From e6c28113e6d74c713f8d77bd3d8a543e6871a413 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Thu, 6 Dec 2018 15:12:51 -0500 Subject: gnu: QEMU: Fix CVE-2018-16847 and CVE-2018-16867. * gnu/packages/patches/qemu-CVE-2018-16847.patch, gnu/packages/patches/qemu-CVE-2018-16867.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/virtualization.scm (qemu)[source]: Use them. --- gnu/packages/patches/qemu-CVE-2018-16847.patch | 158 +++++++++++++++++++++++++ gnu/packages/patches/qemu-CVE-2018-16867.patch | 49 ++++++++ gnu/packages/virtualization.scm | 2 + 3 files changed, 209 insertions(+) create mode 100644 gnu/packages/patches/qemu-CVE-2018-16847.patch create mode 100644 gnu/packages/patches/qemu-CVE-2018-16867.patch (limited to 'gnu/packages') diff --git a/gnu/packages/patches/qemu-CVE-2018-16847.patch b/gnu/packages/patches/qemu-CVE-2018-16847.patch new file mode 100644 index 0000000000..c76bdf764a --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2018-16847.patch @@ -0,0 +1,158 @@ +Fix CVE-2018-16847: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16847 + +Patch copied from upstream source repository: + +https://git.qemu.org/?p=qemu.git;a=commitdiff;h=87ad860c622cc8f8916b5232bd8728c08f938fce + +From 87ad860c622cc8f8916b5232bd8728c08f938fce Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 20 Nov 2018 19:41:48 +0100 +Subject: [PATCH] nvme: fix out-of-bounds access to the CMB +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Because the CMB BAR has a min_access_size of 2, if you read the last +byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one +error. This is CVE-2018-16847. + +Another way to fix this might be to register the CMB as a RAM memory +region, which would also be more efficient. However, that might be a +change for big-endian machines; I didn't think this through and I don't +know how real hardware works. Add a basic testcase for the CMB in case +somebody does this change later on. + +Cc: Keith Busch +Cc: qemu-block@nongnu.org +Reported-by: Li Qiang +Reviewed-by: Li Qiang +Tested-by: Li Qiang +Signed-off-by: Paolo Bonzini +Reviewed-by: Philippe Mathieu-Daudé +Tested-by: Philippe Mathieu-Daudé +Signed-off-by: Kevin Wolf +--- + hw/block/nvme.c | 2 +- + tests/Makefile.include | 2 +- + tests/nvme-test.c | 68 +++++++++++++++++++++++++++++++++++------- + 3 files changed, 60 insertions(+), 12 deletions(-) + +diff --git a/hw/block/nvme.c b/hw/block/nvme.c +index 28d284346dd..8c35cab2b43 100644 +--- a/hw/block/nvme.c ++++ b/hw/block/nvme.c +@@ -1201,7 +1201,7 @@ static const MemoryRegionOps nvme_cmb_ops = { + .write = nvme_cmb_write, + .endianness = DEVICE_LITTLE_ENDIAN, + .impl = { +- .min_access_size = 2, ++ .min_access_size = 1, + .max_access_size = 8, + }, + }; +diff --git a/tests/Makefile.include b/tests/Makefile.include +index 613242bc6ef..fb0b449c02a 100644 +--- a/tests/Makefile.include ++++ b/tests/Makefile.include +@@ -730,7 +730,7 @@ tests/test-hmp$(EXESUF): tests/test-hmp.o + tests/machine-none-test$(EXESUF): tests/machine-none-test.o + tests/drive_del-test$(EXESUF): tests/drive_del-test.o $(libqos-virtio-obj-y) + tests/qdev-monitor-test$(EXESUF): tests/qdev-monitor-test.o $(libqos-pc-obj-y) +-tests/nvme-test$(EXESUF): tests/nvme-test.o ++tests/nvme-test$(EXESUF): tests/nvme-test.o $(libqos-pc-obj-y) + tests/pvpanic-test$(EXESUF): tests/pvpanic-test.o + tests/i82801b11-test$(EXESUF): tests/i82801b11-test.o + tests/ac97-test$(EXESUF): tests/ac97-test.o +diff --git a/tests/nvme-test.c b/tests/nvme-test.c +index 7674a446e4f..2700ba838aa 100644 +--- a/tests/nvme-test.c ++++ b/tests/nvme-test.c +@@ -8,25 +8,73 @@ + */ + + #include "qemu/osdep.h" ++#include "qemu/units.h" + #include "libqtest.h" ++#include "libqos/libqos-pc.h" ++ ++static QOSState *qnvme_start(const char *extra_opts) ++{ ++ QOSState *qs; ++ const char *arch = qtest_get_arch(); ++ const char *cmd = "-drive id=drv0,if=none,file=null-co://,format=raw " ++ "-device nvme,addr=0x4.0,serial=foo,drive=drv0 %s"; ++ ++ if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) { ++ qs = qtest_pc_boot(cmd, extra_opts ? : ""); ++ global_qtest = qs->qts; ++ return qs; ++ } ++ ++ g_printerr("nvme tests are only available on x86\n"); ++ exit(EXIT_FAILURE); ++} ++ ++static void qnvme_stop(QOSState *qs) ++{ ++ qtest_shutdown(qs); ++} + +-/* Tests only initialization so far. TODO: Replace with functional tests */ + static void nop(void) + { ++ QOSState *qs; ++ ++ qs = qnvme_start(NULL); ++ qnvme_stop(qs); + } + +-int main(int argc, char **argv) ++static void nvmetest_cmb_test(void) + { +- int ret; ++ const int cmb_bar_size = 2 * MiB; ++ QOSState *qs; ++ QPCIDevice *pdev; ++ QPCIBar bar; + +- g_test_init(&argc, &argv, NULL); +- qtest_add_func("/nvme/nop", nop); ++ qs = qnvme_start("-global nvme.cmb_size_mb=2"); ++ pdev = qpci_device_find(qs->pcibus, QPCI_DEVFN(4,0)); ++ g_assert(pdev != NULL); ++ ++ qpci_device_enable(pdev); ++ bar = qpci_iomap(pdev, 2, NULL); ++ ++ qpci_io_writel(pdev, bar, 0, 0xccbbaa99); ++ g_assert_cmpint(qpci_io_readb(pdev, bar, 0), ==, 0x99); ++ g_assert_cmpint(qpci_io_readw(pdev, bar, 0), ==, 0xaa99); ++ ++ /* Test partially out-of-bounds accesses. */ ++ qpci_io_writel(pdev, bar, cmb_bar_size - 1, 0x44332211); ++ g_assert_cmpint(qpci_io_readb(pdev, bar, cmb_bar_size - 1), ==, 0x11); ++ g_assert_cmpint(qpci_io_readw(pdev, bar, cmb_bar_size - 1), !=, 0x2211); ++ g_assert_cmpint(qpci_io_readl(pdev, bar, cmb_bar_size - 1), !=, 0x44332211); ++ g_free(pdev); + +- qtest_start("-drive id=drv0,if=none,file=null-co://,format=raw " +- "-device nvme,drive=drv0,serial=foo"); +- ret = g_test_run(); ++ qnvme_stop(qs); ++} + +- qtest_end(); ++int main(int argc, char **argv) ++{ ++ g_test_init(&argc, &argv, NULL); ++ qtest_add_func("/nvme/nop", nop); ++ qtest_add_func("/nvme/cmb_test", nvmetest_cmb_test); + +- return ret; ++ return g_test_run(); + } +-- +2.19.2 + diff --git a/gnu/packages/patches/qemu-CVE-2018-16867.patch b/gnu/packages/patches/qemu-CVE-2018-16867.patch new file mode 100644 index 0000000000..1403d8e0f8 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2018-16867.patch @@ -0,0 +1,49 @@ +Fix CVE-2018-16867: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16867 +https://seclists.org/oss-sec/2018/q4/202 + +Patch copied from upstream source repository: + +https://git.qemu.org/?p=qemu.git;a=commitdiff;h=c52d46e041b42bb1ee6f692e00a0abe37a9659f6 + +From c52d46e041b42bb1ee6f692e00a0abe37a9659f6 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 3 Dec 2018 11:10:45 +0100 +Subject: [PATCH] usb-mtp: outlaw slashes in filenames +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Slash is unix directory separator, so they are not allowed in filenames. +Note this also stops the classic escape via "../". + +Fixes: CVE-2018-16867 +Reported-by: Michael Hanselmann +Signed-off-by: Gerd Hoffmann +Reviewed-by: Philippe Mathieu-Daudé +Message-id: 20181203101045.27976-3-kraxel@redhat.com +--- + hw/usb/dev-mtp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c +index 0f6a9702ef1..100b7171f4e 100644 +--- a/hw/usb/dev-mtp.c ++++ b/hw/usb/dev-mtp.c +@@ -1719,6 +1719,12 @@ static void usb_mtp_write_metadata(MTPState *s) + + filename = utf16_to_str(dataset->length, dataset->filename); + ++ if (strchr(filename, '/')) { ++ usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans, ++ 0, 0, 0, 0); ++ return; ++ } ++ + o = usb_mtp_object_lookup_name(p, filename, dataset->length); + if (o != NULL) { + next_handle = o->handle; +-- +2.19.2 + diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm index 2f8e541d40..0502bb38c4 100644 --- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm @@ -100,6 +100,8 @@ (define-public qemu (method url-fetch) (uri (string-append "https://download.qemu.org/qemu-" version ".tar.xz")) + (patches (search-patches "qemu-CVE-2018-16847.patch" + "qemu-CVE-2018-16867.patch")) (sha256 (base32 "04sp3f1gp4bdb913jf7fw761njaqp2l32wgipp1sapmxx17zcyld")))) -- cgit v1.2.3