CVE-2011-1750 virtio-blk: heap buffer overflow (bz 698906, bz 698911)
CVE-2011-2527 set groups properly for -runas (bz 720773, bz 720784)
CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075)
virtio-blk: refuse SG_IO requests with scsi=off (bz 770135)
parent
a2bc394c0a
commit
2dedc013fc
|
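--- /dev/null
+++ b/qemu-CVE-2011-1750.patch
@@ -0,0 +1,44 @@
+commit 52c050236eaa4f0b5e1d160cd66dc18106445c4d
+Author: Christoph Hellwig <hch@lst.de>
+Date: Wed Apr 6 20:28:34 2011 +0200
+
+virtio-blk: fail unaligned requests
+
+Like all block drivers virtio-blk should not allow small than block size
+granularity access. But given that the protocol specifies a
+byte unit length field we currently accept such requests, which cause
+qemu to abort() in lower layers. Add checks to the main read and
+write handlers to catch them early.
+
+Reported-by: Conor Murphy <conor_murphy_virt@hotmail.com>
+Tested-by: Conor Murphy <conor_murphy_virt@hotmail.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+
+diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
+index b14fb99..91e0394 100644
+--- a/hw/virtio-blk.c
++++ b/hw/virtio-blk.c
+@@ -290,6 +290,10 @@ static void virtio_blk_handle_write(VirtIOBlockReq *req, MultiReqBuffer *mrb)
+virtio_blk_rw_complete(req, -EIO);
+return;
+}
++ if (req->qiov.size % req->dev->conf->logical_block_size) {
++ virtio_blk_rw_complete(req, -EIO);
++ return;
++ }
+
+if (mrb->num_writes == 32) {
+virtio_submit_multiwrite(req->dev->bs, mrb);
+@@ -317,6 +321,10 @@ static void virtio_blk_handle_read(VirtIOBlockReq *req)
+virtio_blk_rw_complete(req, -EIO);
+return;
+}
++ if (req->qiov.size % req->dev->conf->logical_block_size) {
++ virtio_blk_rw_complete(req, -EIO);
++ return;
++ }
+
+acb = bdrv_aio_readv(req->dev->bs, sector, &req->qiov,
+req->qiov.size / BDRV_SECTOR_SIZE,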
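Review bot: The two new alignment checks (the `+ if (req->qiov.size % req->dev->conf->logical_block_size)` lines in both hunks) reject a request whose byte length is not a multiple of the logical block size, but nothing at the check says why; the reason — that the block layer underneath abort()s on sub-block granularity — lives only in the commit message. I would put `/* The protocol carries a byte length; a sub-block-size length would abort() in lower layers, so fail it here with -EIO. */` above each check, and since the block is duplicated verbatim in virtio_blk_handle_write and virtio_blk_handle_read a small static helper shared by both would keep them in step. A zero-length request passes the modulo test (0 % n == 0) and reaches `req->qiov.size / BDRV_SECTOR_SIZE` as 0 sectors; whether the lower layers accept that is not visible here and is worth confirming. Both enclosing functions start and end outside their hunks.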
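--- /dev/null
+++ b/qemu-CVE-2011-2527.patch
@@ -0,0 +1,41 @@
+commit cc4662f9642995c78bed587707eeb9ad8500035b
+Author: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
+Date: Sat Jul 9 10:22:07 2011 +0100
+
+os-posix: set groups properly for -runas
+
+Andrew Griffiths reports that -runas does not set supplementary group
+IDs. This means that gid 0 (root) is not dropped when switching to an
+unprivileged user.
+
+Add an initgroups(3) call to use the -runas user's /etc/groups
+membership to update the supplementary group IDs.
+
+Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
+Acked-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
+
+diff --git a/os-posix.c b/os-posix.c
+index 7dfb278..6f8d488 100644
+--- a/os-posix.c
++++ b/os-posix.c
+@@ -31,6 +31,7 @@
+/*needed for MAP_POPULATE before including qemu-options.h */
+#include <sys/mman.h>
+#include <pwd.h>
++#include <grp.h>
+#include <libgen.h>
+
+/* Needed early for CONFIG_BSD etc. */
+@@ -199,6 +200,11 @@ static void change_process_uid(void)
+fprintf(stderr, "Failed to setgid(%d)\n", user_pwd->pw_gid);
+exit(1);
+}
++ if (initgroups(user_pwd->pw_name, user_pwd->pw_gid) < 0) {
++ fprintf(stderr, "Failed to initgroups(\"%s\", %d)\n",
++ user_pwd->pw_name, user_pwd->pw_gid);
++ exit(1);
++ }
+if (setuid(user_pwd->pw_uid) < 0) {
+fprintf(stderr, "Failed to setuid(%d)\n", user_pwd->pw_uid);
+exit(1);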
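Review bot: The new `initgroups()` call is placed between `setgid()` and `setuid()`, which is the only order that works — once `setuid()` has dropped root the process can no longer replace its supplementary group list — but nothing in the code records that the ordering is load-bearing, so a later reshuffle could silently reintroduce the retained gid 0. I would add `/* Must run before setuid(): replacing the supplementary groups needs privilege. */` directly above the new `if`. The error message formats `pw_gid` with `%d`, matching the neighbouring setgid() message; `gid_t` is unsigned on Linux, so `%u` with a cast would be more precise, though that is a pre-existing style and fine to leave for a follow-up. change_process_uid() starts outside the hunk.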
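--- /dev/null
+++ b/qemu-CVE-2012-0029.patch
@@ -0,0 +1,20 @@
+diff -rup qemu-kvm-0.15.1/hw/e1000.c me/hw/e1000.c
+--- qemu-kvm-0.15.1/hw/e1000.c 2011-10-19 09:54:48.000000000 -0400
++++ me/hw/e1000.c 2012-05-29 09:28:15.832104874 -0400
+@@ -472,6 +472,8 @@ process_tx_desc(E1000State *s, struct e1
+bytes = split_size;
+if (tp->size + bytes > msh)
+bytes = msh - tp->size;
++
++ bytes = MIN(sizeof(tp->data) - tp->size, bytes);
+cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
+if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
+memmove(tp->header, tp->data, hdr);
+@@ -487,6 +489,7 @@ process_tx_desc(E1000State *s, struct e1
+// context descriptor TSE is not set, while data descriptor TSE is set
+DBGOUT(TXERR, "TCP segmentaion Error\n");
+} else {
++ split_size = MIN(sizeof(tp->data) - tp->size, split_size);
+cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
+tp->size += split_size;
+}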
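Review bot: Both new clamps (`bytes = MIN(sizeof(tp->data) - tp->size, bytes);` in the first hunk and the `split_size` line in the second) compute `sizeof(tp->data) - tp->size` in unsigned arithmetic, so they only bound the copy while `tp->size <= sizeof(tp->data)` holds; if that invariant were ever violated the subtraction would wrap to a huge value and MIN would pass the guest-supplied length straight through to cpu_physical_memory_read(). I would state the invariant at the first clamp, `/* Invariant: tp->size <= sizeof(tp->data); the clamps keep it so. */`, or assert it — the invariant should hold once both clamps are in, assuming no other path grows tp->size, which is not visible here. The clamp also truncates an oversized descriptor silently rather than rejecting it, which is safe for memory but leaves a partial frame in tp->data; a one-line comment that truncation is the intended response to a guest length larger than the staging buffer would help the next reader. process_tx_desc() starts and ends outside both hunks.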
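--- /dev/null
+++ b/qemu-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
@@ -0,0 +1,111 @@
+From qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org Wed Jan 11 03:51:20 2012
+Return-Path: <qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org>
+Received: from citysiren.linuxtx.org (localhost [127.0.0.1])
+by citysiren.linuxtx.org (8.14.4/8.14.4) with ESMTP id q0B9pIjw017454
+for <jmfmail@localhost>; Wed, 11 Jan 2012 03:51:20 -0600
+Delivered-To: jmforbes@linuxtx.org
+Received: from gmail-pop.l.google.com [74.125.81.108]
+by citysiren.linuxtx.org with POP3 (fetchmail-6.3.20)
+for <jmfmail@localhost> (single-drop); Wed, 11 Jan 2012 03:51:20 -0600 (CST)
+Received: by 10.180.102.100 with SMTP id fn4cs34060wib;
+Wed, 11 Jan 2012 01:48:56 -0800 (PST)
+Received: by 10.224.182.2 with SMTP id ca2mr28967033qab.57.1326275334564;
+Wed, 11 Jan 2012 01:48:54 -0800 (PST)
+Received: from lists.gnu.org (lists.gnu.org. [140.186.70.17])
+by mx.google.com with ESMTPS id gc3si782557qab.44.2012.01.11.01.48.54
+(version=TLSv1/SSLv3 cipher=OTHER);
+Wed, 11 Jan 2012 01:48:54 -0800 (PST)
+Received-SPF: pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org designates 140.186.70.17 as permitted sender) client-ip=140.186.70.17;
+Authentication-Results: mx.google.com; spf=pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org designates 140.186.70.17 as permitted sender) smtp.mail=qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org
+Received: from localhost ([::1]:48473 helo=lists.gnu.org)
+by lists.gnu.org with esmtp (Exim 4.71)
+(envelope-from <qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org>)
+id 1Rkund-0003iT-UQ
+for jmforbes@linuxtx.org; Wed, 11 Jan 2012 04:48:53 -0500
+Received: from eggs.gnu.org ([140.186.70.92]:40037)
+by lists.gnu.org with esmtp (Exim 4.71)
+(envelope-from <pbonzini@redhat.com>) id 1RkunV-0003fY-Vl
+for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:53 -0500
+Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
+(envelope-from <pbonzini@redhat.com>) id 1RkunQ-0004zL-Nl
+for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:45 -0500
+Received: from mx1.redhat.com ([209.132.183.28]:23781)
+by eggs.gnu.org with esmtp (Exim 4.71)
+(envelope-from <pbonzini@redhat.com>) id 1RkunQ-0004vY-3c
+for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:40 -0500
+Received: from int-mx11.intmail.prod.int.phx2.redhat.com
+(int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24])
+by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q0B9mcYI005348
+(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
+for <qemu-stable@nongnu.org>; Wed, 11 Jan 2012 04:48:38 -0500
+Received: from yakj.usersys.redhat.com (ovpn-112-23.ams2.redhat.com
+[10.36.112.23])
+by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
+id q0B9magG031084
+for <qemu-stable@nongnu.org>; Wed, 11 Jan 2012 04:48:37 -0500
+From: Paolo Bonzini <pbonzini@redhat.com>
+To: qemu-stable@nongnu.org
+Date: Wed, 11 Jan 2012 10:48:33 +0100
+Message-Id: <1326275313-15635-1-git-send-email-pbonzini@redhat.com>
+X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
+X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3)
+X-Received-From: 209.132.183.28
+Subject: [Qemu-stable] [PATCH] virtio-blk: refuse SG_IO requests with
+scsi=off
+X-BeenThere: qemu-stable@nongnu.org
+X-Mailman-Version: 2.1.14
+Precedence: list
+List-Id: <qemu-stable.nongnu.org>
+List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-stable>,
+<mailto:qemu-stable-request@nongnu.org?subject=unsubscribe>
+List-Archive: <http://lists.nongnu.org/archive/html/qemu-stable>
+List-Post: <mailto:qemu-stable@nongnu.org>
+List-Help: <mailto:qemu-stable-request@nongnu.org?subject=help>
+List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-stable>,
+<mailto:qemu-stable-request@nongnu.org?subject=subscribe>
+Errors-To: qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org
+Sender: qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org
+X-UID: 32
+Status: RO
+Content-Length: 1003
+Lines: 38
+
+QEMU does have a "scsi" option (to be used like -device
+virtio-blk-pci,drive=foo,scsi=off). However, it only
+masks the feature bit, and does not reject the command
+if a malicious guest disregards the feature bits and
+issues a request.
+
+Without this patch, using scsi=off does not protect you
+from CVE-2011-4127.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+hw/virtio-blk.c | 6 ++++++
+1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
+index b70d116..6cd3164 100644
+--- a/hw/virtio-blk.c
++++ b/hw/virtio-blk.c
+@@ -153,6 +153,12 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req)
+int status;
+int i;
+
++ if ((req->dev->vdev.guest_features & (1 << VIRTIO_BLK_F_SCSI)) == 0) {
++ virtio_blk_req_complete(req, VIRTIO_BLK_S_UNSUPP);
++ qemu_free(req);
++ return;
++ }
++
+/*
+* We require at least one output segment each for the virtio_blk_outhdr
+* and the SCSI command block.
+--
+1.7.7.1
+
+
+
+
+
+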
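Review bot: The new guard refuses SG_IO when the guest has not negotiated VIRTIO_BLK_F_SCSI, but the code gives no hint that this is the enforcement point rather than a redundancy — the reason (clearing the host feature bit is advisory and a guest can ignore it) lives only in the mail body, so a later reader may well "simplify" it away. I would add above the `if`: `/* Feature bits are advisory: a guest may issue SG_IO without negotiating VIRTIO_BLK_F_SCSI, so scsi=off has to be enforced here, not only in the offered host features. */`. The early-exit sequence (`virtio_blk_req_complete` followed by `qemu_free(req)`) presumably mirrors the handler's other error returns, but those lie outside the hunk, so I could not confirm that every exit path owns and frees req the same way. virtio_blk_handle_scsi() continues past the end of the hunk.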
20
qemu.spec
20
qemu.spec
|
@ -1,7 +1,7 @@
|
|||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
Version: 0.14.0
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
# Epoch because we pushed a qemu-1.0 package
|
||||
Epoch: 2
|
||||
License: GPLv2+ and LGPLv2+ and BSD
|
||||
|
@ -60,6 +60,14 @@ Patch34: 0015-chardev-Allow-frontends-to-notify-backends-of-guest-.patch
|
|||
Patch35: 0016-virtio-console-notify-backend-of-guest-open-close.patch
|
||||
Patch36: 0017-spice-chardev-listen-to-frontend-guest-open-close.patch
|
||||
Patch37: 0018-spice-qemu-char-Fix-flow-control-in-client-guest-dir.patch
|
||||
# CVE-2011-1750 virtio-blk: heap buffer overflow (bz 698906, bz 698911)
|
||||
Patch38: %{name}-CVE-2011-1750.patch
|
||||
# CVE-2011-2527 set groups properly for -runas (bz 720773, bz 720784)
|
||||
Patch39: %{name}-CVE-2011-2527.patch
|
||||
# CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075)
|
||||
Patch40: %{name}-CVE-2012-0029.patch
|
||||
# virtio-blk: refuse SG_IO requests with scsi=off (bz 770135)
|
||||
Patch41: %{name}-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
|
||||
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
|
@ -257,6 +265,10 @@ such as kvm_stat.
|
|||
%patch35 -p1
|
||||
%patch36 -p1
|
||||
%patch37 -p1
|
||||
%patch38 -p1
|
||||
%patch39 -p1
|
||||
%patch40 -p1
|
||||
%patch41 -p1
|
||||
|
||||
%build
|
||||
# By default we build everything, but allow x86 to build a minimal version
|
||||
|
@ -561,6 +573,12 @@ fi
|
|||
%{_mandir}/man1/qemu-img.1*
|
||||
|
||||
%changelog
|
||||
* Tue May 29 2012 Cole Robinson <crobinso@redhat.com> - 0.14.0-9
|
||||
- CVE-2011-1750 virtio-blk: heap buffer overflow (bz 698906, bz 698911)
|
||||
- CVE-2011-2527 set groups properly for -runas (bz 720773, bz 720784)
|
||||
- CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075)
|
||||
- virtio-blk: refuse SG_IO requests with scsi=off (bz 770135)
|
||||
|
||||
* Wed Jun 22 2011 Richard W.M. Jones <rjones@redhat.com> - 2:0.14.0-8
|
||||
- Add BR libattr-devel. This caused the -fstype option to be disabled.
|
||||
https://www.redhat.com/archives/libvir-list/2011-June/thread.html#01017
|
||||
|
|
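Review bot: The new changelog header `* Tue May 29 2012 Cole Robinson <crobinso@redhat.com> - 0.14.0-9` omits the package Epoch, while the preceding entry reads `2:0.14.0-8` and the spec declares `Epoch: 2`; the changelog version is conventionally the full EVR, so it should be `- 2:0.14.0-9` to stay consistent with the entry below it and with rpm's changelog/version checks. The Patch38–Patch41 declarations and the four `%patchNN -p1` lines match each other and are in the same order, and `-p1` strips the `qemu-kvm-0.15.1/` and `me/` prefixes of the e1000 patch down to `hw/e1000.c`, consistent with the other patches' paths.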