qemu: fix CVE-2020-29443 CVE-2020-35517

(From OE-Core rev: 3640c0095d13cf9e9b5160920d3f834c417e9f41) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2021-02-10 20:50:47 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-02-26 15:30:39 +0000
commit: 7bec49614cc9d2788394600d5f5cfd6fcd6277cd (patch)
tree: b5d019a9141ac32697e52e68e2122f82229d0b27 /meta
parent: 764b0f9f5ec26602b7d451aa8d4887f95afbea3e (diff)
download: poky-7bec49614cc9d2788394600d5f5cfd6fcd6277cd.tar.gz
3 files changed, 174 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 69b9a5f89e..97f110cde5 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -37,6 +37,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2020-25624.patch \
           file://CVE-2020-25723.patch \
           file://CVE-2020-28916.patch \
+           file://CVE-2020-35517.patch \
+           file://CVE-2020-29443.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
new file mode 100644
index 0000000000..5a3b99bb23
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
@@ -0,0 +1,46 @@
+m 813212288970c39b1800f63e83ac6e96588095c6 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 1 Dec 2020 13:09:26 +0100
+Subject: [PATCH] ide: atapi: assert that the buffer pointer is in range
+A case was reported where s->io_buffer_index can be out of range.
+The report skimped on the details but it seems to be triggered
+by s->lba == -1 on the READ/READ CD paths (e.g. by sending an
+ATAPI command with LBA = 0xFFFFFFFF).  For now paper over it
+with assertions.  The first one ensures that there is no overflow
+when incrementing s->io_buffer_index, the second checks for the
+buffer overrun.
+Note that the buffer overrun is only a read, so I am not sure
+if the assertion failure is actually less harmful than the overrun.
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: 20201201120926.56559-1-pbonzini@redhat.com
+Reviewed-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=813212288970c39b1800f63e83ac6e96588095c6]
+CVE: CVE-2020-29443
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/ide/atapi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
+index 14a2b0b..e791578 100644
+--- a/hw/ide/atapi.c
+++ b/hw/ide/atapi.c
+@@ -276,6 +276,8 @@ void ide_atapi_cmd_reply_end(IDEState *s)
+         s->packet_transfer_size -= size;
+         s->elementary_transfer_size -= size;
+         s->io_buffer_index += size;
+        assert(size <= s->io_buffer_total_len);
+        assert(s->io_buffer_index <= s->io_buffer_total_len);
+ 
+         /* Some adapters process PIO data right away.  In that case, we need
+          * to avoid mutual recursion between ide_transfer_start
+-- 
+1.8.3.1
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch
new file mode 100644
index 0000000000..f818eb3bf5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch
@@ -0,0 +1,126 @@
+From ebf101955ce8f8d72fba103b5151115a4335de2c Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Tue, 6 Oct 2020 10:58:26 +0100
+Subject: [PATCH] virtiofsd: avoid /proc/self/fd tempdir
+In order to prevent /proc/self/fd escapes a temporary directory is
+created where /proc/self/fd is bind-mounted. This doesn't work on
+read-only file systems.
+Avoid the temporary directory by bind-mounting /proc/self/fd over /proc.
+This does not affect other processes since we remounted / with MS_REC |
+MS_SLAVE. /proc must exist and virtiofsd does not use it so it's safe to
+do this.
+Path traversal can be tested with the following function:
+  static void test_proc_fd_escape(struct lo_data *lo)
+  {
+      int fd;
+      int level = 0;
+      ino_t last_ino = 0;
+      fd = lo->proc_self_fd;
+      for (;;) {
+          struct stat st;
+          if (fstat(fd, &st) != 0) {
+              perror("fstat");
+              return;
+          }
+          if (last_ino && st.st_ino == last_ino) {
+              fprintf(stderr, "inode number unchanged, stopping\n");
+              return;
+          }
+          last_ino = st.st_ino;
+          fprintf(stderr, "Level %d dev %lu ino %lu\n", level,
+                  (unsigned long)st.st_dev,
+                  (unsigned long)last_ino);
+          fd = openat(fd, "..", O_PATH | O_DIRECTORY | O_NOFOLLOW);
+          level++;
+      }
+  }
+Before and after this patch only Level 0 is displayed. Without
+/proc/self/fd bind-mount protection it is possible to traverse parent
+directories.
+Fixes: 397ae982f4df4 ("virtiofsd: jail lo->proc_self_fd")
+Cc: Miklos Szeredi <mszeredi@redhat.com>
+Cc: Jens Freimann <jfreimann@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20201006095826.59813-1-stefanha@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Tested-by: Jens Freimann <jfreimann@redhat.com>
+Reviewed-by: Jens Freimann <jfreimann@redhat.com>
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Upstream-Status: Backport
+[https://github.com/qemu/qemu/commit/ebf101955ce8f8d72fba103b5151115a4335de2c]
+CVE: CVE-2020-35517
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ tools/virtiofsd/passthrough_ll.c | 34 +++++++++++---------------------
+ 1 file changed, 11 insertions(+), 23 deletions(-)
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index 477e6ee0b53..ff53df44510 100644
+--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
+@@ -2393,8 +2393,6 @@ static void setup_wait_parent_capabilities(void)
+ static void setup_namespaces(struct lo_data *lo, struct fuse_session *se)
+ {
+     pid_t child;
+-    char template[] = "virtiofsd-XXXXXX";
+-    char *tmpdir;
+ 
+     /*
+      * Create a new pid namespace for *child* processes.  We'll have to
+@@ -2458,33 +2456,23 @@ static void setup_namespaces(struct lo_data *lo, struct fuse_session *se)
+         exit(1);
+     }
+ 
+-    tmpdir = mkdtemp(template);
+-    if (!tmpdir) {
+-        fuse_log(FUSE_LOG_ERR, "tmpdir(%s): %m\n", template);
+-        exit(1);
+-    }
+-
+-    if (mount("/proc/self/fd", tmpdir, NULL, MS_BIND, NULL) < 0) {
+-        fuse_log(FUSE_LOG_ERR, "mount(/proc/self/fd, %s, MS_BIND): %m\n",
+-                 tmpdir);
+    /*
+     * We only need /proc/self/fd. Prevent ".." from accessing parent
+     * directories of /proc/self/fd by bind-mounting it over /proc. Since / was
+     * previously remounted with MS_REC | MS_SLAVE this mount change only
+     * affects our process.
+     */
+    if (mount("/proc/self/fd", "/proc", NULL, MS_BIND, NULL) < 0) {
+        fuse_log(FUSE_LOG_ERR, "mount(/proc/self/fd, MS_BIND): %m\n");
+         exit(1);
+     }
+ 
+-    /* Now we can get our /proc/self/fd directory file descriptor */
+-    lo->proc_self_fd = open(tmpdir, O_PATH);
+    /* Get the /proc (actually /proc/self/fd, see above) file descriptor */
+    lo->proc_self_fd = open("/proc", O_PATH);
+     if (lo->proc_self_fd == -1) {
+-        fuse_log(FUSE_LOG_ERR, "open(%s, O_PATH): %m\n", tmpdir);
+        fuse_log(FUSE_LOG_ERR, "open(/proc, O_PATH): %m\n");
+         exit(1);
+     }
+-
+-    if (umount2(tmpdir, MNT_DETACH) < 0) {
+-        fuse_log(FUSE_LOG_ERR, "umount2(%s, MNT_DETACH): %m\n", tmpdir);
+-        exit(1);
+-    }
+-
+-    if (rmdir(tmpdir) < 0) {
+-        fuse_log(FUSE_LOG_ERR, "rmdir(%s): %m\n", tmpdir);
+-    }
+ }
+ 
+ /*
author	Lee Chee Yang <chee.yang.lee@intel.com>	2021-02-10 20:50:47 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-02-26 15:30:39 +0000
commit	7bec49614cc9d2788394600d5f5cfd6fcd6277cd (patch)
tree	b5d019a9141ac32697e52e68e2122f82229d0b27 /meta
parent	764b0f9f5ec26602b7d451aa8d4887f95afbea3e (diff)
download	poky-7bec49614cc9d2788394600d5f5cfd6fcd6277cd.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 69b9a5f89e..97f110cde5 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -37,6 +37,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
37	file://CVE-2020-25624.patch \	37	file://CVE-2020-25624.patch \
38	file://CVE-2020-25723.patch \	38	file://CVE-2020-25723.patch \
39	file://CVE-2020-28916.patch \	39	file://CVE-2020-28916.patch \
		40	file://CVE-2020-35517.patch \
		41	file://CVE-2020-29443.patch \
40	"	42	"
41	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	43	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
42		44


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch new file mode 100644 index 0000000000..5a3b99bb23 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
@@ -0,0 +1,46 @@
		1
		2	m 813212288970c39b1800f63e83ac6e96588095c6 Mon Sep 17 00:00:00 2001
		3	From: Paolo Bonzini <pbonzini@redhat.com>
		4	Date: Tue, 1 Dec 2020 13:09:26 +0100
		5	Subject: [PATCH] ide: atapi: assert that the buffer pointer is in range
		6
		7	A case was reported where s->io_buffer_index can be out of range.
		8	The report skimped on the details but it seems to be triggered
		9	by s->lba == -1 on the READ/READ CD paths (e.g. by sending an
		10	ATAPI command with LBA = 0xFFFFFFFF). For now paper over it
		11	with assertions. The first one ensures that there is no overflow
		12	when incrementing s->io_buffer_index, the second checks for the
		13	buffer overrun.
		14
		15	Note that the buffer overrun is only a read, so I am not sure
		16	if the assertion failure is actually less harmful than the overrun.
		17
		18	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
		19	Message-id: 20201201120926.56559-1-pbonzini@redhat.com
		20	Reviewed-by: Kevin Wolf <kwolf@redhat.com>
		21	Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
		22
		23	Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=813212288970c39b1800f63e83ac6e96588095c6]
		24	CVE: CVE-2020-29443
		25	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		26
		27	---
		28	hw/ide/atapi.c \| 2 ++
		29	1 file changed, 2 insertions(+)
		30
		31	diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
		32	index 14a2b0b..e791578 100644
		33	--- a/hw/ide/atapi.c
		34	+++ b/hw/ide/atapi.c
		35	@@ -276,6 +276,8 @@ void ide_atapi_cmd_reply_end(IDEState *s)
		36	s->packet_transfer_size -= size;
		37	s->elementary_transfer_size -= size;
		38	s->io_buffer_index += size;
		39	+ assert(size <= s->io_buffer_total_len);
		40	+ assert(s->io_buffer_index <= s->io_buffer_total_len);
		41
		42	/* Some adapters process PIO data right away. In that case, we need
		43	* to avoid mutual recursion between ide_transfer_start
		44	--
		45	1.8.3.1
		46


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch new file mode 100644 index 0000000000..f818eb3bf5 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch
@@ -0,0 +1,126 @@
		1	From ebf101955ce8f8d72fba103b5151115a4335de2c Mon Sep 17 00:00:00 2001
		2	From: Stefan Hajnoczi <stefanha@redhat.com>
		3	Date: Tue, 6 Oct 2020 10:58:26 +0100
		4	Subject: [PATCH] virtiofsd: avoid /proc/self/fd tempdir
		5
		6	In order to prevent /proc/self/fd escapes a temporary directory is
		7	created where /proc/self/fd is bind-mounted. This doesn't work on
		8	read-only file systems.
		9
		10	Avoid the temporary directory by bind-mounting /proc/self/fd over /proc.
		11	This does not affect other processes since we remounted / with MS_REC \|
		12	MS_SLAVE. /proc must exist and virtiofsd does not use it so it's safe to
		13	do this.
		14
		15	Path traversal can be tested with the following function:
		16
		17	static void test_proc_fd_escape(struct lo_data *lo)
		18	{
		19	int fd;
		20	int level = 0;
		21	ino_t last_ino = 0;
		22
		23	fd = lo->proc_self_fd;
		24	for (;;) {
		25	struct stat st;
		26
		27	if (fstat(fd, &st) != 0) {
		28	perror("fstat");
		29	return;
		30	}
		31	if (last_ino && st.st_ino == last_ino) {
		32	fprintf(stderr, "inode number unchanged, stopping\n");
		33	return;
		34	}
		35	last_ino = st.st_ino;
		36
		37	fprintf(stderr, "Level %d dev %lu ino %lu\n", level,
		38	(unsigned long)st.st_dev,
		39	(unsigned long)last_ino);
		40	fd = openat(fd, "..", O_PATH \| O_DIRECTORY \| O_NOFOLLOW);
		41	level++;
		42	}
		43	}
		44
		45	Before and after this patch only Level 0 is displayed. Without
		46	/proc/self/fd bind-mount protection it is possible to traverse parent
		47	directories.
		48
		49	Fixes: 397ae982f4df4 ("virtiofsd: jail lo->proc_self_fd")
		50	Cc: Miklos Szeredi <mszeredi@redhat.com>
		51	Cc: Jens Freimann <jfreimann@redhat.com>
		52	Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
		53	Message-Id: <20201006095826.59813-1-stefanha@redhat.com>
		54	Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
		55	Tested-by: Jens Freimann <jfreimann@redhat.com>
		56	Reviewed-by: Jens Freimann <jfreimann@redhat.com>
		57	Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
		58
		59
		60	Upstream-Status: Backport
		61	[https://github.com/qemu/qemu/commit/ebf101955ce8f8d72fba103b5151115a4335de2c]
		62	CVE: CVE-2020-35517
		63	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		64
		65	---
		66	tools/virtiofsd/passthrough_ll.c \| 34 +++++++++++---------------------
		67	1 file changed, 11 insertions(+), 23 deletions(-)
		68
		69	diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
		70	index 477e6ee0b53..ff53df44510 100644
		71	--- a/tools/virtiofsd/passthrough_ll.c
		72	+++ b/tools/virtiofsd/passthrough_ll.c
		73	@@ -2393,8 +2393,6 @@ static void setup_wait_parent_capabilities(void)
		74	static void setup_namespaces(struct lo_data lo, struct fuse_session se)
		75	{
		76	pid_t child;
		77	- char template[] = "virtiofsd-XXXXXX";
		78	- char *tmpdir;
		79
		80	/*
		81	* Create a new pid namespace for child processes. We'll have to
		82	@@ -2458,33 +2456,23 @@ static void setup_namespaces(struct lo_data lo, struct fuse_session se)
		83	exit(1);
		84	}
		85
		86	- tmpdir = mkdtemp(template);
		87	- if (!tmpdir) {
		88	- fuse_log(FUSE_LOG_ERR, "tmpdir(%s): %m\n", template);
		89	- exit(1);
		90	- }
		91	-
		92	- if (mount("/proc/self/fd", tmpdir, NULL, MS_BIND, NULL) < 0) {
		93	- fuse_log(FUSE_LOG_ERR, "mount(/proc/self/fd, %s, MS_BIND): %m\n",
		94	- tmpdir);
		95	+ /*
		96	+ * We only need /proc/self/fd. Prevent ".." from accessing parent
		97	+ * directories of /proc/self/fd by bind-mounting it over /proc. Since / was
		98	+ * previously remounted with MS_REC \| MS_SLAVE this mount change only
		99	+ * affects our process.
		100	+ */
		101	+ if (mount("/proc/self/fd", "/proc", NULL, MS_BIND, NULL) < 0) {
		102	+ fuse_log(FUSE_LOG_ERR, "mount(/proc/self/fd, MS_BIND): %m\n");
		103	exit(1);
		104	}
		105
		106	- /* Now we can get our /proc/self/fd directory file descriptor */
		107	- lo->proc_self_fd = open(tmpdir, O_PATH);
		108	+ /* Get the /proc (actually /proc/self/fd, see above) file descriptor */
		109	+ lo->proc_self_fd = open("/proc", O_PATH);
		110	if (lo->proc_self_fd == -1) {
		111	- fuse_log(FUSE_LOG_ERR, "open(%s, O_PATH): %m\n", tmpdir);
		112	+ fuse_log(FUSE_LOG_ERR, "open(/proc, O_PATH): %m\n");
		113	exit(1);
		114	}
		115	-
		116	- if (umount2(tmpdir, MNT_DETACH) < 0) {
		117	- fuse_log(FUSE_LOG_ERR, "umount2(%s, MNT_DETACH): %m\n", tmpdir);
		118	- exit(1);
		119	- }
		120	-
		121	- if (rmdir(tmpdir) < 0) {
		122	- fuse_log(FUSE_LOG_ERR, "rmdir(%s): %m\n", tmpdir);
		123	- }
		124	}
		125
		126	/*