author | Dan Tran <msft.dantran@gmail.com> | 2019-10-05 11:08:17 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-10-08 22:51:35 +0100 |
commit | fd8df1bd0f84671b9133b4a0bc9f5e4f174974c0 (patch) | |
tree | da4ffbf459c54f1ec6dc4f6095c1e630493b8deb | |
parent | 959edeb83d9e211fb4dea5cc8dc77e687e6594c5 (diff) | |
download | poky-fd8df1bd0f84671b9133b4a0bc9f5e4f174974c0.tar.gz |
qemu: Fix CVE-2019-8934
(From OE-Core rev: 7f13e4e9ef51bf62729a9a955967aa4752d0d2e8)
Signed-off-by: Dan Tran <dantran@microsoft.com>
[Fix up against latest warrior]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch | 215 |
2 files changed, 216 insertions, 0 deletions
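--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -32,6 +32,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://CVE-2019-3812.patch \
 file://0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch \
 file://CVE-2018-20815.patch \
+file://CVE-2019-8934.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 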
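--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch
@@ -0,0 +1,215 @@
+From 8c2e30a92d95d89e2cf45d229bce274881026cf7 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 18 Feb 2019 23:43:49 +0530
+Subject: [PATCH] ppc: add host-serial and host-model machine attributes
+(CVE-2019-8934)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+On ppc hosts, hypervisor shares following system attributes
+
+- /proc/device-tree/system-id
+- /proc/device-tree/model
+
+with a guest. This could lead to information leakage and misuse.[*]
+Add machine attributes to control such system information exposure
+to a guest.
+
+[*] https://wiki.openstack.org/wiki/OSSN/OSSN-0028
+
+Reported-by: Daniel P. Berrangé <berrange@redhat.com>
+Fix-suggested-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20190218181349.23885-1-ppandit@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+
+CVE: CVE-2019-8934
+Upstream-Status: Backport
+[https://github.com/qemu/qemu/commit/27461d69a0f108dea756419251acc3ea65198f1b]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+hw/ppc/spapr.c | 128 ++++++++++++++++++++++++++++++++++++++---
+include/hw/ppc/spapr.h | 2 +
+2 files changed, 123 insertions(+), 7 deletions(-)
+
+diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
+index 7afd1a175b..bcee7c162d 100644
+--- a/hw/ppc/spapr.c
++++ b/hw/ppc/spapr.c
+@@ -1244,13 +1244,30 @@ static void *spapr_build_fdt(sPAPRMachineState *spapr,
+* Add info to guest to indentify which host is it being run on
+* and what is the uuid of the guest
+*/
+- if (kvmppc_get_host_model(&buf)) {
+- _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
+- g_free(buf);
++ if (spapr->host_model && !g_str_equal(spapr->host_model, "none")) {
++ if (g_str_equal(spapr->host_model, "passthrough")) {
++ /* -M host-model=passthrough */
++ if (kvmppc_get_host_model(&buf)) {
++ _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
++ g_free(buf);
++ }
++ } else {
++ /* -M host-model=<user-string> */
++ _FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model));
++ }
+}
+- if (kvmppc_get_host_serial(&buf)) {
+- _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
+- g_free(buf);
++
++ if (spapr->host_serial && !g_str_equal(spapr->host_serial, "none")) {
++ if (g_str_equal(spapr->host_serial, "passthrough")) {
++ /* -M host-serial=passthrough */
++ if (kvmppc_get_host_serial(&buf)) {
++ _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
++ g_free(buf);
++ }
++ } else {
++ /* -M host-serial=<user-string> */
++ _FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_serial));
++ }
+}
+
+buf = qemu_uuid_unparse_strdup(&qemu_uuid);
+@@ -3031,6 +3048,73 @@ static void spapr_set_vsmt(Object *obj, Visitor *v, const char *name,
+visit_type_uint32(v, name, (uint32_t *)opaque, errp);
+}
+
++static char *spapr_get_ic_mode(Object *obj, Error **errp)
++{
++ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++ if (spapr->irq == &spapr_irq_xics_legacy) {
++ return g_strdup("legacy");
++ } else if (spapr->irq == &spapr_irq_xics) {
++ return g_strdup("xics");
++ } else if (spapr->irq == &spapr_irq_xive) {
++ return g_strdup("xive");
++ } else if (spapr->irq == &spapr_irq_dual) {
++ return g_strdup("dual");
++ }
++ g_assert_not_reached();
++}
++
++static void spapr_set_ic_mode(Object *obj, const char *value, Error **errp)
++{
++ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++ if (SPAPR_MACHINE_GET_CLASS(spapr)->legacy_irq_allocation) {
++ error_setg(errp, "This machine only uses the legacy XICS backend, don't pass ic-mode");
++ return;
++ }
++
++ /* The legacy IRQ backend can not be set */
++ if (strcmp(value, "xics") == 0) {
++ spapr->irq = &spapr_irq_xics;
++ } else if (strcmp(value, "xive") == 0) {
++ spapr->irq = &spapr_irq_xive;
++ } else if (strcmp(value, "dual") == 0) {
++ spapr->irq = &spapr_irq_dual;
++ } else {
++ error_setg(errp, "Bad value for \"ic-mode\" property");
++ }
++}
++
++static char *spapr_get_host_model(Object *obj, Error **errp)
++{
++ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++ return g_strdup(spapr->host_model);
++}
++
++static void spapr_set_host_model(Object *obj, const char *value, Error **errp)
++{
++ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++ g_free(spapr->host_model);
++ spapr->host_model = g_strdup(value);
++}
++
++static char *spapr_get_host_serial(Object *obj, Error **errp)
++{
++ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++ return g_strdup(spapr->host_serial);
++}
++
++static void spapr_set_host_serial(Object *obj, const char *value, Error **errp)
++{
++ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++ g_free(spapr->host_serial);
++ spapr->host_serial = g_strdup(value);
++}
++
+static void spapr_instance_init(Object *obj)
+{
+sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
+@@ -3067,6 +3151,25 @@ static void spapr_instance_init(Object *obj)
+" the host's SMT mode", &error_abort);
+object_property_add_bool(obj, "vfio-no-msix-emulation",
+spapr_get_msix_emulation, NULL, NULL);
++
++ /* The machine class defines the default interrupt controller mode */
++ spapr->irq = smc->irq;
++ object_property_add_str(obj, "ic-mode", spapr_get_ic_mode,
++ spapr_set_ic_mode, NULL);
++ object_property_set_description(obj, "ic-mode",
++ "Specifies the interrupt controller mode (xics, xive, dual)",
++ NULL);
++
++ object_property_add_str(obj, "host-model",
++ spapr_get_host_model, spapr_set_host_model,
++ &error_abort);
++ object_property_set_description(obj, "host-model",
++ "Set host's model-id to use - none|passthrough|string", &error_abort);
++ object_property_add_str(obj, "host-serial",
++ spapr_get_host_serial, spapr_set_host_serial,
++ &error_abort);
++ object_property_set_description(obj, "host-serial",
++ "Set host's system-id to use - none|passthrough|string", &error_abort);
+}
+
+static void spapr_machine_finalizefn(Object *obj)
+@@ -3965,7 +4068,18 @@ static void spapr_machine_3_1_instance_options(MachineState *machine)
+
+static void spapr_machine_3_1_class_options(MachineClass *mc)
+{
+- /* Defaults for the latest behaviour inherited from the base class */
++ sPAPRMachineClass *smc = SPAPR_MACHINE_CLASS(mc);
++ static GlobalProperty compat[] = {
++ { TYPE_SPAPR_MACHINE, "host-model", "passthrough" },
++ { TYPE_SPAPR_MACHINE, "host-serial", "passthrough" },
++ };
++
++ spapr_machine_4_0_class_options(mc);
++ compat_props_add(mc->compat_props, hw_compat_3_1, hw_compat_3_1_len);
++ compat_props_add(mc->compat_props, compat, G_N_ELEMENTS(compat));
++
++ mc->default_cpu_type = POWERPC_CPU_TYPE_NAME("power8_v2.0");
++ smc->update_dt_enabled = false;
+}
+
+DEFINE_SPAPR_MACHINE(3_1, "3.1", true);
+diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
+index 6279711fe8..63692a13bd 100644
+--- a/include/hw/ppc/spapr.h
++++ b/include/hw/ppc/spapr.h
+@@ -171,6 +171,8 @@ struct sPAPRMachineState {
+
+/*< public >*/
+char *kvm_type;
++ char *host_model;
++ char *host_serial;
+
+const char *icp_type;
+int32_t irq_map_nr;
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+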
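Review bot: The `compat[]` table added to `spapr_machine_3_1_class_options()` forces `host-model` and `host-serial` to `passthrough`, so a guest on the 3.1 machine type still receives the host's model and system-id unless the operator passes `-M host-model=none,host-serial=none`; the `true` in `DEFINE_SPAPR_MACHINE(3_1, "3.1", true)` suggests 3.1 is the default machine in this tree, which would leave the CVE-2019-8934 exposure on by default. The same hunk and the `ic-mode` accessors also reference `spapr_machine_4_0_class_options()`, `hw_compat_3_1`, `smc->irq`, `spapr_irq_xive`/`spapr_irq_dual` and `smc->update_dt_enabled`, none of which are defined in the visible hunks or mentioned in the commit message, so confirm they exist in the QEMU version this recipe builds and that a ppc64 softmmu build actually compiles `hw/ppc/spapr.c`. If they do not, I would trim the backport to the `host-model`/`host-serial` pieces and keep the original body, `/* Defaults for the latest behaviour inherited from the base class */`, so that the unset default exposes nothing to the guest.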