gnu: qemu: Fix CVE-2017-7493.
* gnu/packages/patches/qemu-CVE-2017-7493.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/qemu.scm (qemu)[source]: Use it.
This commit is contained in:
parent
8d171471cf
commit
e7620b649c
|
@ -941,6 +941,7 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
|
||||
%D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \
|
||||
%D%/packages/patches/python2-subprocess32-disable-input-test.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-7493.patch \
|
||||
%D%/packages/patches/qt4-ldflags.patch \
|
||||
%D%/packages/patches/quickswitch-fix-dmenu-check.patch \
|
||||
%D%/packages/patches/rapicorn-isnan.patch \
|
||||
|
|
|
@ -0,0 +1,182 @@
|
|||
Fix CVE-2017-7493:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7493
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
http://git.qemu.org/?p=qemu.git;a=commit;h=7a95434e0ca8a037fd8aa1a2e2461f92585eb77b
|
||||
|
||||
From 7a95434e0ca8a037fd8aa1a2e2461f92585eb77b Mon Sep 17 00:00:00 2001
|
||||
From: Greg Kurz <groug@kaod.org>
|
||||
Date: Fri, 5 May 2017 14:48:08 +0200
|
||||
Subject: [PATCH] 9pfs: local: forbid client access to metadata (CVE-2017-7493)
|
||||
|
||||
When using the mapped-file security mode, we shouldn't let the client mess
|
||||
with the metadata. The current code already tries to hide the metadata dir
|
||||
from the client by skipping it in local_readdir(). But the client can still
|
||||
access or modify it through several other operations. This can be used to
|
||||
escalate privileges in the guest.
|
||||
|
||||
Affected backend operations are:
|
||||
- local_mknod()
|
||||
- local_mkdir()
|
||||
- local_open2()
|
||||
- local_symlink()
|
||||
- local_link()
|
||||
- local_unlinkat()
|
||||
- local_renameat()
|
||||
- local_rename()
|
||||
- local_name_to_path()
|
||||
|
||||
Other operations are safe because they are only passed a fid path, which
|
||||
is computed internally in local_name_to_path().
|
||||
|
||||
This patch converts all the functions listed above to fail and return
|
||||
EINVAL when being passed the name of the metadata dir. This may look
|
||||
like a poor choice for errno, but there's no such thing as an illegal
|
||||
path name on Linux and I could not think of anything better.
|
||||
|
||||
This fixes CVE-2017-7493.
|
||||
|
||||
Reported-by: Leo Gaspard <leo@gaspard.io>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
Reviewed-by: Eric Blake <eblake@redhat.com>
|
||||
---
|
||||
hw/9pfs/9p-local.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++--
|
||||
1 file changed, 56 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
|
||||
index f3ebca4f7a..a2486566af 100644
|
||||
--- a/hw/9pfs/9p-local.c
|
||||
+++ b/hw/9pfs/9p-local.c
|
||||
@@ -452,6 +452,11 @@ static off_t local_telldir(FsContext *ctx, V9fsFidOpenState *fs)
|
||||
return telldir(fs->dir.stream);
|
||||
}
|
||||
|
||||
+static bool local_is_mapped_file_metadata(FsContext *fs_ctx, const char *name)
|
||||
+{
|
||||
+ return !strcmp(name, VIRTFS_META_DIR);
|
||||
+}
|
||||
+
|
||||
static struct dirent *local_readdir(FsContext *ctx, V9fsFidOpenState *fs)
|
||||
{
|
||||
struct dirent *entry;
|
||||
@@ -465,8 +470,8 @@ again:
|
||||
if (ctx->export_flags & V9FS_SM_MAPPED) {
|
||||
entry->d_type = DT_UNKNOWN;
|
||||
} else if (ctx->export_flags & V9FS_SM_MAPPED_FILE) {
|
||||
- if (!strcmp(entry->d_name, VIRTFS_META_DIR)) {
|
||||
- /* skp the meta data directory */
|
||||
+ if (local_is_mapped_file_metadata(ctx, entry->d_name)) {
|
||||
+ /* skip the meta data directory */
|
||||
goto again;
|
||||
}
|
||||
entry->d_type = DT_UNKNOWN;
|
||||
@@ -559,6 +564,12 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path,
|
||||
int err = -1;
|
||||
int dirfd;
|
||||
|
||||
+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
+ local_is_mapped_file_metadata(fs_ctx, name)) {
|
||||
+ errno = EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
|
||||
if (dirfd == -1) {
|
||||
return -1;
|
||||
@@ -605,6 +616,12 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path,
|
||||
int err = -1;
|
||||
int dirfd;
|
||||
|
||||
+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
+ local_is_mapped_file_metadata(fs_ctx, name)) {
|
||||
+ errno = EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
|
||||
if (dirfd == -1) {
|
||||
return -1;
|
||||
@@ -694,6 +711,12 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *name,
|
||||
int err = -1;
|
||||
int dirfd;
|
||||
|
||||
+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
+ local_is_mapped_file_metadata(fs_ctx, name)) {
|
||||
+ errno = EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* Mark all the open to not follow symlinks
|
||||
*/
|
||||
@@ -752,6 +775,12 @@ static int local_symlink(FsContext *fs_ctx, const char *oldpath,
|
||||
int err = -1;
|
||||
int dirfd;
|
||||
|
||||
+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
+ local_is_mapped_file_metadata(fs_ctx, name)) {
|
||||
+ errno = EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
|
||||
if (dirfd == -1) {
|
||||
return -1;
|
||||
@@ -826,6 +855,12 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath,
|
||||
int ret = -1;
|
||||
int odirfd, ndirfd;
|
||||
|
||||
+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
+ local_is_mapped_file_metadata(ctx, name)) {
|
||||
+ errno = EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
odirfd = local_opendir_nofollow(ctx, odirpath);
|
||||
if (odirfd == -1) {
|
||||
goto out;
|
||||
@@ -1096,6 +1131,12 @@ static int local_lremovexattr(FsContext *ctx, V9fsPath *fs_path,
|
||||
static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path,
|
||||
const char *name, V9fsPath *target)
|
||||
{
|
||||
+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
+ local_is_mapped_file_metadata(ctx, name)) {
|
||||
+ errno = EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
if (dir_path) {
|
||||
v9fs_path_sprintf(target, "%s/%s", dir_path->data, name);
|
||||
} else if (strcmp(name, "/")) {
|
||||
@@ -1116,6 +1157,13 @@ static int local_renameat(FsContext *ctx, V9fsPath *olddir,
|
||||
int ret;
|
||||
int odirfd, ndirfd;
|
||||
|
||||
+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
+ (local_is_mapped_file_metadata(ctx, old_name) ||
|
||||
+ local_is_mapped_file_metadata(ctx, new_name))) {
|
||||
+ errno = EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
odirfd = local_opendir_nofollow(ctx, olddir->data);
|
||||
if (odirfd == -1) {
|
||||
return -1;
|
||||
@@ -1206,6 +1254,12 @@ static int local_unlinkat(FsContext *ctx, V9fsPath *dir,
|
||||
int ret;
|
||||
int dirfd;
|
||||
|
||||
+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
+ local_is_mapped_file_metadata(ctx, name)) {
|
||||
+ errno = EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
dirfd = local_opendir_nofollow(ctx, dir->data);
|
||||
if (dirfd == -1) {
|
||||
return -1;
|
||||
--
|
||||
2.13.0
|
||||
|
|
@ -74,6 +74,7 @@
|
|||
(method url-fetch)
|
||||
(uri (string-append "http://wiki.qemu-project.org/download/qemu-"
|
||||
version ".tar.xz"))
|
||||
(patches (search-patches "qemu-CVE-2017-7493.patch"))
|
||||
(sha256
|
||||
(base32
|
||||
"08mhfs0ndbkyqgw7fjaa9vjxf4dinrly656f6hjzvmaz7hzc677h"))))
|
||||
|
|
Loading…
Reference in New Issue