rpm/qemu
SHA256
1
0
Fork 0
forked from pool/qemu
Code Pull Requests Activity
86ffd40d11
qemu/9pfs-Fully-restart-unreclaim-loop-CVE-20.patch
Bruce Rogers 86ffd40d11 Accepting request 882222 from home:bfrogers:branches:Virtualization 
- Switch method of splitting off hw-s390x-virtio-gpu-ccw.so as a
  module to what was accepted upstream (bsc#1181103)
* Patches dropped:
  hw-s390x-modularize-virtio-gpu-ccw.patch
* Patches added:
  s390x-add-have_virtio_ccw.patch
  s390x-modularize-virtio-gpu-ccw.patch
  s390x-move-S390_ADAPTER_SUPPRESSIBLE.patch
- Fix OOB access in sdhci interface (CVE-2020-17380, bsc#1175144,
  CVE-2020-25085, bsc#1176681, CVE-2021-3409, bsc#1182282)
  hw-sd-sd-Actually-perform-the-erase-oper.patch
  hw-sd-sd-Fix-build-error-when-DEBUG_SD-i.patch
  hw-sd-sdhci-Correctly-set-the-controller.patch
  hw-sd-sdhci-Don-t-transfer-any-data-when.patch
  hw-sd-sdhci-Don-t-write-to-SDHC_SYSAD-re.patch
  hw-sd-sdhci-Limit-block-size-only-when-S.patch
  hw-sd-sdhci-Reset-the-data-pointer-of-s-.patch
  hw-sd-sd-Move-the-sd_block_-read-write-a.patch
  hw-sd-sd-Skip-write-protect-groups-check.patch
- Fix potential privilege escalation in virtiofsd tool
  (CVE-2021-20263, bsc#1183373)
  tools-virtiofsd-Replace-the-word-whiteli.patch
  viriofsd-Add-support-for-FUSE_HANDLE_KIL.patch
  virtiofsd-extract-lo_do_open-from-lo_ope.patch
  virtiofsd-optionally-return-inode-pointe.patch
  virtiofsd-prevent-opening-of-special-fil.patch
  virtiofs-drop-remapped-security.capabili.patch
  virtiofsd-Save-error-code-early-at-the-f.patch
- Fix OOB access (stack overflow) in rtl8139 NIC emulation
  (CVE-2021-3416, bsc#1182968)
  net-introduce-qemu_receive_packet.patch
  rtl8139-switch-to-use-qemu_receive_packe.patch
- Fix OOB access (stack overflow) in other NIC emulations
  (CVE-2021-3416)
  cadence_gem-switch-to-use-qemu_receive_p.patch
  dp8393x-switch-to-use-qemu_receive_packe.patch
  e1000-switch-to-use-qemu_receive_packet-.patch
  lan9118-switch-to-use-qemu_receive_packe.patch
  msf2-mac-switch-to-use-qemu_receive_pack.patch
  pcnet-switch-to-use-qemu_receive_packet-.patch
  sungem-switch-to-use-qemu_receive_packet.patch
  tx_pkt-switch-to-use-qemu_receive_packet.patch
- Fix heap overflow in MSIx emulation (CVE-2020-27821, bsc#1179686)
  memory-clamp-cached-translation-in-case-.patch
- Include upstream patches designated as stable material and
  reviewed for applicability to include here
  hw-arm-virt-Disable-pl011-clock-migratio.patch
  xen-block-Fix-removal-of-backend-instanc.patch
- Fix package scripts to not use hard coded paths for temporary
  working directories and log files (bsc#1182425)

OBS-URL: https://build.opensuse.org/request/show/882222
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=632
2021-03-30 20:27:28 +00:00

77 lines
3.1 KiB
Diff
Raw Blame History

From: Greg Kurz <groug@kaod.org>
Date: Thu, 14 Jan 2021 17:04:12 +0100
Subject: 9pfs: Fully restart unreclaim loop (CVE-2021-20181)
Git-commit: 89fbea8737e8f7b954745a1ffc4238d377055305
References: bsc#1182137
Depending on the client activity, the server can be asked to open a huge
number of file descriptors and eventually hit RLIMIT_NOFILE. This is
currently mitigated using a reclaim logic : the server closes the file
descriptors of idle fids, based on the assumption that it will be able
to re-open them later. This assumption doesn't hold of course if the
client requests the file to be unlinked. In this case, we loop on the
entire fid list and mark all related fids as unreclaimable (the reclaim
logic will just ignore them) and, of course, we open or re-open their
file descriptors if needed since we're about to unlink the file.
This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual
opening of a file can cause the coroutine to yield, another client
request could possibly add a new fid that we may want to mark as
non-reclaimable as well. The loop is thus restarted if the re-open
request was actually transmitted to the backend. This is achieved
by keeping a reference on the first fid (head) before traversing
the list.
This is wrong in several ways:
- a potential clunk request from the client could tear the first
fid down and cause the reference to be stale. This leads to a
use-after-free error that can be detected with ASAN, using a
custom 9p client
- fids are added at the head of the list : restarting from the
previous head will always miss fids added by a some other
potential request
All these problems could be avoided if fids were being added at the
end of the list. This can be achieved with a QSIMPLEQ, but this is
probably too much change for a bug fix. For now let's keep it
simple and just restart the loop from the current head.
Fixes: CVE-2021-20181
Buglink: https://bugs.launchpad.net/qemu/+bug/1911666
Reported-by: Zero Day Initiative <zdi-disclosures@trendmicro.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan>
Signed-off-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/9pfs/9p.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 94df440fc74004bfa45b3fe30540..6026b51a1c04ee82d6366cb13d50 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
{
int err;
V9fsState *s = pdu->s;
- V9fsFidState *fidp, head_fid;
+ V9fsFidState *fidp;
- head_fid.next = s->fid_list;
+again:
for (fidp = s->fid_list; fidp; fidp = fidp->next) {
if (fidp->path.size != path->size) {
continue;
@@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
* switched to the worker thread
*/
if (err == 0) {
- fidp = &head_fid;
+ goto again;
}
}
}
View Git Blame Copy Permalink