diff --git a/0065-spapr-Simplify-handling-of-host-ser.patch b/0065-spapr-Simplify-handling-of-host-ser.patch new file mode 100644 index 00000000..915108f3 --- /dev/null +++ b/0065-spapr-Simplify-handling-of-host-ser.patch 
@@ -0,0 +1,167 @@ +From: David Gibson +Date: Wed, 27 Mar 2019 13:54:11 +1100 +Subject: spapr: Simplify handling of host-serial and host-model values +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +27461d69a0f "ppc: add host-serial and host-model machine attributes +(CVE-2019-8934)" introduced 'host-serial' and 'host-model' machine +properties for spapr to explicitly control the values advertised to the +guest in device tree properties with the same names. + +The previous behaviour on KVM was to unconditionally populate the device +tree with the real host serial number and model, which leaks possibly +sensitive information about the host to the guest. + +To maintain compatibility for old machine types, we allowed those props +to be set to "passthrough" to take the value from the host as before. Or +they could be set to "none" to explicitly omit the device tree items. + +Special casing specific values on what's otherwise a user supplied string +is very ugly. So, this patch simplifies things by implementing the +backwards compatibility in a different way: we have a machine class flag +set for the older machines, and we only load the host values into the +device tree if A) they're not set by the user and B) we have that flag set. + +This does mean that the "passthrough" functionality is no longer available +with the current machine type. That's ok though: if a user or management +layer really wants the information passed through they can read it +themselves (OpenStack Nova already does something similar for x86). + +It also means the user can't explicitly ask for the values to be omitted +on the old machine types. I think that's an acceptable trade-off: if you +care enough about not leaking the host information you can either move to +the new machine type, or use a dummy value for the properties. 
+ +For the new machine type, this also removes an odd inconsistency +between running on a POWER and non-POWER (or non-Linux) hosts: if the +host information couldn't be read from where we expect (in the host's +device tree as exposed by Linux), we'd fallback to omitting the guest +device tree items. + +While we're there, improve some poorly worded comments, and the help text +for the properties. + +Signed-off-by: David Gibson +Reviewed-by: Daniel P. Berrangé +Reviewed-by: Greg Kurz +Tested-by: Greg Kurz +(cherry picked from commit 0a794529bd1109aeea0c407784b40a2605e808b9) +[BR: BSC#1126455 CVE-2019-03812] +Signed-off-by: Bruce Rogers +--- + hw/ppc/spapr.c | 56 +++++++++++++++--------------------------- + include/hw/ppc/spapr.h | 1 + + 2 files changed, 21 insertions(+), 36 deletions(-) + +diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c +index d3098d520e..b60e1702fc 100644 +--- a/hw/ppc/spapr.c ++++ b/hw/ppc/spapr.c +@@ -1240,38 +1240,8 @@ static void *spapr_build_fdt(sPAPRMachineState *spapr, + _FDT(fdt_setprop_string(fdt, 0, "model", "IBM pSeries (emulated by qemu)")); + _FDT(fdt_setprop_string(fdt, 0, "compatible", "qemu,pseries")); + +- /* +- * Add info to guest to indentify which host is it being run on +- * and what is the uuid of the guest +- */ +- if (spapr->host_model && !g_str_equal(spapr->host_model, "none")) { +- if (g_str_equal(spapr->host_model, "passthrough")) { +- /* -M host-model=passthrough */ +- if (kvmppc_get_host_model(&buf)) { +- _FDT(fdt_setprop_string(fdt, 0, "host-model", buf)); +- g_free(buf); +- } +- } else { +- /* -M host-model= */ +- _FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model)); +- } +- } +- +- if (spapr->host_serial && !g_str_equal(spapr->host_serial, "none")) { +- if (g_str_equal(spapr->host_serial, "passthrough")) { +- /* -M host-serial=passthrough */ +- if (kvmppc_get_host_serial(&buf)) { +- _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf)); +- g_free(buf); +- } +- } else { +- /* -M host-serial= */ +- 
_FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_serial)); +- } +- } +- ++ /* Guest UUID & Name*/ + buf = qemu_uuid_unparse_strdup(&qemu_uuid); +- + _FDT(fdt_setprop_string(fdt, 0, "vm,uuid", buf)); + if (qemu_uuid_set) { + _FDT(fdt_setprop_string(fdt, 0, "system-id", buf)); +@@ -1283,6 +1253,21 @@ static void *spapr_build_fdt(sPAPRMachineState *spapr, + qemu_get_vm_name())); + } + ++ /* Host Model & Serial Number */ ++ if (spapr->host_model) { ++ _FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model)); ++ } else if (smc->broken_host_serial_model && kvmppc_get_host_model(&buf)) { ++ _FDT(fdt_setprop_string(fdt, 0, "host-model", buf)); ++ g_free(buf); ++ } ++ ++ if (spapr->host_serial) { ++ _FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_serial)); ++ } else if (smc->broken_host_serial_model && kvmppc_get_host_serial(&buf)) { ++ _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf)); ++ g_free(buf); ++ } ++ + _FDT(fdt_setprop_cell(fdt, 0, "#address-cells", 2)); + _FDT(fdt_setprop_cell(fdt, 0, "#size-cells", 2)); + +@@ -3119,12 +3104,12 @@ static void spapr_instance_init(Object *obj) + spapr_get_host_model, spapr_set_host_model, + &error_abort); + object_property_set_description(obj, "host-model", +- "Set host's model-id to use - none|passthrough|string", &error_abort); ++ "Host model to advertise in guest device tree", &error_abort); + object_property_add_str(obj, "host-serial", + spapr_get_host_serial, spapr_set_host_serial, + &error_abort); + object_property_set_description(obj, "host-serial", +- "Set host's system-id to use - none|passthrough|string", &error_abort); ++ "Host serial number to advertise in guest device tree", &error_abort); + } + + static void spapr_machine_finalizefn(Object *obj) +@@ -4019,14 +4004,13 @@ static const TypeInfo spapr_machine_info = { + */ + static void spapr_machine_3_1_instance_options(MachineState *machine) + { +- sPAPRMachineState *spapr = SPAPR_MACHINE(machine); +- spapr->host_model = 
g_strdup("passthrough"); +- spapr->host_serial = g_strdup("passthrough"); + } + + static void spapr_machine_3_1_class_options(MachineClass *mc) + { + /* Defaults for the latest behaviour inherited from the base class */ ++ sPAPRMachineClass *smc = SPAPR_MACHINE_CLASS(mc); ++ smc->broken_host_serial_model = true; + } + + DEFINE_SPAPR_MACHINE(3_1, "3.1", true); +diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h +index 63692a13bd..d3142e0d26 100644 +--- a/include/hw/ppc/spapr.h ++++ b/include/hw/ppc/spapr.h +@@ -105,6 +105,7 @@ struct sPAPRMachineClass { + bool use_ohci_by_default; /* use USB-OHCI instead of XHCI */ + bool pre_2_10_has_unused_icps; + bool legacy_irq_allocation; ++ bool broken_host_serial_model; /* present real host info to the guest */ + + void (*phb_placement)(sPAPRMachineState *spapr, uint32_t index, + uint64_t *buid, hwaddr *pio, diff --git a/qemu-linux-user.changes b/qemu-linux-user.changes index 039781f9..b5fdd1dd 100644 --- a/qemu-linux-user.changes +++ b/qemu-linux-user.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Fri Mar 29 13:13:59 UTC 2019 - Bruce Rogers + +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1 +* Patches added: + 0065-spapr-Simplify-handling-of-host-ser.patch + ------------------------------------------------------------------- Wed Mar 27 16:59:53 UTC 2019 - Bruce Rogers diff --git a/qemu-linux-user.spec b/qemu-linux-user.spec index d2eb0d26..ff22e636 100644 --- a/qemu-linux-user.spec +++ b/qemu-linux-user.spec @@ -96,6 +96,7 @@ Patch0061: 0061-slirp-check-sscanf-result-when-emul.patch Patch0062: 0062-ppc-add-host-serial-and-host-model-.patch Patch0063: 0063-i2c-ddc-fix-oob-read.patch Patch0064: 0064-device_tree.c-Don-t-use-load_image.patch +Patch0065: 0065-spapr-Simplify-handling-of-host-ser.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. ExcludeArch: s390 
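Review bot: The backport trailer `[BR: BSC#1126455 CVE-2019-03812]` in the new patch file names a different CVE than the one the patch addresses: the subject, the body and the .changes entries in this same commit all tie bsc#1126455 to CVE-2019-8934, so the trailer should read `[BR: BSC#1126455 CVE-2019-8934]` to keep the security tracking consistent. In the spapr_machine_3_1_class_options hunk the flag is set on the 3.1 machine class, which in a 3.1-based tree is the newest machine type, so the default for a guest started without host-model/host-serial remains to advertise the real host model and serial; the line `/* Defaults for the latest behaviour inherited from the base class */` directly above `smc->broken_host_serial_model = true;` is therefore misleading and should be replaced by something like `/* Keep advertising the real host model/serial unless host-model/host-serial are set (CVE-2019-8934) */`. For the same reason the header comment `/* present real host info to the guest */` on `broken_host_serial_model` would better state why the flag exists, e.g. `/* compat: advertise real host model/serial when host-model/host-serial are unset; leaks host identity */`. The new `else if` branches in spapr_build_fdt read `smc`, which is not declared within the hunk and presumably comes from the function prologue, since spapr_build_fdt starts before and ends after the shown context. Minor: `/* Guest UUID & Name*/` is missing the space before `*/`.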
@@ -191,6 +192,7 @@ syscall layer occurs on the native hardware and operating system. %patch0062 -p1 %patch0063 -p1 %patch0064 -p1 +%patch0065 -p1 %build ./configure \ diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes index 628cec21..d1e89133 100644 --- a/qemu-testsuite.changes +++ b/qemu-testsuite.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Fri Mar 29 13:13:57 UTC 2019 - Bruce Rogers + +- Adjust fix for CVE-2019-8934 (bsc#1126455) to match the latest + upstream adjustments for the same. Basically now the security fix + is to provide a dummy host-model and host-serial value, which + overrides getting that value from the host + 0065-spapr-Simplify-handling-of-host-ser.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1 + ------------------------------------------------------------------- Wed Mar 27 16:59:46 UTC 2019 - Bruce Rogers diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec index af6654bd..43740381 100644 --- a/qemu-testsuite.spec +++ b/qemu-testsuite.spec @@ -207,6 +207,7 @@ Patch0061: 0061-slirp-check-sscanf-result-when-emul.patch Patch0062: 0062-ppc-add-host-serial-and-host-model-.patch Patch0063: 0063-i2c-ddc-fix-oob-read.patch Patch0064: 0064-device_tree.c-Don-t-use-load_image.patch +Patch0065: 0065-spapr-Simplify-handling-of-host-ser.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -1011,6 +1012,7 @@ This package provides a service file for starting and stopping KSM. %patch0062 -p1 %patch0063 -p1 %patch0064 -p1 +%patch0065 -p1 pushd roms/seabios %patch1100 -p1 diff --git a/qemu.changes b/qemu.changes index 628cec21..d1e89133 100644 --- a/qemu.changes +++ b/qemu.changes 
@@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Fri Mar 29 13:13:57 UTC 2019 - Bruce Rogers + +- Adjust fix for CVE-2019-8934 (bsc#1126455) to match the latest + upstream adjustments for the same. Basically now the security fix + is to provide a dummy host-model and host-serial value, which + overrides getting that value from the host + 0065-spapr-Simplify-handling-of-host-ser.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1 + ------------------------------------------------------------------- Wed Mar 27 16:59:46 UTC 2019 - Bruce Rogers diff --git a/qemu.spec b/qemu.spec index 692a2fb6..aaf8e61b 100644 --- a/qemu.spec +++ b/qemu.spec @@ -207,6 +207,7 @@ Patch0061: 0061-slirp-check-sscanf-result-when-emul.patch Patch0062: 0062-ppc-add-host-serial-and-host-model-.patch Patch0063: 0063-i2c-ddc-fix-oob-read.patch Patch0064: 0064-device_tree.c-Don-t-use-load_image.patch +Patch0065: 0065-spapr-Simplify-handling-of-host-ser.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -1011,6 +1012,7 @@ This package provides a service file for starting and stopping KSM. %patch0062 -p1 %patch0063 -p1 %patch0064 -p1 +%patch0065 -p1 pushd roms/seabios %patch1100 -p1