* [pve-devel] [PATCH v2 qemu-server] remote migration: fix online migration via API clients
@ 2024-08-13 8:42 Fiona Ebner
From: Fiona Ebner @ 2024-08-13 8:42 UTC (permalink / raw)
To: pve-devel
As reported in the community forum [0], when a remote migration
request comes in via an API client, the -T flag for Perl is set, so an
insecure dependency in a call like unlink() in forward_unix_socket()
will fail with:
> failed to write forwarding command - Insecure dependency in unlink while running with -T switch
To fix it, untaint the problematic socket addresses coming from the
remote side. Require that all sockets are below '/run/qemu-server/'
and end with '.migrate'. This allows extensions in the future while
still being quite strict.
[0]: https://forum.proxmox.com/threads/123048/post-691958
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
Changes in v2:
* rule out '../' in path
PVE/QemuMigrate.pm | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/PVE/QemuMigrate.pm b/PVE/QemuMigrate.pm
index e71face4..d31589e7 100644
--- a/PVE/QemuMigrate.pm
+++ b/PVE/QemuMigrate.pm
@@ -1095,7 +1095,10 @@ sub phase2 {
die "only UNIX sockets are supported for remote migration\n"
if $tunnel_info->{proto} ne 'unix';
- my $remote_socket = $tunnel_info->{addr};
+ # untaint
+ my ($remote_socket) =
+ $tunnel_info->{addr} =~ m|^(/run/qemu-server/(?:(?!\.\./).)+\.migrate)$|;
+ die "unexpected socket address '$tunnel_info->{addr}'\n" if !$remote_socket;
my $local_socket = $remote_socket;
$local_socket =~ s/$remote_vmid/$vmid/g;
$tunnel_info->{addr} = $local_socket;
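Review bot: the allow-list in the new match is looser and harder to read than it needs to be. `(?:(?!\.\./).)+` accepts any byte except newline (spaces, quotes, `..` without a slash, further subdirectories) as long as the literal `../` does not occur, whereas the only socket path the destination ever announces for a migration is `/run/qemu-server/<vmid>.migrate`. Capturing `(\d+)` there instead would be stricter, self-documenting, and would also yield the remote VMID, so the following context line `$local_socket =~ s/$remote_vmid/$vmid/g;` could be replaced by building `/run/qemu-server/$vmid.migrate` directly rather than substituting a digit string that may also occur elsewhere in the path.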
@@ -1104,6 +1107,9 @@ sub phase2 {
PVE::Tunnel::forward_unix_socket($self->{tunnel}, $local_socket, $remote_socket);
foreach my $remote_socket (@{$tunnel_info->{unix_sockets}}) {
+ # untaint
+ ($remote_socket) = $remote_socket =~ m|^(/run/qemu-server/(?:(?!\.\./).)+\.migrate)$|
+ or die "unexpected socket address '$remote_socket'\n";
my $local_socket = $remote_socket;
$local_socket =~ s/$remote_vmid/$vmid/g;
next if $self->{tunnel}->{forwarded}->{$local_socket};
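Review bot: the same regex literal is now duplicated in two places; a small `untaint_socket_addr` helper (or a shared constant) would keep the two checks from drifting apart. Two things worth a comment in the hunk: because `foreach my $remote_socket (@{...})` aliases the loop variable to the array element, `($remote_socket) = $remote_socket =~ m|...|` writes the untainted value back into `$tunnel_info->{unix_sockets}` in place, which is fine but not obvious; and the `... or die` form is correct since `=` binds tighter than `or` and a failed match assigns an empty list, which returns 0 and triggers the `die`.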
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* Re: [pve-devel] [PATCH v2 qemu-server] remote migration: fix online migration via API clients
From: Fabian Grünbichler @ 2024-09-03 9:37 UTC (permalink / raw)
To: Proxmox VE development discussion
On August 13, 2024 10:42 am, Fiona Ebner wrote:
> As reported in the community forum [0], when a remote migration
> request comes in via an API client, the -T flag for Perl is set, so an
> insecure dependency in a call like unlink() in forward_unix_socket()
> will fail with:
>
>> failed to write forwarding command - Insecure dependency in unlink while running with -T switch
>
> To fix it, untaint the problematic socket addresses coming from the
> remote side. Require that all sockets are below '/run/qemu-server/'
> and end with '.migrate'. This allows extensions in the future while
> still being quite strict.
>
> [0]: https://forum.proxmox.com/threads/123048/post-691958
>
> Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
> ---
>
> Changes in v2:
> * rule out '../' in path
>
> PVE/QemuMigrate.pm | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/PVE/QemuMigrate.pm b/PVE/QemuMigrate.pm
> index e71face4..d31589e7 100644
> --- a/PVE/QemuMigrate.pm
> +++ b/PVE/QemuMigrate.pm
> @@ -1095,7 +1095,10 @@ sub phase2 {
> die "only UNIX sockets are supported for remote migration\n"
> if $tunnel_info->{proto} ne 'unix';
>
> - my $remote_socket = $tunnel_info->{addr};
> + # untaint
> + my ($remote_socket) =
> + $tunnel_info->{addr} =~ m|^(/run/qemu-server/(?:(?!\.\./).)+\.migrate)$|;
should we just switch to `\d+`, like we do for regular migration? in
phase2_start_local_cluster we have:
    elsif ($line =~ m!^migration listens on (unix):(/run/qemu-server/(\d+)\.migrate)$!) {
        $tunnel_info->{addr} = $2;
        die "Destination UNIX sockets VMID does not match source VMID" if $vmid ne $3;
        $tunnel_info->{proto} = $1;
    }
and I don't really see a reason to deviate from that scheme any time
soon?
> + die "unexpected socket address '$tunnel_info->{addr}'\n" if !$remote_socket;
> my $local_socket = $remote_socket;
> $local_socket =~ s/$remote_vmid/$vmid/g;
> $tunnel_info->{addr} = $local_socket;
> @@ -1104,6 +1107,9 @@ sub phase2 {
> PVE::Tunnel::forward_unix_socket($self->{tunnel}, $local_socket, $remote_socket);
>
> foreach my $remote_socket (@{$tunnel_info->{unix_sockets}}) {
> + # untaint
> + ($remote_socket) = $remote_socket =~ m|^(/run/qemu-server/(?:(?!\.\./).)+\.migrate)$|
> + or die "unexpected socket address '$remote_socket'\n";
> my $local_socket = $remote_socket;
> $local_socket =~ s/$remote_vmid/$vmid/g;
> next if $self->{tunnel}->{forwarded}->{$local_socket};
> --
> 2.39.2
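The failure described in the commit message (a tainted socket address reaching unlink() under -T) and the untaint-by-capture fix, using the `/run/qemu-server/<vmid>.migrate` scheme suggested in the reply above, as an added stand-alone demonstration that is not qemu-server code. The helper `untaint_migrate_socket`, the sample addresses and the use of `\z` instead of `$` (so that a trailing newline cannot satisfy the anchor) are this example's own choices; tainting is produced with the usual idiom of concatenating a zero-length substring of `%ENV`, which Perl marks tainted under -T, to stand in for data read from an API client or tunnel.

```perl
#!/usr/bin/perl -T
# Run as: perl -T taint_demo.pl   (the -T must be on the command line or via the shebang)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical helper, not part of qemu-server: accept only a numeric VMID
# below /run/qemu-server/ ending in '.migrate' and return the untainted
# capture plus the VMID. Anything else, including '../' traversal, is
# rejected. A regex capture is the one way Perl clears the taint flag, so
# the pattern must be as strict as the intended allow-list.
sub untaint_migrate_socket {
    my ($addr) = @_;
    my ($socket, $vmid) = $addr =~ m!^(/run/qemu-server/(\d+)\.migrate)\z!
        or die "unexpected socket address '$addr'\n";
    return ($socket, $vmid);
}

# Constructed inputs. %ENV is always tainted under -T; concatenating a
# zero-length substring of it taints each sample string without changing it.
my $taint   = substr($ENV{PATH} // '', 0, 0);
my @samples = map { $_ . $taint } (
    '/run/qemu-server/100.migrate',         # accepted
    '/run/qemu-server/../tmp/100.migrate',  # traversal, rejected
    '/run/qemu-server/abc.migrate',         # not a VMID, rejected
    '/tmp/100.migrate',                     # wrong directory, rejected
);

for my $addr (@samples) {
    printf "%-40s tainted=%d\n", $addr, tainted($addr) ? 1 : 0;

    # Passing the tainted value straight to unlink() dies with the same
    # "Insecure dependency in unlink while running with -T switch" message
    # that the forum report quotes, before any file is touched.
    eval { unlink($addr) };
    print "  direct unlink: $@" if $@;

    my ($socket, $vmid) = eval { untaint_migrate_socket($addr) };
    if ($@) {
        print "  rejected: $@";
        next;
    }
    # The captured path is clean and may be used in unlink(), sockets, etc.
    printf "  accepted socket=%s vmid=%s tainted=%d\n",
        $socket, $vmid, tainted($socket) ? 1 : 0;
}
```

Only the first sample is accepted, and its capture reports `tainted=0` while every original string reports `tainted=1`; the three rejected samples show why a digits-only VMID capture is preferable to a pattern that merely forbids the substring `../`.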
* Re: [pve-devel] [PATCH v2 qemu-server] remote migration: fix online migration via API clients
From: Fiona Ebner @ 2024-09-04 11:14 UTC (permalink / raw)
To: Proxmox VE development discussion, Fabian Grünbichler
On 03.09.24 at 11:37, Fabian Grünbichler wrote:
> On August 13, 2024 10:42 am, Fiona Ebner wrote:
>> diff --git a/PVE/QemuMigrate.pm b/PVE/QemuMigrate.pm
>> index e71face4..d31589e7 100644
>> --- a/PVE/QemuMigrate.pm
>> +++ b/PVE/QemuMigrate.pm
>> @@ -1095,7 +1095,10 @@ sub phase2 {
>> die "only UNIX sockets are supported for remote migration\n"
>> if $tunnel_info->{proto} ne 'unix';
>>
>> - my $remote_socket = $tunnel_info->{addr};
>> + # untaint
>> + my ($remote_socket) =
>> + $tunnel_info->{addr} =~ m|^(/run/qemu-server/(?:(?!\.\./).)+\.migrate)$|;
>
> should we just switch to `\d+`, like we do for regular migration? in
> phase2_start_local_cluster we have:
>
>     elsif ($line =~ m!^migration listens on (unix):(/run/qemu-server/(\d+)\.migrate)$!) {
>         $tunnel_info->{addr} = $2;
>         die "Destination UNIX sockets VMID does not match source VMID" if $vmid ne $3;
>         $tunnel_info->{proto} = $1;
>     }
>
> and I don't really see a reason to deviate from that scheme any time
> soon?
>
Sounds good, did so in v3:
https://lore.proxmox.com/pve-devel/20240904111231.106570-1-f.ebner@proxmox.com/T/#u