Fix CVE-2022-0358 and CVE-2021-4158

2022-07-12 15:41:12 +08:00 · 2022-07-12 15:41:12 +08:00 · 8b199ba599
commit 8b199ba599
parent ef91d7e09d
3 changed files with 149 additions and 1 deletions
--- a/acpi-validate-hotplug-selector-on-access.patch
+++ b/acpi-validate-hotplug-selector-on-access.patch
@ -0,0 +1,41 @@
 From 1205bf5738346fe9f217f5db08500b12b812aafa Mon Sep 17 00:00:00 2001
 From: "Michael S. Tsirkin" <mst@redhat.com>
 Date: Tue, 21 Dec 2021 09:45:44 -0500
 Subject: [PATCH 1/2] acpi: validate hotplug selector on access
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 When bus is looked up on a pci write, we didn't
 validate that the lookup succeeded.
 Fuzzers thus can trigger QEMU crash by dereferencing the NULL
 bus pointer.
 Fixes: b32bd763a1 ("pci: introduce acpi-index property for PCI device")
 Fixes: CVE-2021-4158
 Cc: "Igor Mammedov" <imammedo@redhat.com>
 Fixes: https://gitlab.com/qemu-project/qemu/-/issues/770
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Reviewed-by: Ani Sinha <ani@anisinha.ca>
 ---
 hw/acpi/pcihp.c | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
 index 30405b5113..a5e182dd3a 100644
 --- a/hw/acpi/pcihp.c
 +++ b/hw/acpi/pcihp.c
@@ -491,6 +491,9 @@ static void pci_write(void *opaque, hwaddr addr, uint64_t data,
         }
         bus = acpi_pcihp_find_hotplug_bus(s, s->hotplug_select);
 +        if (!bus) {
 +            break;
 +        }
         QTAILQ_FOREACH_SAFE(kid, &bus->qbus.children, sibling, next) {
             Object *o = OBJECT(kid->child);
             PCIDevice *dev = PCI_DEVICE(o);
 -- 
 2.27.0
--- a/qemu.spec
+++ b/qemu.spec
@ -1,6 +1,6 @@
 Name: qemu
 Version: 6.2.0
-Release: 41
+Release: 42
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -280,6 +280,8 @@ Patch0266: hw-audio-intel-hda-Do-not-ignore-DMA-overrun-errors.patch
 Patch0267: hw-audio-intel-hda-Restrict-DMA-engine-to-memories-n.patch
 Patch0268: tests-qtest-intel-hda-test-Add-reproducer-for-issue-.patch
 Patch0269: hw-nvme-fix-CVE-2021-3929.patch
 Patch0270: acpi-validate-hotplug-selector-on-access.patch
 Patch0271: virtiofsd-Drop-membership-of-all-supplementary-group.patch
 BuildRequires: flex
 BuildRequires: gcc
@ -782,6 +784,10 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
 * Tue Jul 12 2022 liuxiangdong <liuxiangdong5@huawei.com> - 2:6.2.0-42
 - acpi: validate hotplug selector on access
 - virtiofsd: Drop membership of all supplementary groups (CVE-2022-0358)
 * Wed Jun 22 2022 yezengruan <yezengruan@huawei.com> - 2:6.2.0-41
 - hw/nvme: fix CVE-2021-3929
--- a/virtiofsd-Drop-membership-of-all-supplementary-group.patch
+++ b/virtiofsd-Drop-membership-of-all-supplementary-group.patch
@ -0,0 +1,101 @@
 From fa471a127c7bacd760b6dcb9d6a8434883eedf8c Mon Sep 17 00:00:00 2001
 From: Vivek Goyal <vgoyal@redhat.com>
 Date: Tue, 25 Jan 2022 13:51:14 -0500
 Subject: [PATCH 2/2] virtiofsd: Drop membership of all supplementary groups
 (CVE-2022-0358)
 At the start, drop membership of all supplementary groups. This is
 not required.
 If we have membership of "root" supplementary group and when we switch
 uid/gid using setresuid/setsgid, we still retain membership of existing
 supplemntary groups. And that can allow some operations which are not
 normally allowed.
 For example, if root in guest creates a dir as follows.
 $ mkdir -m 03777 test_dir
 This sets SGID on dir as well as allows unprivileged users to write into
 this dir.
 And now as unprivileged user open file as follows.
 $ su test
 $ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755);
 This will create SGID set executable in test_dir/.
 And that's a problem because now an unpriviliged user can execute it,
 get egid=0 and get access to resources owned by "root" group. This is
 privilege escalation.
 Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863
 Fixes: CVE-2022-0358
 Reported-by: JIETAO XIAO <shawtao1125@gmail.com>
 Suggested-by: Miklos Szeredi <mszeredi@redhat.com>
 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
 Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
 Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
 Message-Id: <YfBGoriS38eBQrAb@redhat.com>
 Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
  dgilbert: Fixed missing {}'s style nit
 ---
 tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
 index 64b5b4fbb1..b3d0674f6d 100644
 --- a/tools/virtiofsd/passthrough_ll.c
 +++ b/tools/virtiofsd/passthrough_ll.c
@@ -54,6 +54,7 @@
 #include <sys/wait.h>
 #include <sys/xattr.h>
 #include <syslog.h>
 +#include <grp.h>
 #include "qemu/cutils.h"
 #include "passthrough_helpers.h"
@@ -1161,6 +1162,30 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
 #define OURSYS_setresuid SYS_setresuid
 #endif
 +static void drop_supplementary_groups(void)
 +{
 +    int ret;
 +
 +    ret = getgroups(0, NULL);
 +    if (ret == -1) {
 +        fuse_log(FUSE_LOG_ERR, "getgroups() failed with error=%d:%s\n",
 +                 errno, strerror(errno));
 +        exit(1);
 +    }
 +
 +    if (!ret) {
 +        return;
 +    }
 +
 +    /* Drop all supplementary groups. We should not need it */
 +    ret = setgroups(0, NULL);
 +    if (ret == -1) {
 +        fuse_log(FUSE_LOG_ERR, "setgroups() failed with error=%d:%s\n",
 +                 errno, strerror(errno));
 +        exit(1);
 +    }
 +}
 +
 /*
  * Change to uid/gid of caller so that file is created with
  * ownership of caller.
@@ -3926,6 +3951,8 @@ int main(int argc, char *argv[])
     qemu_init_exec_dir(argv[0]);
 +    drop_supplementary_groups();
 +
     pthread_mutex_init(&lo.mutex, NULL);
     lo.inodes = g_hash_table_new(lo_key_hash, lo_key_equal);
     lo.root.fd = -1;
 -- 
 2.27.0