commit hyper-v for openSUSE:Factory
Hello community, here is the log from the commit of package hyper-v for openSUSE:Factory checked in at 2012-11-30 12:21:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/hyper-v (Old) and /work/SRC/openSUSE:Factory/.hyper-v.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "hyper-v", Maintainer is "OHering@suse.com" Changes: --------
--- /work/SRC/openSUSE:Factory/hyper-v/hyper-v.changes 2012-11-02 17:36:59.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.hyper-v.new/hyper-v.changes 2012-11-30 12:25:40.000000000 +0100
@@ -1,0 +2,29 @@
+Tue Nov 27 11:19:32 CET 2012 - ohering@suse.de
+
+- update hv_set_ifconfig, use single index for static ipv4/ipv6 [bnc#790469]
+
+-------------------------------------------------------------------
+Sun Nov 25 17:50:40 CET 2012 - ohering@suse.de
+
+- update hv_set_ifconfig further to work with our ifcfg [bnc#790469]
+
+-------------------------------------------------------------------
+Thu Nov 22 18:14:12 CET 2012 - ohering@suse.de
+
+- update hv_get_dhcp_info to work with our ifcfg [bnc#790469]
+- remove cat usage from hv_get_dns_info
+- add quoting to hv_set_ifconfig to make it more robust
+
+-------------------------------------------------------------------
+Mon Nov 12 17:18:25 CET 2012 - ohering@suse.de
+
+- remove code to build kmp, it was not enabled because the
+ drivers are now in kernel since a long time. [bnc#676890]
+
+-------------------------------------------------------------------
+Thu Nov 8 14:30:05 CET 2012 - ohering@suse.de
+
+- Netlink source address validation allows DoS [bnc#791605, CVE-2012-5532]
+ bugfix for recvfrom check from bnc#761200
+
+-------------------------------------------------------------------
@@ -33 +62 @@ -- check origin of netlink messages, use recvfrom() [bnc#761200] +- check origin of netlink messages, use recvfrom() [bnc#761200, CVE-2012-2669] Old: ---- Module.supported full-kernel-version.patch hyper-v.dummy_ko.c hyper-v.supplements.txt hyperv_pvdrivers.conf kmp_filelist no-loopback.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ hyper-v.spec ++++++ --- /var/tmp/diff_new_pack.27S5S3/_old 2012-11-30 12:25:41.000000000 +0100 +++ /var/tmp/diff_new_pack.27S5S3/_new 2012-11-30 12:25:41.000000000 +0100 @@ -16,21 +16,9 @@ # -%define with_kmp 0 -%define with_modprobe 0 -%if %{with_kmp} -%define with_drivers_in_kmp 0 -%endif %define hv_kvp_daemon hv_kvp_daemon Name: hyper-v -%if %{with_kmp} -BuildRequires: kernel-default-devel -BuildRequires: module-init-tools -%ifarch %ix86 -BuildRequires: kernel-pae-devel -%endif -%endif ExclusiveArch: %ix86 x86_64 PreReq: %insserv_prereq Summary: Microsoft Hyper-V tools @@ -41,11 +29,6 @@ Url: http://www.kernel.org Version: 4 Release: 0 -Source: Module.supported -Source1: hyperv_pvdrivers.conf -Source2: kmp_filelist -Source3: hyper-v.supplements.txt -Source4: hyper-v.dummy_ko.c Source5: hyper-v.kvptest.ps1.txt Source9: hyper-v.include.linux.hyperv.h Source10: hyper-v.tools.hv.hv_kvp_daemon.c 
@@ -53,44 +36,17 @@ Source20: hyper-v.tools.hv.hv_get_dhcp_info.sh Source21: hyper-v.tools.hv.hv_get_dns_info.sh Source22: hyper-v.tools.hv.hv_set_ifconfig.sh -Patch0: full-kernel-version.patch -Patch1: no-loopback.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build -%if %{with_kmp} -%if %{with_drivers_in_kmp} -%suse_kernel_module_package -n hyper-v um xen -f kmp_filelist -%else -%suse_kernel_module_package -n hyper-v um xen -f kmp_filelist -p hyper-v.supplements.txt -%endif -%endif %description This package contains the Microsoft Hyper-V tools. - - -%if %{with_kmp} - -%package KMP - -Summary: Microsoft Hyper-V drivers -Group: System/Kernel - -%description KMP -This package contains the Microsoft Hyper-V drivers. - - - -%endif - %prep %setup -Tc cp -avL %{S:5} kvptest.ps1.txt cp -vL %{S:9} %{hv_kvp_daemon}.h cp -vL %{S:10} %{hv_kvp_daemon}.c -%patch0 -p3 -%patch1 -p3 %build sed -i~ '/#include <linux.hyperv.h>/d' %{hv_kvp_daemon}.c @@ -104,31 +60,8 @@ -DCN_KVP_IDX=0x9 \ -DCN_KVP_VAL=0x1 \ -o %{hv_kvp_daemon} -%if %{with_kmp} -for flavor in %flavors_to_build; do -%if %{with_drivers_in_kmp} - krel=$(make -s -C %{kernel_source $flavor} kernelrelease) - cp -a /lib/modules/$krel/source/drivers/staging/hv $flavor -%else - rm -rfv $flavor - mkdir -p $flavor - cp %_sourcedir/hyper-v.dummy_ko.c $flavor/hyper-v.suse_kmp_dummy.c - cat > $flavor/Makefile <<-EOF -obj-m += hyper-v.suse_kmp_dummy.o -EOF -%endif - cp %_sourcedir/Module.supported $flavor - make -C %{kernel_source $flavor} modules M=$PWD/$flavor -done -%endif %install -%if %{with_kmp} -export INSTALL_MOD_PATH=$RPM_BUILD_ROOT -for flavor in %flavors_to_build; do - make -C %{kernel_source $flavor} modules_install M=$PWD/$flavor -done -%endif mkdir -p $RPM_BUILD_ROOT/usr/sbin install -m755 %{hv_kvp_daemon} $RPM_BUILD_ROOT/usr/sbin mkdir -p $RPM_BUILD_ROOT/usr/lib/%{name}/bin 
@@ -139,20 +72,10 @@ mkdir -p $RPM_BUILD_ROOT/etc/init.d install -m755 %{S:11} $RPM_BUILD_ROOT/etc/init.d/%{hv_kvp_daemon} ln -sfvbn ../../etc/init.d/%{hv_kvp_daemon} $RPM_BUILD_ROOT/usr/sbin/rc%{hv_kvp_daemon} -%if %{with_modprobe} -mkdir -p $RPM_BUILD_ROOT/etc/modprobe.d -install -m644 %SOURCE1 $RPM_BUILD_ROOT/etc/modprobe.d/hyperv_pvdrivers.conf -%endif %files %defattr (-,root,root) %doc kvptest.ps1.txt -%if %{with_modprobe} -%if !%{with_kmp} -%dir /etc/modprobe.d -%config /etc/modprobe.d/hyperv_pvdrivers.conf -%endif -%endif /etc/init.d/%{hv_kvp_daemon} /usr/sbin/rc%{hv_kvp_daemon} /usr/sbin/%{hv_kvp_daemon} ++++++ hyper-v.tools.hv.hv_get_dhcp_info.sh ++++++ --- /var/tmp/diff_new_pack.27S5S3/_old 2012-11-30 12:25:41.000000000 +0100 +++ /var/tmp/diff_new_pack.27S5S3/_new 2012-11-30 12:25:41.000000000 +0100 @@ -1,6 +1,6 @@ #!/bin/bash -# This example script retrieves the DHCP state of a given interface. +# This script retrieves the DHCP state of a given interface. # In the interest of keeping the KVP daemon code free of distro specific # information; the kvp daemon code invokes this external script to gather # DHCP setting for the specific interface. @@ -16,9 +16,9 @@ # this script can be based on the Network Manager APIs for retrieving DHCP # information. -if_file="/etc/sysconfig/network-scripts/ifcfg-"$1 +if_file="/etc/sysconfig/network/ifcfg-$1" -dhcp=$(grep "dhcp" $if_file 2>/dev/null) +dhcp=$(grep -- '^BOOTPROTO=.*dhcp' "$if_file" 2>/dev/null) if [ "$dhcp" != "" ]; then ++++++ hyper-v.tools.hv.hv_get_dns_info.sh ++++++ --- /var/tmp/diff_new_pack.27S5S3/_old 2012-11-30 12:25:41.000000000 +0100 +++ /var/tmp/diff_new_pack.27S5S3/_new 2012-11-30 12:25:41.000000000 +0100 
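Review bot: The interface name in `$1` goes into `if_file` in the hv_get_dhcp_info.sh hunk without any check, so an empty value or one containing `/` makes grep read a file other than the intended ifcfg-<interface>. A guard ahead of the assignment, `case "$1" in ''|*/*) exit 1 ;; esac` (or whatever exit path the script uses for a non-DHCP interface), keeps the lookup inside /etc/sysconfig/network. Only the presence of a match is used afterwards, so `grep -q` inside the `if` would also avoid capturing the matched line in `dhcp`. The `if` block that consumes `dhcp` continues past the end of the hunk.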
@@ -1,6 +1,6 @@ #!/bin/bash -# This example script parses /etc/resolv.conf to retrive DNS information. +# This script parses /etc/resolv.conf to retrive DNS information. # In the interest of keeping the KVP daemon code free of distro specific # information; the kvp daemon code invokes this external script to gather # DNS information. @@ -10,4 +10,7 @@ # this script can be based on the Network Manager APIs for retrieving DNS # entries. -cat /etc/resolv.conf 2>/dev/null | awk '/^nameserver/ { print $2 }' +if test -r /etc/resolv.conf +then + awk -- '/^nameserver/ { print $2 }' /etc/resolv.conf +fi ++++++ hyper-v.tools.hv.hv_kvp_daemon.c ++++++ --- /var/tmp/diff_new_pack.27S5S3/_old 2012-11-30 12:25:41.000000000 +0100 +++ /var/tmp/diff_new_pack.27S5S3/_new 2012-11-30 12:25:41.000000000 +0100 @@ -43,6 +43,7 @@ #include <sys/stat.h> #include <fcntl.h> #include <dirent.h> +#include <net/if.h> /* * KVP protocol: The user mode component first registers with the @@ -88,6 +89,7 @@ static char *os_minor = ""; static char *processor_arch; static char *os_build; +static char *os_version; static char *lic_version = "Unknown version"; static struct utsname uts_buf; @@ -453,7 +455,9 @@ char *p, buf[512]; uname(&uts_buf); - os_build = uts_buf.release; + os_version = uts_buf.release; + os_build = strdup(uts_buf.release); + os_name = uts_buf.sysname; processor_arch = uts_buf.machine; @@ -462,7 +466,7 @@ * string to be of the form: x.y.z * Strip additional information we may have. */ - p = strchr(os_build, '-'); + p = strchr(os_version, '-'); if (p) *p = '\0'; @@ -879,7 +883,7 @@ addr_length = INET6_ADDRSTRLEN; } - if ((length - *offset) < addr_length + 1) + if ((length - *offset) < addr_length + 2) return HV_E_FAIL; if (str == NULL) { strcpy(buffer, "inet_ntop failed\n"); @@ -887,11 +891,13 @@ } if (*offset == 0) strcpy(buffer, tmp); - else + else { + strcat(buffer, ";"); strcat(buffer, tmp); - strcat(buffer, ";"); + } *offset += strlen(str) + 1; + return 0; } 
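Review bot: The result of `strdup(uts_buf.release)` is stored in `os_build` without a NULL check in the `@@ -453,7 +455,9 @@` hunk, so an allocation failure becomes a NULL pointer wherever `os_build` is later copied (those uses are outside this hunk, presumably a `strcpy` like the one for `os_version`). Falling back to the original buffer keeps the daemon running: `if (!os_build) os_build = uts_buf.release;`. A short comment that `os_version` aliases `uts_buf.release` and is truncated in place at the first '-', while `os_build` keeps the full string, would explain why the copy is needed. The enclosing function starts and ends outside the hunk.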
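Review bot: The size check changed in `@@ -879,7 +883,7 @@` (`addr_length + 2`) and the writes in `@@ -887,11 +891,13 @@` are only loosely coupled: the check uses the worst-case `addr_length`, while `strcpy`/`strcat` are unbounded and `*offset` advances by `strlen(str) + 1` even for the first entry, where no `;` is written. The accounting errs on the safe side, but nothing in the code says so; a comment such as `/* *offset over-counts by one after the first entry; the +2 covers ';' and the terminating NUL */` would keep a later edit from tightening the check incorrectly. The check also runs before the `str == NULL` test, and that branch overwrites whatever `buffer` already holds with the error text. The function starts above the first of the two hunks.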
@@ -953,7 +959,9 @@ * supported address families; if not we gather info on * the specified address family. */ - if ((family != 0) && (curp->ifa_addr->sa_family != family)) { + if ((((family != 0) && + (curp->ifa_addr->sa_family != family))) || + (curp->ifa_flags & IFF_LOOPBACK)) { curp = curp->ifa_next; continue; } @@ -1478,13 +1486,19 @@ len = recvfrom(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0, addr_p, &addr_l); - if (len < 0 || addr.nl_pid) { + if (len < 0) { syslog(LOG_ERR, "recvfrom failed; pid:%u error:%d %s", addr.nl_pid, errno, strerror(errno)); close(fd); return -1; } + if (addr.nl_pid) { + syslog(LOG_WARNING, "Received packet from untrusted pid:%u", + addr.nl_pid); + continue; + } + incoming_msg = (struct nlmsghdr *)kvp_recv_buffer; incoming_cn_msg = (struct cn_msg *)NLMSG_DATA(incoming_msg); hv_msg = (struct hv_kvp_msg *)incoming_cn_msg->data; @@ -1649,7 +1663,7 @@ strcpy(key_name, "OSMinorVersion"); break; case OSVersion: - strcpy(key_value, os_build); + strcpy(key_value, os_version); strcpy(key_name, "OSVersion"); break; case ProcessorArchitecture: ++++++ hyper-v.tools.hv.hv_set_ifconfig.sh ++++++ --- /var/tmp/diff_new_pack.27S5S3/_old 2012-11-30 12:25:41.000000000 +0100 +++ /var/tmp/diff_new_pack.27S5S3/_new 2012-11-30 12:25:41.000000000 +0100 
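Review bot: `curp->ifa_addr->sa_family` is dereferenced in the new condition of the `@@ -953,7 +959,9 @@` hunk, but getifaddrs() may return entries whose `ifa_addr` is NULL, and no NULL test is visible here (one may exist above the hunk). Checking it first makes the skip condition safe on its own: `if (curp->ifa_addr == NULL || (curp->ifa_flags & IFF_LOOPBACK) || (family != 0 && curp->ifa_addr->sa_family != family)) {`. The doubled parentheses around the family test can go at the same time. The loop this condition sits in begins and ends outside the hunk.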
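Review bot: The new `addr.nl_pid` branch in the `@@ -1478,13 +1486,19 @@` hunk writes one LOG_WARNING line per rejected packet, so the daemon no longer exits on such a packet but its log volume is still controlled by whoever sends them. Rate-limit the message, for example `if (time(NULL) - last_warn >= 60) { last_warn = time(NULL); syslog(...); }` with a static `last_warn`, or log only the first occurrence. Separately, `len` is only checked for `< 0` before `kvp_recv_buffer` is cast to `struct nlmsghdr`; a minimum-length check ahead of the casts would be a cheap hardening step. The receive loop starts and ends outside the hunk.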
@@ -41,43 +41,145 @@ : expect configuration datafile as first argument exit 1 fi -# +# send subshell output to syslog ( +f=/etc/sysconfig/network/scripts/functions +if test -f ${f} +then + . ${f} +else + echo "MISSING ${f}" + exit 1 +fi +# remove known config variables from environment +unset HWADDR unset DHCP unset IF_NAME +unset ${!IPADDR*} +unset ${!NETMASK*} +unset ${!GATEWAY*} +unset ${!IPV6ADDR*} +unset ${!IPV6NETMASK*} +unset ${!IPV6_DEFAULTGW*} +unset ${!DNS*} . "$1" +# if test -z "${IF_NAME}" then echo "Missing IF_NAME= in ${cfg}" exit 1 fi # -t=`mktemp` -if test -z "${t}" -then - exit 1 -fi - +t_ifcfg=`mktemp` +t_ifroute=`mktemp` _exit() { - rm -f "${t}" + rm -f "${t_ifcfg}" "${t_ifroute}" } trap _exit EXIT # -cat >> "${t}" <<_EOF_ -# contents from $0 $* -`cat "${cfg}"` +if test -z "${t_ifcfg}" || test -z "${t_ifroute}" +then + exit 1 +fi # -# additional options: -STARTMODE=auto -_EOF_ +# Create ifcfg-* file +( + echo "STARTMODE=auto" + # + if test -n "${HWADDR}" + then + : # ignore HWADDR, it just repeats the existing MAC value + fi + # + if test "${DHCP}" = "yes" + then + echo "BOOTPROTO=dhcp" + fi + # single index for all ipv4 and ipv6 adresses in final ifcfg file + i=0 + idx="" + # loop through all ipv4 adresses + for var in ${!IPADDR*} + do + index=${var#IPADDR} + pfx= + # find corresponding NETMASK variable + eval nm=\$NETMASK${index} + # if specified, calculate prefix + if test -n "${nm}" + then + pfx=`mask2pfxlen "${nm}" 2>/dev/null` + fi + # if not specified, force prefix + if test -z "${pfx}" + then + pfx="32" + fi + # construct actual value + eval val=\$IPADDR${index} + # write config variable + echo "IPADDR${idx}='${val}/${pfx}'" + idx="_$((++i))" + done + # loop through all ipv6 adresses + for var in ${!IPV6ADDR*} + do + index=${var#IPV6ADDR} + # find corresponding IPV6NETMASK variable + eval pfx=\$IPV6NETMASK${index} + # if not specified, force prefix + if test -z "${pfx}" + then + pfx=128 + fi + # construct actual value + eval 
val=\$IPV6ADDR${index} + # write config variable + echo "IPADDR${idx}='${val}/${pfx}'" + idx="_$((++i))" + done + +) >> "${t_ifcfg}" -if test "${DHCP}" = "yes" +# Create ifroute-* file +( + if test -n "${GATEWAY}" + then + echo "default $GATEWAY - $IF_NAME" + fi + if test -n "${IPV6_DEFAULTGW}" + then + echo "default $IPV6_DEFAULTGW - $IF_NAME" + fi +) >> "${t_ifroute}" +# Only a single default gateway is supported +unset GATEWAY IPV6_DEFAULTGW +if test -n "${!GATEWAY*}${!IPV6_DEFAULTGW*}" then - echo "BOOTPROTO=dhcp" >> ${t}; + echo "WARNING: multiple gateways not supported: ${!GATEWAY*} ${!IPV6_DEFAULTGW*}" fi +# collect DNS info +_DNS_= +for var in ${!DNS*} +do + eval val=\$${var} + if test -n "${_DNS_}" + then + _DNS_="${_DNS_} ${val}" + else + _DNS_=${val} + fi +done +# echo "$0: working on network interface ifcfg-${IF_NAME}" -cp -b ${t} /etc/sysconfig/network/ifcfg-${IF_NAME} -ifdown ${IF_NAME} -o hotplug -ifup ${IF_NAME} -o hotplug +cp -fb ${t_ifcfg} "/etc/sysconfig/network/ifcfg-${IF_NAME}" +cp -fb ${t_ifroute} "/etc/sysconfig/network/ifroute-${IF_NAME}" +if test -w /etc/sysconfig/network/config +then + sed -i "s@^NETCONFIG_DNS_STATIC_SERVERS=.*@NETCONFIG_DNS_STATIC_SERVERS='$_DNS_'@" /etc/sysconfig/network/config + netconfig update -m dns +fi +ifdown "${IF_NAME}" +ifup "${IF_NAME}" ) 2>&1 | logger -t "${0##*/}[$PPID / $$]" -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
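Review bot: The DNS values collected into `_DNS_` are pasted unescaped into the sed program and, through it, into a single-quoted assignment in /etc/sysconfig/network/config; a value containing `@`, `&`, `\` or `'` breaks the substitution or the resulting config line. The same applies to `${val}` written as `IPADDR${idx}='${val}/${pfx}'` into the ifcfg file. These values come from the data file sourced with `. "$1"`, so they should be checked against an address character set before use, and `${!var}` can replace the `eval` lookups. The fence shows the DNS loop with that check; the IPADDR and IPV6ADDR loops would get the same `case` guard. The script's opening lines are outside the hunk.

```shell
# collect DNS info, accepting only address characters
_DNS_=
for var in ${!DNS*}
do
	val=${!var}
	case "${val}" in
	''|*[!0-9A-Fa-f:.]*)
		echo "WARNING: ignoring invalid ${var}"
		continue
		;;
	esac
	_DNS_="${_DNS_:+${_DNS_} }${val}"
done
# … unchanged: sed update of NETCONFIG_DNS_STATIC_SERVERS, netconfig update, ifdown/ifup …
```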