diff --git a/Be-explicit-about-fcommon-compiler-direc.patch b/Be-explicit-about-fcommon-compiler-direc.patch new file mode 100644 index 00000000..c609d27d --- /dev/null +++ b/Be-explicit-about-fcommon-compiler-direc.patch @@ -0,0 +1,35 @@ +From: Bruce Rogers +Date: Tue, 5 May 2020 10:09:47 -0600 +Subject: Be explicit about -fcommon compiler directive + +References: boo#1171140 + +gcc10 switched default behavior from -fcommon to -fno-common. Since +"__shared" relies on the legacy behavior, explicitly specify it. + +Signed-off-by: Bruce Rogers +--- + src/Makefile.housekeeping | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/roms/ipxe/src/Makefile.housekeeping b/roms/ipxe/src/Makefile.housekeeping +index 1ddbddd247d9929d63b1654d7206..3f091c7dc937fbdac6434d10aec7 100644 +--- a/roms/ipxe/src/Makefile.housekeeping ++++ b/roms/ipxe/src/Makefile.housekeeping +@@ -170,6 +170,16 @@ CFI_FLAGS := $(shell $(CFI_TEST) && \ + WORKAROUND_CFLAGS += $(CFI_FLAGS) + endif + ++# gcc 10 switched default behavior from -fcommon to -fno-common. Since ++# "__shared" relies on the legacy behavior, explicitly specify it. ++# ++ifeq ($(CCTYPE),gcc) ++FCOMMON_TEST = $(CC) -fcommon -x c -c /dev/null \ ++ -o /dev/null >/dev/null 2>&1 ++FCOMMON_FLAGS := $(shell $(FCOMMON_TEST) && $(ECHO) '-fcommon') ++WORKAROUND_CFLAGS += $(FCOMMON_FLAGS) ++endif ++ + # gcc 4.6 generates spurious warnings if -Waddress is in force. + # Inhibit this. + # diff --git a/add-enum-cast-to-avoid-gcc10-warning.patch b/add-enum-cast-to-avoid-gcc10-warning.patch new file mode 100644 index 00000000..83fe702e --- /dev/null +++ b/add-enum-cast-to-avoid-gcc10-warning.patch @@ -0,0 +1,38 @@ +From: Bruce Rogers +Date: Tue, 5 May 2020 13:33:49 -0600 +Subject: add enum cast to avoid gcc10 warning + +References: boo#1171139 + +Two enums are practically the same, and have been used interchangably +without problem. But gcc10 has flagged that usage as problematic. +Casting from one type to the other clears use the warning, and adds some +clarity that this is intentional usage. + +Signed-off-by: Bruce Rogers +--- + src/drivers/infiniband/flexboot_nodnic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/roms/ipxe/src/drivers/infiniband/flexboot_nodnic.c b/roms/ipxe/src/drivers/infiniband/flexboot_nodnic.c +index c13fcefc56866da67d701baa96b8..ac28949d3cca6b0c29a8a32165e7 100644 +--- a/roms/ipxe/src/drivers/infiniband/flexboot_nodnic.c ++++ b/roms/ipxe/src/drivers/infiniband/flexboot_nodnic.c +@@ -365,7 +365,7 @@ static int flexboot_nodnic_create_qp ( struct ib_device *ibdev, + goto qp_alloc_err; + } + +- status = nodnic_port_create_qp(&port->port_priv, qp->type, ++ status = nodnic_port_create_qp(&port->port_priv, (nodnic_queue_pair_type)qp->type, + qp->send.num_wqes * sizeof(struct nodnic_send_wqbb), + qp->send.num_wqes, + qp->recv.num_wqes * sizeof(struct nodnic_recv_wqe), +@@ -406,7 +406,7 @@ static void flexboot_nodnic_destroy_qp ( struct ib_device *ibdev, + struct flexboot_nodnic_port *port = &flexboot_nodnic->port[ibdev->port - 1]; + struct flexboot_nodnic_queue_pair *flexboot_nodnic_qp = ib_qp_get_drvdata ( qp ); + +- nodnic_port_destroy_qp(&port->port_priv, qp->type, ++ nodnic_port_destroy_qp(&port->port_priv, (nodnic_queue_pair_type)qp->type, + flexboot_nodnic_qp->nodnic_queue_pair); + + free(flexboot_nodnic_qp); diff --git a/bundles.tar.xz b/bundles.tar.xz index 11b70107..91e0c729 100644 --- a/bundles.tar.xz +++ b/bundles.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:7b48585377489cd7edb49ea0ca8195b1340f2d70d1c487aad8a71dd15dc333b3 -size 64676 +oid sha256:5bc454d2f284d04edfb3f0e3b8edf72a939e2935fcc81401b483b755a7e239be +size 64236 diff --git a/qemu.changes b/qemu.changes index def2842e..daa3ace4 100644 --- a/qemu.changes +++ b/qemu.changes @@ -1,3 +1,26 @@ +------------------------------------------------------------------- +Tue May 5 21:11:11 UTC 2020 - Bruce Rogers + +- Fix DoS in virtiofsd, where a FUSE client could exhaust the + number of available open files on the host (CVE-2020-10717 + bsc#1171110) + virtiofsd-add-rlimit-nofile-NUM-option.patch + virtiofsd-stay-below-fs.file-max-sysctl-.patch + +------------------------------------------------------------------- +Tue May 5 19:41:48 UTC 2020 - Bruce Rogers + +- Add more fixes for gcc10 compatibility: Use NO_WERROR=1 when + building ipxe sources, at least until we get gcc10 compatibility + figured out. Also add patch for explicitly using -fcommon + (boo#1171140) + Be-explicit-about-fcommon-compiler-direc.patch + and fix for tighter enum compatibility checking (boo#1171139) + add-enum-cast-to-avoid-gcc10-warning.patch + and a work around for what seems to be a compiler regression + (boo#1171123) + work-around-gcc10-problem-with-zero-leng.patch + ------------------------------------------------------------------- Tue Apr 28 18:10:25 UTC 2020 - Bruce Rogers diff --git a/qemu.spec b/qemu.spec index ece84447..e1352dfe 100644 --- a/qemu.spec +++ b/qemu.spec @@ -186,6 +186,8 @@ Patch00055: s390x-s390-virtio-ccw-Fix-build-on-syste.patch Patch00056: configure-remove-pkgversion-from-CONFIG_.patch Patch00057: gcc10-maybe-uninitialized.patch Patch00058: docs-add-SUSE-support-statements-to-html.patch +Patch00059: virtiofsd-add-rlimit-nofile-NUM-option.patch +Patch00060: virtiofsd-stay-below-fs.file-max-sysctl-.patch # Patches applied in roms/seabios/: Patch01000: seabios-use-python2-explicitly-as-needed.patch Patch01001: seabios-switch-to-python3-as-needed.patch @@ -196,6 +198,9 @@ Patch02001: ipxe-Makefile-fix-issues-of-build-reprod.patch Patch02002: Fix-s-directive-argument-is-null-error.patch Patch02003: Workaround-compilation-error-with-gcc-9..patch Patch02004: Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch +Patch02005: Be-explicit-about-fcommon-compiler-direc.patch +Patch02006: work-around-gcc10-problem-with-zero-leng.patch +Patch02007: add-enum-cast-to-avoid-gcc10-warning.patch # Patches applied in roms/sgabios/: Patch03000: sgabios-Makefile-fix-issues-of-build-rep.patch Patch03001: roms-sgabios-Fix-csum8-to-be-built-by-ho.patch @@ -952,6 +957,8 @@ This package provides a service file for starting and stopping KSM. %if %{legacy_qemu_kvm} && 0%{?is_opensuse} == 0 %patch00058 -p1 %endif +%patch00059 -p1 +%patch00060 -p1 %patch01000 -p1 %patch01001 -p1 %patch01002 -p1 @@ -964,6 +971,9 @@ This package provides a service file for starting and stopping KSM. %ifarch aarch64 %patch02004 -p1 %endif +%patch02005 -p1 +%patch02006 -p1 +%patch02007 -p1 %patch03000 -p1 %patch03001 -p1 %patch08000 -p1 @@ -1358,11 +1368,11 @@ make %{?_smp_mflags} -C %{_builddir}/%buildsubdir/roms seavgabios-ati \ HOSTCC=cc \ %endif -make %{?_smp_mflags} -C %{_builddir}/%buildsubdir/roms pxerom +make %{?_smp_mflags} -C %{_builddir}/%buildsubdir/roms pxerom NO_WERROR=1 %ifnarch %ix86 make %{?_smp_mflags} -C %{_builddir}/%buildsubdir/roms efirom \ - EDK2_BASETOOLS_OPTFLAGS='-fPIE' + EDK2_BASETOOLS_OPTFLAGS='-fPIE' NO_WERROR=1 %endif make -C %{_builddir}/%buildsubdir/roms sgabios \ @@ -1372,7 +1382,8 @@ make -C %{_builddir}/%buildsubdir/roms sgabios \ pushd %{_builddir}/%buildsubdir patch -p1 < %_sourcedir/stub-out-the-SAN-req-s-in-int13.patch popd -make %{?_smp_mflags} -C %{_builddir}/%buildsubdir/roms pxerom_variants=virtio pxerom_targets=1af41000 pxerom +make %{?_smp_mflags} -C %{_builddir}/%buildsubdir/roms \ + pxerom_variants=virtio pxerom_targets=1af41000 pxerom NO_WERROR=1 %endif # enforce pxe rom sizes for migration compatability from SLE 11 SP3 forward diff --git a/qemu.spec.in b/qemu.spec.in index 6d93cd8d..e184f4ee 100644 --- a/qemu.spec.in +++ b/qemu.spec.in @@ -1201,11 +1201,11 @@ make %{?_smp_mflags} -C %{_builddir}/%buildsubdir/roms seavgabios-ati \ HOSTCC=cc \ %endif -make %{?_smp_mflags} -C %{_builddir}/%buildsubdir/roms pxerom +make %{?_smp_mflags} -C %{_builddir}/%buildsubdir/roms pxerom NO_WERROR=1 %ifnarch %ix86 make %{?_smp_mflags} -C %{_builddir}/%buildsubdir/roms efirom \ - EDK2_BASETOOLS_OPTFLAGS='-fPIE' + EDK2_BASETOOLS_OPTFLAGS='-fPIE' NO_WERROR=1 %endif make -C %{_builddir}/%buildsubdir/roms sgabios \ @@ -1215,7 +1215,8 @@ make -C %{_builddir}/%buildsubdir/roms sgabios \ pushd %{_builddir}/%buildsubdir patch -p1 < %_sourcedir/stub-out-the-SAN-req-s-in-int13.patch popd -make %{?_smp_mflags} -C %{_builddir}/%buildsubdir/roms pxerom_variants=virtio pxerom_targets=1af41000 pxerom +make %{?_smp_mflags} -C %{_builddir}/%buildsubdir/roms \ + pxerom_variants=virtio pxerom_targets=1af41000 pxerom NO_WERROR=1 %endif # enforce pxe rom sizes for migration compatability from SLE 11 SP3 forward diff --git a/virtiofsd-add-rlimit-nofile-NUM-option.patch b/virtiofsd-add-rlimit-nofile-NUM-option.patch new file mode 100644 index 00000000..d1fdc40e --- /dev/null +++ b/virtiofsd-add-rlimit-nofile-NUM-option.patch @@ -0,0 +1,147 @@ +From: Stefan Hajnoczi +Date: Fri, 1 May 2020 15:06:43 +0100 +Subject: virtiofsd: add --rlimit-nofile=NUM option + +Git-commit: 6dbb716877728ce4eb51619885ef6ef4ada9565f +References: bsc#1171110 + +Make it possible to specify the RLIMIT_NOFILE on the command-line. +Users running multiple virtiofsd processes should allocate a certain +number to each process so that the system-wide limit can never be +exhausted. + +When this option is set to 0 the rlimit is left at its current value. +This is useful when a management tool wants to configure the rlimit +itself. + +The default behavior remains unchanged: try to set the limit to +1,000,000 file descriptors if the current rlimit is lower. + +Signed-off-by: Stefan Hajnoczi +Reviewed-by: Dr. David Alan Gilbert +Message-Id: <20200501140644.220940-2-stefanha@redhat.com> +Signed-off-by: Dr. David Alan Gilbert +Signed-off-by: Bruce Rogers +--- + tools/virtiofsd/fuse_lowlevel.h | 1 + + tools/virtiofsd/helper.c | 23 +++++++++++++++++++++++ + tools/virtiofsd/passthrough_ll.c | 22 ++++++++-------------- + 3 files changed, 32 insertions(+), 14 deletions(-) + +diff --git a/tools/virtiofsd/fuse_lowlevel.h b/tools/virtiofsd/fuse_lowlevel.h +index 8f6d705b5ccdb318b860ed2d2dc7..562fd5241ed400013f6fa65116ee 100644 +--- a/tools/virtiofsd/fuse_lowlevel.h ++++ b/tools/virtiofsd/fuse_lowlevel.h +@@ -1777,6 +1777,7 @@ struct fuse_cmdline_opts { + int syslog; + int log_level; + unsigned int max_idle_threads; ++ unsigned long rlimit_nofile; + }; + + /** +diff --git a/tools/virtiofsd/helper.c b/tools/virtiofsd/helper.c +index 819c2bc13cf7c23c2876f175104b..dc59f38af02c73c2a492fd3b2d6f 100644 +--- a/tools/virtiofsd/helper.c ++++ b/tools/virtiofsd/helper.c +@@ -23,6 +23,8 @@ + #include + #include + #include ++#include ++#include + #include + + #define FUSE_HELPER_OPT(t, p) \ +@@ -53,6 +55,7 @@ static const struct fuse_opt fuse_helper_opts[] = { + FUSE_HELPER_OPT("subtype=", nodefault_subtype), + FUSE_OPT_KEY("subtype=", FUSE_OPT_KEY_KEEP), + FUSE_HELPER_OPT("max_idle_threads=%u", max_idle_threads), ++ FUSE_HELPER_OPT("--rlimit-nofile=%lu", rlimit_nofile), + FUSE_HELPER_OPT("--syslog", syslog), + FUSE_HELPER_OPT_VALUE("log_level=debug", log_level, FUSE_LOG_DEBUG), + FUSE_HELPER_OPT_VALUE("log_level=info", log_level, FUSE_LOG_INFO), +@@ -171,6 +174,9 @@ void fuse_cmdline_help(void) + " default: no_writeback\n" + " -o xattr|no_xattr enable/disable xattr\n" + " default: no_xattr\n" ++ " --rlimit-nofile= set maximum number of file descriptors\n" ++ " (0 leaves rlimit unchanged)\n" ++ " default: 1,000,000 if the current rlimit is lower\n" + ); + } + +@@ -191,11 +197,28 @@ static int fuse_helper_opt_proc(void *data, const char *arg, int key, + } + } + ++static unsigned long get_default_rlimit_nofile(void) ++{ ++ rlim_t max_fds = 1000000; /* our default RLIMIT_NOFILE target */ ++ struct rlimit rlim; ++ ++ if (getrlimit(RLIMIT_NOFILE, &rlim) < 0) { ++ fuse_log(FUSE_LOG_ERR, "getrlimit(RLIMIT_NOFILE): %m\n"); ++ exit(1); ++ } ++ ++ if (rlim.rlim_cur >= max_fds) { ++ return 0; /* we have more fds available than required! */ ++ } ++ return max_fds; ++} ++ + int fuse_parse_cmdline(struct fuse_args *args, struct fuse_cmdline_opts *opts) + { + memset(opts, 0, sizeof(struct fuse_cmdline_opts)); + + opts->max_idle_threads = 10; ++ opts->rlimit_nofile = get_default_rlimit_nofile(); + opts->foreground = 1; + + if (fuse_opt_parse(args, opts, fuse_helper_opts, fuse_helper_opt_proc) == +diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c +index 4c35c95b256cbaa5d888037800a7..f7b9c1d20c312d1eefb4c8782c27 100644 +--- a/tools/virtiofsd/passthrough_ll.c ++++ b/tools/virtiofsd/passthrough_ll.c +@@ -2707,24 +2707,18 @@ static void setup_sandbox(struct lo_data *lo, struct fuse_session *se, + setup_seccomp(enable_syslog); + } + +-/* Raise the maximum number of open file descriptors */ +-static void setup_nofile_rlimit(void) ++/* Set the maximum number of open file descriptors */ ++static void setup_nofile_rlimit(unsigned long rlimit_nofile) + { +- const rlim_t max_fds = 1000000; +- struct rlimit rlim; +- +- if (getrlimit(RLIMIT_NOFILE, &rlim) < 0) { +- fuse_log(FUSE_LOG_ERR, "getrlimit(RLIMIT_NOFILE): %m\n"); +- exit(1); +- } ++ struct rlimit rlim = { ++ .rlim_cur = rlimit_nofile, ++ .rlim_max = rlimit_nofile, ++ }; + +- if (rlim.rlim_cur >= max_fds) { ++ if (rlimit_nofile == 0) { + return; /* nothing to do */ + } + +- rlim.rlim_cur = max_fds; +- rlim.rlim_max = max_fds; +- + if (setrlimit(RLIMIT_NOFILE, &rlim) < 0) { + /* Ignore SELinux denials */ + if (errno == EPERM) { +@@ -2977,7 +2971,7 @@ int main(int argc, char *argv[]) + + fuse_daemonize(opts.foreground); + +- setup_nofile_rlimit(); ++ setup_nofile_rlimit(opts.rlimit_nofile); + + /* Must be before sandbox since it wants /proc */ + setup_capng(); diff --git a/virtiofsd-stay-below-fs.file-max-sysctl-.patch b/virtiofsd-stay-below-fs.file-max-sysctl-.patch new file mode 100644 index 00000000..b6b144ce --- /dev/null +++ b/virtiofsd-stay-below-fs.file-max-sysctl-.patch @@ -0,0 +1,74 @@ +From: Stefan Hajnoczi +Date: Fri, 1 May 2020 15:06:44 +0100 +Subject: virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717) + +Git-commit: 8c1d353d107b4fc344e27f2f08ea7fa25de2eea2 +References: bsc#1171110, CVE-2020-10717 + +The system-wide fs.file-max sysctl value determines how many files can +be open. It defaults to a value calculated based on the machine's RAM +size. Previously virtiofsd would try to set RLIMIT_NOFILE to 1,000,000 +and this allowed the FUSE client to exhaust the number of open files +system-wide on Linux hosts with less than 10 GB of RAM! + +Take fs.file-max into account when choosing the default RLIMIT_NOFILE +value. + +Fixes: CVE-2020-10717 +Reported-by: Yuval Avrahami +Signed-off-by: Stefan Hajnoczi +Reviewed-by: Dr. David Alan Gilbert +Message-Id: <20200501140644.220940-3-stefanha@redhat.com> +Signed-off-by: Dr. David Alan Gilbert +Signed-off-by: Bruce Rogers +--- + tools/virtiofsd/helper.c | 26 +++++++++++++++++++++++++- + 1 file changed, 25 insertions(+), 1 deletion(-) + +diff --git a/tools/virtiofsd/helper.c b/tools/virtiofsd/helper.c +index dc59f38af02c73c2a492fd3b2d6f..00a1ef666a510068bb687bb34756 100644 +--- a/tools/virtiofsd/helper.c ++++ b/tools/virtiofsd/helper.c +@@ -176,7 +176,8 @@ void fuse_cmdline_help(void) + " default: no_xattr\n" + " --rlimit-nofile= set maximum number of file descriptors\n" + " (0 leaves rlimit unchanged)\n" +- " default: 1,000,000 if the current rlimit is lower\n" ++ " default: min(1000000, fs.file-max - 16384)\n" ++ " if the current rlimit is lower\n" + ); + } + +@@ -199,9 +200,32 @@ static int fuse_helper_opt_proc(void *data, const char *arg, int key, + + static unsigned long get_default_rlimit_nofile(void) + { ++ g_autofree gchar *file_max_str = NULL; ++ const rlim_t reserved_fds = 16384; /* leave at least this many fds free */ + rlim_t max_fds = 1000000; /* our default RLIMIT_NOFILE target */ ++ rlim_t file_max; + struct rlimit rlim; + ++ /* ++ * Reduce max_fds below the system-wide maximum, if necessary. This ++ * ensures there are fds available for other processes so we don't ++ * cause resource exhaustion. ++ */ ++ if (!g_file_get_contents("/proc/sys/fs/file-max", &file_max_str, ++ NULL, NULL)) { ++ fuse_log(FUSE_LOG_ERR, "can't read /proc/sys/fs/file-max\n"); ++ exit(1); ++ } ++ file_max = g_ascii_strtoull(file_max_str, NULL, 10); ++ if (file_max < 2 * reserved_fds) { ++ fuse_log(FUSE_LOG_ERR, ++ "The fs.file-max sysctl is too low (%lu) to allow a " ++ "reasonable number of open files.\n", ++ (unsigned long)file_max); ++ exit(1); ++ } ++ max_fds = MIN(file_max - reserved_fds, max_fds); ++ + if (getrlimit(RLIMIT_NOFILE, &rlim) < 0) { + fuse_log(FUSE_LOG_ERR, "getrlimit(RLIMIT_NOFILE): %m\n"); + exit(1); diff --git a/work-around-gcc10-problem-with-zero-leng.patch b/work-around-gcc10-problem-with-zero-leng.patch new file mode 100644 index 00000000..b8bf03ff --- /dev/null +++ b/work-around-gcc10-problem-with-zero-leng.patch @@ -0,0 +1,30 @@ +From: Bruce Rogers +Date: Tue, 5 May 2020 13:26:33 -0600 +Subject: work around gcc10 problem with zero-length array + +References: boo#1171123 + +gcc10 has introduced a regression in handling zero-length array under +certain cirumstances. For now simply work around it by extending the +array to have 1 member. I've audited the code to ensure that will still +work right. +See: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94940 + +Signed-off-by: Bruce Rogers +--- + src/drivers/net/intelvf.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/roms/ipxe/src/drivers/net/intelvf.h b/roms/ipxe/src/drivers/net/intelvf.h +index ab404698fe6de9f48370931fdf56..abc2cd254bd44f4b2168e1ecee54 100644 +--- a/roms/ipxe/src/drivers/net/intelvf.h ++++ b/roms/ipxe/src/drivers/net/intelvf.h +@@ -132,7 +132,7 @@ union intelvf_msg { + /** Queue configuration message */ + struct intelvf_msg_queues queues; + /** Raw dwords */ +- uint32_t dword[0]; ++ uint32_t dword[1]; + }; + + /** Maximum time to wait for mailbox message