CVE-2011-1750 virtio-blk: heap buffer overflow (bz 698906, bz 698911)

CVE-2011-2527 set groups properly for -runas (bz 720773, bz 720784) CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075) virtio-blk: refuse SG_IO requests with scsi=off (bz 770135)
2012-05-29 10:25:50 -04:00 · 2012-05-29 10:25:50 -04:00 · 2dedc013fc
parent a2bc394c0a
commit 2dedc013fc
5 changed files with 235 additions and 1 deletions
--- a/qemu-CVE-2011-1750.patch
+++ b/qemu-CVE-2011-1750.patch
@ -0,0 +1,44 @@
+commit 52c050236eaa4f0b5e1d160cd66dc18106445c4d
+Author: Christoph Hellwig <hch@lst.de>
+Date:   Wed Apr 6 20:28:34 2011 +0200
+
+    virtio-blk: fail unaligned requests
+    
+    Like all block drivers virtio-blk should not allow small than block size
+    granularity access.  But given that the protocol specifies a
+    byte unit length field we currently accept such requests, which cause
+    qemu to abort() in lower layers.  Add checks to the main read and
+    write handlers to catch them early.
+    
+    Reported-by: Conor Murphy <conor_murphy_virt@hotmail.com>
+    Tested-by: Conor Murphy <conor_murphy_virt@hotmail.com>
+    Signed-off-by: Christoph Hellwig <hch@lst.de>
+    Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
+    Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+
+diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
+index b14fb99..91e0394 100644
+--- a/hw/virtio-blk.c
+++ b/hw/virtio-blk.c
+@@ -290,6 +290,10 @@ static void virtio_blk_handle_write(VirtIOBlockReq *req, MultiReqBuffer *mrb)
+         virtio_blk_rw_complete(req, -EIO);
+         return;
+     }
+    if (req->qiov.size % req->dev->conf->logical_block_size) {
+        virtio_blk_rw_complete(req, -EIO);
+        return;
+    }
+ 
+     if (mrb->num_writes == 32) {
+         virtio_submit_multiwrite(req->dev->bs, mrb);
+@@ -317,6 +321,10 @@ static void virtio_blk_handle_read(VirtIOBlockReq *req)
+         virtio_blk_rw_complete(req, -EIO);
+         return;
+     }
+    if (req->qiov.size % req->dev->conf->logical_block_size) {
+        virtio_blk_rw_complete(req, -EIO);
+        return;
+    }
+ 
+     acb = bdrv_aio_readv(req->dev->bs, sector, &req->qiov,
+                          req->qiov.size / BDRV_SECTOR_SIZE,
--- a/qemu-CVE-2011-2527.patch
+++ b/qemu-CVE-2011-2527.patch
@ -0,0 +1,41 @@
+commit cc4662f9642995c78bed587707eeb9ad8500035b
+Author: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
+Date:   Sat Jul 9 10:22:07 2011 +0100
+
+    os-posix: set groups properly for -runas
+    
+    Andrew Griffiths reports that -runas does not set supplementary group
+    IDs.  This means that gid 0 (root) is not dropped when switching to an
+    unprivileged user.
+    
+    Add an initgroups(3) call to use the -runas user's /etc/groups
+    membership to update the supplementary group IDs.
+    
+    Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
+    Acked-by: Chris Wright <chrisw@sous-sol.org>
+    Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
+
+diff --git a/os-posix.c b/os-posix.c
+index 7dfb278..6f8d488 100644
+--- a/os-posix.c
+++ b/os-posix.c
+@@ -31,6 +31,7 @@
+ /*needed for MAP_POPULATE before including qemu-options.h */
+ #include <sys/mman.h>
+ #include <pwd.h>
+#include <grp.h>
+ #include <libgen.h>
+ 
+ /* Needed early for CONFIG_BSD etc. */
+@@ -199,6 +200,11 @@ static void change_process_uid(void)
+             fprintf(stderr, "Failed to setgid(%d)\n", user_pwd->pw_gid);
+             exit(1);
+         }
+        if (initgroups(user_pwd->pw_name, user_pwd->pw_gid) < 0) {
+            fprintf(stderr, "Failed to initgroups(\"%s\", %d)\n",
+                    user_pwd->pw_name, user_pwd->pw_gid);
+            exit(1);
+        }
+         if (setuid(user_pwd->pw_uid) < 0) {
+             fprintf(stderr, "Failed to setuid(%d)\n", user_pwd->pw_uid);
+             exit(1);
--- a/qemu-CVE-2012-0029.patch
+++ b/qemu-CVE-2012-0029.patch
@ -0,0 +1,20 @@
+diff -rup qemu-kvm-0.15.1/hw/e1000.c me/hw/e1000.c
+--- qemu-kvm-0.15.1/hw/e1000.c	2011-10-19 09:54:48.000000000 -0400
+++ me/hw/e1000.c	2012-05-29 09:28:15.832104874 -0400
+@@ -472,6 +472,8 @@ process_tx_desc(E1000State *s, struct e1
+             bytes = split_size;
+             if (tp->size + bytes > msh)
+                 bytes = msh - tp->size;
+
+            bytes = MIN(sizeof(tp->data) - tp->size, bytes);
+             cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
+             if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
+                 memmove(tp->header, tp->data, hdr);
+@@ -487,6 +489,7 @@ process_tx_desc(E1000State *s, struct e1
+         // context descriptor TSE is not set, while data descriptor TSE is set
+         DBGOUT(TXERR, "TCP segmentaion Error\n");
+     } else {
+        split_size = MIN(sizeof(tp->data) - tp->size, split_size);
+         cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
+         tp->size += split_size;
+     }
--- a/qemu-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
+++ b/qemu-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
@ -0,0 +1,111 @@
+From qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org  Wed Jan 11 03:51:20 2012
+Return-Path: <qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org>
+Received: from citysiren.linuxtx.org (localhost [127.0.0.1])
+	by citysiren.linuxtx.org (8.14.4/8.14.4) with ESMTP id q0B9pIjw017454
+	for <jmfmail@localhost>; Wed, 11 Jan 2012 03:51:20 -0600
+Delivered-To: jmforbes@linuxtx.org
+Received: from gmail-pop.l.google.com [74.125.81.108]
+	by citysiren.linuxtx.org with POP3 (fetchmail-6.3.20)
+	for <jmfmail@localhost> (single-drop); Wed, 11 Jan 2012 03:51:20 -0600 (CST)
+Received: by 10.180.102.100 with SMTP id fn4cs34060wib;
+        Wed, 11 Jan 2012 01:48:56 -0800 (PST)
+Received: by 10.224.182.2 with SMTP id ca2mr28967033qab.57.1326275334564;
+        Wed, 11 Jan 2012 01:48:54 -0800 (PST)
+Received: from lists.gnu.org (lists.gnu.org. [140.186.70.17])
+        by mx.google.com with ESMTPS id gc3si782557qab.44.2012.01.11.01.48.54
+        (version=TLSv1/SSLv3 cipher=OTHER);
+        Wed, 11 Jan 2012 01:48:54 -0800 (PST)
+Received-SPF: pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org designates 140.186.70.17 as permitted sender) client-ip=140.186.70.17;
+Authentication-Results: mx.google.com; spf=pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org designates 140.186.70.17 as permitted sender) smtp.mail=qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org
+Received: from localhost ([::1]:48473 helo=lists.gnu.org)
+	by lists.gnu.org with esmtp (Exim 4.71)
+	(envelope-from <qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org>)
+	id 1Rkund-0003iT-UQ
+	for jmforbes@linuxtx.org; Wed, 11 Jan 2012 04:48:53 -0500
+Received: from eggs.gnu.org ([140.186.70.92]:40037)
+	by lists.gnu.org with esmtp (Exim 4.71)
+	(envelope-from <pbonzini@redhat.com>) id 1RkunV-0003fY-Vl
+	for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:53 -0500
+Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
+	(envelope-from <pbonzini@redhat.com>) id 1RkunQ-0004zL-Nl
+	for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:45 -0500
+Received: from mx1.redhat.com ([209.132.183.28]:23781)
+	by eggs.gnu.org with esmtp (Exim 4.71)
+	(envelope-from <pbonzini@redhat.com>) id 1RkunQ-0004vY-3c
+	for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:40 -0500
+Received: from int-mx11.intmail.prod.int.phx2.redhat.com
+	(int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24])
+	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q0B9mcYI005348
+	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
+	for <qemu-stable@nongnu.org>; Wed, 11 Jan 2012 04:48:38 -0500
+Received: from yakj.usersys.redhat.com (ovpn-112-23.ams2.redhat.com
+	[10.36.112.23])
+	by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
+	id q0B9magG031084
+	for <qemu-stable@nongnu.org>; Wed, 11 Jan 2012 04:48:37 -0500
+From: Paolo Bonzini <pbonzini@redhat.com>
+To: qemu-stable@nongnu.org
+Date: Wed, 11 Jan 2012 10:48:33 +0100
+Message-Id: <1326275313-15635-1-git-send-email-pbonzini@redhat.com>
+X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
+X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3)
+X-Received-From: 209.132.183.28
+Subject: [Qemu-stable] [PATCH] virtio-blk: refuse SG_IO requests with
+	scsi=off
+X-BeenThere: qemu-stable@nongnu.org
+X-Mailman-Version: 2.1.14
+Precedence: list
+List-Id: <qemu-stable.nongnu.org>
+List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-stable>,
+	<mailto:qemu-stable-request@nongnu.org?subject=unsubscribe>
+List-Archive: <http://lists.nongnu.org/archive/html/qemu-stable>
+List-Post: <mailto:qemu-stable@nongnu.org>
+List-Help: <mailto:qemu-stable-request@nongnu.org?subject=help>
+List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-stable>,
+	<mailto:qemu-stable-request@nongnu.org?subject=subscribe>
+Errors-To: qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org
+Sender: qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org
+X-UID: 32                                                 
+Status: RO
+Content-Length: 1003
+Lines: 38
+
+QEMU does have a "scsi" option (to be used like -device
+virtio-blk-pci,drive=foo,scsi=off).  However, it only
+masks the feature bit, and does not reject the command
+if a malicious guest disregards the feature bits and
+issues a request.
+
+Without this patch, using scsi=off does not protect you
+from CVE-2011-4127.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/virtio-blk.c |    6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
+index b70d116..6cd3164 100644
+--- a/hw/virtio-blk.c
+++ b/hw/virtio-blk.c
+@@ -153,6 +153,12 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req)
+     int status;
+     int i;
+ 
+    if ((req->dev->vdev.guest_features & (1 << VIRTIO_BLK_F_SCSI)) == 0) {
+        virtio_blk_req_complete(req, VIRTIO_BLK_S_UNSUPP);
+        qemu_free(req);
+        return;
+    }
+
+     /*
+      * We require at least one output segment each for the virtio_blk_outhdr
+      * and the SCSI command block.
+-- 
+1.7.7.1
+
+
+
+
+
+
--- a/qemu.spec
+++ b/qemu.spec
@ -1,7 +1,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 0.14.0
-Release: 8%{?dist}
+Release: 9%{?dist}
 # Epoch because we pushed a qemu-1.0 package
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
@ -60,6 +60,14 @@ Patch34: 0015-chardev-Allow-frontends-to-notify-backends-of-guest-.patch
 Patch35: 0016-virtio-console-notify-backend-of-guest-open-close.patch
 Patch36: 0017-spice-chardev-listen-to-frontend-guest-open-close.patch
 Patch37: 0018-spice-qemu-char-Fix-flow-control-in-client-guest-dir.patch
+# CVE-2011-1750 virtio-blk: heap buffer overflow (bz 698906, bz 698911)
+Patch38: %{name}-CVE-2011-1750.patch
+# CVE-2011-2527 set groups properly for -runas (bz 720773, bz 720784)
+Patch39: %{name}-CVE-2011-2527.patch
+# CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075)
+Patch40: %{name}-CVE-2012-0029.patch
+# virtio-blk: refuse SG_IO requests with scsi=off (bz 770135)
+Patch41: %{name}-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch


 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -257,6 +265,10 @@ such as kvm_stat.
 %patch35 -p1
 %patch36 -p1
 %patch37 -p1
+%patch38 -p1
+%patch39 -p1
+%patch40 -p1
+%patch41 -p1

 %build
 # By default we build everything, but allow x86 to build a minimal version
@ -561,6 +573,12 @@ fi
 %{_mandir}/man1/qemu-img.1*

 %changelog
+* Tue May 29 2012 Cole Robinson <crobinso@redhat.com> - 0.14.0-9
+- CVE-2011-1750 virtio-blk: heap buffer overflow (bz 698906, bz 698911)
+- CVE-2011-2527 set groups properly for -runas (bz 720773, bz 720784)
+- CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075)
+- virtio-blk: refuse SG_IO requests with scsi=off (bz 770135)
+
 * Wed Jun 22 2011 Richard W.M. Jones <rjones@redhat.com> - 2:0.14.0-8
 - Add BR libattr-devel.  This caused the -fstype option to be disabled.
  https://www.redhat.com/archives/libvir-list/2011-June/thread.html#01017