[Bug 2065579] Re: [UBUNTU 22.04] OS guest boot issues on 9p filesystem

2024-06-07 Thread bugproxy
--- Comment From boris.m...@de.ibm.com 2024-06-07 06:53 EDT---
The fix to this bug has been released to -security.

Thanks to everyone for your speedy work to get this fixed.

With this, I am closing this bug: changing the status to ==> CLOSED

** Tags removed: targetmilestone-inin2404
** Tags added: targetmilestone-inin2204

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2065579

Title:
  [UBUNTU 22.04] OS guest boot issues on 9p filesystem

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2065579/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2065579] Re: [UBUNTU 22.04] OS guest boot issues on 9p filesystem

2024-06-07 Thread bugproxy
** Tags removed: targetmilestone-inin---
** Tags added: targetmilestone-inin2404


[Bug 2065579] Re: [UBUNTU 22.04] OS guest boot issues on 9p filesystem

2024-06-06 Thread Frank Heimes
** Changed in: ubuntu-z-systems
   Status: New => Fix Released


[Bug 2065579] Re: [UBUNTU 22.04] OS guest boot issues on 9p filesystem

2024-06-06 Thread Launchpad Bug Tracker
This bug was fixed in the package qemu - 1:6.2+dfsg-2ubuntu6.21

---
qemu (1:6.2+dfsg-2ubuntu6.21) jammy-security; urgency=medium

  * SECURITY REGRESSION: 9pfs restrictions on sockets (LP: #2065579)
    - debian/patches/ubuntu/lp-2065579-9pfs-allow-sockets.patch: allow
      sockets and FIFOs to be opened in hw/9pfs/9p-util.h. The fix for
      CVE-2023-2861 was too restrictive for some use-cases.

 -- Marc Deslauriers  Wed, 05 Jun 2024 12:25:53 -0400


[Bug 2065579] Re: [UBUNTU 22.04] OS guest boot issues on 9p filesystem

2024-06-06 Thread Launchpad Bug Tracker
This bug was fixed in the package qemu - 1:4.2-3ubuntu6.29

---
qemu (1:4.2-3ubuntu6.29) focal-security; urgency=medium

  * SECURITY REGRESSION: 9pfs restrictions on sockets (LP: #2065579)
    - debian/patches/ubuntu/lp-2065579-9pfs-allow-sockets.patch: allow
      sockets and FIFOs to be opened in hw/9pfs/9p-util.h. The fix for
      CVE-2023-2861 was too restrictive for some use-cases.

 -- Marc Deslauriers  Wed, 05 Jun 2024 12:25:53 -0400

** Changed in: qemu (Ubuntu)
   Status: New => Fix Released


[Bug 2065579] Re: [UBUNTU 22.04] OS guest boot issues on 9p filesystem

2024-06-03 Thread Marc Deslauriers
In response to comment #7, I have no issue releasing a security update
regression fix for focal and jammy that relaxes the CVE fix for sockets
since that is a change in behaviour. Let me know once the proposed patch
has been successfully tested to resolve the issue.


[Bug 2065579] Re: [UBUNTU 22.04] OS guest boot issues on 9p filesystem

2024-06-03 Thread Frank Heimes
Please let me jump in (for TZ reasons).

The patch "debian/patches/ubuntu/lp-2065579-9pfs-allow-sockets.patch"
(as always referenced in debian/changelog) that Sergio created and that
is incl. in the PPA build is this:

From: Sergio Durigan Junior 
Date: Thu, 30 May 2024 16:45:56 -0400
Subject: hw/9pfs/9p-util.h: Also allow sockets to be opened

Forwarded: not-needed
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/2065579
---
 hw/9pfs/9p-util.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
index ff32179..a3df012 100644
--- a/hw/9pfs/9p-util.h
+++ b/hw/9pfs/9p-util.h
@@ -47,7 +47,8 @@ static inline int close_if_special_file(int fd)
 close_preserve_errno(fd);
 return -1;
 }
-if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) {
+if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)
+&& !S_ISSOCK(stbuf.st_mode)) {
 error_report_once(
 "9p: broken or compromised client detected; attempt to open "
 "special file (i.e. neither regular file, nor directory)"

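Review bot: the error_report_once() text in the trailing context of this hunk still reads "special file (i.e. neither regular file, nor directory)", which no longer matches the condition once !S_ISSOCK(stbuf.st_mode) is part of it. A rejected FIFO or device node would be logged with wording that also describes sockets, which are now accepted; suggest "neither regular file, directory, nor socket". Separately, the changelog entry for this patch says it allows "sockets and FIFOs", while the Subject line and the condition cover sockets only, so the changelog wording and the condition should be brought into agreement. A one-line comment above the condition saying why sockets are exempt from the CVE-2023-2861 restriction would also help the next reader.
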

[Bug 2065579] Re: [UBUNTU 22.04] OS guest boot issues on 9p filesystem

2024-05-30 Thread Sergio Durigan Junior
FWIW, I built QEMU with a proposed fix here:

https://launchpad.net/~sergiodj/+archive/ubuntu/qemu-9pfs-fix

It passes the testcase provided in the bug description.  I'd still like
to hear Marc's opinion here as the Security team person, but at least we
have a possible fix.

Cheers,


[Bug 2065579] Re: [UBUNTU 22.04] OS guest boot issues on 9p filesystem

2024-05-30 Thread Marc Deslauriers
This is the upstream commit which introduced the change in behaviour:

https://gitlab.com/qemu-project/qemu/-/commit/f6b0de53fb87ddefed348a39284c8e2f28dc4eda

There is no subsequent fix to the new restrictions, and the only more
recent commit is one to deprecate the whole proxy backend:

https://gitlab.com/qemu-project/qemu/-/commit/71d72ececa086114df80fe4cc04d701b59002eb2

I will investigate whether we can relax the restrictions to allow
sockets.


[Bug 2065579] Re: [UBUNTU 22.04] OS guest boot issues on 9p filesystem

2024-05-30 Thread Sergio Durigan Junior
Hi,

I took some time today to take a closer look into this issue.  I wanted
to determine whether this was coming from something that we did, or some
upstream change.  Here are my findings:

1) This is not architecture-specific.  I can reproduce the problem
(thanks for the script, btw!) on s390x and amd64.  This was somewhat
expected because we're talking about an issue affecting a filesystem
here, but it's good to be able to confirm.

2) This issue was *not* happening with 6.2+dfsg-2ubuntu6.15, and started
happening afterwards.  This confirms that this is indeed a regression
introduced by the upload of 6.2+dfsg-2ubuntu6.16 (which was a security
upload).

3) Ultimately, this is a security regression and will need to be handled
by our Security team.  I will get in touch with them.  Unfortunately,
although this is a regression that comes from upstream, I don't see much
interest from their part in fixing problems with 9pfs.  I will leave a
comment in the upstream bug report to see if it generates any movement.

Thanks.

** Tags added: regression-update


[Bug 2065579] Re: [UBUNTU 22.04] OS guest boot issues on 9p filesystem

2024-05-13 Thread Sergio Durigan Junior
Thank you for the report.

Given that this is an upstream regression and there is a related
upstream bug about it, I believe it's best to wait for their
input/feedback before moving forward.

** Also affects: qemu
   Importance: Undecided
   Status: New

** No longer affects: qemu

** Changed in: qemu (Ubuntu)
 Assignee: (unassigned) => Sergio Durigan Junior (sergiodj)


[Bug 2065579] Re: [UBUNTU 22.04] OS guest boot issues on 9p filesystem

2024-05-13 Thread Frank Heimes
** Package changed: linux (Ubuntu) => qemu (Ubuntu)

** Also affects: ubuntu-z-systems
   Importance: Undecided
   Status: New

** Changed in: ubuntu-z-systems
 Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team)

** Changed in: qemu (Ubuntu)
 Assignee: Skipper Bug Screeners (skipper-screen-team) => (unassigned)


[Bug 2065579] Re: [UBUNTU 22.04] OS guest boot issues on 9p filesystem

2024-05-13 Thread bugproxy
--- Comment From d.herrendoer...@de.ibm.com 2024-05-13 06:57 EDT---
This Bug is the result of the fix to:
CVE-2023-2861: Prohibit opening any special file directly on host

I also opened a Bug in the qemu bugtracker
https://gitlab.com/qemu-project/qemu/-/issues/2337

The containers fail because syslog cannot open its unix domain socket on
the filesystem.
We tracked the change that provokes this error to a CVE change in qemu
that forbids opening of special files to prevent exposing data from the
host. Special files should be handled by the guest OS.
Unix domain socket files are also special files, and they are handled by
the guest OS in their entirety, and the 9p server in qemu assigns them
individual inodes so they are safe to open. But they must be opened so
their fd can be passed to the appropriate connect() or bind() function so
the OS can use them.
Socket files don't have a traditional read or write functionality, they
are mere representatives for a local address.
There is no convention for where domain socket files should go, so there
is no easy fix by just creating a tmpfs somewhere.
We also see other workloads and services failing for not being able to
open their local socket files.

The analysis of CVE-2023-2861 in detail reveals
- opening of device files through the 9p server directly grants access to
  read/write functions of those device files. Also device files can be
  created in-place anywhere.
- opening of FIFOs is somewhat unsafe as long as there are possible
  collisions that could expose host data using read/write.
- opening of sockets is safe because the 9p server protects the revealed
  inode and provides no way to connect the file to a socket.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-2861
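
The file-type distinction in the analysis above, as an added example that is not part of the original report and is not QEMU code: it builds a constructed fixture (regular file, FIFO, bound AF_UNIX socket) and evaluates a regular-file-or-directory check and a variant that also accepts sockets. The names allowed_strict, allowed_relaxed, check_path and run_demo are hypothetical, and lstat() on a path is an assumption made for brevity.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Strict policy: only regular files and directories may be opened. */
static int allowed_strict(mode_t m) { return S_ISREG(m) || S_ISDIR(m); }
/* Relaxed policy: sockets pass too; FIFOs and device nodes still do not. */
static int allowed_relaxed(mode_t m) { return allowed_strict(m) || S_ISSOCK(m); }

/* 1 = open permitted, 0 = rejected as special file, -1 = lstat failed. */
static int check_path(const char *path, int (*policy)(mode_t))
{
    struct stat st;
    if (lstat(path, &st) < 0) return -1;
    return policy(st.st_mode);
}

/* Creates file, FIFO and socket nodes in a temp dir (constructed sample data)
 * and returns one bit per allowed (policy, node) pair:
 * strict: bit0 file, bit1 fifo, bit2 sock; relaxed: bit3, bit4, bit5. */
int run_demo(void)
{
    char dir[] = "/tmp/p9demo.XXXXXX", p[3][64];
    const char *names[3] = { "file", "fifo", "sock" };
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    int mask = 0, s, fd;
    if (!mkdtemp(dir)) return -1;
    for (int i = 0; i < 3; i++) snprintf(p[i], sizeof p[i], "%s/%s", dir, names[i]);
    fd = open(p[0], O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || mkfifo(p[1], 0600) < 0) return -1;
    close(fd);
    s = socket(AF_UNIX, SOCK_STREAM, 0);
    strncpy(sa.sun_path, p[2], sizeof sa.sun_path - 1);
    /* bind() is what makes the S_IFSOCK node appear in the filesystem. */
    if (s < 0 || bind(s, (struct sockaddr *)&sa, sizeof sa) < 0) return -1;
    for (int i = 0; i < 3; i++) {
        if (check_path(p[i], allowed_strict) == 1)  mask |= 1 << i;
        if (check_path(p[i], allowed_relaxed) == 1) mask |= 1 << (i + 3);
    }
    close(s);
    for (int i = 0; i < 3; i++) unlink(p[i]);
    rmdir(dir);
    return mask;
}
int main(void) { printf("mask=0x%02x\n", run_demo()); return 0; }
```

The socket node is rejected by the strict check and accepted by the relaxed one, while the FIFO is rejected by both.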
