2 files changed, 107 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 1d04ad3c67..44d4c9ca2f 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -40,6 +40,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2021-3507_2.patch \
           file://CVE-2021-3929.patch \
           file://CVE-2021-4158.patch \
+           file://CVE-2022-0358.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0358.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0358.patch
new file mode 100644
index 0000000000..8eb1475638
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0358.patch
@@ -0,0 +1,106 @@
+From 4d2558ec9336d3614a43f7437c9cf74793ae3a87 Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Tue, 25 Jan 2022 13:51:14 -0500
+Subject: [PATCH] virtiofsd: Drop membership of all supplementary groups
+ (CVE-2022-0358)
+At the start, drop membership of all supplementary groups. This is
+not required.
+If we have membership of "root" supplementary group and when we switch
+uid/gid using setresuid/setsgid, we still retain membership of existing
+supplemntary groups. And that can allow some operations which are not
+normally allowed.
+For example, if root in guest creates a dir as follows.
+$ mkdir -m 03777 test_dir
+This sets SGID on dir as well as allows unprivileged users to write into
+this dir.
+And now as unprivileged user open file as follows.
+$ su test
+$ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755);
+This will create SGID set executable in test_dir/.
+And that's a problem because now an unpriviliged user can execute it,
+get egid=0 and get access to resources owned by "root" group. This is
+privilege escalation.
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863
+Fixes: CVE-2022-0358
+Reported-by: JIETAO XIAO <shawtao1125@gmail.com>
+Suggested-by: Miklos Szeredi <mszeredi@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Message-Id: <YfBGoriS38eBQrAb@redhat.com>
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+  dgilbert: Fixed missing {}'s style nit
+Upstream-Status: Backport [449e8171f96a6a944d1f3b7d3627ae059eae21ca]
+CVE: CVE-2022-0358
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index 64b5b4fbb..b3d0674f6 100644
+--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
+@@ -54,6 +54,7 @@
+ #include <sys/wait.h>
+ #include <sys/xattr.h>
+ #include <syslog.h>
+#include <grp.h>
+ 
+ #include "qemu/cutils.h"
+ #include "passthrough_helpers.h"
+@@ -1161,6 +1162,30 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
+ #define OURSYS_setresuid SYS_setresuid
+ #endif
+ 
+static void drop_supplementary_groups(void)
+{
+    int ret;
+
+    ret = getgroups(0, NULL);
+    if (ret == -1) {
+        fuse_log(FUSE_LOG_ERR, "getgroups() failed with error=%d:%s\n",
+                 errno, strerror(errno));
+        exit(1);
+    }
+
+    if (!ret) {
+        return;
+    }
+
+    /* Drop all supplementary groups. We should not need it */
+    ret = setgroups(0, NULL);
+    if (ret == -1) {
+        fuse_log(FUSE_LOG_ERR, "setgroups() failed with error=%d:%s\n",
+                 errno, strerror(errno));
+        exit(1);
+    }
+}
+
+ /*
+  * Change to uid/gid of caller so that file is created with
+  * ownership of caller.
+@@ -3926,6 +3951,8 @@ int main(int argc, char *argv[])
+ 
+     qemu_init_exec_dir(argv[0]);
+ 
+    drop_supplementary_groups();
+
+     pthread_mutex_init(&lo.mutex, NULL);
+     lo.inodes = g_hash_table_new(lo_key_hash, lo_key_equal);
+     lo.root.fd = -1;
+-- 
+2.33.0

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 1d04ad3c67..44d4c9ca2f 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -40,6 +40,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
40	file://CVE-2021-3507_2.patch \	40	file://CVE-2021-3507_2.patch \
41	file://CVE-2021-3929.patch \	41	file://CVE-2021-3929.patch \
42	file://CVE-2021-4158.patch \	42	file://CVE-2021-4158.patch \
		43	file://CVE-2022-0358.patch \
43	"	44	"
44	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	45	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
45		46


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0358.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0358.patch new file mode 100644 index 0000000000..8eb1475638 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0358.patch
@@ -0,0 +1,106 @@
		1	From 4d2558ec9336d3614a43f7437c9cf74793ae3a87 Mon Sep 17 00:00:00 2001
		2	From: Vivek Goyal <vgoyal@redhat.com>
		3	Date: Tue, 25 Jan 2022 13:51:14 -0500
		4	Subject: [PATCH] virtiofsd: Drop membership of all supplementary groups
		5	(CVE-2022-0358)
		6
		7	At the start, drop membership of all supplementary groups. This is
		8	not required.
		9
		10	If we have membership of "root" supplementary group and when we switch
		11	uid/gid using setresuid/setsgid, we still retain membership of existing
		12	supplemntary groups. And that can allow some operations which are not
		13	normally allowed.
		14
		15	For example, if root in guest creates a dir as follows.
		16
		17	$ mkdir -m 03777 test_dir
		18
		19	This sets SGID on dir as well as allows unprivileged users to write into
		20	this dir.
		21
		22	And now as unprivileged user open file as follows.
		23
		24	$ su test
		25	$ fd = open("test_dir/priviledge_id", O_RDWR\|O_CREAT\|O_EXCL, 02755);
		26
		27	This will create SGID set executable in test_dir/.
		28
		29	And that's a problem because now an unpriviliged user can execute it,
		30	get egid=0 and get access to resources owned by "root" group. This is
		31	privilege escalation.
		32
		33	Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863
		34	Fixes: CVE-2022-0358
		35	Reported-by: JIETAO XIAO <shawtao1125@gmail.com>
		36	Suggested-by: Miklos Szeredi <mszeredi@redhat.com>
		37	Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
		38	Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
		39	Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
		40	Message-Id: <YfBGoriS38eBQrAb@redhat.com>
		41	Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
		42	dgilbert: Fixed missing {}'s style nit
		43
		44	Upstream-Status: Backport [449e8171f96a6a944d1f3b7d3627ae059eae21ca]
		45	CVE: CVE-2022-0358
		46
		47	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		48	---
		49	tools/virtiofsd/passthrough_ll.c \| 27 +++++++++++++++++++++++++++
		50	1 file changed, 27 insertions(+)
		51
		52	diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
		53	index 64b5b4fbb..b3d0674f6 100644
		54	--- a/tools/virtiofsd/passthrough_ll.c
		55	+++ b/tools/virtiofsd/passthrough_ll.c
		56	@@ -54,6 +54,7 @@
		57	#include <sys/wait.h>
		58	#include <sys/xattr.h>
		59	#include <syslog.h>
		60	+#include <grp.h>
		61
		62	#include "qemu/cutils.h"
		63	#include "passthrough_helpers.h"
		64	@@ -1161,6 +1162,30 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
		65	#define OURSYS_setresuid SYS_setresuid
		66	#endif
		67
		68	+static void drop_supplementary_groups(void)
		69	+{
		70	+ int ret;
		71	+
		72	+ ret = getgroups(0, NULL);
		73	+ if (ret == -1) {
		74	+ fuse_log(FUSE_LOG_ERR, "getgroups() failed with error=%d:%s\n",
		75	+ errno, strerror(errno));
		76	+ exit(1);
		77	+ }
		78	+
		79	+ if (!ret) {
		80	+ return;
		81	+ }
		82	+
		83	+ /* Drop all supplementary groups. We should not need it */
		84	+ ret = setgroups(0, NULL);
		85	+ if (ret == -1) {
		86	+ fuse_log(FUSE_LOG_ERR, "setgroups() failed with error=%d:%s\n",
		87	+ errno, strerror(errno));
		88	+ exit(1);
		89	+ }
		90	+}
		91	+
		92	/*
		93	* Change to uid/gid of caller so that file is created with
		94	* ownership of caller.
		95	@@ -3926,6 +3951,8 @@ int main(int argc, char *argv[])
		96
		97	qemu_init_exec_dir(argv[0]);
		98
		99	+ drop_supplementary_groups();
		100	+
		101	pthread_mutex_init(&lo.mutex, NULL);
		102	lo.inodes = g_hash_table_new(lo_key_hash, lo_key_equal);
		103	lo.root.fd = -1;
		104	--
		105	2.33.0
		106