summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorLee Chee Yang <chee.yang.lee@intel.com>2021-02-10 20:50:47 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-02-26 15:30:39 +0000
commit7bec49614cc9d2788394600d5f5cfd6fcd6277cd (patch)
treeb5d019a9141ac32697e52e68e2122f82229d0b27 /meta
parent764b0f9f5ec26602b7d451aa8d4887f95afbea3e (diff)
downloadpoky-7bec49614cc9d2788394600d5f5cfd6fcd6277cd.tar.gz
qemu: fix CVE-2020-29443 CVE-2020-35517
(From OE-Core rev: 3640c0095d13cf9e9b5160920d3f834c417e9f41) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc2
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch46
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch126
3 files changed, 174 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 69b9a5f89e..97f110cde5 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -37,6 +37,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
37 file://CVE-2020-25624.patch \ 37 file://CVE-2020-25624.patch \
38 file://CVE-2020-25723.patch \ 38 file://CVE-2020-25723.patch \
39 file://CVE-2020-28916.patch \ 39 file://CVE-2020-28916.patch \
40 file://CVE-2020-35517.patch \
41 file://CVE-2020-29443.patch \
40 " 42 "
41UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 43UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
42 44
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
new file mode 100644
index 0000000000..5a3b99bb23
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
@@ -0,0 +1,46 @@
1
2m 813212288970c39b1800f63e83ac6e96588095c6 Mon Sep 17 00:00:00 2001
3From: Paolo Bonzini <pbonzini@redhat.com>
4Date: Tue, 1 Dec 2020 13:09:26 +0100
5Subject: [PATCH] ide: atapi: assert that the buffer pointer is in range
6
7A case was reported where s->io_buffer_index can be out of range.
8The report skimped on the details but it seems to be triggered
9by s->lba == -1 on the READ/READ CD paths (e.g. by sending an
10ATAPI command with LBA = 0xFFFFFFFF). For now paper over it
11with assertions. The first one ensures that there is no overflow
12when incrementing s->io_buffer_index, the second checks for the
13buffer overrun.
14
15Note that the buffer overrun is only a read, so I am not sure
16if the assertion failure is actually less harmful than the overrun.
17
18Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
19Message-id: 20201201120926.56559-1-pbonzini@redhat.com
20Reviewed-by: Kevin Wolf <kwolf@redhat.com>
21Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
22
23Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=813212288970c39b1800f63e83ac6e96588095c6]
24CVE: CVE-2020-29443
25Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
26
27---
28 hw/ide/atapi.c | 2 ++
29 1 file changed, 2 insertions(+)
30
31diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
32index 14a2b0b..e791578 100644
33--- a/hw/ide/atapi.c
34+++ b/hw/ide/atapi.c
35@@ -276,6 +276,8 @@ void ide_atapi_cmd_reply_end(IDEState *s)
36 s->packet_transfer_size -= size;
37 s->elementary_transfer_size -= size;
38 s->io_buffer_index += size;
39+ assert(size <= s->io_buffer_total_len);
40+ assert(s->io_buffer_index <= s->io_buffer_total_len);
41
42 /* Some adapters process PIO data right away. In that case, we need
43 * to avoid mutual recursion between ide_transfer_start
44--
451.8.3.1
46
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch
new file mode 100644
index 0000000000..f818eb3bf5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch
@@ -0,0 +1,126 @@
1From ebf101955ce8f8d72fba103b5151115a4335de2c Mon Sep 17 00:00:00 2001
2From: Stefan Hajnoczi <stefanha@redhat.com>
3Date: Tue, 6 Oct 2020 10:58:26 +0100
4Subject: [PATCH] virtiofsd: avoid /proc/self/fd tempdir
5
6In order to prevent /proc/self/fd escapes a temporary directory is
7created where /proc/self/fd is bind-mounted. This doesn't work on
8read-only file systems.
9
10Avoid the temporary directory by bind-mounting /proc/self/fd over /proc.
11This does not affect other processes since we remounted / with MS_REC |
12MS_SLAVE. /proc must exist and virtiofsd does not use it so it's safe to
13do this.
14
15Path traversal can be tested with the following function:
16
17 static void test_proc_fd_escape(struct lo_data *lo)
18 {
19 int fd;
20 int level = 0;
21 ino_t last_ino = 0;
22
23 fd = lo->proc_self_fd;
24 for (;;) {
25 struct stat st;
26
27 if (fstat(fd, &st) != 0) {
28 perror("fstat");
29 return;
30 }
31 if (last_ino && st.st_ino == last_ino) {
32 fprintf(stderr, "inode number unchanged, stopping\n");
33 return;
34 }
35 last_ino = st.st_ino;
36
37 fprintf(stderr, "Level %d dev %lu ino %lu\n", level,
38 (unsigned long)st.st_dev,
39 (unsigned long)last_ino);
40 fd = openat(fd, "..", O_PATH | O_DIRECTORY | O_NOFOLLOW);
41 level++;
42 }
43 }
44
45Before and after this patch only Level 0 is displayed. Without
46/proc/self/fd bind-mount protection it is possible to traverse parent
47directories.
48
49Fixes: 397ae982f4df4 ("virtiofsd: jail lo->proc_self_fd")
50Cc: Miklos Szeredi <mszeredi@redhat.com>
51Cc: Jens Freimann <jfreimann@redhat.com>
52Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
53Message-Id: <20201006095826.59813-1-stefanha@redhat.com>
54Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
55Tested-by: Jens Freimann <jfreimann@redhat.com>
56Reviewed-by: Jens Freimann <jfreimann@redhat.com>
57Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
58
59
60Upstream-Status: Backport
61[https://github.com/qemu/qemu/commit/ebf101955ce8f8d72fba103b5151115a4335de2c]
62CVE: CVE-2020-35517
63Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
64
65---
66 tools/virtiofsd/passthrough_ll.c | 34 +++++++++++---------------------
67 1 file changed, 11 insertions(+), 23 deletions(-)
68
69diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
70index 477e6ee0b53..ff53df44510 100644
71--- a/tools/virtiofsd/passthrough_ll.c
72+++ b/tools/virtiofsd/passthrough_ll.c
73@@ -2393,8 +2393,6 @@ static void setup_wait_parent_capabilities(void)
74 static void setup_namespaces(struct lo_data *lo, struct fuse_session *se)
75 {
76 pid_t child;
77- char template[] = "virtiofsd-XXXXXX";
78- char *tmpdir;
79
80 /*
81 * Create a new pid namespace for *child* processes. We'll have to
82@@ -2458,33 +2456,23 @@ static void setup_namespaces(struct lo_data *lo, struct fuse_session *se)
83 exit(1);
84 }
85
86- tmpdir = mkdtemp(template);
87- if (!tmpdir) {
88- fuse_log(FUSE_LOG_ERR, "tmpdir(%s): %m\n", template);
89- exit(1);
90- }
91-
92- if (mount("/proc/self/fd", tmpdir, NULL, MS_BIND, NULL) < 0) {
93- fuse_log(FUSE_LOG_ERR, "mount(/proc/self/fd, %s, MS_BIND): %m\n",
94- tmpdir);
95+ /*
96+ * We only need /proc/self/fd. Prevent ".." from accessing parent
97+ * directories of /proc/self/fd by bind-mounting it over /proc. Since / was
98+ * previously remounted with MS_REC | MS_SLAVE this mount change only
99+ * affects our process.
100+ */
101+ if (mount("/proc/self/fd", "/proc", NULL, MS_BIND, NULL) < 0) {
102+ fuse_log(FUSE_LOG_ERR, "mount(/proc/self/fd, MS_BIND): %m\n");
103 exit(1);
104 }
105
106- /* Now we can get our /proc/self/fd directory file descriptor */
107- lo->proc_self_fd = open(tmpdir, O_PATH);
108+ /* Get the /proc (actually /proc/self/fd, see above) file descriptor */
109+ lo->proc_self_fd = open("/proc", O_PATH);
110 if (lo->proc_self_fd == -1) {
111- fuse_log(FUSE_LOG_ERR, "open(%s, O_PATH): %m\n", tmpdir);
112+ fuse_log(FUSE_LOG_ERR, "open(/proc, O_PATH): %m\n");
113 exit(1);
114 }
115-
116- if (umount2(tmpdir, MNT_DETACH) < 0) {
117- fuse_log(FUSE_LOG_ERR, "umount2(%s, MNT_DETACH): %m\n", tmpdir);
118- exit(1);
119- }
120-
121- if (rmdir(tmpdir) < 0) {
122- fuse_log(FUSE_LOG_ERR, "rmdir(%s): %m\n", tmpdir);
123- }
124 }
125
126 /*