From: "Matthias Maier" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Matthias Maier" Message-ID: <1495081212.33cfc7b69e6a25e0b66687e28f7b29ae1a43e2d4.tamiko@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/, app-emulation/qemu/files/ X-VCS-Repository: repo/gentoo X-VCS-Files: app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7493.patch app-emulation/qemu/qemu-2.9.0-r1.ebuild app-emulation/qemu/qemu-2.9.0-r2.ebuild app-emulation/qemu/qemu-2.9.0-r53.ebuild app-emulation/qemu/qemu-2.9.0-r54.ebuild X-VCS-Directories: app-emulation/qemu/ app-emulation/qemu/files/ X-VCS-Committer: tamiko X-VCS-Committer-Name: Matthias Maier X-VCS-Revision: 33cfc7b69e6a25e0b66687e28f7b29ae1a43e2d4 X-VCS-Branch: master Date: Thu, 18 May 2017 04:20:21 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: a91aa6f1-0681-44f0-a6ce-21389308a263 X-Archives-Hash: 3793506b96e104e0ae50e9c4daed5eec commit: 33cfc7b69e6a25e0b66687e28f7b29ae1a43e2d4 Author: Matthias Maier gentoo org> AuthorDate: Thu May 18 04:08:31 2017 +0000 Commit: Matthias Maier gentoo org> CommitDate: Thu May 18 04:20:12 2017 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33cfc7b6 app-emulation/qemu: patch for CVE-2017-7493, bug #618808 Package-Manager: Portage-2.3.5, Repoman-2.3.2 .../qemu/files/qemu-2.9.0-CVE-2017-7493.patch | 174 +++++++++++++++++++++ .../{qemu-2.9.0-r1.ebuild => qemu-2.9.0-r2.ebuild} | 9 +- ...qemu-2.9.0-r53.ebuild => qemu-2.9.0-r54.ebuild} | 9 +- 3 files changed, 184 insertions(+), 8 deletions(-) diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7493.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7493.patch new file mode 100644 index 00000000000..346e7713f74 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7493.patch 
@@ -0,0 +1,174 @@ +From 7a95434e0ca8a037fd8aa1a2e2461f92585eb77b Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Fri, 5 May 2017 14:48:08 +0200 +Subject: [PATCH] 9pfs: local: forbid client access to metadata (CVE-2017-7493) + +When using the mapped-file security mode, we shouldn't let the client mess +with the metadata. The current code already tries to hide the metadata dir +from the client by skipping it in local_readdir(). But the client can still +access or modify it through several other operations. This can be used to +escalate privileges in the guest. + +Affected backend operations are: +- local_mknod() +- local_mkdir() +- local_open2() +- local_symlink() +- local_link() +- local_unlinkat() +- local_renameat() +- local_rename() +- local_name_to_path() + +Other operations are safe because they are only passed a fid path, which +is computed internally in local_name_to_path(). + +This patch converts all the functions listed above to fail and return +EINVAL when being passed the name of the metadata dir. This may look +like a poor choice for errno, but there's no such thing as an illegal +path name on Linux and I could not think of anything better. + +This fixes CVE-2017-7493. 
+ +Reported-by: Leo Gaspard +Signed-off-by: Greg Kurz +Reviewed-by: Eric Blake +--- + hw/9pfs/9p-local.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 56 insertions(+), 2 deletions(-) + +diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c +index f3ebca4f7a..a2486566af 100644 +--- a/hw/9pfs/9p-local.c ++++ b/hw/9pfs/9p-local.c +@@ -452,6 +452,11 @@ static off_t local_telldir(FsContext *ctx, V9fsFidOpenState *fs) + return telldir(fs->dir.stream); + } + ++static bool local_is_mapped_file_metadata(FsContext *fs_ctx, const char *name) ++{ ++ return !strcmp(name, VIRTFS_META_DIR); ++} ++ + static struct dirent *local_readdir(FsContext *ctx, V9fsFidOpenState *fs) + { + struct dirent *entry; +@@ -465,8 +470,8 @@ again: + if (ctx->export_flags & V9FS_SM_MAPPED) { + entry->d_type = DT_UNKNOWN; + } else if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { +- if (!strcmp(entry->d_name, VIRTFS_META_DIR)) { +- /* skp the meta data directory */ ++ if (local_is_mapped_file_metadata(ctx, entry->d_name)) { ++ /* skip the meta data directory */ + goto again; + } + entry->d_type = DT_UNKNOWN; +@@ -559,6 +564,12 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path, + int err = -1; + int dirfd; + ++ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(fs_ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd == -1) { + return -1; +@@ -605,6 +616,12 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path, + int err = -1; + int dirfd; + ++ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(fs_ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd == -1) { + return -1; +@@ -694,6 +711,12 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, + int err = -1; + int dirfd; + ++ if (fs_ctx->export_flags & 
V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(fs_ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + /* + * Mark all the open to not follow symlinks + */ +@@ -752,6 +775,12 @@ static int local_symlink(FsContext *fs_ctx, const char *oldpath, + int err = -1; + int dirfd; + ++ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(fs_ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd == -1) { + return -1; +@@ -826,6 +855,12 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath, + int ret = -1; + int odirfd, ndirfd; + ++ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + odirfd = local_opendir_nofollow(ctx, odirpath); + if (odirfd == -1) { + goto out; +@@ -1096,6 +1131,12 @@ static int local_lremovexattr(FsContext *ctx, V9fsPath *fs_path, + static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path, + const char *name, V9fsPath *target) + { ++ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + if (dir_path) { + v9fs_path_sprintf(target, "%s/%s", dir_path->data, name); + } else if (strcmp(name, "/")) { +@@ -1116,6 +1157,13 @@ static int local_renameat(FsContext *ctx, V9fsPath *olddir, + int ret; + int odirfd, ndirfd; + ++ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ (local_is_mapped_file_metadata(ctx, old_name) || ++ local_is_mapped_file_metadata(ctx, new_name))) { ++ errno = EINVAL; ++ return -1; ++ } ++ + odirfd = local_opendir_nofollow(ctx, olddir->data); + if (odirfd == -1) { + return -1; +@@ -1206,6 +1254,12 @@ static int local_unlinkat(FsContext *ctx, V9fsPath *dir, + int ret; + int dirfd; + ++ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + dirfd = local_opendir_nofollow(ctx, 
dir->data); + if (dirfd == -1) { + return -1; +-- +2.13.0 + diff --git a/app-emulation/qemu/qemu-2.9.0-r1.ebuild b/app-emulation/qemu/qemu-2.9.0-r2.ebuild similarity index 98% rename from app-emulation/qemu/qemu-2.9.0-r1.ebuild rename to app-emulation/qemu/qemu-2.9.0-r2.ebuild index 9fdaa1ebac5..6289ced538e 100644 --- a/app-emulation/qemu/qemu-2.9.0-r1.ebuild +++ b/app-emulation/qemu/qemu-2.9.0-r2.ebuild @@ -191,10 +191,11 @@ RDEPEND="${CDEPEND} PATCHES=( "${FILESDIR}"/${PN}-2.5.0-cflags.patch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch - "${FILESDIR}"/${PN}-2.9.0-bug616870.patch - "${FILESDIR}"/${PN}-2.9.0-bug616872.patch - "${FILESDIR}"/${PN}-2.9.0-bug616874.patch - "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8112.patch + "${FILESDIR}"/${PN}-2.9.0-bug616870.patch # bug 616870 + "${FILESDIR}"/${PN}-2.9.0-bug616872.patch # bug 616872 + "${FILESDIR}"/${PN}-2.9.0-bug616874.patch # bug 616874 + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8112.patch # bug 616636 + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-7493.patch # bug 618808 ) STRIP_MASK="/usr/share/qemu/palcode-clipper" diff --git a/app-emulation/qemu/qemu-2.9.0-r53.ebuild b/app-emulation/qemu/qemu-2.9.0-r54.ebuild similarity index 98% rename from app-emulation/qemu/qemu-2.9.0-r53.ebuild rename to app-emulation/qemu/qemu-2.9.0-r54.ebuild index 5518e2e813b..0d8029910fc 100644 --- a/app-emulation/qemu/qemu-2.9.0-r53.ebuild +++ b/app-emulation/qemu/qemu-2.9.0-r54.ebuild 
@@ -194,10 +194,11 @@ RDEPEND="${CDEPEND} PATCHES=( "${FILESDIR}"/${PN}-2.5.0-cflags.patch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch - "${FILESDIR}"/${PN}-2.9.0-bug616870.patch - "${FILESDIR}"/${PN}-2.9.0-bug616872.patch - "${FILESDIR}"/${PN}-2.9.0-bug616874.patch - "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8112.patch + "${FILESDIR}"/${PN}-2.9.0-bug616870.patch # bug 616870 + "${FILESDIR}"/${PN}-2.9.0-bug616872.patch # bug 616872 + "${FILESDIR}"/${PN}-2.9.0-bug616874.patch # bug 616874 + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8112.patch # bug 616636 + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-7493.patch # bug 618808 ) STRIP_MASK="/usr/share/qemu/palcode-clipper"
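Review bot: in the local_is_mapped_file_metadata() hunk (9p-local.c, around line 452) the FsContext *fs_ctx parameter is unused, since the body is only "return !strcmp(name, VIRTFS_META_DIR);". Either drop the parameter or move the "export_flags & V9FS_SM_MAPPED_FILE" test into the helper, so that each caller's "if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && local_is_mapped_file_metadata(fs_ctx, name))" collapses to a single call and the two conditions cannot drift apart across the seven call sites. The exact strcmp() also assumes that name is a single path component with no '/'; a one-line comment at the helper stating that the 9p front end guarantees this would make the assumption visible to whoever edits the name handling later.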
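Review bot: the commit message lists local_rename() among the affected backend operations, but no hunk touches it; only local_renameat() (9p-local.c, around line 1157) receives the old_name/new_name check. If local_rename() is covered because it routes through local_renameat() or local_name_to_path(), the commit message should say so; otherwise the list and the diff disagree. In the local_name_to_path() hunk (around line 1131) a short comment that this is the gate for every operation which only receives a fid path, as the message explains, would make clear why the check is needed here and not just in the six create/link/unlink paths.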
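Review bot: the two ebuild hunks (qemu-2.9.0-r2 and qemu-2.9.0-r54) rewrite the four pre-existing PATCHES entries only to append "# bug NNNNNN" comments, so a security revbump whose real change is the single added line '"${FILESDIR}"/${PN}-2.9.0-CVE-2017-7493.patch # bug 618808' shows as eight deletions and ten insertions. That is harmless, but the cosmetic comment additions would be easier to review as a separate commit, and the two PATCHES arrays should be kept identical since the r2 and r54 copies are now maintained in parallel.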