| author | Vivek Kumbhar <vkumbhar@mvista.com> | 2023-08-10 15:11:02 +0530 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2023-08-19 05:56:58 -1000 |
| commit | ab548842efd4d4e238880a88ac9de5ddb7d27798 (patch) | |
| tree | fb178635fcd657d2e4bb54a94fe874d9d2402e64 | |
| parent | 4869a1f60e31a31d1d5296e93a3f76af4c06f28b (diff) | |
| download | poky-ab548842efd4d4e238880a88ac9de5ddb7d27798.tar.gz | |
qemu: fix CVE-2023-3354 VNC: improper I/O watch removal in TLS handshake can lead to remote unauthenticated denial of service
(From OE-Core rev: 42859fe600e5dddba3c51fa8d1e680721b73e5dc)
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch | 87 |
2 files changed, 88 insertions, 0 deletions
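--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -98,6 +98,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://CVE-2023-3255.patch \
 file://CVE-2023-2861.patch \
 file://CVE-2020-14394.patch \
+file://CVE-2023-3354.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 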
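--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch
@@ -0,0 +1,87 @@
+From 10be627d2b5ec2d6b3dce045144aa739eef678b4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 20 Jun 2023 09:45:34 +0100
+Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The TLS handshake make take some time to complete, during which time an
+I/O watch might be registered with the main loop. If the owner of the
+I/O channel invokes qio_channel_close() while the handshake is waiting
+to continue the I/O watch must be removed. Failing to remove it will
+later trigger the completion callback which the owner is not expecting
+to receive. In the case of the VNC server, this results in a SEGV as
+vnc_disconnect_start() tries to shutdown a client connection that is
+already gone / NULL.
+
+CVE-2023-3354
+Reported-by: jiangyegen <jiangyegen@huawei.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4]
+CVE: CVE-2023-3354
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ include/io/channel-tls.h | 1 +
+ io/channel-tls.c | 18 ++++++++++++------
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h
+index 5672479e9..26c67f17e 100644
+--- a/include/io/channel-tls.h
++++ b/include/io/channel-tls.h
+@@ -48,6 +48,7 @@ struct QIOChannelTLS {
+QIOChannel *master;
+QCryptoTLSSession *session;
+QIOChannelShutdown shutdown;
++ guint hs_ioc_tag;
+};
+
+/**
+diff --git a/io/channel-tls.c b/io/channel-tls.c
+index 2ae1b92fc..34476e6b7 100644
+--- a/io/channel-tls.c
++++ b/io/channel-tls.c
+@@ -195,12 +195,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc,
+}
+
+trace_qio_channel_tls_handshake_pending(ioc, status);
+- qio_channel_add_watch_full(ioc->master,
+- condition,
+- qio_channel_tls_handshake_io,
+- data,
+- NULL,
+- context);
++ ioc->hs_ioc_tag =
++ qio_channel_add_watch_full(ioc->master,
++ condition,
++ qio_channel_tls_handshake_io,
++ data,
++ NULL,
++ context);
+}
+}
+
+@@ -215,6 +216,7 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc,
+QIOChannelTLS *tioc = QIO_CHANNEL_TLS(
+qio_task_get_source(task));
+
++ tioc->hs_ioc_tag = 0;
+g_free(data);
+qio_channel_tls_handshake_task(tioc, task, context);
+
+@@ -373,6 +375,10 @@ static int qio_channel_tls_close(QIOChannel *ioc,
+{
+QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc);
+
++ if (tioc->hs_ioc_tag) {
++ g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove);
++ }
++
+return qio_channel_close(tioc->master, errp);
+}
+
+--
+2.25.1
+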
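Review bot: The `if (tioc->hs_ioc_tag)` guard added in qio_channel_tls_close around the watch removal is redundant, because `g_clear_handle_id()` already does nothing when the handle id is 0 and resets it to 0 after calling the clear function; the close-path addition can be the single line `g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove);`. The new `hs_ioc_tag` member in channel-tls.h carries no comment, although the invariant it encodes — non-zero only while a handshake watch is registered on the master channel, zeroed in qio_channel_tls_handshake_io before the handshake is resumed — is exactly what makes the close path safe; suggest `guint hs_ioc_tag; /* GSource tag of the pending handshake watch, 0 when none */`. Zeroing the tag on entry to the watch callback presumably relies on that callback returning FALSE so GLib drops the source after it fires; the return is not visible in the hunk, and if it ever returned TRUE the source would outlive the tag and close() could no longer remove it, so that should be confirmed. The hunk at @@ -195 starts inside qio_channel_tls_handshake_task, whose beginning lies outside the patch.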
