diff options
| author | Yogita Urade <yogita.urade@windriver.com> | 2023-09-13 08:02:28 +0000 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2023-09-20 05:23:02 -1000 |
| commit | 190a134f8ed22b4d033231e0dd5b7390b6030b10 (patch) | |
| tree | cff8036fd7217b445b547d011932f74e542a3f71 | |
| parent | 6ebb52f0270981488022c81a4264bd7030b1ec6d (diff) | |
| download | poky-190a134f8ed22b4d033231e0dd5b7390b6030b10.tar.gz | |
qemu: fix CVE-2023-3354
A flaw was found in the QEMU built-in VNC server. When a client connects
to the VNC server, QEMU checks whether the current number of connections
crosses a certain threshold and if so, cleans up the previous connection.
If the previous connection happens to be in the handshake phase and fails,
QEMU cleans up the connection again, resulting in a NULL pointer dereference
issue. This could allow a remote unauthenticated client to cause a denial
of service.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-3354
(From OE-Core rev: 8f0b34f7ad5ef842d60c9b93ce2c6142d3249890)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch | 88 |
2 files changed, 89 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index fbfc9f7499..c8e1d28654 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
| @@ -40,6 +40,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
| 40 | file://CVE-2023-3301.patch \ | 40 | file://CVE-2023-3301.patch \ |
| 41 | file://CVE-2023-3255.patch \ | 41 | file://CVE-2023-3255.patch \ |
| 42 | file://CVE-2023-2861.patch \ | 42 | file://CVE-2023-2861.patch \ |
| 43 | file://CVE-2023-3354.patch \ | ||
| 43 | " | 44 | " |
| 44 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 45 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
| 45 | 46 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch new file mode 100644 index 0000000000..b3958ecbf5 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch | |||
| @@ -0,0 +1,88 @@ | |||
| 1 | From 10be627d2b5ec2d6b3dce045144aa739eef678b4 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Daniel P. Berrangé <berrange@redhat.com> | ||
| 3 | Date: Tue, 12 Sep 2023 06:38:03 +0000 | ||
| 4 | Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake | ||
| 5 | MIME-Version: 1.0 | ||
| 6 | Content-Type: text/plain; charset=UTF-8 | ||
| 7 | Content-Transfer-Encoding: 8bit | ||
| 8 | |||
| 9 | The TLS handshake make take some time to complete, during which time an | ||
| 10 | I/O watch might be registered with the main loop. If the owner of the | ||
| 11 | I/O channel invokes qio_channel_close() while the handshake is waiting | ||
| 12 | to continue the I/O watch must be removed. Failing to remove it will | ||
| 13 | later trigger the completion callback which the owner is not expecting | ||
| 14 | to receive. In the case of the VNC server, this results in a SEGV as | ||
| 15 | vnc_disconnect_start() tries to shutdown a client connection that is | ||
| 16 | already gone / NULL. | ||
| 17 | |||
| 18 | CVE-2023-3354 | ||
| 19 | Reported-by: jiangyegen <jiangyegen@huawei.com> | ||
| 20 | Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> | ||
| 21 | |||
| 22 | CVE: CVE-2023-3354 | ||
| 23 | |||
| 24 | Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4] | ||
| 25 | |||
| 26 | Signed-off-by: Yogita Urade <yogita.urade@windriver.com> | ||
| 27 | --- | ||
| 28 | include/io/channel-tls.h | 1 + | ||
| 29 | io/channel-tls.c | 18 ++++++++++++------ | ||
| 30 | 2 files changed, 13 insertions(+), 6 deletions(-) | ||
| 31 | |||
| 32 | diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h | ||
| 33 | index 5672479e9..ccd510ade 100644 | ||
| 34 | --- a/include/io/channel-tls.h | ||
| 35 | +++ b/include/io/channel-tls.h | ||
| 36 | @@ -48,6 +48,7 @@ struct QIOChannelTLS { | ||
| 37 | QIOChannel *master; | ||
| 38 | QCryptoTLSSession *session; | ||
| 39 | QIOChannelShutdown shutdown; | ||
| 40 | + guint hs_ioc_tag; | ||
| 41 | }; | ||
| 42 | |||
| 43 | /** | ||
| 44 | diff --git a/io/channel-tls.c b/io/channel-tls.c | ||
| 45 | index 4ce890a53..17d73f02e 100644 | ||
| 46 | --- a/io/channel-tls.c | ||
| 47 | +++ b/io/channel-tls.c | ||
| 48 | @@ -195,12 +195,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc, | ||
| 49 | } | ||
| 50 | |||
| 51 | trace_qio_channel_tls_handshake_pending(ioc, status); | ||
| 52 | - qio_channel_add_watch_full(ioc->master, | ||
| 53 | - condition, | ||
| 54 | - qio_channel_tls_handshake_io, | ||
| 55 | - data, | ||
| 56 | - NULL, | ||
| 57 | - context); | ||
| 58 | + ioc->hs_ioc_tag = | ||
| 59 | + qio_channel_add_watch_full(ioc->master, | ||
| 60 | + condition, | ||
| 61 | + qio_channel_tls_handshake_io, | ||
| 62 | + data, | ||
| 63 | + NULL, | ||
| 64 | + context); | ||
| 65 | } | ||
| 66 | } | ||
| 67 | |||
| 68 | @@ -215,6 +216,7 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc, | ||
| 69 | QIOChannelTLS *tioc = QIO_CHANNEL_TLS( | ||
| 70 | qio_task_get_source(task)); | ||
| 71 | |||
| 72 | + tioc->hs_ioc_tag = 0; | ||
| 73 | g_free(data); | ||
| 74 | qio_channel_tls_handshake_task(tioc, task, context); | ||
| 75 | |||
| 76 | @@ -374,6 +376,10 @@ static int qio_channel_tls_close(QIOChannel *ioc, | ||
| 77 | { | ||
| 78 | QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc); | ||
| 79 | |||
| 80 | + if (tioc->hs_ioc_tag) { | ||
| 81 | + g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove); | ||
| 82 | + } | ||
| 83 | + | ||
| 84 | return qio_channel_close(tioc->master, errp); | ||
| 85 | } | ||
| 86 | |||
| 87 | -- | ||
| 88 | 2.35.5 | ||