aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2018-12-06 15:12:51 -0500
committerLeo Famulari <leo@famulari.name>2018-12-06 16:16:54 -0500
commite6c28113e6d74c713f8d77bd3d8a543e6871a413 (patch)
treee72b15100429e6f017966bb608b2e785d22c1503
parentd553ee80828e4b4eb7be59f5278e5d1696b935a0 (diff)
downloadguix-e6c28113e6d74c713f8d77bd3d8a543e6871a413.tar
guix-e6c28113e6d74c713f8d77bd3d8a543e6871a413.tar.gz
gnu: QEMU: Fix CVE-2018-16847 and CVE-2018-16867.
* gnu/packages/patches/qemu-CVE-2018-16847.patch, gnu/packages/patches/qemu-CVE-2018-16867.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/virtualization.scm (qemu)[source]: Use them.
-rw-r--r--gnu/local.mk2
-rw-r--r--gnu/packages/patches/qemu-CVE-2018-16847.patch158
-rw-r--r--gnu/packages/patches/qemu-CVE-2018-16867.patch49
-rw-r--r--gnu/packages/virtualization.scm2
4 files changed, 211 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index a400e6223e..a35e5ae7e3 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1111,6 +1111,8 @@ dist_patch_DATA = \
%D%/packages/patches/python-unittest2-remove-argparse.patch \
%D%/packages/patches/python-waitress-fix-tests.patch \
%D%/packages/patches/qemu-glibc-2.27.patch \
+ %D%/packages/patches/qemu-CVE-2018-16847.patch \
+ %D%/packages/patches/qemu-CVE-2018-16867.patch \
%D%/packages/patches/qt4-ldflags.patch \
%D%/packages/patches/qtbase-use-TZDIR.patch \
%D%/packages/patches/qtscript-disable-tests.patch \
diff --git a/gnu/packages/patches/qemu-CVE-2018-16847.patch b/gnu/packages/patches/qemu-CVE-2018-16847.patch
new file mode 100644
index 0000000000..c76bdf764a
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2018-16847.patch
@@ -0,0 +1,158 @@
+Fix CVE-2018-16847:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16847
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=87ad860c622cc8f8916b5232bd8728c08f938fce
+
+From 87ad860c622cc8f8916b5232bd8728c08f938fce Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 20 Nov 2018 19:41:48 +0100
+Subject: [PATCH] nvme: fix out-of-bounds access to the CMB
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Because the CMB BAR has a min_access_size of 2, if you read the last
+byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one
+error. This is CVE-2018-16847.
+
+Another way to fix this might be to register the CMB as a RAM memory
+region, which would also be more efficient. However, that might be a
+change for big-endian machines; I didn't think this through and I don't
+know how real hardware works. Add a basic testcase for the CMB in case
+somebody does this change later on.
+
+Cc: Keith Busch <keith.busch@intel.com>
+Cc: qemu-block@nongnu.org
+Reported-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Tested-by: Li Qiang <liq3ea@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+---
+ hw/block/nvme.c | 2 +-
+ tests/Makefile.include | 2 +-
+ tests/nvme-test.c | 68 +++++++++++++++++++++++++++++++++++-------
+ 3 files changed, 60 insertions(+), 12 deletions(-)
+
+diff --git a/hw/block/nvme.c b/hw/block/nvme.c
+index 28d284346dd..8c35cab2b43 100644
+--- a/hw/block/nvme.c
++++ b/hw/block/nvme.c
+@@ -1201,7 +1201,7 @@ static const MemoryRegionOps nvme_cmb_ops = {
+ .write = nvme_cmb_write,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ .impl = {
+- .min_access_size = 2,
++ .min_access_size = 1,
+ .max_access_size = 8,
+ },
+ };
+diff --git a/tests/Makefile.include b/tests/Makefile.include
+index 613242bc6ef..fb0b449c02a 100644
+--- a/tests/Makefile.include
++++ b/tests/Makefile.include
+@@ -730,7 +730,7 @@ tests/test-hmp$(EXESUF): tests/test-hmp.o
+ tests/machine-none-test$(EXESUF): tests/machine-none-test.o
+ tests/drive_del-test$(EXESUF): tests/drive_del-test.o $(libqos-virtio-obj-y)
+ tests/qdev-monitor-test$(EXESUF): tests/qdev-monitor-test.o $(libqos-pc-obj-y)
+-tests/nvme-test$(EXESUF): tests/nvme-test.o
++tests/nvme-test$(EXESUF): tests/nvme-test.o $(libqos-pc-obj-y)
+ tests/pvpanic-test$(EXESUF): tests/pvpanic-test.o
+ tests/i82801b11-test$(EXESUF): tests/i82801b11-test.o
+ tests/ac97-test$(EXESUF): tests/ac97-test.o
+diff --git a/tests/nvme-test.c b/tests/nvme-test.c
+index 7674a446e4f..2700ba838aa 100644
+--- a/tests/nvme-test.c
++++ b/tests/nvme-test.c
+@@ -8,25 +8,73 @@
+ */
+
+ #include "qemu/osdep.h"
++#include "qemu/units.h"
+ #include "libqtest.h"
++#include "libqos/libqos-pc.h"
++
++static QOSState *qnvme_start(const char *extra_opts)
++{
++ QOSState *qs;
++ const char *arch = qtest_get_arch();
++ const char *cmd = "-drive id=drv0,if=none,file=null-co://,format=raw "
++ "-device nvme,addr=0x4.0,serial=foo,drive=drv0 %s";
++
++ if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
++ qs = qtest_pc_boot(cmd, extra_opts ? : "");
++ global_qtest = qs->qts;
++ return qs;
++ }
++
++ g_printerr("nvme tests are only available on x86\n");
++ exit(EXIT_FAILURE);
++}
++
++static void qnvme_stop(QOSState *qs)
++{
++ qtest_shutdown(qs);
++}
+
+-/* Tests only initialization so far. TODO: Replace with functional tests */
+ static void nop(void)
+ {
++ QOSState *qs;
++
++ qs = qnvme_start(NULL);
++ qnvme_stop(qs);
+ }
+
+-int main(int argc, char **argv)
++static void nvmetest_cmb_test(void)
+ {
+- int ret;
++ const int cmb_bar_size = 2 * MiB;
++ QOSState *qs;
++ QPCIDevice *pdev;
++ QPCIBar bar;
+
+- g_test_init(&argc, &argv, NULL);
+- qtest_add_func("/nvme/nop", nop);
++ qs = qnvme_start("-global nvme.cmb_size_mb=2");
++ pdev = qpci_device_find(qs->pcibus, QPCI_DEVFN(4,0));
++ g_assert(pdev != NULL);
++
++ qpci_device_enable(pdev);
++ bar = qpci_iomap(pdev, 2, NULL);
++
++ qpci_io_writel(pdev, bar, 0, 0xccbbaa99);
++ g_assert_cmpint(qpci_io_readb(pdev, bar, 0), ==, 0x99);
++ g_assert_cmpint(qpci_io_readw(pdev, bar, 0), ==, 0xaa99);
++
++ /* Test partially out-of-bounds accesses. */
++ qpci_io_writel(pdev, bar, cmb_bar_size - 1, 0x44332211);
++ g_assert_cmpint(qpci_io_readb(pdev, bar, cmb_bar_size - 1), ==, 0x11);
++ g_assert_cmpint(qpci_io_readw(pdev, bar, cmb_bar_size - 1), !=, 0x2211);
++ g_assert_cmpint(qpci_io_readl(pdev, bar, cmb_bar_size - 1), !=, 0x44332211);
++ g_free(pdev);
+
+- qtest_start("-drive id=drv0,if=none,file=null-co://,format=raw "
+- "-device nvme,drive=drv0,serial=foo");
+- ret = g_test_run();
++ qnvme_stop(qs);
++}
+
+- qtest_end();
++int main(int argc, char **argv)
++{
++ g_test_init(&argc, &argv, NULL);
++ qtest_add_func("/nvme/nop", nop);
++ qtest_add_func("/nvme/cmb_test", nvmetest_cmb_test);
+
+- return ret;
++ return g_test_run();
+ }
+--
+2.19.2
+
diff --git a/gnu/packages/patches/qemu-CVE-2018-16867.patch b/gnu/packages/patches/qemu-CVE-2018-16867.patch
new file mode 100644
index 0000000000..1403d8e0f8
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2018-16867.patch
@@ -0,0 +1,49 @@
+Fix CVE-2018-16867:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16867
+https://seclists.org/oss-sec/2018/q4/202
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=c52d46e041b42bb1ee6f692e00a0abe37a9659f6
+
+From c52d46e041b42bb1ee6f692e00a0abe37a9659f6 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 Dec 2018 11:10:45 +0100
+Subject: [PATCH] usb-mtp: outlaw slashes in filenames
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Slash is unix directory separator, so they are not allowed in filenames.
+Note this also stops the classic escape via "../".
+
+Fixes: CVE-2018-16867
+Reported-by: Michael Hanselmann <public@hansmi.ch>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20181203101045.27976-3-kraxel@redhat.com
+---
+ hw/usb/dev-mtp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
+index 0f6a9702ef1..100b7171f4e 100644
+--- a/hw/usb/dev-mtp.c
++++ b/hw/usb/dev-mtp.c
+@@ -1719,6 +1719,12 @@ static void usb_mtp_write_metadata(MTPState *s)
+
+ filename = utf16_to_str(dataset->length, dataset->filename);
+
++ if (strchr(filename, '/')) {
++ usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans,
++ 0, 0, 0, 0);
++ return;
++ }
++
+ o = usb_mtp_object_lookup_name(p, filename, dataset->length);
+ if (o != NULL) {
+ next_handle = o->handle;
+--
+2.19.2
+
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index 2f8e541d40..0502bb38c4 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -100,6 +100,8 @@
(method url-fetch)
(uri (string-append "https://download.qemu.org/qemu-"
version ".tar.xz"))
+ (patches (search-patches "qemu-CVE-2018-16847.patch"
+ "qemu-CVE-2018-16867.patch"))
(sha256
(base32
"04sp3f1gp4bdb913jf7fw761njaqp2l32wgipp1sapmxx17zcyld"))))