commit:     33cfc7b69e6a25e0b66687e28f7b29ae1a43e2d4
Author:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Thu May 18 04:08:31 2017 +0000
Commit:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Thu May 18 04:20:12 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33cfc7b6

app-emulation/qemu: patch for CVE-2017-7493, bug #618808

Package-Manager: Portage-2.3.5, Repoman-2.3.2

 .../qemu/files/qemu-2.9.0-CVE-2017-7493.patch      | 174 +++++++++++++++++++++
 .../{qemu-2.9.0-r1.ebuild => qemu-2.9.0-r2.ebuild} |   9 +-
 ...qemu-2.9.0-r53.ebuild => qemu-2.9.0-r54.ebuild} |   9 +-
 3 files changed, 184 insertions(+), 8 deletions(-)

diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7493.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7493.patch
new file mode 100644
index 00000000000..346e7713f74
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7493.patch
@@ -0,0 +1,174 @@
+From 7a95434e0ca8a037fd8aa1a2e2461f92585eb77b Mon Sep 17 00:00:00 2001
+From: Greg Kurz <gr...@kaod.org>
+Date: Fri, 5 May 2017 14:48:08 +0200
+Subject: [PATCH] 9pfs: local: forbid client access to metadata (CVE-2017-7493)
+
+When using the mapped-file security mode, we shouldn't let the client mess
+with the metadata. The current code already tries to hide the metadata dir
+from the client by skipping it in local_readdir(). But the client can still
+access or modify it through several other operations. This can be used to
+escalate privileges in the guest.
+
+Affected backend operations are:
+- local_mknod()
+- local_mkdir()
+- local_open2()
+- local_symlink()
+- local_link()
+- local_unlinkat()
+- local_renameat()
+- local_rename()
+- local_name_to_path()
+
+Other operations are safe because they are only passed a fid path, which
+is computed internally in local_name_to_path().
+
+This patch converts all the functions listed above to fail and return
+EINVAL when being passed the name of the metadata dir. This may look
+like a poor choice for errno, but there's no such thing as an illegal
+path name on Linux and I could not think of anything better.
+
+This fixes CVE-2017-7493.
+
+Reported-by: Leo Gaspard <l...@gaspard.io>
+Signed-off-by: Greg Kurz <gr...@kaod.org>
+Reviewed-by: Eric Blake <ebl...@redhat.com>
+---
+ hw/9pfs/9p-local.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 56 insertions(+), 2 deletions(-)
+
+diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
+index f3ebca4f7a..a2486566af 100644
+--- a/hw/9pfs/9p-local.c
++++ b/hw/9pfs/9p-local.c
+@@ -452,6 +452,11 @@ static off_t local_telldir(FsContext *ctx, V9fsFidOpenState *fs)
+     return telldir(fs->dir.stream);
+ }
+ 
++static bool local_is_mapped_file_metadata(FsContext *fs_ctx, const char *name)
++{
++    return !strcmp(name, VIRTFS_META_DIR);
++}
++
+ static struct dirent *local_readdir(FsContext *ctx, V9fsFidOpenState *fs)
+ {
+     struct dirent *entry;
+@@ -465,8 +470,8 @@ again:
+     if (ctx->export_flags & V9FS_SM_MAPPED) {
+         entry->d_type = DT_UNKNOWN;
+     } else if (ctx->export_flags & V9FS_SM_MAPPED_FILE) {
+-        if (!strcmp(entry->d_name, VIRTFS_META_DIR)) {
+-            /* skp the meta data directory */
++        if (local_is_mapped_file_metadata(ctx, entry->d_name)) {
++            /* skip the meta data directory */
+             goto again;
+         }
+         entry->d_type = DT_UNKNOWN;
+@@ -559,6 +564,12 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path,
+     int err = -1;
+     int dirfd;
+ 
++    if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
++        local_is_mapped_file_metadata(fs_ctx, name)) {
++        errno = EINVAL;
++        return -1;
++    }
++
+     dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
+     if (dirfd == -1) {
+         return -1;
+@@ -605,6 +616,12 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path,
+     int err = -1;
+     int dirfd;
+ 
++    if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
++        local_is_mapped_file_metadata(fs_ctx, name)) {
++        errno = EINVAL;
++        return -1;
++    }
++
+     dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
+     if (dirfd == -1) {
+         return -1;
+@@ -694,6 +711,12 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *name,
+     int err = -1;
+     int dirfd;
+ 
++    if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
++        local_is_mapped_file_metadata(fs_ctx, name)) {
++        errno = EINVAL;
++        return -1;
++    }
++
+     /*
+      * Mark all the open to not follow symlinks
+      */
+@@ -752,6 +775,12 @@ static int local_symlink(FsContext *fs_ctx, const char *oldpath,
+     int err = -1;
+     int dirfd;
+ 
++    if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
++        local_is_mapped_file_metadata(fs_ctx, name)) {
++        errno = EINVAL;
++        return -1;
++    }
++
+     dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
+     if (dirfd == -1) {
+         return -1;
+@@ -826,6 +855,12 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath,
+     int ret = -1;
+     int odirfd, ndirfd;
+ 
++    if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
++        local_is_mapped_file_metadata(ctx, name)) {
++        errno = EINVAL;
++        return -1;
++    }
++
+     odirfd = local_opendir_nofollow(ctx, odirpath);
+     if (odirfd == -1) {
+         goto out;
+@@ -1096,6 +1131,12 @@ static int local_lremovexattr(FsContext *ctx, V9fsPath *fs_path,
+ static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path,
+                               const char *name, V9fsPath *target)
+ {
++    if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
++        local_is_mapped_file_metadata(ctx, name)) {
++        errno = EINVAL;
++        return -1;
++    }
++
+     if (dir_path) {
+         v9fs_path_sprintf(target, "%s/%s", dir_path->data, name);
+     } else if (strcmp(name, "/")) {
+@@ -1116,6 +1157,13 @@ static int local_renameat(FsContext *ctx, V9fsPath *olddir,
+     int ret;
+     int odirfd, ndirfd;
+ 
++    if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
++        (local_is_mapped_file_metadata(ctx, old_name) ||
++         local_is_mapped_file_metadata(ctx, new_name))) {
++        errno = EINVAL;
++        return -1;
++    }
++
+     odirfd = local_opendir_nofollow(ctx, olddir->data);
+     if (odirfd == -1) {
+         return -1;
+@@ -1206,6 +1254,12 @@ static int local_unlinkat(FsContext *ctx, V9fsPath *dir,
+     int ret;
+     int dirfd;
+ 
++    if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
++        local_is_mapped_file_metadata(ctx, name)) {
++        errno = EINVAL;
++        return -1;
++    }
++
+     dirfd = local_opendir_nofollow(ctx, dir->data);
+     if (dirfd == -1) {
+         return -1;
+-- 
+2.13.0
+
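Review bot: `local_is_mapped_file_metadata()` in the first nested hunk declares an `fs_ctx` parameter that its body never reads, and the helper carries no comment saying that it marks a security boundary shared by the eight callers below it. Suggest a short header comment along the lines of `/* Reject client-supplied names that would reach the hidden metadata dir of the mapped-file security model (CVE-2017-7493); fs_ctx is currently unused. */` so the argument is not dropped and the guards are not removed as redundant later. The repeated guards written as `fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && ...` are correct because `&` binds tighter than `&&`, but parenthesising the bitwise test, `if ((fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) &&`, would make that intent obvious to the next reader. The patch description also lists local_rename() although no hunk touches it; presumably it reaches the new check through local_renameat(), which is worth stating explicitly in the description. Each guarded function starts and ends outside its hunk.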

diff --git a/app-emulation/qemu/qemu-2.9.0-r1.ebuild b/app-emulation/qemu/qemu-2.9.0-r2.ebuild
similarity index 98%
rename from app-emulation/qemu/qemu-2.9.0-r1.ebuild
rename to app-emulation/qemu/qemu-2.9.0-r2.ebuild
index 9fdaa1ebac5..6289ced538e 100644
--- a/app-emulation/qemu/qemu-2.9.0-r1.ebuild
+++ b/app-emulation/qemu/qemu-2.9.0-r2.ebuild
@@ -191,10 +191,11 @@ RDEPEND="${CDEPEND}
 PATCHES=(
        "${FILESDIR}"/${PN}-2.5.0-cflags.patch
        "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch
-       "${FILESDIR}"/${PN}-2.9.0-bug616870.patch
-       "${FILESDIR}"/${PN}-2.9.0-bug616872.patch
-       "${FILESDIR}"/${PN}-2.9.0-bug616874.patch
-       "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8112.patch
+       "${FILESDIR}"/${PN}-2.9.0-bug616870.patch # bug 616870
+       "${FILESDIR}"/${PN}-2.9.0-bug616872.patch # bug 616872
+       "${FILESDIR}"/${PN}-2.9.0-bug616874.patch # bug 616874
+       "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8112.patch # bug 616636
+       "${FILESDIR}"/${PN}-2.9.0-CVE-2017-7493.patch # bug 618808
 )
 
 STRIP_MASK="/usr/share/qemu/palcode-clipper"

diff --git a/app-emulation/qemu/qemu-2.9.0-r53.ebuild b/app-emulation/qemu/qemu-2.9.0-r54.ebuild
similarity index 98%
rename from app-emulation/qemu/qemu-2.9.0-r53.ebuild
rename to app-emulation/qemu/qemu-2.9.0-r54.ebuild
index 5518e2e813b..0d8029910fc 100644
--- a/app-emulation/qemu/qemu-2.9.0-r53.ebuild
+++ b/app-emulation/qemu/qemu-2.9.0-r54.ebuild
@@ -194,10 +194,11 @@ RDEPEND="${CDEPEND}
 PATCHES=(
        "${FILESDIR}"/${PN}-2.5.0-cflags.patch
        "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch
-       "${FILESDIR}"/${PN}-2.9.0-bug616870.patch
-       "${FILESDIR}"/${PN}-2.9.0-bug616872.patch
-       "${FILESDIR}"/${PN}-2.9.0-bug616874.patch
-       "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8112.patch
+       "${FILESDIR}"/${PN}-2.9.0-bug616870.patch # bug 616870
+       "${FILESDIR}"/${PN}-2.9.0-bug616872.patch # bug 616872
+       "${FILESDIR}"/${PN}-2.9.0-bug616874.patch # bug 616874
+       "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8112.patch # bug 616636
+       "${FILESDIR}"/${PN}-2.9.0-CVE-2017-7493.patch # bug 618808
 )
 
 STRIP_MASK="/usr/share/qemu/palcode-clipper"
