1 files changed, 126 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch
new file mode 100644
index 0000000000..f818eb3bf5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch
@@ -0,0 +1,126 @@
+From ebf101955ce8f8d72fba103b5151115a4335de2c Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Tue, 6 Oct 2020 10:58:26 +0100
+Subject: [PATCH] virtiofsd: avoid /proc/self/fd tempdir
+In order to prevent /proc/self/fd escapes a temporary directory is
+created where /proc/self/fd is bind-mounted. This doesn't work on
+read-only file systems.
+Avoid the temporary directory by bind-mounting /proc/self/fd over /proc.
+This does not affect other processes since we remounted / with MS_REC |
+MS_SLAVE. /proc must exist and virtiofsd does not use it so it's safe to
+do this.
+Path traversal can be tested with the following function:
+  static void test_proc_fd_escape(struct lo_data *lo)
+  {
+      int fd;
+      int level = 0;
+      ino_t last_ino = 0;
+      fd = lo->proc_self_fd;
+      for (;;) {
+          struct stat st;
+          if (fstat(fd, &st) != 0) {
+              perror("fstat");
+              return;
+          }
+          if (last_ino && st.st_ino == last_ino) {
+              fprintf(stderr, "inode number unchanged, stopping\n");
+              return;
+          }
+          last_ino = st.st_ino;
+          fprintf(stderr, "Level %d dev %lu ino %lu\n", level,
+                  (unsigned long)st.st_dev,
+                  (unsigned long)last_ino);
+          fd = openat(fd, "..", O_PATH | O_DIRECTORY | O_NOFOLLOW);
+          level++;
+      }
+  }
+Before and after this patch only Level 0 is displayed. Without
+/proc/self/fd bind-mount protection it is possible to traverse parent
+directories.
+Fixes: 397ae982f4df4 ("virtiofsd: jail lo->proc_self_fd")
+Cc: Miklos Szeredi <mszeredi@redhat.com>
+Cc: Jens Freimann <jfreimann@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20201006095826.59813-1-stefanha@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Tested-by: Jens Freimann <jfreimann@redhat.com>
+Reviewed-by: Jens Freimann <jfreimann@redhat.com>
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Upstream-Status: Backport
+[https://github.com/qemu/qemu/commit/ebf101955ce8f8d72fba103b5151115a4335de2c]
+CVE: CVE-2020-35517
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ tools/virtiofsd/passthrough_ll.c | 34 +++++++++++---------------------
+ 1 file changed, 11 insertions(+), 23 deletions(-)
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index 477e6ee0b53..ff53df44510 100644
+--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
+@@ -2393,8 +2393,6 @@ static void setup_wait_parent_capabilities(void)
+ static void setup_namespaces(struct lo_data *lo, struct fuse_session *se)
+ {
+     pid_t child;
+-    char template[] = "virtiofsd-XXXXXX";
+-    char *tmpdir;
+ 
+     /*
+      * Create a new pid namespace for *child* processes.  We'll have to
+@@ -2458,33 +2456,23 @@ static void setup_namespaces(struct lo_data *lo, struct fuse_session *se)
+         exit(1);
+     }
+ 
+-    tmpdir = mkdtemp(template);
+-    if (!tmpdir) {
+-        fuse_log(FUSE_LOG_ERR, "tmpdir(%s): %m\n", template);
+-        exit(1);
+-    }
+-
+-    if (mount("/proc/self/fd", tmpdir, NULL, MS_BIND, NULL) < 0) {
+-        fuse_log(FUSE_LOG_ERR, "mount(/proc/self/fd, %s, MS_BIND): %m\n",
+-                 tmpdir);
+    /*
+     * We only need /proc/self/fd. Prevent ".." from accessing parent
+     * directories of /proc/self/fd by bind-mounting it over /proc. Since / was
+     * previously remounted with MS_REC | MS_SLAVE this mount change only
+     * affects our process.
+     */
+    if (mount("/proc/self/fd", "/proc", NULL, MS_BIND, NULL) < 0) {
+        fuse_log(FUSE_LOG_ERR, "mount(/proc/self/fd, MS_BIND): %m\n");
+         exit(1);
+     }
+ 
+-    /* Now we can get our /proc/self/fd directory file descriptor */
+-    lo->proc_self_fd = open(tmpdir, O_PATH);
+    /* Get the /proc (actually /proc/self/fd, see above) file descriptor */
+    lo->proc_self_fd = open("/proc", O_PATH);
+     if (lo->proc_self_fd == -1) {
+-        fuse_log(FUSE_LOG_ERR, "open(%s, O_PATH): %m\n", tmpdir);
+        fuse_log(FUSE_LOG_ERR, "open(/proc, O_PATH): %m\n");
+         exit(1);
+     }
+-
+-    if (umount2(tmpdir, MNT_DETACH) < 0) {
+-        fuse_log(FUSE_LOG_ERR, "umount2(%s, MNT_DETACH): %m\n", tmpdir);
+-        exit(1);
+-    }
+-
+-    if (rmdir(tmpdir) < 0) {
+-        fuse_log(FUSE_LOG_ERR, "rmdir(%s): %m\n", tmpdir);
+-    }
+ }
+ 
+ /*

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch new file mode 100644 index 0000000000..f818eb3bf5 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch
@@ -0,0 +1,126 @@
	1	From ebf101955ce8f8d72fba103b5151115a4335de2c Mon Sep 17 00:00:00 2001
	2	From: Stefan Hajnoczi <stefanha@redhat.com>
	3	Date: Tue, 6 Oct 2020 10:58:26 +0100
	4	Subject: [PATCH] virtiofsd: avoid /proc/self/fd tempdir
	5
	6	In order to prevent /proc/self/fd escapes a temporary directory is
	7	created where /proc/self/fd is bind-mounted. This doesn't work on
	8	read-only file systems.
	9
	10	Avoid the temporary directory by bind-mounting /proc/self/fd over /proc.
	11	This does not affect other processes since we remounted / with MS_REC \|
	12	MS_SLAVE. /proc must exist and virtiofsd does not use it so it's safe to
	13	do this.
	14
	15	Path traversal can be tested with the following function:
	16
	17	static void test_proc_fd_escape(struct lo_data *lo)
	18	{
	19	int fd;
	20	int level = 0;
	21	ino_t last_ino = 0;
	22
	23	fd = lo->proc_self_fd;
	24	for (;;) {
	25	struct stat st;
	26
	27	if (fstat(fd, &st) != 0) {
	28	perror("fstat");
	29	return;
	30	}
	31	if (last_ino && st.st_ino == last_ino) {
	32	fprintf(stderr, "inode number unchanged, stopping\n");
	33	return;
	34	}
	35	last_ino = st.st_ino;
	36
	37	fprintf(stderr, "Level %d dev %lu ino %lu\n", level,
	38	(unsigned long)st.st_dev,
	39	(unsigned long)last_ino);
	40	fd = openat(fd, "..", O_PATH \| O_DIRECTORY \| O_NOFOLLOW);
	41	level++;
	42	}
	43	}
	44
	45	Before and after this patch only Level 0 is displayed. Without
	46	/proc/self/fd bind-mount protection it is possible to traverse parent
	47	directories.
	48
	49	Fixes: 397ae982f4df4 ("virtiofsd: jail lo->proc_self_fd")
	50	Cc: Miklos Szeredi <mszeredi@redhat.com>
	51	Cc: Jens Freimann <jfreimann@redhat.com>
	52	Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
	53	Message-Id: <20201006095826.59813-1-stefanha@redhat.com>
	54	Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
	55	Tested-by: Jens Freimann <jfreimann@redhat.com>
	56	Reviewed-by: Jens Freimann <jfreimann@redhat.com>
	57	Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
	58
	59
	60	Upstream-Status: Backport
	61	[https://github.com/qemu/qemu/commit/ebf101955ce8f8d72fba103b5151115a4335de2c]
	62	CVE: CVE-2020-35517
	63	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	64
	65	---
	66	tools/virtiofsd/passthrough_ll.c \| 34 +++++++++++---------------------
	67	1 file changed, 11 insertions(+), 23 deletions(-)
	68
	69	diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
	70	index 477e6ee0b53..ff53df44510 100644
	71	--- a/tools/virtiofsd/passthrough_ll.c
	72	+++ b/tools/virtiofsd/passthrough_ll.c
	73	@@ -2393,8 +2393,6 @@ static void setup_wait_parent_capabilities(void)
	74	static void setup_namespaces(struct lo_data lo, struct fuse_session se)
	75	{
	76	pid_t child;
	77	- char template[] = "virtiofsd-XXXXXX";
	78	- char *tmpdir;
	79
	80	/*
	81	* Create a new pid namespace for child processes. We'll have to
	82	@@ -2458,33 +2456,23 @@ static void setup_namespaces(struct lo_data lo, struct fuse_session se)
	83	exit(1);
	84	}
	85
	86	- tmpdir = mkdtemp(template);
	87	- if (!tmpdir) {
	88	- fuse_log(FUSE_LOG_ERR, "tmpdir(%s): %m\n", template);
	89	- exit(1);
	90	- }
	91	-
	92	- if (mount("/proc/self/fd", tmpdir, NULL, MS_BIND, NULL) < 0) {
	93	- fuse_log(FUSE_LOG_ERR, "mount(/proc/self/fd, %s, MS_BIND): %m\n",
	94	- tmpdir);
	95	+ /*
	96	+ * We only need /proc/self/fd. Prevent ".." from accessing parent
	97	+ * directories of /proc/self/fd by bind-mounting it over /proc. Since / was
	98	+ * previously remounted with MS_REC \| MS_SLAVE this mount change only
	99	+ * affects our process.
	100	+ */
	101	+ if (mount("/proc/self/fd", "/proc", NULL, MS_BIND, NULL) < 0) {
	102	+ fuse_log(FUSE_LOG_ERR, "mount(/proc/self/fd, MS_BIND): %m\n");
	103	exit(1);
	104	}
	105
	106	- /* Now we can get our /proc/self/fd directory file descriptor */
	107	- lo->proc_self_fd = open(tmpdir, O_PATH);
	108	+ /* Get the /proc (actually /proc/self/fd, see above) file descriptor */
	109	+ lo->proc_self_fd = open("/proc", O_PATH);
	110	if (lo->proc_self_fd == -1) {
	111	- fuse_log(FUSE_LOG_ERR, "open(%s, O_PATH): %m\n", tmpdir);
	112	+ fuse_log(FUSE_LOG_ERR, "open(/proc, O_PATH): %m\n");
	113	exit(1);
	114	}
	115	-
	116	- if (umount2(tmpdir, MNT_DETACH) < 0) {
	117	- fuse_log(FUSE_LOG_ERR, "umount2(%s, MNT_DETACH): %m\n", tmpdir);
	118	- exit(1);
	119	- }
	120	-
	121	- if (rmdir(tmpdir) < 0) {
	122	- fuse_log(FUSE_LOG_ERR, "rmdir(%s): %m\n", tmpdir);
	123	- }
	124	}
	125
	126	/*