packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
qemu/qga-win32-Use-rundll-for-VSS-installation.patch
Jiabo Feng c4dab45526 QEMU update to version 6.2.0-76(master) 
- qga/win32: Use rundll for VSS installation
- qga/win32: Remove change action from MSI installer
- ide: Increment BB in-flight counter for TRIM BH
- hw/pci-bridge/pxb: Fix missing swizzle
- host-vdpa: make notifiers _init()/_uninit() symmetric
- hw/virtio: vdpa: Fix leak of host-notifier memory-region
- accel/tcg/cpu-exec: Fix precise single-stepping after interrupt
- Allow setting up to 8 bytes with the generic loader
- hw/net/virtio-net: make some VirtIONet const
- accel/tcg: Optimize jump cache flush during tlb range flush
- 9pfs: prevent opening special files (CVE-2023-2861)
- tcg: Reduce tcg_assert_listed_vecop() scope
- gitlab: Disable plugins for cross-i386-tci
- vfio/pci: Fix a segfault in vfio_realize
- block/iscsi: fix double-free on BUSY or similar statuses
- tests/tcg: fix unused variable in linux-test
- hw/net/vmxnet3: allow VMXNET3_MAX_MTU itself as a value
- qga/vss-win32: fix warning for clang++-15
- vnc: avoid underflow when accessing user-provided address
- block/monitor: Fix crash when executing HMP commit
- virtio-gpu: add a FIXME for virtio_gpu_load()
- hw/ppc/Kconfig: MAC_NEWWORLD should always select USB_OHCI_PCI
- migration: report compress thread pid to libvirt

Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
2023-08-07 16:46:33 +08:00

100 lines
3.2 KiB
Diff
Raw Blame History

From bc472314a51895f67112e3ac35439df63292f101 Mon Sep 17 00:00:00 2001
From: Konstantin Kostiuk <kkostiuk@redhat.com>
Date: Fri, 3 Mar 2023 21:20:08 +0200
Subject: [PATCH] qga/win32: Use rundll for VSS installation
The custom action uses cmd.exe to run VSS Service installation
and removal which causes an interactive command shell to spawn.
This shell can be used to execute any commands as a SYSTEM user.
Even if call qemu-ga.exe directly the interactive command shell
will be spawned as qemu-ga.exe is a console application and used
by users from the console as well as a service.
As VSS Service runs from DLL which contains the installer and
uninstaller code, it can be run directly by rundll32.exe without
any interactive command shell.
Add specific entry points for rundll which is just a wrapper
for COMRegister/COMUnregister functions with proper arguments.
resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
fixes: CVE-2023-0664 (part 2 of 2)
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>
Reported-by: Brian Wiltse <brian.wiltse@live.com>
---
qga/installer/qemu-ga.wxs | 10 +++++-----
qga/vss-win32/install.cpp | 9 +++++++++
qga/vss-win32/qga-vss.def | 2 ++
3 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
index b62e709a4c..11b66a22e6 100644
--- a/qga/installer/qemu-ga.wxs
+++ b/qga/installer/qemu-ga.wxs
@@ -143,22 +143,22 @@
</Directory>
</Directory>
- <Property Id="cmd" Value="cmd.exe"/>
+ <Property Id="rundll" Value="rundll32.exe"/>
<Property Id="REINSTALLMODE" Value="amus"/>
<?ifdef var.InstallVss?>
<CustomAction Id="RegisterCom"
- ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-install'
+ ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMRegister'
Execute="deferred"
- Property="cmd"
+ Property="rundll"
Impersonate="no"
Return="check"
>
</CustomAction>
<CustomAction Id="UnRegisterCom"
- ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-uninstall'
+ ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMUnregister'
Execute="deferred"
- Property="cmd"
+ Property="rundll"
Impersonate="no"
Return="check"
>
diff --git a/qga/vss-win32/install.cpp b/qga/vss-win32/install.cpp
index e90a03c1cf..8b7400e4e5 100644
--- a/qga/vss-win32/install.cpp
+++ b/qga/vss-win32/install.cpp
@@ -352,6 +352,15 @@ out:
return hr;
}
+STDAPI_(void) CALLBACK DLLCOMRegister(HWND, HINSTANCE, LPSTR, int)
+{
+ COMRegister();
+}
+
+STDAPI_(void) CALLBACK DLLCOMUnregister(HWND, HINSTANCE, LPSTR, int)
+{
+ COMUnregister();
+}
static BOOL CreateRegistryKey(LPCTSTR key, LPCTSTR value, LPCTSTR data)
{
diff --git a/qga/vss-win32/qga-vss.def b/qga/vss-win32/qga-vss.def
index 927782c31b..ee97a81427 100644
--- a/qga/vss-win32/qga-vss.def
+++ b/qga/vss-win32/qga-vss.def
@@ -1,6 +1,8 @@
LIBRARY "QGA-PROVIDER.DLL"
EXPORTS
+ DLLCOMRegister
+ DLLCOMUnregister
COMRegister PRIVATE
COMUnregister PRIVATE
DllCanUnloadNow PRIVATE
--
2.41.0.windows.1
Reference in New Issue View Git Blame Copy Permalink