Control: tag -1 patch

I ended up tracking this down - the problem is that the target qemu accepts the NBD connection from the source but does not handle any of the data on the socket. That plus Berni's comment that the NBD security patches caused the regression helped me figure out what was going wrong and get a proper fix to the security patches.

The patch nbd-fully-initialize-client-in-case-of-failed-negotiation-CVE-2017-9524.patch was not backported / cherry-picked properly. It's taken from this commit in qemu 2.10:

https://github.com/qemu/qemu/commit/df8ad9f128c15aa0a0ebc7b24e9a22c9775b67af

Note that the backported patch moves around a call to nbd_set_handlers(), which doesn't exist in the upstream commit. The upstream commit has a call to nbd_client_receive_next_request() which _isn't_ moved by the patch; that call doesn't exist in the backported commit. That's because this call to nbd_set_handlers() was changed to nbd_client_receive_next_request() in qemu 2.9:

https://github.com/qemu/qemu/commit/ff82911cd3f69f028f2537825c9720ff78bc3f19

If you adjust the backported patch to leave nbd_set_handlers() alone instead of moving it around, the NBD server starts to work, and live migration works again. I've tested this by patching the qemu on the target hypervisor and doing a live migration using Stretch's versions of OpenStack and libvirt (nova live-migration --block-migrate, VM disks are qcow2 on local disk).

I've attached a debdiff of the local build I'm using. You should be able to fix the version number in d/changelog and upload. If it would help for me to prepare packages for upload (I'll need sponsorship, but I can upload to mentors or something with my DM key) or open a pull request to Salsa, I can do that too. (Not totally sure what the process is for an update to stable.)

--
Geoffrey Thomas
https://ldpreload.com
geo...@ldpreload.com
diff -Nru qemu-2.8+dfsg/debian/changelog qemu-2.8+dfsg/debian/changelog
--- qemu-2.8+dfsg/debian/changelog      2018-11-08 15:41:45.000000000 +0000
+++ qemu-2.8+dfsg/debian/changelog      2019-04-05 19:02:53.000000000 +0000
@@ -1,3 +1,14 @@
+qemu (1:2.8+dfsg-6+deb9u5+geofft1) stretch-security; urgency=medium
+
+  * Fix improper backport of CVE-2017-9524 fix that caused NBD
+    connections to hang (Closes: #873012).
+    - 
nbd-fully-initialize-client-in-case-of-failed-negotiation-CVE-2017-9524.patch:
+      Don't move nbd_set_handlers before nbd_negotiate.
+    - nbd-fix-regression-on-resiliency-to-port-scan-CVE-2017-9524.patch:
+      Refresh.
+
+ -- Geoffrey Thomas <geo...@twosigma.com>  Fri, 05 Apr 2019 19:02:53 +0000
+
 qemu (1:2.8+dfsg-6+deb9u5) stretch-security; urgency=medium
 
   * Backport SSBD support (Closes: #908682)
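Review bot: the version string `1:2.8+dfsg-6+deb9u5+geofft1` on the first added line is a local-build suffix rather than a stable-security version, and the trailer address `geo...@twosigma.com` differs from the address in the mail signature; both need adjusting before upload, as the cover mail already says. Also, the patch filename `nbd-fully-initialize-client-in-case-of-failed-negotiation-CVE-2017-9524.patch` appears split across two lines in the quoted entry; make sure the actual changelog keeps it on one indented line so the entry parses cleanly.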
diff -Nru 
qemu-2.8+dfsg/debian/patches/nbd-fix-regression-on-resiliency-to-port-scan-CVE-2017-9524.patch
 
qemu-2.8+dfsg/debian/patches/nbd-fix-regression-on-resiliency-to-port-scan-CVE-2017-9524.patch
--- 
qemu-2.8+dfsg/debian/patches/nbd-fix-regression-on-resiliency-to-port-scan-CVE-2017-9524.patch
      2018-05-26 10:04:06.000000000 +0000
+++ 
qemu-2.8+dfsg/debian/patches/nbd-fix-regression-on-resiliency-to-port-scan-CVE-2017-9524.patch
      2019-04-05 19:02:53.000000000 +0000
@@ -140,15 +140,15 @@
  }
  
  static void nbd_read(void *opaque)
-@@ -1410,7 +1410,7 @@ static coroutine_fn void nbd_co_client_start(void 
*opaque)
-     nbd_set_handlers(client);
+@@ -1409,7 +1409,7 @@ static coroutine_fn void nbd_co_client_s
+     qemu_co_mutex_init(&client->send_lock);
  
      if (nbd_negotiate(data)) {
 -        client_close(client);
 +        client_close(client, false);
          goto out;
      }
- 
+     nbd_set_handlers(client);
 @@ -1418,11 +1418,17 @@ out:
      g_free(data);
  }
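Review bot: this is a context-only refresh of the nested hunk (header `@@ -1410,7 +1410,7 @@` becomes `@@ -1409,7 +1409,7 @@`, `qemu_co_mutex_init(&client->send_lock);` replaces `nbd_set_handlers(client);` as leading context, and the trailing blank context line is replaced by `nbd_set_handlers(client);`), with the functional line `client_close(client, false);` untouched, which matches the changelog's "Refresh." Since the new context assumes the fully-initialize patch has already been applied, confirm that d/patches/series orders that patch before this one; otherwise this nested hunk will stop applying.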
diff -Nru 
qemu-2.8+dfsg/debian/patches/nbd-fully-initialize-client-in-case-of-failed-negotiation-CVE-2017-9524.patch
 
qemu-2.8+dfsg/debian/patches/nbd-fully-initialize-client-in-case-of-failed-negotiation-CVE-2017-9524.patch
--- 
qemu-2.8+dfsg/debian/patches/nbd-fully-initialize-client-in-case-of-failed-negotiation-CVE-2017-9524.patch
  2018-05-26 10:04:06.000000000 +0000
+++ 
qemu-2.8+dfsg/debian/patches/nbd-fully-initialize-client-in-case-of-failed-negotiation-CVE-2017-9524.patch
  2019-04-05 19:02:53.000000000 +0000
@@ -51,14 +51,13 @@
 +        QTAILQ_INSERT_TAIL(&exp->clients, client, next);
      }
 +    qemu_co_mutex_init(&client->send_lock);
-+    nbd_set_handlers(client);
 +
      if (nbd_negotiate(data)) {
          client_close(client);
          goto out;
      }
 -    qemu_co_mutex_init(&client->send_lock);
--    nbd_set_handlers(client);
+     nbd_set_handlers(client);
  
 -    if (exp) {
 -        QTAILQ_INSERT_TAIL(&exp->clients, client, next);
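Review bot: dropping the added `+    nbd_set_handlers(client);` before the negotiate block and the matching `-    nbd_set_handlers(client);` after it leaves handler installation as unchanged context following `nbd_negotiate()`, so the backport now moves only the `send_lock` init and the `QTAILQ_INSERT_TAIL` ahead of negotiation, which is the ordering the cover mail identifies as the fix for the hang. One thing to confirm: the failure branch still calls `client_close(client)` on a client whose handlers were never installed, so check that 2.8's `client_close()` copes with that state, since that path is exactly what the CVE-2017-9524 fix concerns.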