qemu: backport patch for ui/clipboard issue

Backported from upstream to fix CVE-2023-6683 (From OE-Core rev: d33a0ef657663faa05448454fad8a004879fe624) Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Simone Weiß <simone.p.weiss@posteo.com> 2024-03-02 16:40:52 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2024-03-03 16:25:20 +0000
commit: 9f60a166460c7c864e969ec4290693c62d6f4484 (patch)
tree: 07aee2629c2f0adb5f68222abc3e49de038eba4e
parent: 282ade0f4be5aa05d1853ef5840971c2451a9346 (diff)
download: poky-9f60a166460c7c864e969ec4290693c62d6f4484.tar.gz
2 files changed, 92 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index b42cc120f1..4501f84c2b 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,6 +39,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://0003-linux-user-Add-strace-for-shmat.patch \
           file://0004-linux-user-Rewrite-target_shmat.patch \
           file://0005-tests-tcg-Check-that-shmat-does-not-break-proc-self-.patch \
+           file://CVE-2023-6683.patch \
           file://qemu-guest-agent.init \
           file://qemu-guest-agent.udev \
           "
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch
new file mode 100644
index 0000000000..732cb6af18
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch
@@ -0,0 +1,91 @@
+From 405484b29f6548c7b86549b0f961b906337aa68a Mon Sep 17 00:00:00 2001
+From: Fiona Ebner <f.ebner@proxmox.com>
+Date: Wed, 24 Jan 2024 11:57:48 +0100
+Subject: [PATCH] ui/clipboard: mark type as not available when there is no
+ data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+With VNC, a client can send a non-extended VNC_MSG_CLIENT_CUT_TEXT
+message with len=0. In qemu_clipboard_set_data(), the clipboard info
+will be updated setting data to NULL (because g_memdup(data, size)
+returns NULL when size is 0). If the client does not set the
+VNC_ENCODING_CLIPBOARD_EXT feature when setting up the encodings, then
+the 'request' callback for the clipboard peer is not initialized.
+Later, because data is NULL, qemu_clipboard_request() can be reached
+via vdagent_chr_write() and vdagent_clipboard_recv_request() and
+there, the clipboard owner's 'request' callback will be attempted to
+be called, but that is a NULL pointer.
+In particular, this can happen when using the KRDC (22.12.3) VNC
+client.
+Another scenario leading to the same issue is with two clients (say
+noVNC and KRDC):
+The noVNC client sets the extension VNC_FEATURE_CLIPBOARD_EXT and
+initializes its cbpeer.
+The KRDC client does not, but triggers a vnc_client_cut_text() (note
+it's not the _ext variant)). There, a new clipboard info with it as
+the 'owner' is created and via qemu_clipboard_set_data() is called,
+which in turn calls qemu_clipboard_update() with that info.
+In qemu_clipboard_update(), the notifier for the noVNC client will be
+called, i.e. vnc_clipboard_notify() and also set vs->cbinfo for the
+noVNC client. The 'owner' in that clipboard info is the clipboard peer
+for the KRDC client, which did not initialize the 'request' function.
+That sounds correct to me, it is the owner of that clipboard info.
+Then when noVNC sends a VNC_MSG_CLIENT_CUT_TEXT message (it did set
+the VNC_FEATURE_CLIPBOARD_EXT feature correctly, so a check for it
+passes), that clipboard info is passed to qemu_clipboard_request() and
+the original segfault still happens.
+Fix the issue by handling updates with size 0 differently. In
+particular, mark in the clipboard info that the type is not available.
+While at it, switch to g_memdup2(), because g_memdup() is deprecated.
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2023-6683
+Reported-by: Markus Frank <m.frank@proxmox.com>
+Suggested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Tested-by: Markus Frank <m.frank@proxmox.com>
+Message-ID: <20240124105749.204610-1-f.ebner@proxmox.com>
+CVE: CVE-2023-6683
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/405484b29f6548c7b86549b0f961b906337aa68a]
+Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
+---
+ ui/clipboard.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+diff --git a/ui/clipboard.c b/ui/clipboard.c
+index 3d14bffaf80f..b3f6fa3c9e1f 100644
+--- a/ui/clipboard.c
+++ b/ui/clipboard.c
+@@ -163,9 +163,15 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer,
+     }
+ 
+     g_free(info->types[type].data);
+-    info->types[type].data = g_memdup(data, size);
+-    info->types[type].size = size;
+-    info->types[type].available = true;
+    if (size) {
+        info->types[type].data = g_memdup2(data, size);
+        info->types[type].size = size;
+        info->types[type].available = true;
+    } else {
+        info->types[type].data = NULL;
+        info->types[type].size = 0;
+        info->types[type].available = false;
+    }
+ 
+     if (update) {
+         qemu_clipboard_update(info);
author	Simone Weiß <simone.p.weiss@posteo.com>	2024-03-02 16:40:52 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2024-03-03 16:25:20 +0000
commit	9f60a166460c7c864e969ec4290693c62d6f4484 (patch)
tree	07aee2629c2f0adb5f68222abc3e49de038eba4e
parent	282ade0f4be5aa05d1853ef5840971c2451a9346 (diff)
download	poky-9f60a166460c7c864e969ec4290693c62d6f4484.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index b42cc120f1..4501f84c2b 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,6 +39,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
39	file://0003-linux-user-Add-strace-for-shmat.patch \	39	file://0003-linux-user-Add-strace-for-shmat.patch \
40	file://0004-linux-user-Rewrite-target_shmat.patch \	40	file://0004-linux-user-Rewrite-target_shmat.patch \
41	file://0005-tests-tcg-Check-that-shmat-does-not-break-proc-self-.patch \	41	file://0005-tests-tcg-Check-that-shmat-does-not-break-proc-self-.patch \
		42	file://CVE-2023-6683.patch \
42	file://qemu-guest-agent.init \	43	file://qemu-guest-agent.init \
43	file://qemu-guest-agent.udev \	44	file://qemu-guest-agent.udev \
44	"	45	"


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch new file mode 100644 index 0000000000..732cb6af18 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch
@@ -0,0 +1,91 @@
		1	From 405484b29f6548c7b86549b0f961b906337aa68a Mon Sep 17 00:00:00 2001
		2	From: Fiona Ebner <f.ebner@proxmox.com>
		3	Date: Wed, 24 Jan 2024 11:57:48 +0100
		4	Subject: [PATCH] ui/clipboard: mark type as not available when there is no
		5	data
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	With VNC, a client can send a non-extended VNC_MSG_CLIENT_CUT_TEXT
		11	message with len=0. In qemu_clipboard_set_data(), the clipboard info
		12	will be updated setting data to NULL (because g_memdup(data, size)
		13	returns NULL when size is 0). If the client does not set the
		14	VNC_ENCODING_CLIPBOARD_EXT feature when setting up the encodings, then
		15	the 'request' callback for the clipboard peer is not initialized.
		16	Later, because data is NULL, qemu_clipboard_request() can be reached
		17	via vdagent_chr_write() and vdagent_clipboard_recv_request() and
		18	there, the clipboard owner's 'request' callback will be attempted to
		19	be called, but that is a NULL pointer.
		20
		21	In particular, this can happen when using the KRDC (22.12.3) VNC
		22	client.
		23
		24	Another scenario leading to the same issue is with two clients (say
		25	noVNC and KRDC):
		26
		27	The noVNC client sets the extension VNC_FEATURE_CLIPBOARD_EXT and
		28	initializes its cbpeer.
		29
		30	The KRDC client does not, but triggers a vnc_client_cut_text() (note
		31	it's not the _ext variant)). There, a new clipboard info with it as
		32	the 'owner' is created and via qemu_clipboard_set_data() is called,
		33	which in turn calls qemu_clipboard_update() with that info.
		34
		35	In qemu_clipboard_update(), the notifier for the noVNC client will be
		36	called, i.e. vnc_clipboard_notify() and also set vs->cbinfo for the
		37	noVNC client. The 'owner' in that clipboard info is the clipboard peer
		38	for the KRDC client, which did not initialize the 'request' function.
		39	That sounds correct to me, it is the owner of that clipboard info.
		40
		41	Then when noVNC sends a VNC_MSG_CLIENT_CUT_TEXT message (it did set
		42	the VNC_FEATURE_CLIPBOARD_EXT feature correctly, so a check for it
		43	passes), that clipboard info is passed to qemu_clipboard_request() and
		44	the original segfault still happens.
		45
		46	Fix the issue by handling updates with size 0 differently. In
		47	particular, mark in the clipboard info that the type is not available.
		48
		49	While at it, switch to g_memdup2(), because g_memdup() is deprecated.
		50
		51	Cc: qemu-stable@nongnu.org
		52	Fixes: CVE-2023-6683
		53	Reported-by: Markus Frank <m.frank@proxmox.com>
		54	Suggested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
		55	Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
		56	Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
		57	Tested-by: Markus Frank <m.frank@proxmox.com>
		58	Message-ID: <20240124105749.204610-1-f.ebner@proxmox.com>
		59
		60	CVE: CVE-2023-6683
		61
		62	Upstream-Status: Backport [https://github.com/qemu/qemu/commit/405484b29f6548c7b86549b0f961b906337aa68a]
		63	Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
		64
		65	---
		66	ui/clipboard.c \| 12 +++++++++---
		67	1 file changed, 9 insertions(+), 3 deletions(-)
		68
		69	diff --git a/ui/clipboard.c b/ui/clipboard.c
		70	index 3d14bffaf80f..b3f6fa3c9e1f 100644
		71	--- a/ui/clipboard.c
		72	+++ b/ui/clipboard.c
		73	@@ -163,9 +163,15 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer,
		74	}
		75
		76	g_free(info->types[type].data);
		77	- info->types[type].data = g_memdup(data, size);
		78	- info->types[type].size = size;
		79	- info->types[type].available = true;
		80	+ if (size) {
		81	+ info->types[type].data = g_memdup2(data, size);
		82	+ info->types[type].size = size;
		83	+ info->types[type].available = true;
		84	+ } else {
		85	+ info->types[type].data = NULL;
		86	+ info->types[type].size = 0;
		87	+ info->types[type].available = false;
		88	+ }
		89
		90	if (update) {
		91	qemu_clipboard_update(info);