Merge ~noonedeadpunk/ubuntu/+source/libvirt:libvirt-sru-lp2133183-blokdev-tls-noble into ubuntu/+source/libvirt:ubuntu/noble-devel

Proposed by Dmitriy Rabotyagov
Status: Needs review
Proposed branch: ~noonedeadpunk/ubuntu/+source/libvirt:libvirt-sru-lp2133183-blokdev-tls-noble
Merge into: ubuntu/+source/libvirt:ubuntu/noble-devel
Diff against target: 114 lines (+89/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu/lp-2133183-no-empty-string-tls-hostname.patch (+80/-0)
Reviewer Review Type Date Requested Status
Ubuntu Sponsors Pending
Ubuntu Developers Pending
Review via email: mp+496518@code.launchpad.net

Description of the change

Cherry-pick of the existing upstream bugfix for live migrations with TLS and local (non-shared) storage, https://github.com/libvirt/libvirt/commit/5d48c5d215071526383b8fc50d81ecde62e4111b, into pkg/ubuntu/noble-devel.

* debian/patches/ubuntu/lp-2133183-no-empty-string-tls-hostname.patch:
  Don't use empty string for 'tls-hostname' NBD blockdev.
  Thanks to Peter Krempa <email address hidden>. (LP: #2133183)

Dmitriy Rabotyagov (noonedeadpunk) wrote :

Hey folks!

Is there any way to get some attention to this PR and land the backport to cover the libvirt regression?

Unmerged commits

6d7d011... by Dmitriy Rabotyagov

* debian/patches/ubuntu/lp-2133183-no-empty-string-tls-hostname.patch:
  Don't use empty string for 'tls-hostname' NBD blockdev.
  Thanks to Peter Krempa <email address hidden>. (LP: #2133183)

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index e9441d9..6ee40c4 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,11 @@
6+libvirt (10.0.0-2ubuntu8.12) noble; urgency=medium
7+
8+ * debian/patches/ubuntu/lp-2133183-no-empty-string-tls-hostname.patch:
9+ Don't use empty string for 'tls-hostname' NBD blockdev.
10+ Thanks to Peter Krempa <pkrempa@redhat.com>. (LP: #2133183)
11+
12+ -- Dmitriy Rabotyagov <noonedeadpunk@gmail.com> Thu, 27 Nov 2025 21:48:00 +0100
13+
14 libvirt (10.0.0-2ubuntu8.11) noble-security; urgency=medium
15
16 * SECURITY UPDATE: memory consumption DoS via XML parsing
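Review bot: the changelog entry names the patch file and the LP bug but not where the fix comes from; since the SRU justification depends on this being a verbatim upstream cherry-pick, it would help reviewers to add the upstream commit (5d48c5d215071526383b8fc50d81ecde62e4111b, as given in the merge description) to the entry, e.g. "Cherry-picked from upstream commit 5d48c5d2." after the "Thanks to" line. Also note the version bump from 10.0.0-2ubuntu8.11 (noble-security) to 10.0.0-2ubuntu8.12 (noble) is the expected follow-on for an SRU landing in -updates after a security upload.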
17diff --git a/debian/patches/series b/debian/patches/series
18index e963811..eaa6f5d 100644
19--- a/debian/patches/series
20+++ b/debian/patches/series
21@@ -40,6 +40,7 @@ ubuntu/lp-2095488-virsysinfo-fix-RISC-V-detection.patch
22 ubuntu/lp2051239/1-qemu-capabilities-Add-QEMU_CAPS_VIRTIO_CCW_DEVICE.patch
23 ubuntu/lp2051239/2-qemu-command-add-multi-boot-device-support-on-s39.patch
24 ubuntu/lp-2117467-virdevmapper-device-name-for-targets.patch
25+ubuntu/lp-2133183-no-empty-string-tls-hostname.patch
26
27 # Ubuntu Apparmor Changes
28 ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch
29diff --git a/debian/patches/ubuntu/lp-2133183-no-empty-string-tls-hostname.patch b/debian/patches/ubuntu/lp-2133183-no-empty-string-tls-hostname.patch
30new file mode 100644
31index 0000000..3496729
32--- /dev/null
33+++ b/debian/patches/ubuntu/lp-2133183-no-empty-string-tls-hostname.patch
34@@ -0,0 +1,80 @@
35+From 5d48c5d215071526383b8fc50d81ecde62e4111b Mon Sep 17 00:00:00 2001
36+From: Peter Krempa <pkrempa@redhat.com>
37+Date: Fri, 19 Apr 2024 15:51:35 +0200
38+Subject: [PATCH] qemu: migration: Don't use empty string for 'tls-hostname'
39+ NBD blockdev
40+
41+While QEMU accepts and interprets an empty string in the tls-hostname
42+field in migration parametes as if it's unset, the same does not apply
43+for the 'tls-hostname' field when 'blockdev-add'-ing a NBD backend for
44+non-shared storage migration.
45+
46+When libvirt sets up migation with TLS in 'qemuMigrationParamsEnableTLS'
47+the QEMU_MIGRATION_PARAM_TLS_HOSTNAME migration parameter will be set to
48+empty string in case when the 'hostname' argument is passed as NULL.
49+
50+Later on when setting up the NBD connections for non-shared storage
51+migration 'qemuMigrationParamsGetTLSHostname', which fetches the value
52+of the aforementioned TLS parameter.
53+
54+This bug was mostly latent until recently as libvirt used
55+MIGRATION_DEST_CONNECT_HOST mode in most cases which required the
56+hostname to be passed, thus the parameter was set properly.
57+
58+This changed with 8d693d79c40 for post-copy migration, where libvirt now
59+instructs qemu to connect and thus passes NULL hostname to
60+qemuMigrationParamsEnableTLS, which in turn causes libvirt to try to
61+add NBD connection with empty string as tls-hostname resulting in:
62+
63+ error: internal error: unable to execute QEMU command 'blockdev-add': Certificate does not match the hostname
64+
65+To address this modify 'qemuMigrationParamsGetTLSHostname' to undo the
66+weird semantics the migration code uses to handle TLS hostname and make
67+it return NULL if the hostname is an empty string.
68+
69+Fixes: e8fa09d66bc
70+Resolves: https://issues.redhat.com/browse/RHEL-32880
71+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
72+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
73+---
74+ src/qemu/qemu_migration_params.c | 15 +++++++++++++--
75+ 1 file changed, 13 insertions(+), 2 deletions(-)
76+
77+diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c
78+index e955822f68f..48f8657f716 100644
79+--- a/src/qemu/qemu_migration_params.c
80++++ b/src/qemu/qemu_migration_params.c
81+@@ -1158,6 +1158,7 @@ qemuMigrationParamsEnableTLS(virQEMUDriver *driver,
82+ *tlsAlias) < 0)
83+ return -1;
84+
85++ /* QEMU interprets an empty string for hostname as if it is not populated */
86+ if (!migParams->params[QEMU_MIGRATION_PARAM_TLS_HOSTNAME].set &&
87+ qemuMigrationParamsSetString(migParams,
88+ QEMU_MIGRATION_PARAM_TLS_HOSTNAME,
89+@@ -1659,13 +1660,23 @@ qemuMigrationCapsGet(virDomainObj *vm,
90+ * @migParams: Migration params object
91+ *
92+ * Fetches the value of the QEMU_MIGRATION_PARAM_TLS_HOSTNAME parameter which is
93+- * passed from the user as VIR_MIGRATE_PARAM_TLS_DESTINATION
94++ * passed from the user as VIR_MIGRATE_PARAM_TLS_DESTINATION.
95++ *
96++ * In contrast with the migration parameter semantics, where an empty string
97++ * is considered as if the hostname was not provided, this function will return
98++ * NULL instead of an empty string as other parts of QEMU expect that the
99++ * hostname is not provided at all.
100+ */
101+ const char *
102+ qemuMigrationParamsGetTLSHostname(qemuMigrationParams *migParams)
103+ {
104++ const char *hostname = migParams->params[QEMU_MIGRATION_PARAM_TLS_HOSTNAME].value.s;
105++
106+ if (!migParams->params[QEMU_MIGRATION_PARAM_TLS_HOSTNAME].set)
107+ return NULL;
108+
109+- return migParams->params[QEMU_MIGRATION_PARAM_TLS_HOSTNAME].value.s;
110++ if (STREQ(hostname, ""))
111++ return NULL;
112++
113++ return hostname;
114+ }
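Review bot: the new patch file carries only the git format-patch headers (From/Date/Subject) and no DEP-3 "Origin:" or "Bug-Ubuntu:" lines; Ubuntu SRU practice is to add "Origin: upstream, https://github.com/libvirt/libvirt/commit/5d48c5d215071526383b8fc50d81ecde62e4111b" and "Bug-Ubuntu: https://bugs.launchpad.net/bugs/2133183" above the "---" separator so the provenance is visible without opening the merge proposal. The commit message says the bug was introduced by e8fa09d66bc and exposed by 8d693d79c40; the SRU bug should confirm that both are present in the 10.0.0 sources shipped in noble so the regression described ("Certificate does not match the hostname" on blockdev-add) actually reproduces there before and not after the patch. The code change itself is kept verbatim from upstream: qemuMigrationParamsGetTLSHostname now reads value.s into a local, still returns NULL when the parameter is unset, and additionally maps an empty string to NULL via STREQ, which is the documented intent; STREQ on a NULL value.s would not be safe, so this relies on the invariant that a parameter with .set true always has a non-NULL string, which holds for the QEMU_MIGRATION_PARAM_TLS_HOSTNAME setter path shown in the first hunk.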
