Age | Commit message (Collapse) | Author |
|
A few of the vioscsi functions have debug logging in DPRINTF's and
are the only use of some declared variables. This tucks any debug-only
variables into the DPRINTF or behind an #if DEBUG.
ok from deraadt@ caveated I don't add code before any declarations.
|
|
With recent changes to login.conf(5) to restrict daemon datasize
to a finite value, users can now hit resource limits when attempting
to start a vm.
This change fixes the error path when hitting the limit. vmd(8)
will no longer abort and memory error messages are relayed to the
user.
While here, address potential under-reads/writes using atomicio
when relaying data between the child vm process and vmd's vmm
process.
Original diff from tedu@. OK mlarkin@.
|
|
apostrophe.
|
|
Remove a warning that has outlived its usefulness.
From Brian Conway, thanks.
|
|
ok afresh sthen deraadt
|
|
to the caller instead of most probably crashing because of a NULL pointer
access. This fixes also another -Wunused-but-set-variable warning.
OK benno@ dv@
|
|
OK benno@ dv@
|
|
Based on input from dv@
|
|
OK benno@ dv@
|
|
results in an autoinstall. This can be used to quickly create new OpenBSD
installs.
OK dv@
|
|
macro-build a replacement for sccsid, and was done without any concern
for namespace damage. Unfortunately this practice started infecting
other code as others were unaware they didn't need the file.
ok millert guenther
|
|
ok mlarkin
|
|
adjust the man page as well.
OK sthen@ kn@ patrick@
|
|
|
|
ok mlarkin@
|
|
seabios fixes wrong LUN handling upstream. Thus, we have to adapt the LUN
of our cdrom bootorder string, too.
ok brynet@, dv@
|
|
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.
For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.
With help from millert@
ok benno@ deraadt@
|
|
Discussed with mlarkin@. These functions were implemented but never
used. While in vmd.h, fix the order to match current vmd(8) reality.
|
|
viornd did not mask the descriptor value in the available ring
allowing guest values to read past the end of the descriptor table.
While here, change fatal to fatalx because errno is not set.
Reported by Ilja van Sprundel
ok mlarkin@
|
|
Guest can cause out of bounds read with a malformed descriptor. In same
loop, also fix a chunk size calculation.
Reported by Ilja van Sprundel.
ok mlarkin@
|
|
If {c,m}alloc fail, info could be NULL and result in NULL deref.
Reported by Ilja van Sprundel.
ok mlarkin@
|
|
Reported by Ilja van Sprundel.
ok mlarkin@
|
|
Used originally to aid dev. Unneeded.
ok mlarkin@
|
|
Refactor config_setvm to directly return error code on failure
instead of returning -1 and setting errno. It was setting unsupported
values not defined in <errno.h>.
OK mlarkin@
|
|
Remove legacy state handling on the ns8250 and virtio network devices
originally put in place before using libevent for async device
events. The vcpu thread doesn't need to process device data as it is
handled by the libevent thread.
This has the benefit of simplifying some of the message passing
between threads introduced to the ns8250 uart since both the vcpu
and libevent threads were processing read events.
No functional change intended. Tested by many, including abieber@,
weerd@, Mischa Peters, and Matthias Schmidt. (Thanks.)
OK mlarkin@
|
|
The original implementation of the virtio network device assumed a
driver would only provide a 2-descriptor chain for receiving packets.
The virtio spec allows for variable length chains and drivers, in
practice, construct them when they use a sufficiently large MTU.
This change lets the device use variable length chains provided by
the driver, thus allowing for drivers to set an MTU up to the
underlying host-side tap(4)'s limit of TUNMRU (16384).
Size limitations are now enforced on both tx and rx-side dropping
anything violating the underlying tap(4) min and max limits.
More work is needed to increase the read(2) buffer in use by vmd
to prevent packet truncation.
OK mlarkin@
|
|
Linux guests like to issue VIRTIO_BLK_T_GET_ID commands in attempts
to read the device serial number. It's not part of the virtio spec,
but has been part of QEMU and Bhyve for multiple years. It will be
landing in the next version of virtio (1.2), so this stubs out
handling for the request type. The added benefit is it helps squelch
log noise from Linux guests.
For now, no serial number is set and the request status is set to
VIRTIO_BLK_S_UNSUPP to tell the driver we don't support it.
While here, swap the response to VIRTIO_BLK_T_FLUSH{,_OUT} to be
also returning VIRTIO_BLK_S_UNSUPP. It's not negotiated nor
implemented. Lastly, add checks for validating the vioblk device
is only reading/writing descriptors with appropriate read/write-only
flags per the virtio spec.
With input from claudio@, OK mlarkin@
|
|
Lots of organic growth over the years led to unnecessary includes
(proc.h everywhere) and odd dependencies between header files. This
cleans things up a bit to help with upcoming cleanup around dhcp
code.
No functional change.
"go for it" mlarkin@
|
|
where this filtering was done in bpf but here vmd needs to make sure to
not look at non IPv4 packets.
OK florian@ and dv@
|
|
No need for each case in the switch block to have the same logic
for updating the used ring and writing the state back to the guest.
Move it outside the switch. No functional change.
ok mlarkin@
|
|
Instead of translating imsg types, update vmctl(8) to handle receiving
IMSG_VMDOP_TERMINATE_VM_EVENT messages on vm termination.
This finishes the work previously committed for supporting multiple
waiters or the cancellation of a client waiting on a vm shutdown.
vmd no longer needs to translate an IMSG_VMDOP_TERMINATE_VM_RESPONSE
into an *_EVENT.
ok mlarkin@
|
|
A sufficiently large dhcp packet can cause a stack overflow in vmd's
internal dhcp server used for providing ip addresses to local guest
interfaces. (This does not affect non-local interfaces.)
The primary changes drop larger packets and change the memory copying
logic to use a compile-time constant. The dhcp option processing
also has additional prevention for out of bound reads.
While here, improve construction of the dhcp response's hostname
handling to guard against overflowing the response dhcp options.
Vulnerability reported by Maxime Villard.
ok claudio@
|
|
Provide a default value of a zero'd mac address so a user can still
specify the interface should be "locked" (only transmitting ethernet
packets with a matching source address). vmd will assign a random
address at vm launch.
As an example, this is now valid:
    vm "name" {
        interface {
            locked lladdr
        }
        ...
    }
From Martin Vahlensieck
ok claudio@
|
|
reyk@ imported packet.c from (I think) dhclient(8). In dhclient,
the packets are already filtered down to just udp. This change has
vmd skip a non-udp ip packet sooner when it's trying to determine
if it is a dhcp/bootp packet that needs processing.
The counters (seen, bad checksums, etc) for ip and udp packets are
also removed as they aren't used by vmd.
This only affects "local" network interfaces for vmd.
OK mlarkin@
|
|
A vmd guest can craft invalid virtio descriptor lengths resulting
in reading and writing beyond stack-allocated buffer lengths providing
an escape vector to the host.
Instead of allowing the guest to dictate read/write lengths, this
commit has vmd just use compile-time lengths based on the source
or destination object sizes. For instances where vmd's virtio
implementation can't use this method, such as reading packets from
the vionet device, cap each read with a pre-computed max chunk size.
Reported by Maxime Villard.
Tested with help from Mischa Peters, OK mlarkin@
|
|
Don't print 'base' since it might not be initialized in all code paths.
From James Cook
|
|
vmd(8)'s vm_instance function set unsupported errno values. Change the
api to directly return an error (either errno or custom vmd error).
"go for it" -mlarkin@
|
|
Compression errors from libz don't set errno.
OK mlarkin@
|
|
Was added about 4 years ago, but hasn't been used and linked into
the build. Discussed with dlg@ and mlarkin@.
mlarkin@: "Let's remove for now..."
|
|
Error messages related to bad configuration were not flushing to
stderr.
OK mlarkin@
|
|
"sure" mlarkin@
|
|
Adds queue-based tracking of waiting client state to fix the cause of
state corruption when a vmctl(8) user cancels a wait and restarts it.
The socket fd value for the control process client was being used to
track the waiting party, but this also prevented multiple waiting
clients.
This moves all the state tracking of who to notify of a vm's stopping
to the control process and no longer requires the parent process to
track it in the global environment state.
Future work will be needed to smooth out the difference between the
IMSG_VMDOP_TERMINATE_VM_{EVENT,RESPONSE} events instead of needing to
translate before relaying to the vmctl(8) client.
Tested by Mischa Peters (thanks!)
ok mlarkin@
|
|
Add protections against guests with bad virtio-{blk,net,scsi}
drivers, specifically avoiding invalid descriptor chains and
invalid vionet packet sizes. This helps prevent possible lockup
of the host vm process due to a spinning device event loop thread.
Also fix an unneeded cast in the vioblk handling in case of invalid
buffer lengths.
OK mlarkin@
|
|
|
|
Because dhcpsz was an uninitialized ssize_t, it was possible that a
garbage "packet" would be queued on the receiving end of the virtio
network device.
Change the type to size_t and add proper checks based on it being
greater than zero. Remove the cast of ssize_t to uint64_t that also
caused garbage sizes when dhcpsz was uninitialized and set at runtime
to something < 0.
|
|
These priv-sep daemons all follow a similar design and use TAILQs
for tracking control process connections. In most cases, the TAILQs
are initialized separate from where they are used. Since the scope
of use is generally confined to a specific control process file,
this commit also removes any extern definitions and exposing the
TAILQ structures to other compilation units.
ok bluhm@, tb@
|
|
|
|
Some vestigial code left over from when priv-sep was implemented.
ok mlarkin@
|
|
|
|
The bsd.rd ramdisk now ships gzip'd on amd64. Use libz in base to
transparently handle decompression of any compressed kernel images.
Patch from Josh Rickmar.
ok kn@
|