qemu: Several CVE fixes

Source: qemu.org MR: 97258, 97342, 97438, 97443 Type: Security Fix Disposition: Backport from git.qemu.org/qemu.git ChangeID: a5e9fd03ca5bebc880dcc3c4567e10a9ae47dba5 Description: These issues affect qemu < 3.1.0 Fixes: CVE-2018-16867 CVE-2018-16872 CVE-2018-18849 CVE-2018-19364 (From OE-Core rev: e3dfe53a334cd952cc2194fd3baad6d082659b7e) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2019-05-29 11:14:38 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-07-27 18:05:18 +0100
commit: f2961d88af7fa7345f40b1dc3b0edc926c5a2304 (patch)
tree: 60f354217ea7bdffa7cc9678ab64f65561408908 /meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch
parent: cd7f7bf38584be1df287e77e78bbdf659a07c385 (diff)
download: poky-f2961d88af7fa7345f40b1dc3b0edc926c5a2304.tar.gz
1 files changed, 89 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch
new file mode 100644
index 0000000000..9f2c5d3ec1
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch
@@ -0,0 +1,89 @@
+From 7347a04da35ec6284ce83e8bcd72dc4177d17b10 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 13 Dec 2018 13:25:11 +0100
+Subject: [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
+Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
+While being at it also add O_CLOEXEC.
+usb-mtp only handles regular files and directories and ignores
+everything else, so users should not see a difference.
+Because qemu ignores symlinks, carrying out a successful symlink attack
+requires swapping an existing file or directory below rootdir for a
+symlink and winning the race against the inotify notification to qemu.
+Fixes: CVE-2018-16872
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: Bandan Das <bsd@redhat.com>
+Reported-by: Michael Hanselmann <public@hansmi.ch>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Michael Hanselmann <public@hansmi.ch>
+Message-id: 20181213122511.13853-1-kraxel@redhat.com
+(cherry picked from commit bab9df35ce73d1c8e19a37e2737717ea1c984dc1)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Upstream-Status: Backport
+CVE: CVE-2018-16872
+Affects: < 3.1.0
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ hw/usb/dev-mtp.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
+index 899c8a3..f4223fb 100644
+--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
+@@ -649,13 +649,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
+ {
+     struct dirent *entry;
+     DIR *dir;
+    int fd;
+ 
+     if (o->have_children) {
+         return;
+     }
+     o->have_children = true;
+ 
+-    dir = opendir(o->path);
+    fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
+    if (fd < 0) {
+        return;
+    }
+    dir = fdopendir(fd);
+     if (!dir) {
+         return;
+     }
+@@ -1003,7 +1008,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c,
+ 
+     trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path);
+ 
+-    d->fd = open(o->path, O_RDONLY);
+    d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
+     if (d->fd == -1) {
+         usb_mtp_data_free(d);
+         return NULL;
+@@ -1027,7 +1032,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c,
+                                         c->argv[1], c->argv[2]);
+ 
+     d = usb_mtp_data_alloc(c);
+-    d->fd = open(o->path, O_RDONLY);
+    d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
+     if (d->fd == -1) {
+         usb_mtp_data_free(d);
+         return NULL;
+@@ -1608,7 +1613,7 @@ static void usb_mtp_write_data(MTPState *s)
+                                  0, 0, 0, 0);
+             goto done;
+         }
+-        d->fd = open(path, O_CREAT | O_WRONLY, mask);
+        d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask);
+         if (d->fd == -1) {
+             usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
+                                  0, 0, 0, 0);
+-- 
+2.7.4
author	Armin Kuster <akuster@mvista.com>	2019-05-29 11:14:38 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +0100
commit	f2961d88af7fa7345f40b1dc3b0edc926c5a2304 (patch)
tree	60f354217ea7bdffa7cc9678ab64f65561408908 /meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch
parent	cd7f7bf38584be1df287e77e78bbdf659a07c385 (diff)
download	poky-f2961d88af7fa7345f40b1dc3b0edc926c5a2304.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch new file mode 100644 index 0000000000..9f2c5d3ec1 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch
@@ -0,0 +1,89 @@
	1	From 7347a04da35ec6284ce83e8bcd72dc4177d17b10 Mon Sep 17 00:00:00 2001
	2	From: Gerd Hoffmann <kraxel@redhat.com>
	3	Date: Thu, 13 Dec 2018 13:25:11 +0100
	4	Subject: [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
	5
	6	Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
	7	While being at it also add O_CLOEXEC.
	8
	9	usb-mtp only handles regular files and directories and ignores
	10	everything else, so users should not see a difference.
	11
	12	Because qemu ignores symlinks, carrying out a successful symlink attack
	13	requires swapping an existing file or directory below rootdir for a
	14	symlink and winning the race against the inotify notification to qemu.
	15
	16	Fixes: CVE-2018-16872
	17	Cc: Prasad J Pandit <ppandit@redhat.com>
	18	Cc: Bandan Das <bsd@redhat.com>
	19	Reported-by: Michael Hanselmann <public@hansmi.ch>
	20	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
	21	Reviewed-by: Michael Hanselmann <public@hansmi.ch>
	22	Message-id: 20181213122511.13853-1-kraxel@redhat.com
	23	(cherry picked from commit bab9df35ce73d1c8e19a37e2737717ea1c984dc1)
	24	Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
	25
	26	Upstream-Status: Backport
	27	CVE: CVE-2018-16872
	28	Affects: < 3.1.0
	29
	30	Signed-off-by: Armin Kuster <akuster@mvista.com>
	31
	32	---
	33	hw/usb/dev-mtp.c \| 13 +++++++++----
	34	1 file changed, 9 insertions(+), 4 deletions(-)
	35
	36	diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
	37	index 899c8a3..f4223fb 100644
	38	--- a/hw/usb/dev-mtp.c
	39	+++ b/hw/usb/dev-mtp.c
	40	@@ -649,13 +649,18 @@ static void usb_mtp_object_readdir(MTPState s, MTPObject o)
	41	{
	42	struct dirent *entry;
	43	DIR *dir;
	44	+ int fd;
	45
	46	if (o->have_children) {
	47	return;
	48	}
	49	o->have_children = true;
	50
	51	- dir = opendir(o->path);
	52	+ fd = open(o->path, O_DIRECTORY \| O_CLOEXEC \| O_NOFOLLOW);
	53	+ if (fd < 0) {
	54	+ return;
	55	+ }
	56	+ dir = fdopendir(fd);
	57	if (!dir) {
	58	return;
	59	}
	60	@@ -1003,7 +1008,7 @@ static MTPData usb_mtp_get_object(MTPState s, MTPControl *c,
	61
	62	trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path);
	63
	64	- d->fd = open(o->path, O_RDONLY);
	65	+ d->fd = open(o->path, O_RDONLY \| O_CLOEXEC \| O_NOFOLLOW);
	66	if (d->fd == -1) {
	67	usb_mtp_data_free(d);
	68	return NULL;
	69	@@ -1027,7 +1032,7 @@ static MTPData usb_mtp_get_partial_object(MTPState s, MTPControl *c,
	70	c->argv[1], c->argv[2]);
	71
	72	d = usb_mtp_data_alloc(c);
	73	- d->fd = open(o->path, O_RDONLY);
	74	+ d->fd = open(o->path, O_RDONLY \| O_CLOEXEC \| O_NOFOLLOW);
	75	if (d->fd == -1) {
	76	usb_mtp_data_free(d);
	77	return NULL;
	78	@@ -1608,7 +1613,7 @@ static void usb_mtp_write_data(MTPState *s)
	79	0, 0, 0, 0);
	80	goto done;
	81	}
	82	- d->fd = open(path, O_CREAT \| O_WRONLY, mask);
	83	+ d->fd = open(path, O_CREAT \| O_WRONLY \| O_CLOEXEC \| O_NOFOLLOW, mask);
	84	if (d->fd == -1) {
	85	usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
	86	0, 0, 0, 0);
	87	--
	88	2.7.4
	89