SHA256
1
0
forked from pool/qemu

Accepting request 689893 from home:bfrogers:branches:Virtualization

Upstream changed the fix for a security bug. Adjust accordingly. Sorry for the churn!

OBS-URL: https://build.opensuse.org/request/show/689893
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=462
This commit is contained in:
Bruce Rogers 2019-03-29 14:33:24 +00:00 committed by Git OBS Bridge
parent 433d851e9d
commit 21a7efe61d
7 changed files with 200 additions and 0 deletions

View File

@ -0,0 +1,167 @@
From: David Gibson <david@gibson.dropbear.id.au>
Date: Wed, 27 Mar 2019 13:54:11 +1100
Subject: spapr: Simplify handling of host-serial and host-model values
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
27461d69a0f "ppc: add host-serial and host-model machine attributes
(CVE-2019-8934)" introduced 'host-serial' and 'host-model' machine
properties for spapr to explicitly control the values advertised to the
guest in device tree properties with the same names.
The previous behaviour on KVM was to unconditionally populate the device
tree with the real host serial number and model, which leaks possibly
sensitive information about the host to the guest.
To maintain compatibility for old machine types, we allowed those props
to be set to "passthrough" to take the value from the host as before. Or
they could be set to "none" to explicitly omit the device tree items.
Special casing specific values on what's otherwise a user supplied string
is very ugly. So, this patch simplifies things by implementing the
backwards compatibility in a different way: we have a machine class flag
set for the older machines, and we only load the host values into the
device tree if A) they're not set by the user and B) we have that flag set.
This does mean that the "passthrough" functionality is no longer available
with the current machine type. That's ok though: if a user or management
layer really wants the information passed through they can read it
themselves (OpenStack Nova already does something similar for x86).
It also means the user can't explicitly ask for the values to be omitted
on the old machine types. I think that's an acceptable trade-off: if you
care enough about not leaking the host information you can either move to
the new machine type, or use a dummy value for the properties.
For the new machine type, this also removes an odd inconsistency
between running on a POWER and non-POWER (or non-Linux) hosts: if the
host information couldn't be read from where we expect (in the host's
device tree as exposed by Linux), we'd fallback to omitting the guest
device tree items.
While we're there, improve some poorly worded comments, and the help text
for the properties.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Tested-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit 0a794529bd1109aeea0c407784b40a2605e808b9)
[BR: BSC#1126455 CVE-2019-03812]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/ppc/spapr.c | 56 +++++++++++++++---------------------------
include/hw/ppc/spapr.h | 1 +
2 files changed, 21 insertions(+), 36 deletions(-)
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index d3098d520e..b60e1702fc 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -1240,38 +1240,8 @@ static void *spapr_build_fdt(sPAPRMachineState *spapr,
_FDT(fdt_setprop_string(fdt, 0, "model", "IBM pSeries (emulated by qemu)"));
_FDT(fdt_setprop_string(fdt, 0, "compatible", "qemu,pseries"));
- /*
- * Add info to guest to indentify which host is it being run on
- * and what is the uuid of the guest
- */
- if (spapr->host_model && !g_str_equal(spapr->host_model, "none")) {
- if (g_str_equal(spapr->host_model, "passthrough")) {
- /* -M host-model=passthrough */
- if (kvmppc_get_host_model(&buf)) {
- _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
- g_free(buf);
- }
- } else {
- /* -M host-model=<user-string> */
- _FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model));
- }
- }
-
- if (spapr->host_serial && !g_str_equal(spapr->host_serial, "none")) {
- if (g_str_equal(spapr->host_serial, "passthrough")) {
- /* -M host-serial=passthrough */
- if (kvmppc_get_host_serial(&buf)) {
- _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
- g_free(buf);
- }
- } else {
- /* -M host-serial=<user-string> */
- _FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_serial));
- }
- }
-
+ /* Guest UUID & Name*/
buf = qemu_uuid_unparse_strdup(&qemu_uuid);
-
_FDT(fdt_setprop_string(fdt, 0, "vm,uuid", buf));
if (qemu_uuid_set) {
_FDT(fdt_setprop_string(fdt, 0, "system-id", buf));
@@ -1283,6 +1253,21 @@ static void *spapr_build_fdt(sPAPRMachineState *spapr,
qemu_get_vm_name()));
}
+ /* Host Model & Serial Number */
+ if (spapr->host_model) {
+ _FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model));
+ } else if (smc->broken_host_serial_model && kvmppc_get_host_model(&buf)) {
+ _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
+ g_free(buf);
+ }
+
+ if (spapr->host_serial) {
+ _FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_serial));
+ } else if (smc->broken_host_serial_model && kvmppc_get_host_serial(&buf)) {
+ _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
+ g_free(buf);
+ }
+
_FDT(fdt_setprop_cell(fdt, 0, "#address-cells", 2));
_FDT(fdt_setprop_cell(fdt, 0, "#size-cells", 2));
@@ -3119,12 +3104,12 @@ static void spapr_instance_init(Object *obj)
spapr_get_host_model, spapr_set_host_model,
&error_abort);
object_property_set_description(obj, "host-model",
- "Set host's model-id to use - none|passthrough|string", &error_abort);
+ "Host model to advertise in guest device tree", &error_abort);
object_property_add_str(obj, "host-serial",
spapr_get_host_serial, spapr_set_host_serial,
&error_abort);
object_property_set_description(obj, "host-serial",
- "Set host's system-id to use - none|passthrough|string", &error_abort);
+ "Host serial number to advertise in guest device tree", &error_abort);
}
static void spapr_machine_finalizefn(Object *obj)
@@ -4019,14 +4004,13 @@ static const TypeInfo spapr_machine_info = {
*/
static void spapr_machine_3_1_instance_options(MachineState *machine)
{
- sPAPRMachineState *spapr = SPAPR_MACHINE(machine);
- spapr->host_model = g_strdup("passthrough");
- spapr->host_serial = g_strdup("passthrough");
}
static void spapr_machine_3_1_class_options(MachineClass *mc)
{
/* Defaults for the latest behaviour inherited from the base class */
+ sPAPRMachineClass *smc = SPAPR_MACHINE_CLASS(mc);
+ smc->broken_host_serial_model = true;
}
DEFINE_SPAPR_MACHINE(3_1, "3.1", true);
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index 63692a13bd..d3142e0d26 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -105,6 +105,7 @@ struct sPAPRMachineClass {
bool use_ohci_by_default; /* use USB-OHCI instead of XHCI */
bool pre_2_10_has_unused_icps;
bool legacy_irq_allocation;
+ bool broken_host_serial_model; /* present real host info to the guest */
void (*phb_placement)(sPAPRMachineState *spapr, uint32_t index,
uint64_t *buid, hwaddr *pio,

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Fri Mar 29 13:13:59 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
* Patches added:
0065-spapr-Simplify-handling-of-host-ser.patch
-------------------------------------------------------------------
Wed Mar 27 16:59:53 UTC 2019 - Bruce Rogers <brogers@suse.com>

View File

@ -96,6 +96,7 @@ Patch0061: 0061-slirp-check-sscanf-result-when-emul.patch
Patch0062: 0062-ppc-add-host-serial-and-host-model-.patch
Patch0063: 0063-i2c-ddc-fix-oob-read.patch
Patch0064: 0064-device_tree.c-Don-t-use-load_image.patch
Patch0065: 0065-spapr-Simplify-handling-of-host-ser.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
ExcludeArch: s390
@ -191,6 +192,7 @@ syscall layer occurs on the native hardware and operating system.
%patch0062 -p1
%patch0063 -p1
%patch0064 -p1
%patch0065 -p1
%build
./configure \

View File

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Fri Mar 29 13:13:57 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Adjust fix for CVE-2019-8934 (bsc#1126455) to match the latest
upstream adjustments for the same. Basically now the security fix
is to provide a dummy host-model and host-serial value, which
overrides getting that value from the host
0065-spapr-Simplify-handling-of-host-ser.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
-------------------------------------------------------------------
Wed Mar 27 16:59:46 UTC 2019 - Bruce Rogers <brogers@suse.com>

View File

@ -207,6 +207,7 @@ Patch0061: 0061-slirp-check-sscanf-result-when-emul.patch
Patch0062: 0062-ppc-add-host-serial-and-host-model-.patch
Patch0063: 0063-i2c-ddc-fix-oob-read.patch
Patch0064: 0064-device_tree.c-Don-t-use-load_image.patch
Patch0065: 0065-spapr-Simplify-handling-of-host-ser.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -1011,6 +1012,7 @@ This package provides a service file for starting and stopping KSM.
%patch0062 -p1
%patch0063 -p1
%patch0064 -p1
%patch0065 -p1
pushd roms/seabios
%patch1100 -p1

View File

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Fri Mar 29 13:13:57 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Adjust fix for CVE-2019-8934 (bsc#1126455) to match the latest
upstream adjustments for the same. Basically now the security fix
is to provide a dummy host-model and host-serial value, which
overrides getting that value from the host
0065-spapr-Simplify-handling-of-host-ser.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
-------------------------------------------------------------------
Wed Mar 27 16:59:46 UTC 2019 - Bruce Rogers <brogers@suse.com>

View File

@ -207,6 +207,7 @@ Patch0061: 0061-slirp-check-sscanf-result-when-emul.patch
Patch0062: 0062-ppc-add-host-serial-and-host-model-.patch
Patch0063: 0063-i2c-ddc-fix-oob-read.patch
Patch0064: 0064-device_tree.c-Don-t-use-load_image.patch
Patch0065: 0065-spapr-Simplify-handling-of-host-ser.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -1011,6 +1012,7 @@ This package provides a service file for starting and stopping KSM.
%patch0062 -p1
%patch0063 -p1
%patch0064 -p1
%patch0065 -p1
pushd roms/seabios
%patch1100 -p1