From e3dfe53a334cd952cc2194fd3baad6d082659b7e Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Wed, 29 May 2019 11:14:38 -0700 Subject: qemu: Several CVE fixes Source: qemu.org MR: 97258, 97342, 97438, 97443 Type: Security Fix Disposition: Backport from git.qemu.org/qemu.git ChangeID: a5e9fd03ca5bebc880dcc3c4567e10a9ae47dba5 Description: These issues affect qemu < 3.1.0 Fixes: CVE-2018-16867 CVE-2018-16872 CVE-2018-18849 CVE-2018-19364 Signed-off-by: Armin Kuster Signed-off-by: Armin Kuster --- .../qemu/qemu/CVE-2018-16867.patch | 49 +++++++++ .../qemu/qemu/CVE-2018-16872.patch | 89 ++++++++++++++++ .../qemu/qemu/CVE-2018-18849.patch | 86 +++++++++++++++ .../qemu/qemu/CVE-2018-19364_p1.patch | 51 +++++++++ .../qemu/qemu/CVE-2018-19364_p2.patch | 115 +++++++++++++++++++++ meta/recipes-devtools/qemu/qemu_3.0.0.bb | 5 + 6 files changed, 395 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch (limited to 'meta') diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch new file mode 100644 index 0000000000..644459e5af --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch 
@@ -0,0 +1,49 @@ +From 61f87388af0af72ad61dee00ddd267b8047049f2 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 3 Dec 2018 11:10:45 +0100 +Subject: [PATCH] usb-mtp: outlaw slashes in filenames +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Slash is unix directory separator, so they are not allowed in filenames. +Note this also stops the classic escape via "../". + +Fixes: CVE-2018-16867 +Reported-by: Michael Hanselmann +Signed-off-by: Gerd Hoffmann +Reviewed-by: Philippe Mathieu-Daudé +Message-id: 20181203101045.27976-3-kraxel@redhat.com +(cherry picked from commit c52d46e041b42bb1ee6f692e00a0abe37a9659f6) +Signed-off-by: Michael Roth + +Upstream-Status: Backport +CVE: CVE-2018-16867 +Affects: < 3.1.0 + +Signed-off-by: Armin Kuster + +--- + hw/usb/dev-mtp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c +index 1ded7ac..899c8a3 100644 +--- a/hw/usb/dev-mtp.c ++++ b/hw/usb/dev-mtp.c +@@ -1667,6 +1667,12 @@ static void usb_mtp_write_metadata(MTPState *s) + + utf16_to_str(dataset->length, dataset->filename, filename); + ++ if (strchr(filename, '/')) { ++ usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans, ++ 0, 0, 0, 0); ++ return; ++ } ++ + o = usb_mtp_object_lookup_name(p, filename, dataset->length); + if (o != NULL) { + next_handle = o->handle; +-- +2.7.4 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch new file mode 100644 index 0000000000..9f2c5d3ec1 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch 
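Review bot: The new guard in usb_mtp_write_metadata rejects any '/' in the converted filename but cannot catch the names `.` and `..` on their own, and whether the later lookup/create path tolerates those names is not visible in this hunk; a defensive extension such as `if (strchr(filename, '/') || !strcmp(filename, ".") || !strcmp(filename, ".."))` would make the intent explicit. Since this file is a verbatim backport of upstream c52d46e041b4, any such hardening belongs upstream first rather than in the recipe's copy of the patch. usb_mtp_write_metadata starts and ends outside the hunk.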
@@ -0,0 +1,89 @@ +From 7347a04da35ec6284ce83e8bcd72dc4177d17b10 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Thu, 13 Dec 2018 13:25:11 +0100 +Subject: [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC. + +Open files and directories with O_NOFOLLOW to avoid symlinks attacks. +While being at it also add O_CLOEXEC. + +usb-mtp only handles regular files and directories and ignores +everything else, so users should not see a difference. + +Because qemu ignores symlinks, carrying out a successful symlink attack +requires swapping an existing file or directory below rootdir for a +symlink and winning the race against the inotify notification to qemu. + +Fixes: CVE-2018-16872 +Cc: Prasad J Pandit +Cc: Bandan Das +Reported-by: Michael Hanselmann +Signed-off-by: Gerd Hoffmann +Reviewed-by: Michael Hanselmann +Message-id: 20181213122511.13853-1-kraxel@redhat.com +(cherry picked from commit bab9df35ce73d1c8e19a37e2737717ea1c984dc1) +Signed-off-by: Michael Roth + +Upstream-Status: Backport +CVE: CVE-2018-16872 +Affects: < 3.1.0 + +Signed-off-by: Armin Kuster + +--- + hw/usb/dev-mtp.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c +index 899c8a3..f4223fb 100644 +--- a/hw/usb/dev-mtp.c ++++ b/hw/usb/dev-mtp.c +@@ -649,13 +649,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o) + { + struct dirent *entry; + DIR *dir; ++ int fd; + + if (o->have_children) { + return; + } + o->have_children = true; + +- dir = opendir(o->path); ++ fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW); ++ if (fd < 0) { ++ return; ++ } ++ dir = fdopendir(fd); + if (!dir) { + return; + } +@@ -1003,7 +1008,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c, + + trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path); + +- d->fd = open(o->path, O_RDONLY); ++ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); + if (d->fd == -1) { + usb_mtp_data_free(d); + return NULL; +@@ -1027,7 
+1032,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c, + c->argv[1], c->argv[2]); + + d = usb_mtp_data_alloc(c); +- d->fd = open(o->path, O_RDONLY); ++ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); + if (d->fd == -1) { + usb_mtp_data_free(d); + return NULL; +@@ -1608,7 +1613,7 @@ static void usb_mtp_write_data(MTPState *s) + 0, 0, 0, 0); + goto done; + } +- d->fd = open(path, O_CREAT | O_WRONLY, mask); ++ d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask); + if (d->fd == -1) { + usb_mtp_queue_result(s, RES_STORE_FULL, d->trans, + 0, 0, 0, 0); +-- +2.7.4 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch new file mode 100644 index 0000000000..b632512e8b --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch 
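Review bot: In the usb_mtp_object_readdir change the descriptor returned by `open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW)` is leaked when `fdopendir(fd)` fails, because the following `if (!dir) { return; }` never closes it; the early return should read `if (!dir) { close(fd); return; }`. Note also that O_NOFOLLOW refuses a symlink only as the final path component, so the description's symlink claim holds for the last component of o->path and of the write path only; intermediate components are still resolved normally. Both points concern the upstream code carried by this backport (cherry-picked from bab9df35ce73), so a fix would go upstream first. usb_mtp_object_readdir continues past the hunk.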
@@ -0,0 +1,86 @@ +From bd6dd4eaa6f7fe0c4d797d4e59803d295313b7a7 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Sat, 27 Oct 2018 01:13:14 +0530 +Subject: [PATCH] lsi53c895a: check message length value is valid + +While writing a message in 'lsi_do_msgin', message length value +in 'msg_len' could be invalid due to an invalid migration stream. +Add an assertion to avoid an out of bounds access, and reject +the incoming migration data if it contains an invalid message +length. + +Discovered by Deja vu Security. Reported by Oracle. + +Signed-off-by: Prasad J Pandit +Message-Id: <20181026194314.18663-1-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +(cherry picked from commit e58ccf039650065a9442de43c9816f81e88f27f6) +*CVE-2018-18849 +*avoid context dep. on c921370b22c +Signed-off-by: Michael Roth + +Upstream-Status: Backport +Affects: < 3.1.0 +CVE: CVE-2018-18849 +Signed-off-by: Armin Kuster + +--- + hw/scsi/lsi53c895a.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 160657f..3758635 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -865,10 +865,11 @@ static void lsi_do_status(LSIState *s) + + static void lsi_do_msgin(LSIState *s) + { +- int len; ++ uint8_t len; + DPRINTF("Message in len=%d/%d\n", s->dbc, s->msg_len); + s->sfbr = s->msg[0]; + len = s->msg_len; ++ assert(len > 0 && len <= LSI_MAX_MSGIN_LEN); + if (len > s->dbc) + len = s->dbc; + pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len); +@@ -1703,8 +1704,10 @@ static uint8_t lsi_reg_readb(LSIState *s, int offset) + break; + case 0x58: /* SBDL */ + /* Some drivers peek at the data bus during the MSG IN phase. 
*/ +- if ((s->sstat1 & PHASE_MASK) == PHASE_MI) ++ if ((s->sstat1 & PHASE_MASK) == PHASE_MI) { ++ assert(s->msg_len > 0); + return s->msg[0]; ++ } + ret = 0; + break; + case 0x59: /* SBDL high */ +@@ -2096,11 +2099,23 @@ static int lsi_pre_save(void *opaque) + return 0; + } + ++static int lsi_post_load(void *opaque, int version_id) ++{ ++ LSIState *s = opaque; ++ ++ if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) { ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ + static const VMStateDescription vmstate_lsi_scsi = { + .name = "lsiscsi", + .version_id = 0, + .minimum_version_id = 0, + .pre_save = lsi_pre_save, ++ .post_load = lsi_post_load, + .fields = (VMStateField[]) { + VMSTATE_PCI_DEVICE(parent_obj, LSIState), + +-- +2.7.4 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch new file mode 100644 index 0000000000..1d77af4e83 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch 
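Review bot: lsi_post_load accepts `s->msg_len == 0` (it rejects only `< 0` and `> LSI_MAX_MSGIN_LEN`), while the new `assert(len > 0 && len <= LSI_MAX_MSGIN_LEN)` in lsi_do_msgin and `assert(s->msg_len > 0)` in lsi_reg_readb abort on zero; whether a restored state can reach those paths with msg_len zero depends on phase fields not visible here, so this is worth confirming before treating the backport as complete. If zero is legal only outside the MSG IN phase, the load-time check could say so, e.g. `if ((s->sstat1 & PHASE_MASK) == PHASE_MI && s->msg_len == 0) return -EINVAL;`. An assert in device emulation also turns an invalid stream into a process abort rather than a failed migration, which is the trade-off the upstream commit e58ccf039650 chose. The enclosing functions start and end outside their inner hunks.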
@@ -0,0 +1,51 @@ +From 5b76ef50f62079a2389ba28cacaf6cce68b1a0ed Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Wed, 7 Nov 2018 01:00:04 +0100 +Subject: [PATCH] 9p: write lock path in v9fs_co_open2() + +The assumption that the fid cannot be used by any other operation is +wrong. At least, nothing prevents a misbehaving client to create a +file with a given fid, and to pass this fid to some other operation +at the same time (ie, without waiting for the response to the creation +request). The call to v9fs_path_copy() performed by the worker thread +after the file was created can race with any access to the fid path +performed by some other thread. This causes use-after-free issues that +can be detected by ASAN with a custom 9p client. + +Unlike other operations that only read the fid path, v9fs_co_open2() +does modify it. It should hence take the write lock. + +Cc: P J P +Reported-by: zhibin hu +Signed-off-by: Greg Kurz + +Upstream-status: Backport +Affects: < 3.1.0 +CVE: CVE-2018-19364 patch #1 +Signed-off-by: Armin Kuster + +--- + hw/9pfs/cofile.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/hw/9pfs/cofile.c b/hw/9pfs/cofile.c +index 88791bc..9c22837 100644 +--- a/hw/9pfs/cofile.c ++++ b/hw/9pfs/cofile.c +@@ -140,10 +140,10 @@ int coroutine_fn v9fs_co_open2(V9fsPDU *pdu, V9fsFidState *fidp, + cred.fc_gid = gid; + /* + * Hold the directory fid lock so that directory path name +- * don't change. Read lock is fine because this fid cannot +- * be used by any other operation. ++ * don't change. Take the write lock to be sure this fid ++ * cannot be used by another operation. + */ +- v9fs_path_read_lock(s); ++ v9fs_path_write_lock(s); + v9fs_co_run_in_worker( + { + err = s->ops->open2(&s->ctx, &fidp->path, +-- +2.7.4 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch new file mode 100644 index 0000000000..b8d094c0b4 --- /dev/null 
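Review bot: The backport header spells the tag `Upstream-status: Backport` (lowercase s) whereas the other three patches and the OE convention use `Upstream-Status:`; tooling that greps for the canonical spelling may not recognise this one, so the line should read `Upstream-Status: Backport [<upstream commit id>]`. Unlike the first three patches, neither this file nor CVE-2018-19364_p2.patch records a `(cherry picked from commit …)` line, so the upstream commit being backported cannot be traced from the patch itself; the same fix applies there. The read-to-write lock change looks consistent, but the matching v9fs_path_unlock() call in v9fs_co_open2 lies outside the hunk and should be confirmed to be lock-type agnostic.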
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch 
@@ -0,0 +1,115 @@ +From 5b3c77aa581ebb215125c84b0742119483571e55 Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Tue, 20 Nov 2018 13:00:35 +0100 +Subject: [PATCH] 9p: take write lock on fid path updates (CVE-2018-19364) + +Recent commit 5b76ef50f62079a fixed a race where v9fs_co_open2() could +possibly overwrite a fid path with v9fs_path_copy() while it is being +accessed by some other thread, ie, use-after-free that can be detected +by ASAN with a custom 9p client. + +It turns out that the same can happen at several locations where +v9fs_path_copy() is used to set the fid path. The fix is again to +take the write lock. + +Fixes CVE-2018-19364. + +Cc: P J P +Reported-by: zhibin hu +Reviewed-by: Prasad J Pandit +Signed-off-by: Greg Kurz + +Upstream-status: Backport +Affects: < 3.1.0 +CVE: CVE-2018-19364 patch #2 +Signed-off-by: Armin Kuster + +--- + hw/9pfs/9p.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c +index eef289e..267a255 100644 +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c +@@ -1391,7 +1391,9 @@ static void coroutine_fn v9fs_walk(void *opaque) + err = -EINVAL; + goto out; + } ++ v9fs_path_write_lock(s); + v9fs_path_copy(&fidp->path, &path); ++ v9fs_path_unlock(s); + } else { + newfidp = alloc_fid(s, newfid); + if (newfidp == NULL) { +@@ -2160,6 +2162,7 @@ static void coroutine_fn v9fs_create(void *opaque) + V9fsString extension; + int iounit; + V9fsPDU *pdu = opaque; ++ V9fsState *s = pdu->s; + + v9fs_path_init(&path); + v9fs_string_init(&name); +@@ -2200,7 +2203,9 @@ static void coroutine_fn v9fs_create(void *opaque) + if (err < 0) { + goto out; + } ++ v9fs_path_write_lock(s); + v9fs_path_copy(&fidp->path, &path); ++ v9fs_path_unlock(s); + err = v9fs_co_opendir(pdu, fidp); + if (err < 0) { + goto out; +@@ -2216,7 +2221,9 @@ static void coroutine_fn v9fs_create(void *opaque) + if (err < 0) { + goto out; + } ++ v9fs_path_write_lock(s); + v9fs_path_copy(&fidp->path, &path); ++ v9fs_path_unlock(s); + } else if 
(perm & P9_STAT_MODE_LINK) { + int32_t ofid = atoi(extension.data); + V9fsFidState *ofidp = get_fid(pdu, ofid); +@@ -2234,7 +2241,9 @@ static void coroutine_fn v9fs_create(void *opaque) + fidp->fid_type = P9_FID_NONE; + goto out; + } ++ v9fs_path_write_lock(s); + v9fs_path_copy(&fidp->path, &path); ++ v9fs_path_unlock(s); + err = v9fs_co_lstat(pdu, &fidp->path, &stbuf); + if (err < 0) { + fidp->fid_type = P9_FID_NONE; +@@ -2272,7 +2281,9 @@ static void coroutine_fn v9fs_create(void *opaque) + if (err < 0) { + goto out; + } ++ v9fs_path_write_lock(s); + v9fs_path_copy(&fidp->path, &path); ++ v9fs_path_unlock(s); + } else if (perm & P9_STAT_MODE_NAMED_PIPE) { + err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1, + 0, S_IFIFO | (perm & 0777), &stbuf); +@@ -2283,7 +2294,9 @@ static void coroutine_fn v9fs_create(void *opaque) + if (err < 0) { + goto out; + } ++ v9fs_path_write_lock(s); + v9fs_path_copy(&fidp->path, &path); ++ v9fs_path_unlock(s); + } else if (perm & P9_STAT_MODE_SOCKET) { + err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1, + 0, S_IFSOCK | (perm & 0777), &stbuf); +@@ -2294,7 +2307,9 @@ static void coroutine_fn v9fs_create(void *opaque) + if (err < 0) { + goto out; + } ++ v9fs_path_write_lock(s); + v9fs_path_copy(&fidp->path, &path); ++ v9fs_path_unlock(s); + } else { + err = v9fs_co_open2(pdu, fidp, &name, -1, + omode_to_uflags(mode)|O_CREAT, perm, &stbuf); +-- +2.7.4 + diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb index 776548b05a..59cfc38e4b 100644 --- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb +++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb 
@@ -25,6 +25,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2018-17958.patch \ file://CVE-2018-17962.patch \ file://CVE-2018-17963.patch \ + file://CVE-2018-16867.patch \ + file://CVE-2018-16872.patch \ + file://CVE-2018-18849.patch \ + file://CVE-2018-19364_p1.patch \ + file://CVE-2018-19364_p2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" -- cgit 1.2.3-korg