guix-patches

[bug#28077] [PATCH] gnu: qemu: Fix CVE-2017-{10664, 10806, 10911, 11434}


From: Alex Vong
Subject: [bug#28077] [PATCH] gnu: qemu: Fix CVE-2017-{10664, 10806, 10911, 11434}.
Date: Sun, 13 Aug 2017 21:38:18 +0800
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)

Severity: important
Tags: security

Hello,

This fixes a bunch of CVEs which were left unfixed. Most of the patches
are copied from the upstream git repo, except one, which is copied from
the Xen Security Advisory.

From f513dd18602c0321bedce3f4ebf4b0b6a77288ac Mon Sep 17 00:00:00 2001
From: Alex Vong <address@hidden>
Date: Sun, 13 Aug 2017 19:42:59 +0800
Subject: [PATCH] gnu: qemu: Fix CVE-2017-{10664,10806,10911,11434}.

* gnu/packages/patches/qemu-CVE-2017-10664.patch,
gnu/packages/patches/qemu-CVE-2017-10806.patch,
gnu/packages/patches/qemu-CVE-2017-10911.patch,
gnu/packages/patches/qemu-CVE-2017-11434.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/virtualization.scm (qemu)[source]: Use them.
---
 gnu/local.mk                                   |   4 +
 gnu/packages/patches/qemu-CVE-2017-10664.patch |  58 ++++++++++++
 gnu/packages/patches/qemu-CVE-2017-10806.patch |  61 ++++++++++++
 gnu/packages/patches/qemu-CVE-2017-10911.patch | 123 +++++++++++++++++++++++++
 gnu/packages/patches/qemu-CVE-2017-11434.patch |  46 +++++++++
 gnu/packages/virtualization.scm                |   7 +-
 6 files changed, 298 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-10664.patch
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-10806.patch
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-10911.patch
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-11434.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index c12fd8559..f513a7490 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -988,7 +988,11 @@ dist_patch_DATA =                                          
\
   %D%/packages/patches/qemu-CVE-2017-8379.patch                        \
   %D%/packages/patches/qemu-CVE-2017-8380.patch                        \
   %D%/packages/patches/qemu-CVE-2017-9524.patch                        \
+  %D%/packages/patches/qemu-CVE-2017-10664.patch               \
+  %D%/packages/patches/qemu-CVE-2017-10806.patch               \
+  %D%/packages/patches/qemu-CVE-2017-10911.patch               \
   %D%/packages/patches/qemu-CVE-2017-11334.patch               \
+  %D%/packages/patches/qemu-CVE-2017-11434.patch               \
   %D%/packages/patches/qt4-ldflags.patch                       \
   %D%/packages/patches/qtscript-disable-tests.patch            \
   %D%/packages/patches/quagga-reproducible-build.patch          \
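Review bot: the continuation backslashes on the four added `+  %D%/packages/patches/qemu-CVE-2017-1...` lines are aligned with the existing qemu-CVE-2017-11334.patch entry rather than with the qemu-CVE-2017-8379/8380/9524 entries just above; purely cosmetic, but lining all the qemu-CVE entries up on one column would keep the block tidy. The ordering (10664, 10806, 10911, 11334, 11434) is numerically sorted and matches the order used in the virtualization.scm hunk.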
diff --git a/gnu/packages/patches/qemu-CVE-2017-10664.patch 
b/gnu/packages/patches/qemu-CVE-2017-10664.patch
new file mode 100644
index 000000000..5a7406eaf
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-10664.patch
@@ -0,0 +1,58 @@
+Fix CVE-2017-10664:
+
+https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg02693.html
+https://bugzilla.redhat.com/show_bug.cgi?id=1466190
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10664
+https://security-tracker.debian.org/tracker/CVE-2017-10664
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commitdiff;h=041e32b8d9d076980b4e35317c0339e57ab888f1
+
+From 041e32b8d9d076980b4e35317c0339e57ab888f1 Mon Sep 17 00:00:00 2001
+From: Max Reitz <address@hidden>
+Date: Sun, 11 Jun 2017 14:37:14 +0200
+Subject: [PATCH] qemu-nbd: Ignore SIGPIPE
+
+qemu proper has done so for 13 years
+(8a7ddc38a60648257dc0645ab4a05b33d6040063), qemu-img and qemu-io have
+done so for four years (526eda14a68d5b3596be715505289b541288ef2a).
+Ignoring this signal is especially important in qemu-nbd because
+otherwise a client can easily take down the qemu-nbd server by dropping
+the connection when the server wants to send something, for example:
+
+$ qemu-nbd -x foo -f raw -t null-co:// &
+[1] 12726
+$ qemu-io -c quit nbd://localhost/bar
+can't open device nbd://localhost/bar: No export with name 'bar' available
+[1]  + 12726 broken pipe  qemu-nbd -x foo -f raw -t null-co://
+
+In this case, the client sends an NBD_OPT_ABORT and closes the
+connection (because it is not required to wait for a reply), but the
+server replies with an NBD_REP_ACK (because it is required to reply).
+
+Signed-off-by: Max Reitz <address@hidden>
+Message-Id: <address@hidden>
+Signed-off-by: Paolo Bonzini <address@hidden>
+---
+ qemu-nbd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/qemu-nbd.c b/qemu-nbd.c
+index 9464a0461c..4dd3fd4732 100644
+--- a/qemu-nbd.c
++++ b/qemu-nbd.c
+@@ -581,6 +581,10 @@ int main(int argc, char **argv)
+     sa_sigterm.sa_handler = termsig_handler;
+     sigaction(SIGTERM, &sa_sigterm, NULL);
+ 
++#ifdef CONFIG_POSIX
++    signal(SIGPIPE, SIG_IGN);
++#endif
++
+     module_call_init(MODULE_INIT_TRACE);
+     qcrypto_init(&error_fatal);
+ 
+-- 
+2.14.0
+
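Review bot: the `signal(SIGPIPE, SIG_IGN)` added after the `sigaction(SIGTERM, &sa_sigterm, NULL)` setup is placed correctly (it runs before any client connection can exist), but it is worth noting in the Guix patch header that the behavioural change is that a client dropping the connection mid-reply now shows up as a write error on the socket instead of killing the whole qemu-nbd process, which is the denial-of-service the CVE describes. The reproducer quoted in the upstream message (`qemu-io -c quit nbd://localhost/bar` against a running `qemu-nbd -x foo`) is a cheap regression check to run against the rebuilt package. Provenance is verifiable: the commit id in the `Patch copied from upstream source repository` URL matches the `From 041e32b8d9d0...` line.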
diff --git a/gnu/packages/patches/qemu-CVE-2017-10806.patch 
b/gnu/packages/patches/qemu-CVE-2017-10806.patch
new file mode 100644
index 000000000..202ced8cf
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-10806.patch
@@ -0,0 +1,61 @@
+Fix CVE-2017-10806:
+
+https://lists.nongnu.org/archive/html/qemu-devel/2017-05/msg03087.html
+https://bugzilla.redhat.com/show_bug.cgi?id=1468496
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10806
+https://security-tracker.debian.org/tracker/CVE-2017-10806
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=bd4a683505b27adc1ac809f71e918e58573d851d
+
+From bd4a683505b27adc1ac809f71e918e58573d851d Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <address@hidden>
+Date: Tue, 9 May 2017 13:01:28 +0200
+Subject: [PATCH] usb-redir: fix stack overflow in usbredir_log_data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Don't reinvent a broken wheel, just use the hexdump function we have.
+
+Impact: low, broken code doesn't run unless you have debug logging
+enabled.
+
+Reported-by: 李强 <address@hidden>
+Signed-off-by: Gerd Hoffmann <address@hidden>
+Message-id: address@hidden
+---
+ hw/usb/redirect.c | 13 +------------
+ 1 file changed, 1 insertion(+), 12 deletions(-)
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index b001a27f05..ad5ef783a6 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const 
char *msg)
+ static void usbredir_log_data(USBRedirDevice *dev, const char *desc,
+     const uint8_t *data, int len)
+ {
+-    int i, j, n;
+-
+     if (dev->debug < usbredirparser_debug_data) {
+         return;
+     }
+-
+-    for (i = 0; i < len; i += j) {
+-        char buf[128];
+-
+-        n = sprintf(buf, "%s", desc);
+-        for (j = 0; j < 8 && i + j < len; j++) {
+-            n += sprintf(buf + n, " %02X", data[i + j]);
+-        }
+-        error_report("%s", buf);
+-    }
++    qemu_hexdump((char *)data, stderr, desc, len);
+ }
+ 
+ /*
+-- 
+2.14.1
+
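Review bot: the removed loop at `+-    for (i = 0; i < len; i += j)` wrote `desc` into a fixed `char buf[128]` with an unbounded `sprintf`, so a sufficiently long description overran the stack buffer; replacing the whole loop with `qemu_hexdump()` removes the local buffer entirely, which is the right fix. One behavioural difference the Guix header could mention: output now goes straight to `stderr` through qemu_hexdump rather than via `error_report()`, so these lines lose error_report's prefixing, which is acceptable because the path only runs when `dev->debug >= usbredirparser_debug_data`. The `(char *)data` cast only adapts the pointee type for qemu_hexdump's `const char *` buffer parameter; a `(const char *)` cast would avoid casting away const, but keeping the line byte-identical to the upstream commit is the reasonable choice for a copied fix.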
diff --git a/gnu/packages/patches/qemu-CVE-2017-10911.patch 
b/gnu/packages/patches/qemu-CVE-2017-10911.patch
new file mode 100644
index 000000000..fed3fb8ff
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-10911.patch
@@ -0,0 +1,123 @@
+Fix CVE-2017-10911:
+
+https://xenbits.xen.org/xsa/advisory-216.html
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10911
+https://security-tracker.debian.org/tracker/CVE-2017-10911
+
+Patch copied from Xen Security Advisory:
+
+https://xenbits.xen.org/xsa/xsa216-qemuu.patch
+
+From: Jan Beulich <address@hidden>
+Subject: xen/disk: don't leak stack data via response ring
+
+Rather than constructing a local structure instance on the stack, fill
+the fields directly on the shared ring, just like other (Linux)
+backends do. Build on the fact that all response structure flavors are
+actually identical (the old code did make this assumption too).
+
+This is XSA-216.
+
+Reported-by: Anthony Perard <address@hidden>
+Signed-off-by: Jan Beulich <address@hidden>
+Reviewed-by: Konrad Rzeszutek Wilk <address@hidden>
+Acked-by: Anthony PERARD <address@hidden>
+---
+v2: Add QEMU_PACKED to fix handling 32-bit guests by 64-bit qemu.
+
+--- a/hw/block/xen_blkif.h
++++ b/hw/block/xen_blkif.h
+@@ -14,9 +14,6 @@
+ struct blkif_common_request {
+     char dummy;
+ };
+-struct blkif_common_response {
+-    char dummy;
+-};
+ 
+ /* i386 protocol version */
+ #pragma pack(push, 4)
+@@ -36,13 +33,7 @@ struct blkif_x86_32_request_discard {
+     blkif_sector_t sector_number;    /* start sector idx on disk (r/w only)  
*/
+     uint64_t       nr_sectors;       /* # of contiguous sectors to discard   
*/
+ };
+-struct blkif_x86_32_response {
+-    uint64_t        id;              /* copied from request */
+-    uint8_t         operation;       /* copied from request */
+-    int16_t         status;          /* BLKIF_RSP_???       */
+-};
+ typedef struct blkif_x86_32_request blkif_x86_32_request_t;
+-typedef struct blkif_x86_32_response blkif_x86_32_response_t;
+ #pragma pack(pop)
+ 
+ /* x86_64 protocol version */
+@@ -62,20 +53,14 @@ struct blkif_x86_64_request_discard {
+     blkif_sector_t sector_number;    /* start sector idx on disk (r/w only)  
*/
+     uint64_t       nr_sectors;       /* # of contiguous sectors to discard   
*/
+ };
+-struct blkif_x86_64_response {
+-    uint64_t       __attribute__((__aligned__(8))) id;
+-    uint8_t         operation;       /* copied from request */
+-    int16_t         status;          /* BLKIF_RSP_???       */
+-};
+ typedef struct blkif_x86_64_request blkif_x86_64_request_t;
+-typedef struct blkif_x86_64_response blkif_x86_64_response_t;
+ 
+ DEFINE_RING_TYPES(blkif_common, struct blkif_common_request,
+-                  struct blkif_common_response);
++                  struct blkif_response);
+ DEFINE_RING_TYPES(blkif_x86_32, struct blkif_x86_32_request,
+-                  struct blkif_x86_32_response);
++                  struct blkif_response QEMU_PACKED);
+ DEFINE_RING_TYPES(blkif_x86_64, struct blkif_x86_64_request,
+-                  struct blkif_x86_64_response);
++                  struct blkif_response);
+ 
+ union blkif_back_rings {
+     blkif_back_ring_t        native;
+--- a/hw/block/xen_disk.c
++++ b/hw/block/xen_disk.c
+@@ -769,31 +769,30 @@ static int blk_send_response_one(struct
+     struct XenBlkDev  *blkdev = ioreq->blkdev;
+     int               send_notify   = 0;
+     int               have_requests = 0;
+-    blkif_response_t  resp;
+-    void              *dst;
+-
+-    resp.id        = ioreq->req.id;
+-    resp.operation = ioreq->req.operation;
+-    resp.status    = ioreq->status;
++    blkif_response_t  *resp;
+ 
+     /* Place on the response ring for the relevant domain. */
+     switch (blkdev->protocol) {
+     case BLKIF_PROTOCOL_NATIVE:
+-        dst = RING_GET_RESPONSE(&blkdev->rings.native, 
blkdev->rings.native.rsp_prod_pvt);
++        resp = RING_GET_RESPONSE(&blkdev->rings.native,
++                                 blkdev->rings.native.rsp_prod_pvt);
+         break;
+     case BLKIF_PROTOCOL_X86_32:
+-        dst = RING_GET_RESPONSE(&blkdev->rings.x86_32_part,
+-                                blkdev->rings.x86_32_part.rsp_prod_pvt);
++        resp = RING_GET_RESPONSE(&blkdev->rings.x86_32_part,
++                                 blkdev->rings.x86_32_part.rsp_prod_pvt);
+         break;
+     case BLKIF_PROTOCOL_X86_64:
+-        dst = RING_GET_RESPONSE(&blkdev->rings.x86_64_part,
+-                                blkdev->rings.x86_64_part.rsp_prod_pvt);
++        resp = RING_GET_RESPONSE(&blkdev->rings.x86_64_part,
++                                 blkdev->rings.x86_64_part.rsp_prod_pvt);
+         break;
+     default:
+-        dst = NULL;
+         return 0;
+     }
+-    memcpy(dst, &resp, sizeof(resp));
++
++    resp->id        = ioreq->req.id;
++    resp->operation = ioreq->req.operation;
++    resp->status    = ioreq->status;
++
+     blkdev->rings.common.rsp_prod_pvt++;
+ 
+     RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blkdev->rings.common, send_notify);
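Review bot: unlike the other three patch files, this one carries no upstream QEMU commit id in its header (only the XSA-216 advisory page and the xsa216-qemuu.patch URL), so on the next qemu update there is no direct way to tell whether the fix is already included; adding the corresponding qemu.git commit once it exists, or a note that it was not yet merged upstream when this was written, would help whoever rebases. On the change itself: dropping the stack-local `blkif_response_t resp` and the `memcpy(dst, &resp, sizeof(resp))` in favour of writing `resp->id`, `resp->operation` and `resp->status` directly into the ring slot means the padding bytes of the local structure, which the old code copied uninitialised onto the guest-visible ring, are no longer exposed, which is the XSA-216 leak. The `QEMU_PACKED` on the x86_32 ring type (the v2 note in the header) is what keeps the 32-bit layout correct when qemu itself is 64-bit, and the whole change relies on `struct blkif_response` from the Xen public headers being layout-identical across the three protocol flavours, as the commit message says the old code already assumed.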
diff --git a/gnu/packages/patches/qemu-CVE-2017-11434.patch 
b/gnu/packages/patches/qemu-CVE-2017-11434.patch
new file mode 100644
index 000000000..8c384b6c8
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-11434.patch
@@ -0,0 +1,46 @@
+Fix CVE-2017-11434:
+
+https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg05001.html
+https://bugzilla.redhat.com/show_bug.cgi?id=1472611
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11434
+https://security-tracker.debian.org/tracker/CVE-2017-11434
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=413d463f43fbc4dd3a601e80a5724aa384a265a0
+
+From 413d463f43fbc4dd3a601e80a5724aa384a265a0 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <address@hidden>
+Date: Mon, 17 Jul 2017 17:33:26 +0530
+Subject: [PATCH] slirp: check len against dhcp options array end
+
+While parsing dhcp options string in 'dhcp_decode', if an options'
+length 'len' appeared towards the end of 'bp_vend' array, ensuing
+read could lead to an OOB memory access issue. Add check to avoid it.
+
+This is CVE-2017-11434.
+
+Reported-by: Reno Robert <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+Signed-off-by: Samuel Thibault <address@hidden>
+---
+ slirp/bootp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/slirp/bootp.c b/slirp/bootp.c
+index 5a4646c182..5dd1a415b5 100644
+--- a/slirp/bootp.c
++++ b/slirp/bootp.c
+@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int 
*pmsg_type,
+             if (p >= p_end)
+                 break;
+             len = *p++;
++            if (p + len > p_end) {
++                break;
++            }
+             DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
+ 
+             switch(tag) {
+-- 
+2.14.1
+
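Review bot: the new bound check `if (p + len > p_end)` is correct in effect, but it forms the pointer `p + len` before comparing, which can point well past the end of `bp_vend` when `len` is large; `if (len > p_end - p)` expresses the same check without creating that pointer and is the form I would prefer if this patch were ever regenerated, though keeping the lines identical to upstream commit 413d463f43fb is reasonable for a copied fix. Placement is right: the check follows `len = *p++`, and the existing `if (p >= p_end) break;` above still guards the read of the length byte itself, so both the tag/length header and the option body are now bounded.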
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index 49998120d..ab364cd1f 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2015, 2016, 2017 Mark H Weaver <address@hidden>
 ;;; Copyright © 2016, 2017 Efraim Flashner <address@hidden>
 ;;; Copyright © 2016 Ricardo Wurmus <address@hidden>
+;;; Copyright © 2017 Alex Vong <address@hidden>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -82,7 +83,11 @@
                                       "qemu-CVE-2017-8379.patch"
                                       "qemu-CVE-2017-8380.patch"
                                       "qemu-CVE-2017-9524.patch"
-                                      "qemu-CVE-2017-11334.patch"))
+                                      "qemu-CVE-2017-10664.patch"
+                                      "qemu-CVE-2017-10806.patch"
+                                      "qemu-CVE-2017-10911.patch"
+                                      "qemu-CVE-2017-11334.patch"
+                                      "qemu-CVE-2017-11434.patch"))
              (sha256
               (base32
                "08mhfs0ndbkyqgw7fjaa9vjxf4dinrly656f6hjzvmaz7hzc677h"))))
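Review bot: the `sha256` after the `patches` list is left unchanged, which is correct, since it covers the unpatched upstream tarball and the patches named in the origin are applied on top of it. The five qemu-CVE-2017 entries are in the same numerical order as the `dist_patch_DATA` additions in gnu/local.mk and each name matches a file created by this patch, so nothing will be missing at build time.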
-- 
2.14.0

Cheers,
Alex

Attachment: signature.asc
Description: PGP signature

