-rw-r--r-- | recipes-devtools/qemu/qemu/CVE-2017-7471.patch | 70 | ||||
-rw-r--r-- | recipes-devtools/qemu/qemu_%.bbappend | 1 |
2 files changed, 71 insertions, 0 deletions
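--- /dev/null
+++ b/recipes-devtools/qemu/qemu/CVE-2017-7471.patch
@@ -0,0 +1,70 @@
+From 96bae145e27d4df62671b4eebd6c735f412016cf Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Mon, 17 Apr 2017 10:53:23 +0200
+Subject: [PATCH] 9pfs: local: set the path of the export root to "."
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The local backend was recently converted to using "at*()" syscalls in order
+to ensure all accesses happen below the shared directory. This requires that
+we only pass relative paths, otherwise the dirfd argument to the "at*()"
+syscalls is ignored and the path is treated as an absolute path in the host.
+This is actually the case for paths in all fids, with the notable exception
+of the root fid, whose path is "/". This causes the following backend ops to
+act on the "/" directory of the host instead of the virtfs shared directory
+when the export root is involved:
+- lstat
+- chmod
+- chown
+- utimensat
+
+ie, chmod /9p_mount_point in the guest will be converted to chmod / in the
+host for example. This could cause security issues with a privileged QEMU.
+
+All "*at()" syscalls are being passed an open file descriptor. In the case
+of the export root, this file descriptor points to the path in the host that
+was passed to -fsdev.
+
+The fix is thus as simple as changing the path of the export root fid to be
+"." instead of "/".
+
+This is CVE-2017-7471.
+
+CVE: CVE-2017-7471
+Upstream-Status: Backport
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Léo Gaspard <leo@gaspard.io>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit 9c6b899f7a46893ab3b671e341a2234e9c0c060e)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+hw/9pfs/9p-local.c | 7 ++++++-
+1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
+index 227de61..293e0dc 100644
+--- a/hw/9pfs/9p-local.c
++++ b/hw/9pfs/9p-local.c
+@@ -1099,8 +1099,13 @@ static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path,
+{
+if (dir_path) {
+v9fs_path_sprintf(target, "%s/%s", dir_path->data, name);
+- } else {
++ } else if (strcmp(name, "/")) {
+v9fs_path_sprintf(target, "%s", name);
++ } else {
++ /* We want the path of the export root to be relative, otherwise
++ * "*at()" syscalls would treat it as "/" in the host.
++ */
++ v9fs_path_sprintf(target, "%s", ".");
+}
+return 0;
+}
+--
+1.9.1
+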
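Review bot: In the embedded hw/9pfs/9p-local.c hunk, the `else if (strcmp(name, "/"))` branch still copies `name` verbatim whenever `dir_path` is NULL and `name` is anything other than exactly "/". A name that merely begins with "/" would therefore still yield an absolute path, and the commit message says the dirfd given to the "*at()" calls is ignored for absolute paths. Whether any caller can reach that branch with such a name is not visible here, because local_name_to_path begins above the hunk and its callers are elsewhere. If the export root is the only intended NULL-`dir_path` case, that assumption should be recorded on the branch, e.g. `/* dir_path == NULL is only expected for the export root; any other name must be relative */`. As a style point, `strcmp(name, "/") != 0` makes the "not the root" sense of the condition explicit.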
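--- a/recipes-devtools/qemu/qemu_%.bbappend
+++ b/recipes-devtools/qemu/qemu_%.bbappend
@@ -3,4 +3,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
 
 SRC_URI += "file://0001-CVE-2017-2620.patch \
 file://0002-CVE-2017-2620.patch \
+file://CVE-2017-7471.patch \
 "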