainSnapshotDelete(snapshot, flags);

libvirt-0.8.3-remote-protect-against-integer-overflow.patch

@@ -0,0 +1,106 @@
+From 584f9cee6926b57a19cc8bb36ea77124bdcfed94 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Fri, 24 Jun 2011 12:16:05 -0600
+Subject: [PATCH] remote: protect against integer overflow
+
+https://bugzilla.redhat.com/show_bug.cgi?id=717204
+CVE-2011-2511 - integer overflow in VirDomainGetVcpus
+
+Integer overflow and remote code are never a nice mix.
+
+This has existed since commit 56cd414.
+
+* src/libvirt.c (virDomainGetVcpus): Reject overflow up front.
+* src/remote/remote_driver.c (remoteDomainGetVcpus): Avoid overflow
+  on sending rpc.
+* daemon/remote.c (remoteDispatchDomainGetVcpus): Avoid overflow on
+  receiving rpc.
+
+(cherry picked from commit 774b21c163845170c9ffa873f5720d318812eaf6)
+
+Conflicts:
+
+	daemon/remote.c
+	src/remote/remote_driver.c
+        src/libvirt.c
+
+Change to internal.h required to avoid backporting 89d994ad.
+---
+ daemon/remote.c            |    3 ++-
+ src/internal.h             |   17 +++++++++++++++++
+ src/libvirt.c              |    4 ++--
+ src/remote/remote_driver.c |    3 ++-
+ 4 files changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/daemon/remote.c b/daemon/remote.c
+index 7464957..c6f7007 100644
+--- a/daemon/remote.c
++++ b/daemon/remote.c
+@@ -1697,7 +1697,8 @@ remoteDispatchDomainGetVcpus (struct qemud_server *server ATTRIBUTE_UNUSED,
+         return -1;
+     }
+ 
+-    if (args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) {
++    if (INT_MULTIPLY_OVERFLOW(args->maxinfo, args->maplen) ||
++        args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) {
+         virDomainFree(dom);
+         remoteDispatchFormatError (rerr, "%s", _("maxinfo * maplen > REMOTE_CPUMAPS_MAX"));
+         return -1;
+diff --git a/src/internal.h b/src/internal.h
+index fab3e11..53447a9 100644
+--- a/src/internal.h
++++ b/src/internal.h
+@@ -226,4 +226,21 @@
+         }                                                               \
+     } while (0)
+ 
++/* branch-specific: we don't want to update gnulib on the branch, so this
++ * backports just one required macro from newer gnulib's intprops.h.
++ * This version requires that both a and b are 'int', rather than
++ * the fully type-generic version from gnulib.  */
++# define INT_MULTIPLY_OVERFLOW(a, b)            \
++    ((b) < 0                                    \
++     ? ((a) < 0                                 \
++        ? (a) < INT_MAX / (b)                   \
++        : (b) == -1                             \
++        ? 0                                     \
++        : INT_MIN / (b) < (a))                  \
++     : (b) == 0                                 \
++     ? 0                                        \
++     : ((a) < 0                                 \
++        ? (a) < INT_MIN / (b)                   \
++        : INT_MAX / (b) < (a)))
++
+ #endif                          /* __VIR_INTERNAL_H__ */
+diff --git a/src/libvirt.c b/src/libvirt.c
+index 1213ecf..6a584fb 100644
+--- a/src/libvirt.c
++++ b/src/libvirt.c
+@@ -5218,8 +5218,8 @@ virDomainGetVcpus(virDomainPtr domain, virVcpuInfoPtr info, int maxinfo,
+ 
+     /* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not
+        try to memcpy anything into a NULL pointer.  */
+-    if ((cpumaps == NULL && maplen != 0)
+-        || (cpumaps && maplen <= 0)) {
++    if (!cpumaps ? maplen != 0
++        : (maplen <= 0 || INT_MULTIPLY_OVERFLOW(maxinfo, maplen))) {
+         virLibDomainError(domain, VIR_ERR_INVALID_ARG, __FUNCTION__);
+         goto error;
+     }
+diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
+index cb0d8e1..0d9b425 100644
+--- a/src/remote/remote_driver.c
++++ b/src/remote/remote_driver.c
+@@ -2467,7 +2467,8 @@ remoteDomainGetVcpus (virDomainPtr domain,
+                     maxinfo, REMOTE_VCPUINFO_MAX);
+         goto done;
+     }
+-    if (maxinfo * maplen > REMOTE_CPUMAPS_MAX) {
++    if (INT_MULTIPLY_OVERFLOW(maxinfo, maplen) ||
++        maxinfo * maplen > REMOTE_CPUMAPS_MAX) {
+         remoteError(VIR_ERR_RPC,
+                     _("vCPU map buffer length exceeds maximum: %d > %d"),
+                     maxinfo * maplen, REMOTE_CPUMAPS_MAX);
+-- 
+1.7.3.4
+

sources

@@ -1 +1 @@
-8e0120d5452b37179f682031bf0895ea  libvirt-0.6.0.tar.gz
+ae8535ce119d32a2e9fb1f46e2c8f325  libvirt-0.8.3.tar.gz