From 2dedc013fc0bc6a9aff998bae9920fbc1efd28d0 Mon Sep 17 00:00:00 2001
From: Cole Robinson
Date: May 29 2012 14:25:50 +0000
Subject: CVE-2011-1750 virtio-blk: heap buffer overflow (bz 698906, bz 698911) CVE-2011-2527 set groups properly for -runas (bz 720773, bz 720784) CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075) virtio-blk: refuse SG_IO requests with scsi=off (bz 770135)
---
diff --git a/qemu-CVE-2011-1750.patch b/qemu-CVE-2011-1750.patch
new file mode 100644
index 0000000..4f0ea2f
--- /dev/null
+++ b/qemu-CVE-2011-1750.patch
@@ -0,0 +1,44 @@
+commit 52c050236eaa4f0b5e1d160cd66dc18106445c4d
+Author: Christoph Hellwig
+Date: Wed Apr 6 20:28:34 2011 +0200
+
+ virtio-blk: fail unaligned requests
+
+ Like all block drivers virtio-blk should not allow small than block size
+ granularity access. But given that the protocol specifies a
+ byte unit length field we currently accept such requests, which cause
+ qemu to abort() in lower layers. Add checks to the main read and
+ write handlers to catch them early.
+
+ Reported-by: Conor Murphy
+ Tested-by: Conor Murphy
+ Signed-off-by: Christoph Hellwig
+ Reviewed-by: Stefan Hajnoczi
+ Signed-off-by: Kevin Wolf
+
+diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
+index b14fb99..91e0394 100644
+--- a/hw/virtio-blk.c
++++ b/hw/virtio-blk.c
+@@ -290,6 +290,10 @@ static void virtio_blk_handle_write(VirtIOBlockReq *req, MultiReqBuffer *mrb)
+ virtio_blk_rw_complete(req, -EIO);
+ return;
+ }
++ if (req->qiov.size % req->dev->conf->logical_block_size) {
++ virtio_blk_rw_complete(req, -EIO);
++ return;
++ }
+
+ if (mrb->num_writes == 32) {
+ virtio_submit_multiwrite(req->dev->bs, mrb);
+@@ -317,6 +321,10 @@ static void virtio_blk_handle_read(VirtIOBlockReq *req)
+ virtio_blk_rw_complete(req, -EIO);
+ return;
+ }
++ if (req->qiov.size % req->dev->conf->logical_block_size) {
++ virtio_blk_rw_complete(req, -EIO);
++ return;
++ }
+
+ acb = bdrv_aio_readv(req->dev->bs, sector, &req->qiov,
+ req->qiov.size / BDRV_SECTOR_SIZE,
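Review bot: The same alignment guard is pasted verbatim into virtio_blk_handle_write and virtio_blk_handle_read with no comment saying why it exists — only the commit message records that the block layer abort()s on sub-block-size lengths. Either add `/* length is byte-granular and guest-controlled; lower layers abort() on sub-block sizes */` above each check, or fold both into one `static bool virtio_blk_req_aligned(VirtIOBlockReq *req)` so the two paths cannot drift apart. The modulo also presumes `req->dev->conf->logical_block_size` is never zero; that is presumably enforced when the device is configured, but nothing in this hunk shows it, so a note to that effect would help the next reader. Both handlers start and end outside the hunk.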
diff --git a/qemu-CVE-2011-2527.patch b/qemu-CVE-2011-2527.patch
new file mode 100644
index 0000000..0ccf3cc
--- /dev/null
+++ b/qemu-CVE-2011-2527.patch
@@ -0,0 +1,41 @@
+commit cc4662f9642995c78bed587707eeb9ad8500035b
+Author: Stefan Hajnoczi
+Date: Sat Jul 9 10:22:07 2011 +0100
+
+ os-posix: set groups properly for -runas
+
+ Andrew Griffiths reports that -runas does not set supplementary group
+ IDs. This means that gid 0 (root) is not dropped when switching to an
+ unprivileged user.
+
+ Add an initgroups(3) call to use the -runas user's /etc/groups
+ membership to update the supplementary group IDs.
+
+ Signed-off-by: Stefan Hajnoczi
+ Acked-by: Chris Wright
+ Signed-off-by: Blue Swirl
+
+diff --git a/os-posix.c b/os-posix.c
+index 7dfb278..6f8d488 100644
+--- a/os-posix.c
++++ b/os-posix.c
+@@ -31,6 +31,7 @@
+ /*needed for MAP_POPULATE before including qemu-options.h */
+ #include
+ #include
++#include
+ #include
+
+ /* Needed early for CONFIG_BSD etc. */
+@@ -199,6 +200,11 @@ static void change_process_uid(void)
+ fprintf(stderr, "Failed to setgid(%d)\n", user_pwd->pw_gid);
+ exit(1);
+ }
++ if (initgroups(user_pwd->pw_name, user_pwd->pw_gid) < 0) {
++ fprintf(stderr, "Failed to initgroups(\"%s\", %d)\n",
++ user_pwd->pw_name, user_pwd->pw_gid);
++ exit(1);
++ }
+ if (setuid(user_pwd->pw_uid) < 0) {
+ fprintf(stderr, "Failed to setuid(%d)\n", user_pwd->pw_uid);
+ exit(1);
diff --git a/qemu-CVE-2012-0029.patch b/qemu-CVE-2012-0029.patch
new file mode 100644
index 0000000..d0c66b5
--- /dev/null
+++ b/qemu-CVE-2012-0029.patch
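Review bot: The setgid → initgroups → setuid order is right (initgroups needs root, so it must precede setuid), but nothing after the setuid call checks that root cannot be regained, and change_process_uid continues past the hunk. The usual belt-and-braces (CERT POS37-C) is, when `user_pwd->pw_uid` is non-zero, `if (setuid(0) != -1) { fprintf(stderr, "Privileges could be restored\n"); exit(1); }` right after the existing setuid check. The new fprintf also prints `pw_gid` with `%d`, which matches the neighbouring messages but is a signed specifier for a gid_t; `%u` with `(unsigned)` casts would be cleaner in all three. Finally, the added `#include` shows no header name in this rendering — it must be `<grp.h>` for initgroups(3); confirm that the patch file itself carries it.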
@@ -0,0 +1,20 @@
+diff -rup qemu-kvm-0.15.1/hw/e1000.c me/hw/e1000.c
+--- qemu-kvm-0.15.1/hw/e1000.c 2011-10-19 09:54:48.000000000 -0400
++++ me/hw/e1000.c 2012-05-29 09:28:15.832104874 -0400
+@@ -472,6 +472,8 @@ process_tx_desc(E1000State *s, struct e1
+ bytes = split_size;
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
++
++ bytes = MIN(sizeof(tp->data) - tp->size, bytes);
+ cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
+ if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
+ memmove(tp->header, tp->data, hdr);
+@@ -487,6 +489,7 @@ process_tx_desc(E1000State *s, struct e1
+ // context descriptor TSE is not set, while data descriptor TSE is set
+ DBGOUT(TXERR, "TCP segmentaion Error\n");
+ } else {
++ split_size = MIN(sizeof(tp->data) - tp->size, split_size);
+ cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
+ tp->size += split_size;
+ }
diff --git a/qemu-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch b/qemu-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
new file mode 100644
index 0000000..cf7f04b
--- /dev/null
+++ b/qemu-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
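Review bot: `sizeof(tp->data) - tp->size` is an unsigned subtraction, so the two new MIN() clamps only bound the copy while `tp->size <= sizeof(tp->data)` already holds; if tp->size — which is accumulated from guest-supplied descriptor lengths — ever exceeded the buffer on some other path, the difference would wrap to a huge value and the clamp would pass the unclamped length straight into cpu_physical_memory_read. The patch keeps that invariant for the two copies shown but never states it; an `assert(tp->size <= sizeof(tp->data));` before each clamp, or at least `/* tp->size is guest-driven; it must never run past tp->data */`, would make the assumption explicit and catch regressions. Truncation is also silent — a `DBGOUT(TXERR, ...)` when the clamp actually shortens the copy would help diagnose a misbehaving guest. process_tx_desc starts and ends outside the hunk, so any other writer of tp->size is not visible here.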
@@ -0,0 +1,111 @@ +From qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org Wed Jan 11 03:51:20 2012 +Return-Path: +Received: from citysiren.linuxtx.org (localhost [127.0.0.1]) + by citysiren.linuxtx.org (8.14.4/8.14.4) with ESMTP id q0B9pIjw017454 + for ; Wed, 11 Jan 2012 03:51:20 -0600 +Delivered-To: jmforbes@linuxtx.org +Received: from gmail-pop.l.google.com [74.125.81.108] + by citysiren.linuxtx.org with POP3 (fetchmail-6.3.20) + for (single-drop); Wed, 11 Jan 2012 03:51:20 -0600 (CST) +Received: by 10.180.102.100 with SMTP id fn4cs34060wib; + Wed, 11 Jan 2012 01:48:56 -0800 (PST) +Received: by 10.224.182.2 with SMTP id ca2mr28967033qab.57.1326275334564; + Wed, 11 Jan 2012 01:48:54 -0800 (PST) +Received: from lists.gnu.org (lists.gnu.org. [140.186.70.17]) + by mx.google.com with ESMTPS id gc3si782557qab.44.2012.01.11.01.48.54 + (version=TLSv1/SSLv3 cipher=OTHER); + Wed, 11 Jan 2012 01:48:54 -0800 (PST) +Received-SPF: pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org designates 140.186.70.17 as permitted sender) client-ip=140.186.70.17; +Authentication-Results: mx.google.com; spf=pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org designates 140.186.70.17 as permitted sender) smtp.mail=qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org +Received: from localhost ([::1]:48473 helo=lists.gnu.org) + by lists.gnu.org with esmtp (Exim 4.71) + (envelope-from ) + id 1Rkund-0003iT-UQ + for jmforbes@linuxtx.org; Wed, 11 Jan 2012 04:48:53 -0500 +Received: from eggs.gnu.org ([140.186.70.92]:40037) + by lists.gnu.org with esmtp (Exim 4.71) + (envelope-from ) id 1RkunV-0003fY-Vl + for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:53 -0500 +Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) + (envelope-from ) id 1RkunQ-0004zL-Nl + for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:45 -0500 +Received: from mx1.redhat.com ([209.132.183.28]:23781) + by eggs.gnu.org with esmtp (Exim 4.71) + 
(envelope-from ) id 1RkunQ-0004vY-3c + for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:40 -0500 +Received: from int-mx11.intmail.prod.int.phx2.redhat.com + (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) + by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q0B9mcYI005348 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) + for ; Wed, 11 Jan 2012 04:48:38 -0500 +Received: from yakj.usersys.redhat.com (ovpn-112-23.ams2.redhat.com + [10.36.112.23]) + by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP + id q0B9magG031084 + for ; Wed, 11 Jan 2012 04:48:37 -0500 +From: Paolo Bonzini +To: qemu-stable@nongnu.org +Date: Wed, 11 Jan 2012 10:48:33 +0100 +Message-Id: <1326275313-15635-1-git-send-email-pbonzini@redhat.com> +X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 +X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3) +X-Received-From: 209.132.183.28 +Subject: [Qemu-stable] [PATCH] virtio-blk: refuse SG_IO requests with + scsi=off +X-BeenThere: qemu-stable@nongnu.org +X-Mailman-Version: 2.1.14 +Precedence: list +List-Id: +List-Unsubscribe: , + +List-Archive: +List-Post: +List-Help: +List-Subscribe: , + +Errors-To: qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org +Sender: qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org +X-UID: 32 +Status: RO +Content-Length: 1003 +Lines: 38 + +QEMU does have a "scsi" option (to be used like -device +virtio-blk-pci,drive=foo,scsi=off). However, it only +masks the feature bit, and does not reject the command +if a malicious guest disregards the feature bits and +issues a request. + +Without this patch, using scsi=off does not protect you +from CVE-2011-4127. 
+ +Signed-off-by: Paolo Bonzini +--- + hw/virtio-blk.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c +index b70d116..6cd3164 100644 +--- a/hw/virtio-blk.c ++++ b/hw/virtio-blk.c +@@ -153,6 +153,12 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req) + int status; + int i; + ++ if ((req->dev->vdev.guest_features & (1 << VIRTIO_BLK_F_SCSI)) == 0) { ++ virtio_blk_req_complete(req, VIRTIO_BLK_S_UNSUPP); ++ qemu_free(req); ++ return; ++ } ++ + /* + * We require at least one output segment each for the virtio_blk_outhdr + * and the SCSI command block. +-- +1.7.7.1 + + + + + + diff --git a/qemu.spec b/qemu.spec index 432daa7..cfb4500 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,7 +1,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 0.14.0 -Release: 8%{?dist} +Release: 9%{?dist} # Epoch because we pushed a qemu-1.0 package Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD @@ -60,6 +60,14 @@ Patch34: 0015-chardev-Allow-frontends-to-notify-backends-of-guest-.patch Patch35: 0016-virtio-console-notify-backend-of-guest-open-close.patch Patch36: 0017-spice-chardev-listen-to-frontend-guest-open-close.patch Patch37: 0018-spice-qemu-char-Fix-flow-control-in-client-guest-dir.patch +# CVE-2011-1750 virtio-blk: heap buffer overflow (bz 698906, bz 698911) +Patch38: %{name}-CVE-2011-1750.patch +# CVE-2011-2527 set groups properly for -runas (bz 720773, bz 720784) +Patch39: %{name}-CVE-2011-2527.patch +# CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075) +Patch40: %{name}-CVE-2012-0029.patch +# virtio-blk: refuse SG_IO requests with scsi=off (bz 770135) +Patch41: %{name}-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) 
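Review bot: The new gate keys on `req->dev->vdev.guest_features`, a value the guest writes during feature negotiation, so it is only a hard stop if the transport masks that write against the features the host actually offers — something this hunk cannot show. After confirming that in the feature-setting path, record it above the check as `/* guest_features is masked against host_features at negotiation, so a guest cannot re-enable SCSI passthrough here */`; otherwise the check would need to test the host-side feature bit instead. The early `virtio_blk_req_complete(req, VIRTIO_BLK_S_UNSUPP); qemu_free(req);` must also mirror what the rest of virtio_blk_handle_scsi does on its other failure returns so req is neither leaked nor double-freed; the function continues outside the hunk, so that could not be verified here.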
@@ -257,6 +265,10 @@ such as kvm_stat.
 %patch35 -p1
 %patch36 -p1
 %patch37 -p1
+%patch38 -p1
+%patch39 -p1
+%patch40 -p1
+%patch41 -p1
 
 %build
 # By default we build everything, but allow x86 to build a minimal version
@@ -561,6 +573,12 @@ fi
 %{_mandir}/man1/qemu-img.1*
 
 %changelog
+* Tue May 29 2012 Cole Robinson - 0.14.0-9
+- CVE-2011-1750 virtio-blk: heap buffer overflow (bz 698906, bz 698911)
+- CVE-2011-2527 set groups properly for -runas (bz 720773, bz 720784)
+- CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075)
+- virtio-blk: refuse SG_IO requests with scsi=off (bz 770135)
+
 * Wed Jun 22 2011 Richard W.M. Jones - 2:0.14.0-8
 - Add BR libattr-devel. This caused the -fstype option to be disabled.
 https://www.redhat.com/archives/libvir-list/2011-June/thread.html#01017