- bsc#981264 - VUL-0: CVE-2014-3672: xen: Unrestricted qemu logging

(XSA-180)
  CVE-2014-3672-qemut-xsa180.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=433
Charles Arnold 2016-05-24 14:34:11 +00:00 committed by Git OBS Bridge
parent 10a6644014
commit 1fed24fd43
5 changed files with 131 additions and 35 deletions


@ -0,0 +1,87 @@
References: bsc#981264 CVE-2014-3672 XSA-180
From 7490dab5c1a01b1623e9d87bdc653cb4f963dd8a Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Thu, 19 May 2016 19:38:35 +0100
Subject: [PATCH] main loop: Big hammer to fix logfile disk DoS in Xen setups
Each time round the main loop, we now fstat stderr. If it is too big,
we dup2 /dev/null onto it. This is not a very pretty patch but it is
very simple, easy to see that it's correct, and has a low risk of
collateral damage.
The limit is 1Mby by default but can be adjusted by setting a new
environment variable.
This fixes CVE-2014-3672.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
---
vl.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
===================================================================
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
@@ -3752,6 +3752,50 @@ static void host_main_loop_wait(int *tim
}
#endif
+static void check_cve_2014_3672_xen(void)
+{
+ static unsigned long limit = ~0UL;
+ const int fd = 2;
+ struct stat stab;
+
+ if (limit == ~0UL) {
+ const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT");
+ /* XEN_QEMU_CONSOLE_LIMIT=0 means no limit */
+ limit = s ? strtoul(s,0,0) : 1*1024*1024;
+ }
+ if (limit == 0)
+ return;
+
+ int r = fstat(fd, &stab);
+ if (r) {
+ perror("fstat stderr (for CVE-2014-3672 check)");
+ exit(-1);
+ }
+ if (!S_ISREG(stab.st_mode))
+ return;
+ if (stab.st_size <= limit)
+ return;
+
+ /* oh dear */
+ fprintf(stderr,"\r\n"
+ "Closing stderr due to CVE-2014-3672 limit. "
+ " Set XEN_QEMU_CONSOLE_LIMIT to number of bytes to override,"
+ " or 0 for no limit.\n");
+ fflush(stderr);
+
+ int nfd = open("/dev/null", O_WRONLY);
+ if (nfd < 0) {
+ perror("open /dev/null (for CVE-2014-3672 check)");
+ exit(-1);
+ }
+ r = dup2(nfd, fd);
+ if (r != fd) {
+ perror("dup2 /dev/null (for CVE-2014-3672 check)");
+ exit(-1);
+ }
+ close(nfd);
+}
+
void main_loop_wait(int timeout)
{
IOHandlerRecord *ioh;
@@ -3763,6 +3807,8 @@ void main_loop_wait(int timeout)
host_main_loop_wait(&timeout);
+ check_cve_2014_3672_xen();
+
/* poll any events */
/* XXX: separate device handlers from system ones */
nfds = -1;
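Review bot: The `XEN_QEMU_CONSOLE_LIMIT` parsing at the top of `check_cve_2014_3672_xen` does not validate its input, so a malformed value can silently switch the log cap off. `strtoul(s,0,0)` returns 0 for an empty or non-numeric string, which the code treats as "no limit"; an out-of-range value returns `ULONG_MAX`, which equals the `~0UL` "not parsed yet" sentinel, so the variable is re-read on every main-loop pass and the size test effectively never trips. When `s` is set I would parse with an end pointer and fall back to the default on anything that is not a clean number: `char *e; unsigned long v = strtoul(s, &e, 0);` then `limit = (e != s && *e == '\0' && v != ~0UL) ? v : 1*1024*1024;`. A short comment above the function would also help operators, stating that the cap applies only when fd 2 is a regular file (the `S_ISREG` test), so stderr routed to a pipe or socket is not bounded by this check.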


@ -1,7 +1,7 @@
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
@@ -1,6 +1,8 @@
#ifndef QEMU_XEN_H
#define QEMU_XEN_H
@ -20,11 +20,11 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
int xenstore_parse_disable_pf_config(void);
int xenstore_fd(void);
void xenstore_process_event(void *opaque);
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
@@ -5861,9 +5861,9 @@ int main(int argc, char **argv, char **e
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
@@ -5907,9 +5907,9 @@ int main(int argc, char **argv, char **e
if ((msg = xenbus_read(XBT_NIL, "domid", &domid_s)))
fprintf(stderr,"Can not read our own domid: %s\n", msg);
else
@ -36,10 +36,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
#endif /* CONFIG_STUBDOM */
}
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/xenstore.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/xenstore.c
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c
@@ -445,7 +445,7 @@ void xenstore_init(void)
}
}


@ -10,10 +10,10 @@ everything that was raised about the previous version ...
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/Makefile.target
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/Makefile.target
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
@@ -580,6 +580,10 @@ OBJS += e1000.o
# Serial mouse
OBJS += msmouse.o
@ -25,10 +25,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
ifeq ($(TARGET_BASE_ARCH), i386)
# Hardware support
ifdef CONFIG_AUDIO
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
@@ -41,6 +41,7 @@
#include "virtio-balloon.h"
#include "virtio-console.h"
@ -46,10 +46,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
for(i = 0; i < nb_nics; i++) {
NICInfo *nd = &nd_table[i];
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
===================================================================
--- /dev/null
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
@@ -0,0 +1,136 @@
+/*
+ * Virtual hardware watchdog.
@ -187,10 +187,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
+ wdt_ib700_init();
+ wdt_i6300esb_init();
+}
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
===================================================================
--- /dev/null
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
@@ -0,0 +1,65 @@
+/*
+ * Virtual hardware watchdog.
@ -257,10 +257,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
+extern void register_watchdogs(void);
+
+#endif /* QEMU_WATCHDOG_H */
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
===================================================================
--- /dev/null
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
@@ -0,0 +1,470 @@
+/*
+ * Virtual hardware watchdog.
@ -732,10 +732,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
+{
+ watchdog_add_model(&model);
+}
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
===================================================================
--- /dev/null
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
@@ -0,0 +1,112 @@
+/*
+ * Virtual hardware watchdog.
@ -849,10 +849,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
+ watchdog_add_model(&model);
+ timer = qemu_new_timer(vm_clock, ib700_timer_expired, NULL);
+}
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/monitor.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/monitor.c
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
@@ -26,6 +26,7 @@
#include "hw/pcmcia.h"
#include "hw/pc.h"
@ -884,10 +884,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
{ "cpu_set", "is", do_cpu_set_nr,
"cpu [online|offline]", "change cpu state" },
{ NULL, NULL, },
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
@@ -30,6 +30,7 @@
#include "hw/isa.h"
#include "hw/baum.h"
@ -905,7 +905,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
const char *option_rom[MAX_OPTION_ROMS];
int nb_option_roms;
int semihosting_enabled = 0;
@@ -4176,6 +4179,10 @@ static void help(int exitcode)
@@ -4222,6 +4225,10 @@ static void help(int exitcode)
"-startdate select initial date of the clock\n"
"-icount [N|auto]\n"
" enable virtual instruction counter with 2^N clock ticks per instruction\n"
@ -916,7 +916,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
"-echr chr set terminal escape character instead of ctrl-a\n"
"-virtioconsole c\n"
" set virtio console\n"
@@ -4323,6 +4330,8 @@ enum {
@@ -4369,6 +4376,8 @@ enum {
QEMU_OPTION_localtime,
QEMU_OPTION_startdate,
QEMU_OPTION_icount,
@ -925,7 +925,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
QEMU_OPTION_echr,
QEMU_OPTION_virtiocon,
QEMU_OPTION_show_cursor,
@@ -4449,6 +4458,8 @@ static const QEMUOption qemu_options[] =
@@ -4495,6 +4504,8 @@ static const QEMUOption qemu_options[] =
{ "localtime", 0, QEMU_OPTION_localtime },
{ "startdate", HAS_ARG, QEMU_OPTION_startdate },
{ "icount", HAS_ARG, QEMU_OPTION_icount },
@ -934,7 +934,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
{ "echr", HAS_ARG, QEMU_OPTION_echr },
{ "virtioconsole", HAS_ARG, QEMU_OPTION_virtiocon },
{ "show-cursor", 0, QEMU_OPTION_show_cursor },
@@ -4950,6 +4961,8 @@ int main(int argc, char **argv, char **e
@@ -4996,6 +5007,8 @@ int main(int argc, char **argv, char **e
tb_size = 0;
autostart= 1;
@ -943,7 +943,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
optind = 1;
for(;;) {
if (optind >= argc)
@@ -5324,6 +5337,17 @@ int main(int argc, char **argv, char **e
@@ -5370,6 +5383,17 @@ int main(int argc, char **argv, char **e
serial_devices[serial_device_index] = optarg;
serial_device_index++;
break;


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon May 23 15:24:35 MDT 2016 - carnold@suse.com
- bsc#981264 - VUL-0: CVE-2014-3672: xen: Unrestricted qemu logging
(XSA-180)
CVE-2014-3672-qemut-xsa180.patch
-------------------------------------------------------------------
Thu May 19 10:46:53 MDT 2016 - carnold@suse.com


@ -230,6 +230,7 @@ Patch275: CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.
Patch276: CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch
Patch277: CVE-2016-4439-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-esp_reg_write.patch
Patch278: CVE-2016-4441-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-get_cmd.patch
Patch279: CVE-2014-3672-qemut-xsa180.patch
# qemu-traditional patches that are not upstream
Patch350: blktap.patch
Patch351: cdrom-removable.patch
@ -548,6 +549,7 @@ Authors:
%patch276 -p1
%patch277 -p1
%patch278 -p1
%patch279 -p1
# Qemu traditional
%patch350 -p1
%patch351 -p1