qemu: fix CVE-2021-20181

(From OE-Core rev: c2f79065ef0684f2c0bdb92f1b03e690ab730b8c) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Sakib Sajal <sakib.sajal@windriver.com> 2021-04-23 00:45:00 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-04-24 17:53:05 +0100
commit: 640c6d1191d5b545902ee77cb57ea4467bfcc78b (patch)
tree: 9c82c3f94de534660ce556974f5fdbfa002a5e0a /meta/recipes-devtools/qemu
parent: e7746189de9092c137aa241f6b896a1eee20075b (diff)
download: poky-640c6d1191d5b545902ee77cb57ea4467bfcc78b.tar.gz
2 files changed, 82 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index f0416b0379..65e0489a97 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -34,6 +34,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2020-35517_1.patch \
           file://CVE-2020-35517_2.patch \
           file://CVE-2020-35517_3.patch \
+           file://CVE-2021-20181.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
new file mode 100644
index 0000000000..1b8c77f838
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
@@ -0,0 +1,81 @@
+From c2d2d14e8deece958bbc4fc649d22c3564bc4e7e Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Thu, 14 Jan 2021 17:04:12 +0100
+Subject: [PATCH] 9pfs: Fully restart unreclaim loop (CVE-2021-20181)
+Depending on the client activity, the server can be asked to open a huge
+number of file descriptors and eventually hit RLIMIT_NOFILE. This is
+currently mitigated using a reclaim logic : the server closes the file
+descriptors of idle fids, based on the assumption that it will be able
+to re-open them later. This assumption doesn't hold of course if the
+client requests the file to be unlinked. In this case, we loop on the
+entire fid list and mark all related fids as unreclaimable (the reclaim
+logic will just ignore them) and, of course, we open or re-open their
+file descriptors if needed since we're about to unlink the file.
+This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual
+opening of a file can cause the coroutine to yield, another client
+request could possibly add a new fid that we may want to mark as
+non-reclaimable as well. The loop is thus restarted if the re-open
+request was actually transmitted to the backend. This is achieved
+by keeping a reference on the first fid (head) before traversing
+the list.
+This is wrong in several ways:
+- a potential clunk request from the client could tear the first
+  fid down and cause the reference to be stale. This leads to a
+  use-after-free error that can be detected with ASAN, using a
+  custom 9p client
+- fids are added at the head of the list : restarting from the
+  previous head will always miss fids added by a some other
+  potential request
+All these problems could be avoided if fids were being added at the
+end of the list. This can be achieved with a QSIMPLEQ, but this is
+probably too much change for a bug fix. For now let's keep it
+simple and just restart the loop from the current head.
+Fixes: CVE-2021-20181
+Buglink: https://bugs.launchpad.net/qemu/+bug/1911666
+Reported-by: Zero Day Initiative <zdi-disclosures@trendmicro.com>
+Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+Upstream-Status: Backport [89fbea8737e8f7b954745a1ffc4238d377055305]
+CVE: CVE-2021-20181
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/9pfs/9p.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 94df440fc..6026b51a1 100644
+--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
+@@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
+ {
+     int err;
+     V9fsState *s = pdu->s;
+-    V9fsFidState *fidp, head_fid;
+    V9fsFidState *fidp;
+ 
+-    head_fid.next = s->fid_list;
+again:
+     for (fidp = s->fid_list; fidp; fidp = fidp->next) {
+         if (fidp->path.size != path->size) {
+             continue;
+@@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
+              * switched to the worker thread
+              */
+             if (err == 0) {
+-                fidp = &head_fid;
+                goto again;
+             }
+         }
+     }
+-- 
+2.29.2
author	Sakib Sajal <sakib.sajal@windriver.com>	2021-04-23 00:45:00 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-04-24 17:53:05 +0100
commit	640c6d1191d5b545902ee77cb57ea4467bfcc78b (patch)
tree	9c82c3f94de534660ce556974f5fdbfa002a5e0a /meta/recipes-devtools/qemu
parent	e7746189de9092c137aa241f6b896a1eee20075b (diff)
download	poky-640c6d1191d5b545902ee77cb57ea4467bfcc78b.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index f0416b0379..65e0489a97 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -34,6 +34,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
34	file://CVE-2020-35517_1.patch \	34	file://CVE-2020-35517_1.patch \
35	file://CVE-2020-35517_2.patch \	35	file://CVE-2020-35517_2.patch \
36	file://CVE-2020-35517_3.patch \	36	file://CVE-2020-35517_3.patch \
		37	file://CVE-2021-20181.patch \
37	"	38	"
38	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	39	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
39		40


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch new file mode 100644 index 0000000000..1b8c77f838 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
@@ -0,0 +1,81 @@
		1	From c2d2d14e8deece958bbc4fc649d22c3564bc4e7e Mon Sep 17 00:00:00 2001
		2	From: Greg Kurz <groug@kaod.org>
		3	Date: Thu, 14 Jan 2021 17:04:12 +0100
		4	Subject: [PATCH] 9pfs: Fully restart unreclaim loop (CVE-2021-20181)
		5
		6	Depending on the client activity, the server can be asked to open a huge
		7	number of file descriptors and eventually hit RLIMIT_NOFILE. This is
		8	currently mitigated using a reclaim logic : the server closes the file
		9	descriptors of idle fids, based on the assumption that it will be able
		10	to re-open them later. This assumption doesn't hold of course if the
		11	client requests the file to be unlinked. In this case, we loop on the
		12	entire fid list and mark all related fids as unreclaimable (the reclaim
		13	logic will just ignore them) and, of course, we open or re-open their
		14	file descriptors if needed since we're about to unlink the file.
		15
		16	This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual
		17	opening of a file can cause the coroutine to yield, another client
		18	request could possibly add a new fid that we may want to mark as
		19	non-reclaimable as well. The loop is thus restarted if the re-open
		20	request was actually transmitted to the backend. This is achieved
		21	by keeping a reference on the first fid (head) before traversing
		22	the list.
		23
		24	This is wrong in several ways:
		25	- a potential clunk request from the client could tear the first
		26	fid down and cause the reference to be stale. This leads to a
		27	use-after-free error that can be detected with ASAN, using a
		28	custom 9p client
		29	- fids are added at the head of the list : restarting from the
		30	previous head will always miss fids added by a some other
		31	potential request
		32
		33	All these problems could be avoided if fids were being added at the
		34	end of the list. This can be achieved with a QSIMPLEQ, but this is
		35	probably too much change for a bug fix. For now let's keep it
		36	simple and just restart the loop from the current head.
		37
		38	Fixes: CVE-2021-20181
		39	Buglink: https://bugs.launchpad.net/qemu/+bug/1911666
		40	Reported-by: Zero Day Initiative <zdi-disclosures@trendmicro.com>
		41	Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
		42	Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
		43	Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan>
		44	Signed-off-by: Greg Kurz <groug@kaod.org>
		45
		46	Upstream-Status: Backport [89fbea8737e8f7b954745a1ffc4238d377055305]
		47	CVE: CVE-2021-20181
		48
		49	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		50	---
		51	hw/9pfs/9p.c \| 6 +++---
		52	1 file changed, 3 insertions(+), 3 deletions(-)
		53
		54	diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
		55	index 94df440fc..6026b51a1 100644
		56	--- a/hw/9pfs/9p.c
		57	+++ b/hw/9pfs/9p.c
		58	@@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU pdu, V9fsPath path)
		59	{
		60	int err;
		61	V9fsState *s = pdu->s;
		62	- V9fsFidState *fidp, head_fid;
		63	+ V9fsFidState *fidp;
		64
		65	- head_fid.next = s->fid_list;
		66	+again:
		67	for (fidp = s->fid_list; fidp; fidp = fidp->next) {
		68	if (fidp->path.size != path->size) {
		69	continue;
		70	@@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU pdu, V9fsPath path)
		71	* switched to the worker thread
		72	*/
		73	if (err == 0) {
		74	- fidp = &head_fid;
		75	+ goto again;
		76	}
		77	}
		78	}
		79	--
		80	2.29.2
		81