Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch | 89 |
1 files changed, 89 insertions, 0 deletions
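--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch
@@ -0,0 +1,89 @@
+From 7347a04da35ec6284ce83e8bcd72dc4177d17b10 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 13 Dec 2018 13:25:11 +0100
+Subject: [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
+
+Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
+While being at it also add O_CLOEXEC.
+
+usb-mtp only handles regular files and directories and ignores
+everything else, so users should not see a difference.
+
+Because qemu ignores symlinks, carrying out a successful symlink attack
+requires swapping an existing file or directory below rootdir for a
+symlink and winning the race against the inotify notification to qemu.
+
+Fixes: CVE-2018-16872
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: Bandan Das <bsd@redhat.com>
+Reported-by: Michael Hanselmann <public@hansmi.ch>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Michael Hanselmann <public@hansmi.ch>
+Message-id: 20181213122511.13853-1-kraxel@redhat.com
+(cherry picked from commit bab9df35ce73d1c8e19a37e2737717ea1c984dc1)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Upstream-Status: Backport
+CVE: CVE-2018-16872
+Affects: < 3.1.0
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/usb/dev-mtp.c | 13 +++++++++----
+1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
+index 899c8a3..f4223fb 100644
+--- a/hw/usb/dev-mtp.c
++++ b/hw/usb/dev-mtp.c
+@@ -649,13 +649,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
+{
+struct dirent *entry;
+DIR *dir;
++ int fd;
+
+if (o->have_children) {
+return;
+}
+o->have_children = true;
+
+- dir = opendir(o->path);
++ fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
++ if (fd < 0) {
++ return;
++ }
++ dir = fdopendir(fd);
+if (!dir) {
+return;
+}
+@@ -1003,7 +1008,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c,
+
+trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path);
+
+- d->fd = open(o->path, O_RDONLY);
++ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
+if (d->fd == -1) {
+usb_mtp_data_free(d);
+return NULL;
+@@ -1027,7 +1032,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c,
+c->argv[1], c->argv[2]);
+
+d = usb_mtp_data_alloc(c);
+- d->fd = open(o->path, O_RDONLY);
++ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
+if (d->fd == -1) {
+usb_mtp_data_free(d);
+return NULL;
+@@ -1608,7 +1613,7 @@ static void usb_mtp_write_data(MTPState *s)
+0, 0, 0, 0);
+goto done;
+}
+- d->fd = open(path, O_CREAT | O_WRONLY, mask);
++ d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask);
+if (d->fd == -1) {
+usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
+0, 0, 0, 0);
+--
+2.7.4
+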
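Review bot: In the usb_mtp_object_readdir hunk, the descriptor returned by the new `open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW)` is not released when `fdopendir(fd)` fails, because the unchanged `if (!dir) { return; }` branch returns with `fd` still open, so each failure leaks one descriptor in the QEMU process. That branch should close it, `if (!dir) { close(fd); return; }`; on success the DIR stream owns the descriptor and closedir() releases it. Separately, O_NOFOLLOW rejects a symlink only in the final path component, so a parent directory below rootdir that has been replaced by a symlink is presumably still followed; a short comment at the four open() calls stating that limit, such as `/* O_NOFOLLOW covers the last component only; parent directories are still resolved through symlinks */`, would keep the guarantee from being over-read. The body of usb_mtp_object_readdir continues past the end of the hunk.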