qemu: Several CVE fixes

Source: qemu.org MR: 97258, 97342, 97438, 97443 Type: Security Fix Disposition: Backport from git.qemu.org/qemu.git ChangeID: a5e9fd03ca5bebc880dcc3c4567e10a9ae47dba5 Description: These issues affect qemu < 3.1.0 Fixes: CVE-2018-16867 CVE-2018-16872 CVE-2018-18849 CVE-2018-19364 (From OE-Core rev: e3dfe53a334cd952cc2194fd3baad6d082659b7e) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2019-05-29 11:14:38 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-07-27 18:05:18 +0100
commit: f2961d88af7fa7345f40b1dc3b0edc926c5a2304 (patch)
tree: 60f354217ea7bdffa7cc9678ab64f65561408908 /meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch
parent: cd7f7bf38584be1df287e77e78bbdf659a07c385 (diff)
download: poky-f2961d88af7fa7345f40b1dc3b0edc926c5a2304.tar.gz
1 files changed, 115 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch
new file mode 100644
index 0000000000..b8d094c0b4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch
@@ -0,0 +1,115 @@
+From 5b3c77aa581ebb215125c84b0742119483571e55 Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Tue, 20 Nov 2018 13:00:35 +0100
+Subject: [PATCH] 9p: take write lock on fid path updates (CVE-2018-19364)
+Recent commit 5b76ef50f62079a fixed a race where v9fs_co_open2() could
+possibly overwrite a fid path with v9fs_path_copy() while it is being
+accessed by some other thread, ie, use-after-free that can be detected
+by ASAN with a custom 9p client.
+It turns out that the same can happen at several locations where
+v9fs_path_copy() is used to set the fid path. The fix is again to
+take the write lock.
+Fixes CVE-2018-19364.
+Cc: P J P <ppandit@redhat.com>
+Reported-by: zhibin hu <noirfate@gmail.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+Upstream-status: Backport
+Affects: < 3.1.0
+CVE:  CVE-2018-19364 patch #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ hw/9pfs/9p.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index eef289e..267a255 100644
+--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
+@@ -1391,7 +1391,9 @@ static void coroutine_fn v9fs_walk(void *opaque)
+             err = -EINVAL;
+             goto out;
+         }
+        v9fs_path_write_lock(s);
+         v9fs_path_copy(&fidp->path, &path);
+        v9fs_path_unlock(s);
+     } else {
+         newfidp = alloc_fid(s, newfid);
+         if (newfidp == NULL) {
+@@ -2160,6 +2162,7 @@ static void coroutine_fn v9fs_create(void *opaque)
+     V9fsString extension;
+     int iounit;
+     V9fsPDU *pdu = opaque;
+    V9fsState *s = pdu->s;
+ 
+     v9fs_path_init(&path);
+     v9fs_string_init(&name);
+@@ -2200,7 +2203,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+         if (err < 0) {
+             goto out;
+         }
+        v9fs_path_write_lock(s);
+         v9fs_path_copy(&fidp->path, &path);
+        v9fs_path_unlock(s);
+         err = v9fs_co_opendir(pdu, fidp);
+         if (err < 0) {
+             goto out;
+@@ -2216,7 +2221,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+         if (err < 0) {
+             goto out;
+         }
+        v9fs_path_write_lock(s);
+         v9fs_path_copy(&fidp->path, &path);
+        v9fs_path_unlock(s);
+     } else if (perm & P9_STAT_MODE_LINK) {
+         int32_t ofid = atoi(extension.data);
+         V9fsFidState *ofidp = get_fid(pdu, ofid);
+@@ -2234,7 +2241,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+             fidp->fid_type = P9_FID_NONE;
+             goto out;
+         }
+        v9fs_path_write_lock(s);
+         v9fs_path_copy(&fidp->path, &path);
+        v9fs_path_unlock(s);
+         err = v9fs_co_lstat(pdu, &fidp->path, &stbuf);
+         if (err < 0) {
+             fidp->fid_type = P9_FID_NONE;
+@@ -2272,7 +2281,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+         if (err < 0) {
+             goto out;
+         }
+        v9fs_path_write_lock(s);
+         v9fs_path_copy(&fidp->path, &path);
+        v9fs_path_unlock(s);
+     } else if (perm & P9_STAT_MODE_NAMED_PIPE) {
+         err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1,
+                             0, S_IFIFO | (perm & 0777), &stbuf);
+@@ -2283,7 +2294,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+         if (err < 0) {
+             goto out;
+         }
+        v9fs_path_write_lock(s);
+         v9fs_path_copy(&fidp->path, &path);
+        v9fs_path_unlock(s);
+     } else if (perm & P9_STAT_MODE_SOCKET) {
+         err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1,
+                             0, S_IFSOCK | (perm & 0777), &stbuf);
+@@ -2294,7 +2307,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+         if (err < 0) {
+             goto out;
+         }
+        v9fs_path_write_lock(s);
+         v9fs_path_copy(&fidp->path, &path);
+        v9fs_path_unlock(s);
+     } else {
+         err = v9fs_co_open2(pdu, fidp, &name, -1,
+                             omode_to_uflags(mode)|O_CREAT, perm, &stbuf);
+-- 
+2.7.4
author	Armin Kuster <akuster@mvista.com>	2019-05-29 11:14:38 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +0100
commit	f2961d88af7fa7345f40b1dc3b0edc926c5a2304 (patch)
tree	60f354217ea7bdffa7cc9678ab64f65561408908 /meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch
parent	cd7f7bf38584be1df287e77e78bbdf659a07c385 (diff)
download	poky-f2961d88af7fa7345f40b1dc3b0edc926c5a2304.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch new file mode 100644 index 0000000000..b8d094c0b4 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch
@@ -0,0 +1,115 @@
	1	From 5b3c77aa581ebb215125c84b0742119483571e55 Mon Sep 17 00:00:00 2001
	2	From: Greg Kurz <groug@kaod.org>
	3	Date: Tue, 20 Nov 2018 13:00:35 +0100
	4	Subject: [PATCH] 9p: take write lock on fid path updates (CVE-2018-19364)
	5
	6	Recent commit 5b76ef50f62079a fixed a race where v9fs_co_open2() could
	7	possibly overwrite a fid path with v9fs_path_copy() while it is being
	8	accessed by some other thread, ie, use-after-free that can be detected
	9	by ASAN with a custom 9p client.
	10
	11	It turns out that the same can happen at several locations where
	12	v9fs_path_copy() is used to set the fid path. The fix is again to
	13	take the write lock.
	14
	15	Fixes CVE-2018-19364.
	16
	17	Cc: P J P <ppandit@redhat.com>
	18	Reported-by: zhibin hu <noirfate@gmail.com>
	19	Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
	20	Signed-off-by: Greg Kurz <groug@kaod.org>
	21
	22	Upstream-status: Backport
	23	Affects: < 3.1.0
	24	CVE: CVE-2018-19364 patch #2
	25	Signed-off-by: Armin Kuster <akuster@mvista.com>
	26
	27	---
	28	hw/9pfs/9p.c \| 15 +++++++++++++++
	29	1 file changed, 15 insertions(+)
	30
	31	diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
	32	index eef289e..267a255 100644
	33	--- a/hw/9pfs/9p.c
	34	+++ b/hw/9pfs/9p.c
	35	@@ -1391,7 +1391,9 @@ static void coroutine_fn v9fs_walk(void *opaque)
	36	err = -EINVAL;
	37	goto out;
	38	}
	39	+ v9fs_path_write_lock(s);
	40	v9fs_path_copy(&fidp->path, &path);
	41	+ v9fs_path_unlock(s);
	42	} else {
	43	newfidp = alloc_fid(s, newfid);
	44	if (newfidp == NULL) {
	45	@@ -2160,6 +2162,7 @@ static void coroutine_fn v9fs_create(void *opaque)
	46	V9fsString extension;
	47	int iounit;
	48	V9fsPDU *pdu = opaque;
	49	+ V9fsState *s = pdu->s;
	50
	51	v9fs_path_init(&path);
	52	v9fs_string_init(&name);
	53	@@ -2200,7 +2203,9 @@ static void coroutine_fn v9fs_create(void *opaque)
	54	if (err < 0) {
	55	goto out;
	56	}
	57	+ v9fs_path_write_lock(s);
	58	v9fs_path_copy(&fidp->path, &path);
	59	+ v9fs_path_unlock(s);
	60	err = v9fs_co_opendir(pdu, fidp);
	61	if (err < 0) {
	62	goto out;
	63	@@ -2216,7 +2221,9 @@ static void coroutine_fn v9fs_create(void *opaque)
	64	if (err < 0) {
	65	goto out;
	66	}
	67	+ v9fs_path_write_lock(s);
	68	v9fs_path_copy(&fidp->path, &path);
	69	+ v9fs_path_unlock(s);
	70	} else if (perm & P9_STAT_MODE_LINK) {
	71	int32_t ofid = atoi(extension.data);
	72	V9fsFidState *ofidp = get_fid(pdu, ofid);
	73	@@ -2234,7 +2241,9 @@ static void coroutine_fn v9fs_create(void *opaque)
	74	fidp->fid_type = P9_FID_NONE;
	75	goto out;
	76	}
	77	+ v9fs_path_write_lock(s);
	78	v9fs_path_copy(&fidp->path, &path);
	79	+ v9fs_path_unlock(s);
	80	err = v9fs_co_lstat(pdu, &fidp->path, &stbuf);
	81	if (err < 0) {
	82	fidp->fid_type = P9_FID_NONE;
	83	@@ -2272,7 +2281,9 @@ static void coroutine_fn v9fs_create(void *opaque)
	84	if (err < 0) {
	85	goto out;
	86	}
	87	+ v9fs_path_write_lock(s);
	88	v9fs_path_copy(&fidp->path, &path);
	89	+ v9fs_path_unlock(s);
	90	} else if (perm & P9_STAT_MODE_NAMED_PIPE) {
	91	err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1,
	92	0, S_IFIFO \| (perm & 0777), &stbuf);
	93	@@ -2283,7 +2294,9 @@ static void coroutine_fn v9fs_create(void *opaque)
	94	if (err < 0) {
	95	goto out;
	96	}
	97	+ v9fs_path_write_lock(s);
	98	v9fs_path_copy(&fidp->path, &path);
	99	+ v9fs_path_unlock(s);
	100	} else if (perm & P9_STAT_MODE_SOCKET) {
	101	err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1,
	102	0, S_IFSOCK \| (perm & 0777), &stbuf);
	103	@@ -2294,7 +2307,9 @@ static void coroutine_fn v9fs_create(void *opaque)
	104	if (err < 0) {
	105	goto out;
	106	}
	107	+ v9fs_path_write_lock(s);
	108	v9fs_path_copy(&fidp->path, &path);
	109	+ v9fs_path_unlock(s);
	110	} else {
	111	err = v9fs_co_open2(pdu, fidp, &name, -1,
	112	omode_to_uflags(mode)\|O_CREAT, perm, &stbuf);
	113	--
	114	2.7.4
	115