Diffstat (limited to 'main')
-rw-r--r-- | main/libvirt/APKBUILD | 8 | ||||
-rw-r--r-- | main/libvirt/CVE-2019-20485.patch | 171 |
2 files changed, 177 insertions, 2 deletions
diff --git a/main/libvirt/APKBUILD b/main/libvirt/APKBUILD
index b5bdb46f1a..f35f8db514 100644
--- a/main/libvirt/APKBUILD
+++ b/main/libvirt/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=libvirt
 pkgver=5.5.0
 _ver="${pkgver/_rc/-rc}"
-pkgrel=1
+pkgrel=2
 pkgdesc="A virtualization API for several hypervisor and container systems"
 url="https://libvirt.org/"
 arch="all"
@@ -32,6 +32,7 @@ source="https://libvirt.org/sources/$pkgname-$pkgver.tar.xz
 musl-fix-includes.patch
 stderr-fix.patch
 CVE-2020-12430.patch
+ CVE-2019-20485.patch
 "
 if [ "$CARCH" = "x86_64" ]; then
 subpackages="$subpackages $pkgname-xen"
@@ -40,6 +41,8 @@ fi
 subpackages="$subpackages $pkgname-common-drivers:_common_drivers"
 
 # secfixes:
+# 5.5.0-r2:
+# - CVE-2019-20485
 # 5.5.0-r1:
 # - CVE-2020-12430
 # 5.5.0-r0:
@@ -189,4 +192,5 @@ sha512sums="47923aaca605fb43a53238ac535abc1f88f73435336b8f3e88cb01df277ed205d99c
 a4c4d26e4111931acbe7594451bf963a36c8db33c64b1bc447ab4758bb92803510bebee0511d6bc16ba80c289ab6f87e74377d47bf560412f9adb9c161a206d9 virtlockd.initd
 dfe042c596028125bf8548115de2922683829c4716f6b0efb8efc38518670e3e848481661b9714bb0664c1022b87e8f3c0773611fe10187b0bc588e2336ada0c musl-fix-includes.patch
 d32551d56eae2c33bab7571964f76421336967918c293cd1d18fc66626a7ead3551b5672a9e3fc3d8b7bca82cc0abb17e428ee8271d04d73bc06fd16309918b3 stderr-fix.patch
-9f395a8be5c401b3e63f2a95154b2459ba4f9e5dffd0c9e0d96822f9e5b6b36c4b0b6e8e5de11fc280505d001ede0a196b477e60af95c6035daa7b29ca054d69 CVE-2020-12430.patch"
+9f395a8be5c401b3e63f2a95154b2459ba4f9e5dffd0c9e0d96822f9e5b6b36c4b0b6e8e5de11fc280505d001ede0a196b477e60af95c6035daa7b29ca054d69 CVE-2020-12430.patch
+f38df9102e6ae0c05428990043aefee379f0e40b4f1d253a90f5897a41e6fdde7b60d013c776afc7be2f006c1d930228b369f54fe71b137e981da1af464f3ea0 CVE-2019-20485.patch"
diff --git a/main/libvirt/CVE-2019-20485.patch b/main/libvirt/CVE-2019-20485.patch
new file mode 100644
index 0000000000..69e1a28573
--- /dev/null
+++ b/main/libvirt/CVE-2019-20485.patch
@@ -0,0 +1,171 @@
+From a663a860819287e041c3de672aad1d8543098ecc Mon Sep 17 00:00:00 2001
+From: Jonathon Jongsma <jjongsma@redhat.com>
+Date: Thu, 5 Dec 2019 10:08:52 -0600
+Subject: [PATCH] qemu: don't hold both jobs for suspend
+
+We have to assume that the guest agent may be malicious so we don't want
+to allow any agent queries to block any other libvirt API. By holding a
+monitor job while we're querying the agent, we open ourselves up to a
+DoS.
+
+So split the function up a bit to only hold the monitor job while
+querying qemu for whether the domain supports suspend. Then acquire only
+an agent job while issuing the agent suspend command.
+
+Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/qemu/qemu_driver.c | 94 ++++++++++++++++++++++++++++++------------------
+ 1 files changed, 59 insertions(+), 35 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 2891faf..52cf27f 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -19759,6 +19759,59 @@ qemuDomainProbeQMPCurrentMachine(virQEMUDriverPtr driver,
+ }
+
+
++/* returns -1 on error, or if query is not supported, 0 if query was successful */
++static int
++qemuDomainQueryWakeupSuspendSupport(virQEMUDriverPtr driver,
++ virDomainObjPtr vm,
++ bool *wakeupSupported)
++{
++ qemuDomainObjPrivatePtr priv = vm->privateData;
++ int ret = -1;
++
++ if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_QUERY_CURRENT_MACHINE))
++ return -1;
++
++ if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0)
++ return -1;
++
++ if ((ret = virDomainObjCheckActive(vm)) < 0)
++ goto endjob;
++
++ ret = qemuDomainProbeQMPCurrentMachine(driver, vm, wakeupSupported);
++
++ endjob:
++ qemuDomainObjEndJob(driver, vm);
++ return ret;
++}
++
++
++static int
++qemuDomainPMSuspendAgent(virQEMUDriverPtr driver,
++ virDomainObjPtr vm,
++ unsigned int target)
++{
++ qemuAgentPtr agent;
++ int ret = -1;
++
++ if (qemuDomainObjBeginAgentJob(driver, vm, QEMU_AGENT_JOB_MODIFY) < 0)
++ return -1;
++
++ if ((ret = virDomainObjCheckActive(vm)) < 0)
++ goto endjob;
++
++ if (!qemuDomainAgentAvailable(vm, true))
++ goto endjob;
++
++ agent = qemuDomainObjEnterAgent(vm);
++ ret = qemuAgentSuspend(agent, target);
++ qemuDomainObjExitAgent(vm, agent);
++
++ endjob:
++ qemuDomainObjEndAgentJob(vm);
++ return ret;
++}
++
++
+ static int
+ qemuDomainPMSuspendForDuration(virDomainPtr dom,
+ unsigned int target,
+@@ -19766,11 +19819,9 @@ qemuDomainPMSuspendForDuration(virDomainPtr dom,
+ unsigned int flags)
+ {
+ virQEMUDriverPtr driver = dom->conn->privateData;
+- qemuDomainObjPrivatePtr priv;
+ virDomainObjPtr vm;
+- qemuAgentPtr agent;
+- qemuDomainJob job = QEMU_JOB_NONE;
+ int ret = -1;
++ bool wakeupSupported;
+
+ virCheckFlags(0, -1);
+
+@@ -19795,17 +19846,6 @@ qemuDomainPMSuspendForDuration(virDomainPtr dom,
+ if (virDomainPMSuspendForDurationEnsureACL(dom->conn, vm->def) < 0)
+ goto cleanup;
+
+- priv = vm->privateData;
+-
+- if (virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_QUERY_CURRENT_MACHINE))
+- job = QEMU_JOB_MODIFY;
+-
+- if (qemuDomainObjBeginJobWithAgent(driver, vm, job, QEMU_AGENT_JOB_MODIFY) < 0)
+- goto cleanup;
+-
+- if (virDomainObjCheckActive(vm) < 0)
+- goto endjob;
+-
+ /*
+ * The case we want to handle here is when QEMU has the API (i.e.
+ * QEMU_CAPS_QUERY_CURRENT_MACHINE is set). Otherwise, do not interfere
+@@ -19813,16 +19853,11 @@ qemuDomainPMSuspendForDuration(virDomainPtr dom,
+ * that don't know about this cap, will keep their old behavior of
+ * suspending 'in the dark'.
+ */
+- if (virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_QUERY_CURRENT_MACHINE)) {
+- bool wakeupSupported;
+-
+- if (qemuDomainProbeQMPCurrentMachine(driver, vm, &wakeupSupported) < 0)
+- goto endjob;
+-
++ if (qemuDomainQueryWakeupSuspendSupport(driver, vm, &wakeupSupported) == 0) {
+ if (!wakeupSupported) {
+ virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
+ _("Domain does not have suspend support"));
+- goto endjob;
++ goto cleanup;
+ }
+ }
+
+@@ -19832,29 +19867,18 @@ qemuDomainPMSuspendForDuration(virDomainPtr dom,
+ target == VIR_NODE_SUSPEND_TARGET_HYBRID)) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("S3 state is disabled for this domain"));
+- goto endjob;
++ goto cleanup;
+ }
+
+ if (vm->def->pm.s4 == VIR_TRISTATE_BOOL_NO &&
+ target == VIR_NODE_SUSPEND_TARGET_DISK) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("S4 state is disabled for this domain"));
+- goto endjob;
++ goto cleanup;
+ }
+ }
+
+- if (!qemuDomainAgentAvailable(vm, true))
+- goto endjob;
+-
+- agent = qemuDomainObjEnterAgent(vm);
+- ret = qemuAgentSuspend(agent, target);
+- qemuDomainObjExitAgent(vm, agent);
+-
+- endjob:
+- if (job)
+- qemuDomainObjEndJobWithAgent(driver, vm);
+- else
+- qemuDomainObjEndAgentJob(vm);
++ ret = qemuDomainPMSuspendAgent(driver, vm, target);
+
+ cleanup:
+ virDomainObjEndAPI(&vm);
+-- 
+1.7.1
+
|
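Review bot: In `qemuDomainQueryWakeupSuspendSupport` a missing QEMU_CAPS_QUERY_CURRENT_MACHINE and a failure of virDomainObjCheckActive or qemuDomainProbeQMPCurrentMachine both come back as -1, so the caller's `== 0` test in qemuDomainPMSuspendForDuration treats a real probe failure like the legacy "no capability" path and goes on to issue the agent suspend, whereas the removed lines ended the call on `qemuDomainProbeQMPCurrentMachine(...) < 0`. Returning a distinct value for the unsupported case, e.g. `return 1;` at the capability check, and having the caller do `if ((rc = qemuDomainQueryWakeupSuspendSupport(driver, vm, &wakeupSupported)) < 0) goto cleanup;` before testing `rc == 0 && !wakeupSupported` would keep the old failure behaviour, with the header comment changed to `/* returns -1 on error, 1 if the query is not supported, 0 on success */`. Because the monitor job and the agent job are now taken separately, the wakeup result and the pm.s3/pm.s4 checks are evaluated with no job held and the domain may change state in between; qemuDomainPMSuspendAgent re-checks virDomainObjCheckActive, which appears to cover the inactive case, but a one-line comment at the split saying this window is accepted so that agent traffic can never block the monitor job would help the next reader. The enclosing qemuDomainPMSuspendForDuration body is only partly shown by the inner hunks: its prologue before line 19766 and its tail after `virDomainObjEndAPI(&vm);` are outside the patch.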