diff options
author | Armin Kuster <akuster@mvista.com> | 2019-05-29 11:14:38 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-27 18:05:18 +0100 |
commit | e53f7d53f40df75c25e6cdbd1a19b16b296d307b (patch) | |
tree | c722dea047c60d6c8ed94be5e381731b6e7d5d30 /meta/recipes-devtools | |
parent | f381b778ae24e19a7c7f505c90e9e22d42acf9a9 (diff) | |
download | poky-e53f7d53f40df75c25e6cdbd1a19b16b296d307b.tar.gz |
qemu: Security fix for CVE-2018-19489
Source: Qemu.org
MR: 97453
Type: Security Fix
Disposition: Backport from git.qemu.org/gemu.git
ChangeID: a06fcb432d447cec2ed1caf112822dd1b4831ace
Description:
In the spirt of YP Compatible, sending change upstream.
fixes CVE CVE-2018-19489
Affect < = 4.0.0
(From OE-Core rev: 249447828cd1ed13f9faf19793208b503acf0d30)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch | 83 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu_3.0.0.bb | 1 |
2 files changed, 84 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch new file mode 100644 index 0000000000..7619e2a8ca --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch | |||
@@ -0,0 +1,83 @@ | |||
1 | From 1d20398694a3b67a388d955b7a945ba4aa90a8a8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Greg Kurz <groug@kaod.org> | ||
3 | Date: Fri, 23 Nov 2018 13:28:03 +0100 | ||
4 | Subject: [PATCH] 9p: fix QEMU crash when renaming files | ||
5 | |||
6 | When using the 9P2000.u version of the protocol, the following shell | ||
7 | command line in the guest can cause QEMU to crash: | ||
8 | |||
9 | while true; do rm -rf aa; mkdir -p a/b & touch a/b/c & mv a aa; done | ||
10 | |||
11 | With 9P2000.u, file renaming is handled by the WSTAT command. The | ||
12 | v9fs_wstat() function calls v9fs_complete_rename(), which calls | ||
13 | v9fs_fix_path() for every fid whose path is affected by the change. | ||
14 | The involved calls to v9fs_path_copy() may race with any other access | ||
15 | to the fid path performed by some worker thread, causing a crash like | ||
16 | shown below: | ||
17 | |||
18 | Thread 12 "qemu-system-x86" received signal SIGSEGV, Segmentation fault. | ||
19 | 0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8, path=0x0, | ||
20 | flags=65536, mode=0) at hw/9pfs/9p-local.c:59 | ||
21 | 59 while (*path && fd != -1) { | ||
22 | (gdb) bt | ||
23 | #0 0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8, | ||
24 | path=0x0, flags=65536, mode=0) at hw/9pfs/9p-local.c:59 | ||
25 | #1 0x0000555555a25e0c in local_opendir_nofollow (fs_ctx=0x555557d958b8, | ||
26 | path=0x0) at hw/9pfs/9p-local.c:92 | ||
27 | #2 0x0000555555a261b8 in local_lstat (fs_ctx=0x555557d958b8, | ||
28 | fs_path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/9p-local.c:185 | ||
29 | #3 0x0000555555a2b367 in v9fs_co_lstat (pdu=0x555557d97498, | ||
30 | path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/cofile.c:53 | ||
31 | #4 0x0000555555a1e9e2 in v9fs_stat (opaque=0x555557d97498) | ||
32 | at hw/9pfs/9p.c:1083 | ||
33 | #5 0x0000555555e060a2 in coroutine_trampoline (i0=-669165424, i1=32767) | ||
34 | at util/coroutine-ucontext.c:116 | ||
35 | #6 0x00007fffef4f5600 in __start_context () at /lib64/libc.so.6 | ||
36 | #7 0x0000000000000000 in () | ||
37 | (gdb) | ||
38 | |||
39 | The fix is to take the path write lock when calling v9fs_complete_rename(), | ||
40 | like in v9fs_rename(). | ||
41 | |||
42 | Impact: DoS triggered by unprivileged guest users. | ||
43 | |||
44 | Fixes: CVE-2018-19489 | ||
45 | Cc: P J P <ppandit@redhat.com> | ||
46 | Reported-by: zhibin hu <noirfate@gmail.com> | ||
47 | Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
48 | Signed-off-by: Greg Kurz <groug@kaod.org> | ||
49 | |||
50 | Upstream-Status: Backport | ||
51 | Affects: < 4.0.0 | ||
52 | CVE: CVE-2018-19489 | ||
53 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
54 | |||
55 | --- | ||
56 | hw/9pfs/9p.c | 3 +++ | ||
57 | 1 file changed, 3 insertions(+) | ||
58 | |||
59 | diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c | ||
60 | index 267a255..bdf7919 100644 | ||
61 | --- a/hw/9pfs/9p.c | ||
62 | +++ b/hw/9pfs/9p.c | ||
63 | @@ -2855,6 +2855,7 @@ static void coroutine_fn v9fs_wstat(void *opaque) | ||
64 | struct stat stbuf; | ||
65 | V9fsFidState *fidp; | ||
66 | V9fsPDU *pdu = opaque; | ||
67 | + V9fsState *s = pdu->s; | ||
68 | |||
69 | v9fs_stat_init(&v9stat); | ||
70 | err = pdu_unmarshal(pdu, offset, "dwS", &fid, &unused, &v9stat); | ||
71 | @@ -2920,7 +2921,9 @@ static void coroutine_fn v9fs_wstat(void *opaque) | ||
72 | } | ||
73 | } | ||
74 | if (v9stat.name.size != 0) { | ||
75 | + v9fs_path_write_lock(s); | ||
76 | err = v9fs_complete_rename(pdu, fidp, -1, &v9stat.name); | ||
77 | + v9fs_path_unlock(s); | ||
78 | if (err < 0) { | ||
79 | goto out; | ||
80 | } | ||
81 | -- | ||
82 | 2.7.4 | ||
83 | |||
diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb index 59cfc38e4b..992cf7b1a8 100644 --- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb +++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb | |||
@@ -30,6 +30,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
30 | file://CVE-2018-18849.patch \ | 30 | file://CVE-2018-18849.patch \ |
31 | file://CVE-2018-19364_p1.patch \ | 31 | file://CVE-2018-19364_p1.patch \ |
32 | file://CVE-2018-19364_p2.patch \ | 32 | file://CVE-2018-19364_p2.patch \ |
33 | file://CVE-2018-19489.patch \ | ||
33 | " | 34 | " |
34 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 35 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
35 | 36 | ||