- bsc#981264 - VUL-0: CVE-2014-3672: xen: Unrestricted qemu logging

(XSA-180)
  CVE-2014-3672-qemut-xsa180.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=433
Charles Arnold 2016-05-24 14:34:11 +00:00 committed by Git OBS Bridge
parent 10a6644014
commit 1fed24fd43
5 changed files with 131 additions and 35 deletions


@ -0,0 +1,87 @@
References: bsc#981264 CVE-2014-3672 XSA-180
From 7490dab5c1a01b1623e9d87bdc653cb4f963dd8a Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Thu, 19 May 2016 19:38:35 +0100
Subject: [PATCH] main loop: Big hammer to fix logfile disk DoS in Xen setups
Each time round the main loop, we now fstat stderr. If it is too big,
we dup2 /dev/null onto it. This is not a very pretty patch but it is
very simple, easy to see that it's correct, and has a low risk of
collateral damage.
The limit is 1Mby by default but can be adjusted by setting a new
environment variable.
This fixes CVE-2014-3672.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
---
vl.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
===================================================================
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
@@ -3752,6 +3752,50 @@ static void host_main_loop_wait(int *tim
}
#endif
+static void check_cve_2014_3672_xen(void)
+{
+ static unsigned long limit = ~0UL;
+ const int fd = 2;
+ struct stat stab;
+
+ if (limit == ~0UL) {
+ const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT");
+ /* XEN_QEMU_CONSOLE_LIMIT=0 means no limit */
+ limit = s ? strtoul(s,0,0) : 1*1024*1024;
+ }
+ if (limit == 0)
+ return;
+
+ int r = fstat(fd, &stab);
+ if (r) {
+ perror("fstat stderr (for CVE-2014-3672 check)");
+ exit(-1);
+ }
+ if (!S_ISREG(stab.st_mode))
+ return;
+ if (stab.st_size <= limit)
+ return;
+
+ /* oh dear */
+ fprintf(stderr,"\r\n"
+ "Closing stderr due to CVE-2014-3672 limit. "
+ " Set XEN_QEMU_CONSOLE_LIMIT to number of bytes to override,"
+ " or 0 for no limit.\n");
+ fflush(stderr);
+
+ int nfd = open("/dev/null", O_WRONLY);
+ if (nfd < 0) {
+ perror("open /dev/null (for CVE-2014-3672 check)");
+ exit(-1);
+ }
+ r = dup2(nfd, fd);
+ if (r != fd) {
+ perror("dup2 /dev/null (for CVE-2014-3672 check)");
+ exit(-1);
+ }
+ close(nfd);
+}
+
void main_loop_wait(int timeout)
{
IOHandlerRecord *ioh;
@@ -3763,6 +3807,8 @@ void main_loop_wait(int timeout)
host_main_loop_wait(&timeout);
+ check_cve_2014_3672_xen();
+
/* poll any events */
/* XXX: separate device handlers from system ones */
nfds = -1;
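Review bot: The `XEN_QEMU_CONSOLE_LIMIT` parsing in `check_cve_2014_3672_xen()` fails open, because `strtoul(s,0,0)` is called without an end pointer. A value with no leading digits parses as 0, which the following `if (limit == 0) return;` treats as "no limit", so a typo silently switches the mitigation off. An out-of-range value yields `ULONG_MAX`, which is the same as the `~0UL` "not read yet" sentinel: the variable is re-read on every pass and `stab.st_size <= limit` can in practice never be false. I would accept only a fully parsed value and otherwise keep the 1 MiB default: `limit = 1*1024*1024;` followed by `if (s) { char *end; unsigned long v = strtoul(s, &end, 0); if (end != s && !*end && v != ~0UL) limit = v; }`. The helper is complete inside the hunk, while `main_loop_wait` continues outside it. A short comment at the call site noting that the size is sampled once per loop iteration, so the cap is approximate, would also help.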


@ -1,7 +1,7 @@
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
=================================================================== ===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/qemu-xen.h --- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h +++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
@@ -1,6 +1,8 @@ @@ -1,6 +1,8 @@
#ifndef QEMU_XEN_H #ifndef QEMU_XEN_H
#define QEMU_XEN_H #define QEMU_XEN_H
@ -20,11 +20,11 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
int xenstore_parse_disable_pf_config(void); int xenstore_parse_disable_pf_config(void);
int xenstore_fd(void); int xenstore_fd(void);
void xenstore_process_event(void *opaque); void xenstore_process_event(void *opaque);
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
=================================================================== ===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c --- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c +++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
@@ -5861,9 +5861,9 @@ int main(int argc, char **argv, char **e @@ -5907,9 +5907,9 @@ int main(int argc, char **argv, char **e
if ((msg = xenbus_read(XBT_NIL, "domid", &domid_s))) if ((msg = xenbus_read(XBT_NIL, "domid", &domid_s)))
fprintf(stderr,"Can not read our own domid: %s\n", msg); fprintf(stderr,"Can not read our own domid: %s\n", msg);
else else
@ -36,10 +36,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
#endif /* CONFIG_STUBDOM */ #endif /* CONFIG_STUBDOM */
} }
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c
=================================================================== ===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/xenstore.c --- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/xenstore.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c +++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c
@@ -445,7 +445,7 @@ void xenstore_init(void) @@ -445,7 +445,7 @@ void xenstore_init(void)
} }
} }


@ -10,10 +10,10 @@ everything that was raised about the previous version ...
Signed-off-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
=================================================================== ===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/Makefile.target --- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/Makefile.target
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target +++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
@@ -580,6 +580,10 @@ OBJS += e1000.o @@ -580,6 +580,10 @@ OBJS += e1000.o
# Serial mouse # Serial mouse
OBJS += msmouse.o OBJS += msmouse.o
@ -25,10 +25,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
ifeq ($(TARGET_BASE_ARCH), i386) ifeq ($(TARGET_BASE_ARCH), i386)
# Hardware support # Hardware support
ifdef CONFIG_AUDIO ifdef CONFIG_AUDIO
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
=================================================================== ===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c --- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c +++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
@@ -41,6 +41,7 @@ @@ -41,6 +41,7 @@
#include "virtio-balloon.h" #include "virtio-balloon.h"
#include "virtio-console.h" #include "virtio-console.h"
@ -46,10 +46,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
for(i = 0; i < nb_nics; i++) { for(i = 0; i < nb_nics; i++) {
NICInfo *nd = &nd_table[i]; NICInfo *nd = &nd_table[i];
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c +++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
@@ -0,0 +1,136 @@ @@ -0,0 +1,136 @@
+/* +/*
+ * Virtual hardware watchdog. + * Virtual hardware watchdog.
@ -187,10 +187,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
+ wdt_ib700_init(); + wdt_ib700_init();
+ wdt_i6300esb_init(); + wdt_i6300esb_init();
+} +}
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h +++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
@@ -0,0 +1,65 @@ @@ -0,0 +1,65 @@
+/* +/*
+ * Virtual hardware watchdog. + * Virtual hardware watchdog.
@ -257,10 +257,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
+extern void register_watchdogs(void); +extern void register_watchdogs(void);
+ +
+#endif /* QEMU_WATCHDOG_H */ +#endif /* QEMU_WATCHDOG_H */
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c +++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
@@ -0,0 +1,470 @@ @@ -0,0 +1,470 @@
+/* +/*
+ * Virtual hardware watchdog. + * Virtual hardware watchdog.
@ -732,10 +732,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
+{ +{
+ watchdog_add_model(&model); + watchdog_add_model(&model);
+} +}
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c +++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
@@ -0,0 +1,112 @@ @@ -0,0 +1,112 @@
+/* +/*
+ * Virtual hardware watchdog. + * Virtual hardware watchdog.
@ -849,10 +849,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
+ watchdog_add_model(&model); + watchdog_add_model(&model);
+ timer = qemu_new_timer(vm_clock, ib700_timer_expired, NULL); + timer = qemu_new_timer(vm_clock, ib700_timer_expired, NULL);
+} +}
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/monitor.c Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
=================================================================== ===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/monitor.c --- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/monitor.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/monitor.c +++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
@@ -26,6 +26,7 @@ @@ -26,6 +26,7 @@
#include "hw/pcmcia.h" #include "hw/pcmcia.h"
#include "hw/pc.h" #include "hw/pc.h"
@ -884,10 +884,10 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
{ "cpu_set", "is", do_cpu_set_nr, { "cpu_set", "is", do_cpu_set_nr,
"cpu [online|offline]", "change cpu state" }, "cpu [online|offline]", "change cpu state" },
{ NULL, NULL, }, { NULL, NULL, },
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
=================================================================== ===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c --- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c +++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
@@ -30,6 +30,7 @@ @@ -30,6 +30,7 @@
#include "hw/isa.h" #include "hw/isa.h"
#include "hw/baum.h" #include "hw/baum.h"
@ -905,7 +905,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
const char *option_rom[MAX_OPTION_ROMS]; const char *option_rom[MAX_OPTION_ROMS];
int nb_option_roms; int nb_option_roms;
int semihosting_enabled = 0; int semihosting_enabled = 0;
@@ -4176,6 +4179,10 @@ static void help(int exitcode) @@ -4222,6 +4225,10 @@ static void help(int exitcode)
"-startdate select initial date of the clock\n" "-startdate select initial date of the clock\n"
"-icount [N|auto]\n" "-icount [N|auto]\n"
" enable virtual instruction counter with 2^N clock ticks per instruction\n" " enable virtual instruction counter with 2^N clock ticks per instruction\n"
@ -916,7 +916,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
"-echr chr set terminal escape character instead of ctrl-a\n" "-echr chr set terminal escape character instead of ctrl-a\n"
"-virtioconsole c\n" "-virtioconsole c\n"
" set virtio console\n" " set virtio console\n"
@@ -4323,6 +4330,8 @@ enum { @@ -4369,6 +4376,8 @@ enum {
QEMU_OPTION_localtime, QEMU_OPTION_localtime,
QEMU_OPTION_startdate, QEMU_OPTION_startdate,
QEMU_OPTION_icount, QEMU_OPTION_icount,
@ -925,7 +925,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
QEMU_OPTION_echr, QEMU_OPTION_echr,
QEMU_OPTION_virtiocon, QEMU_OPTION_virtiocon,
QEMU_OPTION_show_cursor, QEMU_OPTION_show_cursor,
@@ -4449,6 +4458,8 @@ static const QEMUOption qemu_options[] = @@ -4495,6 +4504,8 @@ static const QEMUOption qemu_options[] =
{ "localtime", 0, QEMU_OPTION_localtime }, { "localtime", 0, QEMU_OPTION_localtime },
{ "startdate", HAS_ARG, QEMU_OPTION_startdate }, { "startdate", HAS_ARG, QEMU_OPTION_startdate },
{ "icount", HAS_ARG, QEMU_OPTION_icount }, { "icount", HAS_ARG, QEMU_OPTION_icount },
@ -934,7 +934,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
{ "echr", HAS_ARG, QEMU_OPTION_echr }, { "echr", HAS_ARG, QEMU_OPTION_echr },
{ "virtioconsole", HAS_ARG, QEMU_OPTION_virtiocon }, { "virtioconsole", HAS_ARG, QEMU_OPTION_virtiocon },
{ "show-cursor", 0, QEMU_OPTION_show_cursor }, { "show-cursor", 0, QEMU_OPTION_show_cursor },
@@ -4950,6 +4961,8 @@ int main(int argc, char **argv, char **e @@ -4996,6 +5007,8 @@ int main(int argc, char **argv, char **e
tb_size = 0; tb_size = 0;
autostart= 1; autostart= 1;
@ -943,7 +943,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
optind = 1; optind = 1;
for(;;) { for(;;) {
if (optind >= argc) if (optind >= argc)
@@ -5324,6 +5337,17 @@ int main(int argc, char **argv, char **e @@ -5370,6 +5383,17 @@ int main(int argc, char **argv, char **e
serial_devices[serial_device_index] = optarg; serial_devices[serial_device_index] = optarg;
serial_device_index++; serial_device_index++;
break; break;


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon May 23 15:24:35 MDT 2016 - carnold@suse.com
- bsc#981264 - VUL-0: CVE-2014-3672: xen: Unrestricted qemu logging
(XSA-180)
CVE-2014-3672-qemut-xsa180.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Thu May 19 10:46:53 MDT 2016 - carnold@suse.com Thu May 19 10:46:53 MDT 2016 - carnold@suse.com


@ -230,6 +230,7 @@ Patch275: CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.
Patch276: CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch Patch276: CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch
Patch277: CVE-2016-4439-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-esp_reg_write.patch Patch277: CVE-2016-4439-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-esp_reg_write.patch
Patch278: CVE-2016-4441-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-get_cmd.patch Patch278: CVE-2016-4441-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-get_cmd.patch
Patch279: CVE-2014-3672-qemut-xsa180.patch
# qemu-traditional patches that are not upstream # qemu-traditional patches that are not upstream
Patch350: blktap.patch Patch350: blktap.patch
Patch351: cdrom-removable.patch Patch351: cdrom-removable.patch
@ -548,6 +549,7 @@ Authors:
%patch276 -p1 %patch276 -p1
%patch277 -p1 %patch277 -p1
%patch278 -p1 %patch278 -p1
%patch279 -p1
# Qemu traditional # Qemu traditional
%patch350 -p1 %patch350 -p1
%patch351 -p1 %patch351 -p1