Add cloud-hypervisor v51.1 with backwards-compatible version flag (CVE-2026-27211)#200
Open
ulziibay-kernel wants to merge 10 commits into
Open
Add cloud-hypervisor v51.1 with backwards-compatible version flag (CVE-2026-27211)#200ulziibay-kernel wants to merge 10 commits into
ulziibay-kernel wants to merge 10 commits into
Conversation
|
Firetiger deploy monitoring skipped This PR didn't match the auto-monitor filter configured on your GitHub connection:
Reason: PR updates Cloud Hypervisor binaries and related build tooling, but does not modify API endpoints (packages/api/cmd/api/) or Temporal workflows (packages/api/lib/temporal) that the filter targets. To monitor this PR anyway, reply with |
Contributor
Author
Changes between v49.0 and v51.1 -- reviewer notes
Breaking changes addressed
Upgrade path
Medium Impact
Low Impact / Positive (v50.0-v51.1)
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
ulziibay-kernel
changed the title
ulziibay-kernel
force-pushed
the
hypeship/upgrade-ch-v50.1
branch
from
bb7f53e to
ef4be42
Compare
ulziibay-kernel
changed the title
sjmiller609
reviewed
May 12, 2026
Collaborator
sjmiller609
left a comment
sjmiller609
left a comment
There was a problem hiding this comment.
excellent, just a few small feedbacks
|
|
||
| var ( | ||
| defaultVersionMu sync.RWMutex | ||
| defaultVersion = vmm.V49_0 |
Collaborator
There was a problem hiding this comment.
I think we don't need this block and the default version will be somewhere else
Contributor
Author
There was a problem hiding this comment.
Done — removed the hardcoded default here. defaultVersionOverride is now a nullable pointer; when nil (the default), GetDefaultVersion() falls back to vmm.DefaultVersion defined in binaries_linux.go.
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 4cb1544. Configure here.
Fixes GHSA-jmr4-g2hv-mjj6 (CVE-2026-27211): VMM host file exfiltration via malicious QCOW2 headers. Affects versions 34.0 through 50.0; fixed in 50.1. - Drop embedded v48.0 and v49.0 binaries; embed v50.1 only - Update Makefile downloads, spec source, and ensure-ch-binaries check to v50.1 - Update SupportedVersions, ParseVersion, and the default GetVersion() returned by the cloud-hypervisor Starter - Update tests and docs to reference v50.1 Cloud Hypervisor API remains at v0.3.0 (new /vm.resize-disk endpoint and optional `nested` field are additive, no regen needed unless the new surface is used). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
CH v50.1 prevents sector-zero writes on autodetected raw images as part of the CVE-2026-27211 fix. Without explicit image_type, the overlay disk (vdb) fails with I/O errors because CH treats it as a potential QCOW2 spoof: I/O error, dev vdb, sector 0 op 0x1:(WRITE) EXT4-fs (vdb): mount failed FATAL: dropping to shell for debugging Fix: 1. Regenerate lib/vmm/vmm.go from the v50.1 OpenAPI spec to pick up the new image_type and backing_files fields in DiskConfig 2. Fix malformed enum in the upstream spec (type: enum [...] -> type: string with enum list) matching cloud-hypervisor PR #7734 3. Set ImageType: Raw on all disk configs in ToVMConfig so CH skips format autodetection and allows sector-zero writes on raw images Made-with: Cursor
Made-with: Cursor
v51.1 is the latest release and includes: - Same CVE-2026-27211 fix as v50.1 - Fixed image_type enum in OpenAPI spec (PR #7734) -- we no longer need our manual spec patch - QCOW2 v3 improvements (live resize, variable refcount, dirty bit) - DISCARD/WRITE_ZEROES support for virtio-blk - THP for anonymous shared memory (performance) - ACPI NUMA affinity for VFIO-PCI (GPU passthrough) Regenerated lib/vmm/vmm.go from v51.1's native spec (includes Unknown as an additional ImageType variant). Made-with: Cursor
Instead of replacing v49.0 with v51.1, embed both versions and add a config flag (hypervisor.cloud_hypervisor_version) to control which version new instances use. Default remains v49.0 for safe rollout. - Re-add v49.0 binaries alongside v51.1 in Makefile and embed directives - Add CloudHypervisorVersion field to HypervisorConfig (default "v49.0") - Add SetDefaultVersion/GetDefaultVersion to CH starter, wired from providers.go at startup - Existing standby instances restore using their stored version (already the case via stored.HypervisorVersion in restore.go) - New E2E test (TestCloudHypervisorVersionUpgradeRestore) verifies: create on v49.0 -> standby -> switch default to v51.1 -> restore still uses v49.0 -> new instance uses v51.1 - ImageType: Raw (v51.1 CVE fix) is safe for v49.0 (serde ignores unknown fields) Operators can flip to v51.1 when ready: HYPERVISOR__CLOUD_HYPERVISOR_VERSION=v51.1 No drain strategy needed -- snapshot restore works across both versions. Made-with: Cursor
Cursor Bugbot correctly identified that RestoreSnapshot and ForkFromSnapshot in snapshot.go call starter.GetVersion() and overwrite HypervisorVersion. With the configurable default, flipping to v51.1 would break standby snapshot restores of v49.0 instances. Fix: only overwrite HypervisorVersion when the target hypervisor TYPE differs from the source (stopped snapshot cross-hypervisor restore). When the type is the same, preserve the source snapshot's version so CH gets the exact binary match it requires. Also fix ParseVersion to use regex extraction + SupportedVersions lookup instead of substring Contains, addressing the Bugbot note about "v50.1" matching "v50.10" (now moot but the pattern was still fragile). Made-with: Cursor
- Move DefaultVersion to binaries_linux.go as single source of truth (not duplicated in config defaults) - Rename config to cloud_hypervisor_default_version, default empty (empty = use vmm.DefaultVersion from code) - SetDefaultVersion now returns error on invalid versions (Bugbot fix) - Add HypervisorVersion to CreateInstanceRequest so callers can pin a specific version at creation time - Add per-version Capabilities pattern: CapabilitiesForVersion() with SupportsDiskResize=true for v51.1+ (establishes the pattern) - Add API versioning comment in Makefile (single spec for now) - Update README with multi-version architecture docs - Update E2E test to use explicit HypervisorVersion on create request Made-with: Cursor
Made-with: Cursor
Made-with: Cursor
- Validate req.HypervisorVersion against supported versions before storing in metadata (Bugbot: unsupported version would persist and fail at VM start) - Replace regex-based ParseVersion with direct string matching against SupportedVersions, longest-first to avoid "v49.0" matching "v49.0.1" (Bugbot: greedy regex could match three-part version strings) Made-with: Cursor
ulziibay-kernel
force-pushed
the
hypeship/upgrade-ch-v50.1
branch
from
4cb1544 to
32e6820
Compare
sjmiller609
approved these changes
May 14, 2026
Collaborator
sjmiller609
left a comment
sjmiller609
left a comment
There was a problem hiding this comment.
Optional feedbacks. Looks great! Thanks
Comment on lines
+90
to
+92
| // GetVersion returns the configured default Cloud Hypervisor version. | ||
| // This controls which version is used for new instances; existing instances | ||
| // use the version stored in their metadata. |
| V51_1 CHVersion = "v51.1" | ||
| ) | ||
|
|
||
| const DefaultVersion = V49_0 |
Collaborator
There was a problem hiding this comment.
should we be defaulting to V51_1?
| ) | ||
|
|
||
| var SupportedVersions = []CHVersion{V48_0, V49_0} | ||
| const DefaultVersion = V49_0 |
Collaborator
There was a problem hiding this comment.
should we be defaulting to V51_1? It would be OK in follow up if intentional
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds Cloud Hypervisor v51.1 alongside existing v49.0 with a config flag to control which version new instances use. This enables a safe, no-downtime upgrade path for CVE-2026-27211.
What changed
hypervisor.cloud_hypervisor_version(default:v49.0)HYPERVISOR__CLOUD_HYPERVISOR_VERSION=v51.1ImageType: Rawon all disks (CVE fix)Upgrade path
HYPERVISOR__CLOUD_HYPERVISOR_VERSION=v51.1Security fix (CVE-2026-27211)
Fixes GHSA-jmr4-g2hv-mjj6: arbitrary host file exfiltration via crafted QCOW2 disk headers. Affects CH versions 34.0 through 50.0. Fixed in 50.1+.
v51.1 additionally includes:
Files changed
Makefile-- download both v49.0 and v51.1 binariescmd/api/config/config.go-- addcloud_hypervisor_versionfield (defaultv49.0)lib/vmm/binaries_linux.go-- embed both v49.0 and v51.1lib/vmm/binaries_darwin.go-- version constants for compile compatlib/vmm/version.go-- ParseVersion matches both versionslib/vmm/vmm.go-- regenerated from v51.1 OpenAPI speclib/vmm/client_test.go-- tests for both versionslib/hypervisor/cloudhypervisor/process.go-- SetDefaultVersion/GetDefaultVersion, configurable GetVersionlib/hypervisor/cloudhypervisor/config.go-- ImageType: Raw on all disks (CVE fix, safe for v49.0)lib/providers/providers.go-- wire config flag at startuplib/instances/version_upgrade_test.go-- new E2E test: create v49.0 -> standby -> switch to v51.1 -> restore -> verify version preserved -> create new instance on v51.1Test plan
go build ./lib/vmm/... ./lib/hypervisor/cloudhypervisor/...go vetcleango test ./lib/vmm/...-- both versions extract and startgo test ./lib/hypervisor/cloudhypervisor/...passesTestCloudHypervisorVersionUpgradeRestore-- standby/restore across version changego test ./lib/instances/...(requires KVM, CI)Note
Medium Risk
Changes which Cloud Hypervisor binary can be selected for new VM instances and updates the generated VMM API client; mistakes could break VM start/restore or lead to mismatched snapshot restores across versions.
Overview
Adds Cloud Hypervisor
v51.1as an additional embedded VMM binary (keepingv49.0) and updates build tooling to download/ensure both versions, enabling backwards-compatible upgrades.Introduces a new config field
hypervisor.cloud_hypervisor_default_versionand runtime override (cloudhypervisor.SetDefaultVersion/GetDefaultVersion) so new instances can use a chosen CH version, while existing instances continue to restore using the version stored in metadata;CreateInstanceRequestnow supports an explicitHypervisorVersionwith validation.Regenerates the Cloud Hypervisor OpenAPI client/spec from
v51.1(including/vm.resize-diskand new schema fields) and sets CH diskImageTypetoRawin VM config generation; adds version-aware capabilities (e.g., disk resize onv51.1) and an integration test covering standby/restore across a default-version flip.Reviewed by Cursor Bugbot for commit 32e6820. Bugbot is set up for automated code reviews on this repo. Configure here.