Bug 1454367
| Summary: | QEMU fails to reject IPv4 connections when IPv4 listening is disabled | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Daniel Berrangé <berrange> |
| Component: | qemu-kvm-rhev | Assignee: | Eric Blake <eblake> |
| Status: | CLOSED ERRATA | QA Contact: | Yiqian Wei <yiwei> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.4 | CC: | areis, chayang, eblake, jinzhao, juzhang, knoel, michen, mrezanin, mtessun, pezhang, virt-maint, xfu, xiywang |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | qemu-kvm-rhev-2.10.0-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-04-11 00:23:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Daniel Berrangé
2017-05-22 14:48:26 UTC
The scenarios describe are fixed by patches 3 & 4 in this small series https://lists.gnu.org/archive/html/qemu-devel/2017-05/msg04707.html Will be picked up for 7.5 via rebase, because it is included in upstream 2.10:
commit 563a3987b980a36e6941720a99d5cf36960f78ea
Author: Daniel P. Berrange <berrange>
Date: Wed May 17 14:34:36 2017 +0100
io: preserve ipv4/ipv6 flags when resolving InetSocketAddress
The original InetSocketAddress struct may have has_ipv4 and
has_ipv6 fields set, which will control both the ai_family
used during DNS resolution, and later use of the V6ONLY
flag.
Currently the standalone DNS resolver code drops the
has_ipv4 & has_ipv6 flags after resolving, which means
the later bind() code won't correctly set V6ONLY.
This fixes the following scenarios
-vnc :0,ipv4=off
-vnc :0,ipv6=on
-vnc :::0,ipv4=off
-vnc :::0,ipv6=on
which all mistakenly accepted IPv4 clients
Acked-by: Gerd Hoffmann <kraxel>
Reviewed-by: Philippe Mathieu-Daudé <f4bug>
Reviewed-by: Eric Blake <eblake>
Signed-off-by: Daniel P. Berrange <berrange>
commit 94bc0d19789b6f5ce881c4a06a3e1c431874cbbd
Author: Daniel P. Berrange <berrange>
Date: Wed May 17 14:17:55 2017 +0100
sockets: ensure we don't accept IPv4 clients when IPv4 is disabled
Currently if you disable listening on IPv4 addresses, via the
CLI flag ipv4=off, we still mistakenly accept IPv4 clients via
the IPv6 listener socket due to IPV6_V6ONLY flag being unset.
We must ensure IPV6_V6ONLY is always set if ipv4=off
This fixes the following scenarios
-incoming tcp::9000,ipv6=on
-incoming tcp:[::]:9000,ipv6=on
-chardev socket,id=cdev0,host=,port=9000,server,nowait,ipv4=off
-chardev socket,id=cdev0,host=,port=9000,server,nowait,ipv6=on
-chardev socket,id=cdev0,host=::,port=9000,server,nowait,ipv4=off
-chardev socket,id=cdev0,host=::,port=9000,server,nowait,ipv6=on
which all mistakenly accepted IPv4 clients
Acked-by: Gerd Hoffmann <kraxel>
Reviewed-by: Philippe Mathieu-Daudé <f4bug>
Reviewed-by: Eric Blake <eblake>
Signed-off-by: Daniel P. Berrange <berrange>
Reproduce host version: qemu-kvm-rhev-2.9.0-1.el7.x86_64 kernel-3.10.0-737.el7.x86_64 test scenarios: # /usr/libexec/qemu-kvm -monitor stdio -vnc :0,ipv4=off # /usr/libexec/qemu-kvm -monitor stdio -vnc :::0,ipv4=off # /usr/libexec/qemu-kvm -monitor stdio -vnc :0,ipv6=on # /usr/libexec/qemu-kvm -monitor stdio -vnc :::0,ipv6=on # /usr/libexec/qemu-kvm -monitor stdio -incoming tcp::9000,ipv6=on # /usr/libexec/qemu-kvm -monitor stdio -incoming tcp:[::]:9000,ipv6=on # /usr/libexec/qemu-kvm -monitor stdio -chardev socket,id=cdev0,host=,port=9000,server,nowait,ipv4=off # /usr/libexec/qemu-kvm -monitor stdio -chardev socket,id=cdev0,host=,port=9000,server,nowait,ipv6=on # /usr/libexec/qemu-kvm -monitor stdio -chardev socket,id=cdev0,host=::,port=9000,server,nowait,ipv4=off # /usr/libexec/qemu-kvm -monitor stdio -chardev socket,id=cdev0,host=::,port=9000,server,nowait,ipv6=on test steps: 1.usr/libexec/qemu-kvm -monitor stdio -incoming tcp::9000,ipv6=on 2.telnet 127.0.0.1 9000 (Repeat for test scenarios shown earlier) Actual results: Client succesfully connects to 127.0.0.1, port 9000 # telnet 127.0.0.1 9000 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]' ---------------------------- Verify this bug on qemu-kvm-rhev-2.10.0-2.el7.x86_64 as same steps above. Actual results: Client fails to connect to 127.0.0.1 with "Connection refused" message. # telnet 127.0.0.1 9000 Trying 127.0.0.1... telnet: connect to address 127.0.0.1: Connection refused According to result above,this bug has been fixed. According to comment 10, change to verified status Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:1104 |