[pve-devel] [PATCH v3 qemu-server] remote migration: fix online migration via API clients

[pve-devel] [PATCH v3 qemu-server] remote migration: fix online migration via API clients

[Fiona Ebner]

As reported in the community forum [0], when a remote migration
request comes in via an API client, the -T flag for Perl is set, so an
insecure dependency in a call like unlink() in forward_unix_socket()
will fail with:

> failed to write forwarding command - Insecure dependency in unlink while running with -T switch

To fix it, untaint the problematic socket addresses coming from the
remote side. Require that all sockets are below '/run/qemu-server/'
and end with '.migrate' with the main socket being matched more
strictly. This allows extensions in the future while still being quite
strict.

[0]: https://forum.proxmox.com/threads/123048/post-691958

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---

Changes in v3:
* Match main socket address more strictly as suggested by Fabian.

 PVE/QemuMigrate.pm | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/PVE/QemuMigrate.pm b/PVE/QemuMigrate.pm
index e71face4..6591f3f7 100644
--- a/PVE/QemuMigrate.pm
+++ b/PVE/QemuMigrate.pm
@@ -1095,7 +1095,9 @@ sub phase2 {
 	die "only UNIX sockets are supported for remote migration\n"
 	    if $tunnel_info->{proto} ne 'unix';
 
-	my $remote_socket = $tunnel_info->{addr};
+	# untaint
+	my ($remote_socket) = $tunnel_info->{addr} =~ m|^(/run/qemu-server/\d+\.migrate)$|
+	    or die "unexpected socket address '$tunnel_info->{addr}'\n";
 	my $local_socket = $remote_socket;
 	$local_socket =~ s/$remote_vmid/$vmid/g;
 	$tunnel_info->{addr} = $local_socket;
@@ -1104,6 +1106,9 @@ sub phase2 {
 	PVE::Tunnel::forward_unix_socket($self->{tunnel}, $local_socket, $remote_socket);
 
 	foreach my $remote_socket (@{$tunnel_info->{unix_sockets}}) {
+	    # untaint
+	    ($remote_socket) = $remote_socket =~ m|^(/run/qemu-server/(?:(?!\.\./).)+\.migrate)$|
+		or die "unexpected socket address '$remote_socket'\n";
 	    my $local_socket = $remote_socket;
 	    $local_socket =~ s/$remote_vmid/$vmid/g;
 	    next if $self->{tunnel}->{forwarded}->{$local_socket};
-- 
2.39.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] applied: [PATCH v3 qemu-server] remote migration: fix online migration via API clients

[Thomas Lamprecht]

Am 04/09/2024 um 13:12 schrieb Fiona Ebner:
> As reported in the community forum [0], when a remote migration
> request comes in via an API client, the -T flag for Perl is set, so an
> insecure dependency in a call like unlink() in forward_unix_socket()
> will fail with:
> 
>> failed to write forwarding command - Insecure dependency in unlink while running with -T switch
> 
> To fix it, untaint the problematic socket addresses coming from the
> remote side. Require that all sockets are below '/run/qemu-server/'
> and end with '.migrate' with the main socket being matched more
> strictly. This allows extensions in the future while still being quite
> strict.
> 
> [0]: https://forum.proxmox.com/threads/123048/post-691958
> 
> Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
> ---
> 
> Changes in v3:
> * Match main socket address more strictly as suggested by Fabian.
> 
>  PVE/QemuMigrate.pm | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
>

applied, thanks!


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel