From 1fed24fd4371626d726f05efc84574b2fb104a72ef4f1f57a82ffb6a16e44ca0 Mon Sep 17 00:00:00 2001
From: Charles Arnold
Date: Tue, 24 May 2016 14:34:11 +0000
Subject: [PATCH] - bsc#981264 - VUL-0: CVE-2014-3672: xen: Unrestricted qemu logging (XSA-180) CVE-2014-3672-qemut-xsa180.patch
OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=433
---
 CVE-2014-3672-qemut-xsa180.patch | 87 ++++++++++++++++++++++++++
 ioemu-disable-emulated-ide-if-pv.patch | 20 +++---
 ioemu-watchdog-support.patch | 50 +++++++--------
 xen.changes | 7 +++
 xen.spec | 2 +
 5 files changed, 131 insertions(+), 35 deletions(-)
 create mode 100644 CVE-2014-3672-qemut-xsa180.patch
diff --git a/CVE-2014-3672-qemut-xsa180.patch b/CVE-2014-3672-qemut-xsa180.patch
new file mode 100644
index 0000000..803cd86
--- /dev/null
+++ b/CVE-2014-3672-qemut-xsa180.patch
@@ -0,0 +1,87 @@
+References: bsc#981264 CVE-2014-3672 XSA-180
+
+From 7490dab5c1a01b1623e9d87bdc653cb4f963dd8a Mon Sep 17 00:00:00 2001
+From: Ian Jackson
+Date: Thu, 19 May 2016 19:38:35 +0100
+Subject: [PATCH] main loop: Big hammer to fix logfile disk DoS in Xen setups
+
+Each time round the main loop, we now fstat stderr. If it is too big,
+we dup2 /dev/null onto it. This is not a very pretty patch but it is
+very simple, easy to see that it's correct, and has a low risk of
+collateral damage.
+
+The limit is 1Mby by default but can be adjusted by setting a new
+environment variable.
+
+This fixes CVE-2014-3672.
+
+Signed-off-by: Ian Jackson
+Tested-by: Ian Jackson
+---
+ vl.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 46 insertions(+)
+
+Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
+===================================================================
+--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
++++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
+@@ -3752,6 +3752,50 @@ static void host_main_loop_wait(int *tim
+ }
+ #endif
+
++static void check_cve_2014_3672_xen(void)
++{
++ static unsigned long limit = ~0UL;
++ const int fd = 2;
++ struct stat stab;
++
++ if (limit == ~0UL) {
++ const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT");
++ /* XEN_QEMU_CONSOLE_LIMIT=0 means no limit */
++ limit = s ? strtoul(s,0,0) : 1*1024*1024;
++ }
++ if (limit == 0)
++ return;
++
++ int r = fstat(fd, &stab);
++ if (r) {
++ perror("fstat stderr (for CVE-2014-3672 check)");
++ exit(-1);
++ }
++ if (!S_ISREG(stab.st_mode))
++ return;
++ if (stab.st_size <= limit)
++ return;
++
++ /* oh dear */
++ fprintf(stderr,"\r\n"
++ "Closing stderr due to CVE-2014-3672 limit. "
++ " Set XEN_QEMU_CONSOLE_LIMIT to number of bytes to override,"
++ " or 0 for no limit.\n");
++ fflush(stderr);
++
++ int nfd = open("/dev/null", O_WRONLY);
++ if (nfd < 0) {
++ perror("open /dev/null (for CVE-2014-3672 check)");
++ exit(-1);
++ }
++ r = dup2(nfd, fd);
++ if (r != fd) {
++ perror("dup2 /dev/null (for CVE-2014-3672 check)");
++ exit(-1);
++ }
++ close(nfd);
++}
++
+ void main_loop_wait(int timeout)
+ {
+ IOHandlerRecord *ioh;
+@@ -3763,6 +3807,8 @@ void main_loop_wait(int timeout)
+
+ host_main_loop_wait(&timeout);
+
++ check_cve_2014_3672_xen();
++
+ /* poll any events */
+ /* XXX: separate device handlers from system ones */
+ nfds = -1;
diff --git a/ioemu-disable-emulated-ide-if-pv.patch b/ioemu-disable-emulated-ide-if-pv.patch
index 8398c2b..789c5bd 100644
--- a/ioemu-disable-emulated-ide-if-pv.patch
+++ b/ioemu-disable-emulated-ide-if-pv.patch
@@ -1,7 +1,7 @@
-Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
+Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
 ===================================================================
---- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
-+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
+--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
++++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
 @@ -1,6 +1,8 @@
 #ifndef QEMU_XEN_H
 #define QEMU_XEN_H
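Review bot: `limit = s ? strtoul(s,0,0) : 1*1024*1024;` in the added `check_cve_2014_3672_xen()` fails open: with no end pointer, an empty or non-numeric `XEN_QEMU_CONSOLE_LIMIT` parses as 0, and 0 is the documented "no limit" value, so a typo in the variable silently removes the stderr cap this patch exists to enforce. An out-of-range value returns `ULONG_MAX`, which is the same bit pattern as the `~0UL` "not read yet" sentinel, so the variable is re-read on every pass of the main loop. I would reject unparsable input and keep the default: `char *end; limit = s ? strtoul(s, &end, 0) : 1*1024*1024;` then `if (s && (end == s || *end != '\0')) limit = 1*1024*1024;`. The variable is presumably set by the host toolstack rather than the guest, so this is a misconfiguration hazard, not a guest-reachable bypass.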
@@ -20,11 +20,11 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h int xenstore_parse_disable_pf_config(void); int xenstore_fd(void); void xenstore_process_event(void *opaque); -Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c +Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c =================================================================== ---- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c -+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c -@@ -5861,9 +5861,9 @@ int main(int argc, char **argv, char **e +--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c ++++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c +@@ -5907,9 +5907,9 @@ int main(int argc, char **argv, char **e if ((msg = xenbus_read(XBT_NIL, "domid", &domid_s))) fprintf(stderr,"Can not read our own domid: %s\n", msg); else @@ -36,10 +36,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c #endif /* CONFIG_STUBDOM */ } -Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c +Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c =================================================================== ---- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/xenstore.c -+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c +--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/xenstore.c ++++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c @@ -445,7 +445,7 @@ void xenstore_init(void) } } diff --git a/ioemu-watchdog-support.patch b/ioemu-watchdog-support.patch index d790b89..4e9a530 100644 --- a/ioemu-watchdog-support.patch +++ b/ioemu-watchdog-support.patch @@ -10,10 +10,10 @@ everything that was raised about the previous version ... Signed-off-by: Richard W.M. Jones 
Signed-off-by: Anthony Liguori -Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target +Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target =================================================================== ---- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/Makefile.target -+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target +--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/Makefile.target ++++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target @@ -580,6 +580,10 @@ OBJS += e1000.o # Serial mouse OBJS += msmouse.o @@ -25,10 +25,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target ifeq ($(TARGET_BASE_ARCH), i386) # Hardware support ifdef CONFIG_AUDIO -Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c +Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c =================================================================== ---- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c -+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c +--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c ++++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c @@ -41,6 +41,7 @@ #include "virtio-balloon.h" #include "virtio-console.h" @@ -46,10 +46,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c for(i = 0; i < nb_nics; i++) { NICInfo *nd = &nd_table[i]; -Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c +Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c =================================================================== --- /dev/null -+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c ++++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c @@ -0,0 +1,136 @@ +/* + * Virtual hardware watchdog. 
@@ -187,10 +187,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c + wdt_ib700_init(); + wdt_i6300esb_init(); +} -Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h +Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h =================================================================== --- /dev/null -+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h ++++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h @@ -0,0 +1,65 @@ +/* + * Virtual hardware watchdog. @@ -257,10 +257,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h +extern void register_watchdogs(void); + +#endif /* QEMU_WATCHDOG_H */ -Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c +Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c =================================================================== --- /dev/null -+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c ++++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c @@ -0,0 +1,470 @@ +/* + * Virtual hardware watchdog. @@ -732,10 +732,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c +{ + watchdog_add_model(&model); +} -Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c +Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c =================================================================== --- /dev/null -+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c ++++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c @@ -0,0 +1,112 @@ +/* + * Virtual hardware watchdog. 
@@ -849,10 +849,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c + watchdog_add_model(&model); + timer = qemu_new_timer(vm_clock, ib700_timer_expired, NULL); +} -Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/monitor.c +Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/monitor.c =================================================================== ---- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/monitor.c -+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/monitor.c +--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/monitor.c ++++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/monitor.c @@ -26,6 +26,7 @@ #include "hw/pcmcia.h" #include "hw/pc.h" @@ -884,10 +884,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/monitor.c { "cpu_set", "is", do_cpu_set_nr, "cpu [online|offline]", "change cpu state" }, { NULL, NULL, }, -Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c +Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c =================================================================== ---- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c -+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c +--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c ++++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c @@ -30,6 +30,7 @@ #include "hw/isa.h" #include "hw/baum.h" @@ -905,7 +905,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c const char *option_rom[MAX_OPTION_ROMS]; int nb_option_roms; int semihosting_enabled = 0; -@@ -4176,6 +4179,10 @@ static void help(int exitcode) +@@ -4222,6 +4225,10 @@ static void help(int exitcode) "-startdate select initial date of the clock\n" "-icount [N|auto]\n" " enable virtual instruction counter with 2^N clock ticks per instruction\n" 
@@ -916,7 +916,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c "-echr chr set terminal escape character instead of ctrl-a\n" "-virtioconsole c\n" " set virtio console\n" -@@ -4323,6 +4330,8 @@ enum { +@@ -4369,6 +4376,8 @@ enum { QEMU_OPTION_localtime, QEMU_OPTION_startdate, QEMU_OPTION_icount, @@ -925,7 +925,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c QEMU_OPTION_echr, QEMU_OPTION_virtiocon, QEMU_OPTION_show_cursor, -@@ -4449,6 +4458,8 @@ static const QEMUOption qemu_options[] = +@@ -4495,6 +4504,8 @@ static const QEMUOption qemu_options[] = { "localtime", 0, QEMU_OPTION_localtime }, { "startdate", HAS_ARG, QEMU_OPTION_startdate }, { "icount", HAS_ARG, QEMU_OPTION_icount }, @@ -934,7 +934,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c { "echr", HAS_ARG, QEMU_OPTION_echr }, { "virtioconsole", HAS_ARG, QEMU_OPTION_virtiocon }, { "show-cursor", 0, QEMU_OPTION_show_cursor }, -@@ -4950,6 +4961,8 @@ int main(int argc, char **argv, char **e +@@ -4996,6 +5007,8 @@ int main(int argc, char **argv, char **e tb_size = 0; autostart= 1; @@ -943,7 +943,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c optind = 1; for(;;) { if (optind >= argc) -@@ -5324,6 +5337,17 @@ int main(int argc, char **argv, char **e +@@ -5370,6 +5383,17 @@ int main(int argc, char **argv, char **e serial_devices[serial_device_index] = optarg; serial_device_index++; break; diff --git a/xen.changes b/xen.changes index 0ddf058..7be4c3b 100644 --- a/xen.changes +++ b/xen.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon May 23 15:24:35 MDT 2016 - carnold@suse.com + +- bsc#981264 - VUL-0: CVE-2014-3672: xen: Unrestricted qemu logging + (XSA-180) + CVE-2014-3672-qemut-xsa180.patch + ------------------------------------------------------------------- Thu May 19 10:46:53 MDT 2016 - carnold@suse.com diff --git a/xen.spec b/xen.spec index 92e51c1..3cca96d 100644 
--- a/xen.spec
+++ b/xen.spec
@@ -230,6 +230,7 @@ Patch275: CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.
 Patch276: CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch
 Patch277: CVE-2016-4439-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-esp_reg_write.patch
 Patch278: CVE-2016-4441-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-get_cmd.patch
+Patch279: CVE-2014-3672-qemut-xsa180.patch
 # qemu-traditional patches that are not upstream
 Patch350: blktap.patch
 Patch351: cdrom-removable.patch
@@ -548,6 +549,7 @@ Authors:
 %patch276 -p1
 %patch277 -p1
 %patch278 -p1
+%patch279 -p1
 # Qemu traditional
 %patch350 -p1
 %patch351 -p1