summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/qemu
diff options
context:
space:
mode:
authorSakib Sajal <sakib.sajal@windriver.com>2021-04-23 00:45:00 -0400
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-04-24 17:53:05 +0100
commit640c6d1191d5b545902ee77cb57ea4467bfcc78b (patch)
tree9c82c3f94de534660ce556974f5fdbfa002a5e0a /meta/recipes-devtools/qemu
parente7746189de9092c137aa241f6b896a1eee20075b (diff)
downloadpoky-640c6d1191d5b545902ee77cb57ea4467bfcc78b.tar.gz
qemu: fix CVE-2021-20181
(From OE-Core rev: c2f79065ef0684f2c0bdb92f1b03e690ab730b8c) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu')
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc1
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch81
2 files changed, 82 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index f0416b0379..65e0489a97 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -34,6 +34,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
34 file://CVE-2020-35517_1.patch \ 34 file://CVE-2020-35517_1.patch \
35 file://CVE-2020-35517_2.patch \ 35 file://CVE-2020-35517_2.patch \
36 file://CVE-2020-35517_3.patch \ 36 file://CVE-2020-35517_3.patch \
37 file://CVE-2021-20181.patch \
37 " 38 "
38UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 39UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
39 40
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
new file mode 100644
index 0000000000..1b8c77f838
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
@@ -0,0 +1,81 @@
1From c2d2d14e8deece958bbc4fc649d22c3564bc4e7e Mon Sep 17 00:00:00 2001
2From: Greg Kurz <groug@kaod.org>
3Date: Thu, 14 Jan 2021 17:04:12 +0100
4Subject: [PATCH] 9pfs: Fully restart unreclaim loop (CVE-2021-20181)
5
6Depending on the client activity, the server can be asked to open a huge
7number of file descriptors and eventually hit RLIMIT_NOFILE. This is
8currently mitigated using a reclaim logic : the server closes the file
9descriptors of idle fids, based on the assumption that it will be able
10to re-open them later. This assumption doesn't hold of course if the
11client requests the file to be unlinked. In this case, we loop on the
12entire fid list and mark all related fids as unreclaimable (the reclaim
13logic will just ignore them) and, of course, we open or re-open their
14file descriptors if needed since we're about to unlink the file.
15
16This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual
17opening of a file can cause the coroutine to yield, another client
18request could possibly add a new fid that we may want to mark as
19non-reclaimable as well. The loop is thus restarted if the re-open
20request was actually transmitted to the backend. This is achieved
21by keeping a reference on the first fid (head) before traversing
22the list.
23
24This is wrong in several ways:
25- a potential clunk request from the client could tear the first
26 fid down and cause the reference to be stale. This leads to a
27 use-after-free error that can be detected with ASAN, using a
28 custom 9p client
29- fids are added at the head of the list : restarting from the
30 previous head will always miss fids added by a some other
31 potential request
32
33All these problems could be avoided if fids were being added at the
34end of the list. This can be achieved with a QSIMPLEQ, but this is
35probably too much change for a bug fix. For now let's keep it
36simple and just restart the loop from the current head.
37
38Fixes: CVE-2021-20181
39Buglink: https://bugs.launchpad.net/qemu/+bug/1911666
40Reported-by: Zero Day Initiative <zdi-disclosures@trendmicro.com>
41Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
42Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
43Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan>
44Signed-off-by: Greg Kurz <groug@kaod.org>
45
46Upstream-Status: Backport [89fbea8737e8f7b954745a1ffc4238d377055305]
47CVE: CVE-2021-20181
48
49Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
50---
51 hw/9pfs/9p.c | 6 +++---
52 1 file changed, 3 insertions(+), 3 deletions(-)
53
54diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
55index 94df440fc..6026b51a1 100644
56--- a/hw/9pfs/9p.c
57+++ b/hw/9pfs/9p.c
58@@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
59 {
60 int err;
61 V9fsState *s = pdu->s;
62- V9fsFidState *fidp, head_fid;
63+ V9fsFidState *fidp;
64
65- head_fid.next = s->fid_list;
66+again:
67 for (fidp = s->fid_list; fidp; fidp = fidp->next) {
68 if (fidp->path.size != path->size) {
69 continue;
70@@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
71 * switched to the worker thread
72 */
73 if (err == 0) {
74- fidp = &head_fid;
75+ goto again;
76 }
77 }
78 }
79--
802.29.2
81