qemu: Security fix for CVE-2018-19489

Source: Qemu.org MR: 97453 Type: Security Fix Disposition: Backport from git.qemu.org/gemu.git ChangeID: a06fcb432d447cec2ed1caf112822dd1b4831ace Description: In the spirt of YP Compatible, sending change upstream. fixes CVE CVE-2018-19489 Affect < = 4.0.0 (From OE-Core rev: 249447828cd1ed13f9faf19793208b503acf0d30) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2019-05-29 11:14:38 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-07-27 18:05:18 +0100
commit: e53f7d53f40df75c25e6cdbd1a19b16b296d307b (patch)
tree: c722dea047c60d6c8ed94be5e381731b6e7d5d30
parent: f381b778ae24e19a7c7f505c90e9e22d42acf9a9 (diff)
download: poky-e53f7d53f40df75c25e6cdbd1a19b16b296d307b.tar.gz
2 files changed, 84 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch
new file mode 100644
index 0000000000..7619e2a8ca
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch
@@ -0,0 +1,83 @@
+From 1d20398694a3b67a388d955b7a945ba4aa90a8a8 Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Fri, 23 Nov 2018 13:28:03 +0100
+Subject: [PATCH] 9p: fix QEMU crash when renaming files
+When using the 9P2000.u version of the protocol, the following shell
+command line in the guest can cause QEMU to crash:
+    while true; do rm -rf aa; mkdir -p a/b & touch a/b/c & mv a aa; done
+With 9P2000.u, file renaming is handled by the WSTAT command. The
+v9fs_wstat() function calls v9fs_complete_rename(), which calls
+v9fs_fix_path() for every fid whose path is affected by the change.
+The involved calls to v9fs_path_copy() may race with any other access
+to the fid path performed by some worker thread, causing a crash like
+shown below:
+Thread 12 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
+0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8, path=0x0,
+ flags=65536, mode=0) at hw/9pfs/9p-local.c:59
+59          while (*path && fd != -1) {
+(gdb) bt
+#0  0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8,
+ path=0x0, flags=65536, mode=0) at hw/9pfs/9p-local.c:59
+#1  0x0000555555a25e0c in local_opendir_nofollow (fs_ctx=0x555557d958b8,
+ path=0x0) at hw/9pfs/9p-local.c:92
+#2  0x0000555555a261b8 in local_lstat (fs_ctx=0x555557d958b8,
+ fs_path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/9p-local.c:185
+#3  0x0000555555a2b367 in v9fs_co_lstat (pdu=0x555557d97498,
+ path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/cofile.c:53
+#4  0x0000555555a1e9e2 in v9fs_stat (opaque=0x555557d97498)
+ at hw/9pfs/9p.c:1083
+#5  0x0000555555e060a2 in coroutine_trampoline (i0=-669165424, i1=32767)
+ at util/coroutine-ucontext.c:116
+#6  0x00007fffef4f5600 in __start_context () at /lib64/libc.so.6
+#7  0x0000000000000000 in  ()
+(gdb)
+The fix is to take the path write lock when calling v9fs_complete_rename(),
+like in v9fs_rename().
+Impact:  DoS triggered by unprivileged guest users.
+Fixes: CVE-2018-19489
+Cc: P J P <ppandit@redhat.com>
+Reported-by: zhibin hu <noirfate@gmail.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+Upstream-Status: Backport
+Affects: < 4.0.0
+CVE: CVE-2018-19489
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ hw/9pfs/9p.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 267a255..bdf7919 100644
+--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
+@@ -2855,6 +2855,7 @@ static void coroutine_fn v9fs_wstat(void *opaque)
+     struct stat stbuf;
+     V9fsFidState *fidp;
+     V9fsPDU *pdu = opaque;
+    V9fsState *s = pdu->s;
+ 
+     v9fs_stat_init(&v9stat);
+     err = pdu_unmarshal(pdu, offset, "dwS", &fid, &unused, &v9stat);
+@@ -2920,7 +2921,9 @@ static void coroutine_fn v9fs_wstat(void *opaque)
+         }
+     }
+     if (v9stat.name.size != 0) {
+        v9fs_path_write_lock(s);
+         err = v9fs_complete_rename(pdu, fidp, -1, &v9stat.name);
+        v9fs_path_unlock(s);
+         if (err < 0) {
+             goto out;
+         }
+-- 
+2.7.4
diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
index 59cfc38e4b..992cf7b1a8 100644
--- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
@@ -30,6 +30,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2018-18849.patch \
           file://CVE-2018-19364_p1.patch \
           file://CVE-2018-19364_p2.patch \
+           file://CVE-2018-19489.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
author	Armin Kuster <akuster@mvista.com>	2019-05-29 11:14:38 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +0100
commit	e53f7d53f40df75c25e6cdbd1a19b16b296d307b (patch)
tree	c722dea047c60d6c8ed94be5e381731b6e7d5d30
parent	f381b778ae24e19a7c7f505c90e9e22d42acf9a9 (diff)
download	poky-e53f7d53f40df75c25e6cdbd1a19b16b296d307b.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch new file mode 100644 index 0000000000..7619e2a8ca --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch
@@ -0,0 +1,83 @@
		1	From 1d20398694a3b67a388d955b7a945ba4aa90a8a8 Mon Sep 17 00:00:00 2001
		2	From: Greg Kurz <groug@kaod.org>
		3	Date: Fri, 23 Nov 2018 13:28:03 +0100
		4	Subject: [PATCH] 9p: fix QEMU crash when renaming files
		5
		6	When using the 9P2000.u version of the protocol, the following shell
		7	command line in the guest can cause QEMU to crash:
		8
		9	while true; do rm -rf aa; mkdir -p a/b & touch a/b/c & mv a aa; done
		10
		11	With 9P2000.u, file renaming is handled by the WSTAT command. The
		12	v9fs_wstat() function calls v9fs_complete_rename(), which calls
		13	v9fs_fix_path() for every fid whose path is affected by the change.
		14	The involved calls to v9fs_path_copy() may race with any other access
		15	to the fid path performed by some worker thread, causing a crash like
		16	shown below:
		17
		18	Thread 12 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
		19	0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8, path=0x0,
		20	flags=65536, mode=0) at hw/9pfs/9p-local.c:59
		21	59 while (*path && fd != -1) {
		22	(gdb) bt
		23	#0 0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8,
		24	path=0x0, flags=65536, mode=0) at hw/9pfs/9p-local.c:59
		25	#1 0x0000555555a25e0c in local_opendir_nofollow (fs_ctx=0x555557d958b8,
		26	path=0x0) at hw/9pfs/9p-local.c:92
		27	#2 0x0000555555a261b8 in local_lstat (fs_ctx=0x555557d958b8,
		28	fs_path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/9p-local.c:185
		29	#3 0x0000555555a2b367 in v9fs_co_lstat (pdu=0x555557d97498,
		30	path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/cofile.c:53
		31	#4 0x0000555555a1e9e2 in v9fs_stat (opaque=0x555557d97498)
		32	at hw/9pfs/9p.c:1083
		33	#5 0x0000555555e060a2 in coroutine_trampoline (i0=-669165424, i1=32767)
		34	at util/coroutine-ucontext.c:116
		35	#6 0x00007fffef4f5600 in __start_context () at /lib64/libc.so.6
		36	#7 0x0000000000000000 in ()
		37	(gdb)
		38
		39	The fix is to take the path write lock when calling v9fs_complete_rename(),
		40	like in v9fs_rename().
		41
		42	Impact: DoS triggered by unprivileged guest users.
		43
		44	Fixes: CVE-2018-19489
		45	Cc: P J P <ppandit@redhat.com>
		46	Reported-by: zhibin hu <noirfate@gmail.com>
		47	Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
		48	Signed-off-by: Greg Kurz <groug@kaod.org>
		49
		50	Upstream-Status: Backport
		51	Affects: < 4.0.0
		52	CVE: CVE-2018-19489
		53	Signed-off-by: Armin Kuster <akuster@mvista.com>
		54
		55	---
		56	hw/9pfs/9p.c \| 3 +++
		57	1 file changed, 3 insertions(+)
		58
		59	diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
		60	index 267a255..bdf7919 100644
		61	--- a/hw/9pfs/9p.c
		62	+++ b/hw/9pfs/9p.c
		63	@@ -2855,6 +2855,7 @@ static void coroutine_fn v9fs_wstat(void *opaque)
		64	struct stat stbuf;
		65	V9fsFidState *fidp;
		66	V9fsPDU *pdu = opaque;
		67	+ V9fsState *s = pdu->s;
		68
		69	v9fs_stat_init(&v9stat);
		70	err = pdu_unmarshal(pdu, offset, "dwS", &fid, &unused, &v9stat);
		71	@@ -2920,7 +2921,9 @@ static void coroutine_fn v9fs_wstat(void *opaque)
		72	}
		73	}
		74	if (v9stat.name.size != 0) {
		75	+ v9fs_path_write_lock(s);
		76	err = v9fs_complete_rename(pdu, fidp, -1, &v9stat.name);
		77	+ v9fs_path_unlock(s);
		78	if (err < 0) {
		79	goto out;
		80	}
		81	--
		82	2.7.4
		83


diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb index 59cfc38e4b..992cf7b1a8 100644 --- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb +++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
@@ -30,6 +30,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
30	file://CVE-2018-18849.patch \	30	file://CVE-2018-18849.patch \
31	file://CVE-2018-19364_p1.patch \	31	file://CVE-2018-19364_p1.patch \
32	file://CVE-2018-19364_p2.patch \	32	file://CVE-2018-19364_p2.patch \
		33	file://CVE-2018-19489.patch \
33	"	34	"
34	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	35	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
35		36