diff options
author | Lee Chee Yang <chee.yang.lee@intel.com> | 2021-02-10 20:50:47 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-02-26 15:30:39 +0000 |
commit | 7bec49614cc9d2788394600d5f5cfd6fcd6277cd (patch) | |
tree | b5d019a9141ac32697e52e68e2122f82229d0b27 /meta/recipes-devtools | |
parent | 764b0f9f5ec26602b7d451aa8d4887f95afbea3e (diff) | |
download | poky-7bec49614cc9d2788394600d5f5cfd6fcd6277cd.tar.gz |
qemu: fix CVE-2020-29443 CVE-2020-35517
(From OE-Core rev: 3640c0095d13cf9e9b5160920d3f834c417e9f41)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 2 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch | 46 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch | 126 |
3 files changed, 174 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 69b9a5f89e..97f110cde5 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
@@ -37,6 +37,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
37 | file://CVE-2020-25624.patch \ | 37 | file://CVE-2020-25624.patch \ |
38 | file://CVE-2020-25723.patch \ | 38 | file://CVE-2020-25723.patch \ |
39 | file://CVE-2020-28916.patch \ | 39 | file://CVE-2020-28916.patch \ |
40 | file://CVE-2020-35517.patch \ | ||
41 | file://CVE-2020-29443.patch \ | ||
40 | " | 42 | " |
41 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 43 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
42 | 44 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch new file mode 100644 index 0000000000..5a3b99bb23 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | |||
2 | m 813212288970c39b1800f63e83ac6e96588095c6 Mon Sep 17 00:00:00 2001 | ||
3 | From: Paolo Bonzini <pbonzini@redhat.com> | ||
4 | Date: Tue, 1 Dec 2020 13:09:26 +0100 | ||
5 | Subject: [PATCH] ide: atapi: assert that the buffer pointer is in range | ||
6 | |||
7 | A case was reported where s->io_buffer_index can be out of range. | ||
8 | The report skimped on the details but it seems to be triggered | ||
9 | by s->lba == -1 on the READ/READ CD paths (e.g. by sending an | ||
10 | ATAPI command with LBA = 0xFFFFFFFF). For now paper over it | ||
11 | with assertions. The first one ensures that there is no overflow | ||
12 | when incrementing s->io_buffer_index, the second checks for the | ||
13 | buffer overrun. | ||
14 | |||
15 | Note that the buffer overrun is only a read, so I am not sure | ||
16 | if the assertion failure is actually less harmful than the overrun. | ||
17 | |||
18 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
19 | Message-id: 20201201120926.56559-1-pbonzini@redhat.com | ||
20 | Reviewed-by: Kevin Wolf <kwolf@redhat.com> | ||
21 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
22 | |||
23 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=813212288970c39b1800f63e83ac6e96588095c6] | ||
24 | CVE: CVE-2020-29443 | ||
25 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
26 | |||
27 | --- | ||
28 | hw/ide/atapi.c | 2 ++ | ||
29 | 1 file changed, 2 insertions(+) | ||
30 | |||
31 | diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c | ||
32 | index 14a2b0b..e791578 100644 | ||
33 | --- a/hw/ide/atapi.c | ||
34 | +++ b/hw/ide/atapi.c | ||
35 | @@ -276,6 +276,8 @@ void ide_atapi_cmd_reply_end(IDEState *s) | ||
36 | s->packet_transfer_size -= size; | ||
37 | s->elementary_transfer_size -= size; | ||
38 | s->io_buffer_index += size; | ||
39 | + assert(size <= s->io_buffer_total_len); | ||
40 | + assert(s->io_buffer_index <= s->io_buffer_total_len); | ||
41 | |||
42 | /* Some adapters process PIO data right away. In that case, we need | ||
43 | * to avoid mutual recursion between ide_transfer_start | ||
44 | -- | ||
45 | 1.8.3.1 | ||
46 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch new file mode 100644 index 0000000000..f818eb3bf5 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch | |||
@@ -0,0 +1,126 @@ | |||
1 | From ebf101955ce8f8d72fba103b5151115a4335de2c Mon Sep 17 00:00:00 2001 | ||
2 | From: Stefan Hajnoczi <stefanha@redhat.com> | ||
3 | Date: Tue, 6 Oct 2020 10:58:26 +0100 | ||
4 | Subject: [PATCH] virtiofsd: avoid /proc/self/fd tempdir | ||
5 | |||
6 | In order to prevent /proc/self/fd escapes a temporary directory is | ||
7 | created where /proc/self/fd is bind-mounted. This doesn't work on | ||
8 | read-only file systems. | ||
9 | |||
10 | Avoid the temporary directory by bind-mounting /proc/self/fd over /proc. | ||
11 | This does not affect other processes since we remounted / with MS_REC | | ||
12 | MS_SLAVE. /proc must exist and virtiofsd does not use it so it's safe to | ||
13 | do this. | ||
14 | |||
15 | Path traversal can be tested with the following function: | ||
16 | |||
17 | static void test_proc_fd_escape(struct lo_data *lo) | ||
18 | { | ||
19 | int fd; | ||
20 | int level = 0; | ||
21 | ino_t last_ino = 0; | ||
22 | |||
23 | fd = lo->proc_self_fd; | ||
24 | for (;;) { | ||
25 | struct stat st; | ||
26 | |||
27 | if (fstat(fd, &st) != 0) { | ||
28 | perror("fstat"); | ||
29 | return; | ||
30 | } | ||
31 | if (last_ino && st.st_ino == last_ino) { | ||
32 | fprintf(stderr, "inode number unchanged, stopping\n"); | ||
33 | return; | ||
34 | } | ||
35 | last_ino = st.st_ino; | ||
36 | |||
37 | fprintf(stderr, "Level %d dev %lu ino %lu\n", level, | ||
38 | (unsigned long)st.st_dev, | ||
39 | (unsigned long)last_ino); | ||
40 | fd = openat(fd, "..", O_PATH | O_DIRECTORY | O_NOFOLLOW); | ||
41 | level++; | ||
42 | } | ||
43 | } | ||
44 | |||
45 | Before and after this patch only Level 0 is displayed. Without | ||
46 | /proc/self/fd bind-mount protection it is possible to traverse parent | ||
47 | directories. | ||
48 | |||
49 | Fixes: 397ae982f4df4 ("virtiofsd: jail lo->proc_self_fd") | ||
50 | Cc: Miklos Szeredi <mszeredi@redhat.com> | ||
51 | Cc: Jens Freimann <jfreimann@redhat.com> | ||
52 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
53 | Message-Id: <20201006095826.59813-1-stefanha@redhat.com> | ||
54 | Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> | ||
55 | Tested-by: Jens Freimann <jfreimann@redhat.com> | ||
56 | Reviewed-by: Jens Freimann <jfreimann@redhat.com> | ||
57 | Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> | ||
58 | |||
59 | |||
60 | Upstream-Status: Backport | ||
61 | [https://github.com/qemu/qemu/commit/ebf101955ce8f8d72fba103b5151115a4335de2c] | ||
62 | CVE: CVE-2020-35517 | ||
63 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
64 | |||
65 | --- | ||
66 | tools/virtiofsd/passthrough_ll.c | 34 +++++++++++--------------------- | ||
67 | 1 file changed, 11 insertions(+), 23 deletions(-) | ||
68 | |||
69 | diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c | ||
70 | index 477e6ee0b53..ff53df44510 100644 | ||
71 | --- a/tools/virtiofsd/passthrough_ll.c | ||
72 | +++ b/tools/virtiofsd/passthrough_ll.c | ||
73 | @@ -2393,8 +2393,6 @@ static void setup_wait_parent_capabilities(void) | ||
74 | static void setup_namespaces(struct lo_data *lo, struct fuse_session *se) | ||
75 | { | ||
76 | pid_t child; | ||
77 | - char template[] = "virtiofsd-XXXXXX"; | ||
78 | - char *tmpdir; | ||
79 | |||
80 | /* | ||
81 | * Create a new pid namespace for *child* processes. We'll have to | ||
82 | @@ -2458,33 +2456,23 @@ static void setup_namespaces(struct lo_data *lo, struct fuse_session *se) | ||
83 | exit(1); | ||
84 | } | ||
85 | |||
86 | - tmpdir = mkdtemp(template); | ||
87 | - if (!tmpdir) { | ||
88 | - fuse_log(FUSE_LOG_ERR, "tmpdir(%s): %m\n", template); | ||
89 | - exit(1); | ||
90 | - } | ||
91 | - | ||
92 | - if (mount("/proc/self/fd", tmpdir, NULL, MS_BIND, NULL) < 0) { | ||
93 | - fuse_log(FUSE_LOG_ERR, "mount(/proc/self/fd, %s, MS_BIND): %m\n", | ||
94 | - tmpdir); | ||
95 | + /* | ||
96 | + * We only need /proc/self/fd. Prevent ".." from accessing parent | ||
97 | + * directories of /proc/self/fd by bind-mounting it over /proc. Since / was | ||
98 | + * previously remounted with MS_REC | MS_SLAVE this mount change only | ||
99 | + * affects our process. | ||
100 | + */ | ||
101 | + if (mount("/proc/self/fd", "/proc", NULL, MS_BIND, NULL) < 0) { | ||
102 | + fuse_log(FUSE_LOG_ERR, "mount(/proc/self/fd, MS_BIND): %m\n"); | ||
103 | exit(1); | ||
104 | } | ||
105 | |||
106 | - /* Now we can get our /proc/self/fd directory file descriptor */ | ||
107 | - lo->proc_self_fd = open(tmpdir, O_PATH); | ||
108 | + /* Get the /proc (actually /proc/self/fd, see above) file descriptor */ | ||
109 | + lo->proc_self_fd = open("/proc", O_PATH); | ||
110 | if (lo->proc_self_fd == -1) { | ||
111 | - fuse_log(FUSE_LOG_ERR, "open(%s, O_PATH): %m\n", tmpdir); | ||
112 | + fuse_log(FUSE_LOG_ERR, "open(/proc, O_PATH): %m\n"); | ||
113 | exit(1); | ||
114 | } | ||
115 | - | ||
116 | - if (umount2(tmpdir, MNT_DETACH) < 0) { | ||
117 | - fuse_log(FUSE_LOG_ERR, "umount2(%s, MNT_DETACH): %m\n", tmpdir); | ||
118 | - exit(1); | ||
119 | - } | ||
120 | - | ||
121 | - if (rmdir(tmpdir) < 0) { | ||
122 | - fuse_log(FUSE_LOG_ERR, "rmdir(%s): %m\n", tmpdir); | ||
123 | - } | ||
124 | } | ||
125 | |||
126 | /* | ||