From ea6f03ddd591a238d9c5004d5ffbfaf7215c01ee Mon Sep 17 00:00:00 2001
From: V3n3RiX
Date: Sun, 22 Oct 2023 20:41:01 +0100
Subject: gentoo auto-resync : 22:10:2023 - 20:41:01
---
app-emulation/Manifest.gz | Bin 15162 -> 15162 bytes
app-emulation/qemu/Manifest | 2 -
.../qemu/files/qemu-7.2.3-CVE-2023-2861.patch | 162 --------------------
.../qemu/files/qemu-8.0.2-CVE-2023-2861.patch | 167 ---------------------
4 files changed, 331 deletions(-)
delete mode 100644 app-emulation/qemu/files/qemu-7.2.3-CVE-2023-2861.patch
delete mode 100644 app-emulation/qemu/files/qemu-8.0.2-CVE-2023-2861.patch
(limited to 'app-emulation')
diff --git a/app-emulation/Manifest.gz b/app-emulation/Manifest.gz
index 34f6da1cd62b..b39662858310 100644
Binary files a/app-emulation/Manifest.gz and b/app-emulation/Manifest.gz differ
diff --git a/app-emulation/qemu/Manifest b/app-emulation/qemu/Manifest
index a087f6c2fc7b..6b42c87350d0 100644
--- a/app-emulation/qemu/Manifest
+++ b/app-emulation/qemu/Manifest
@@ -7,11 +7,9 @@ AUX qemu-7.1.0-capstone-include-path.patch 1076 BLAKE2B cb595acb50ff2a64d0b879d5 AUX qemu-7.2.0-disable-gmp.patch 1554 BLAKE2B ac21e5985676123e8b61de8d590d8489de1d7401e5005899e5a95d7e86b77741572087a294d4b63533c26fe53f81c76e23ee482fd3a371f2e3700859644b6c8a SHA512 d4a600cfe42f1c49d45cffae64ba1e1225ae8e75a92454cbb534be5f95e1b8dbdbf441d092764cc9f9e97ed6bf6367175d7b56cdf97694dec57da2c8fabd1969 AUX qemu-7.2.0-linux-headers-6.2-glibc-2.36.patch 5148 BLAKE2B 74d22dbc2113d7e7150908046f5c7c04be2f330143d7f61b5a08d8b837b3665857327f50176393a3df0078c5b856cd34b72e779825d10fb8faec9678812d8654 SHA512 3c4a7d41710b34bdce4ab09929aba25fe3995c85dfa1e2a88ea780179709e8ccfe7e7c5073ef321c986061282725896ca615193be68c48674d6b5632f4995661 AUX qemu-7.2.0-tcg-curl-ssl.patch 6514 BLAKE2B 02bde5269b02472a9afb24019bbeee6995a317ca6c0ab355dad20bcfa088be7ac2c82ce3f544d8397fb44db52dc94cb060139b74515c216479d12ccb1b152f8d SHA512 1117179b48824d0aed39e352783f8228658a39e8f52a171076ba60df42cd5869bde6092d7bd63b88a594e4d7b355935f8f2294057a19be26a53c63b98d8cb761 -AUX qemu-7.2.3-CVE-2023-2861.patch 4876 BLAKE2B bff2f605cb8217169519deb8f10270815731e379f2413b9320cb8ac254db3e5dd2cc96768552a3be6bd1265a157e2278c16d4e74c59531078761834849704e90 SHA512 27f55f7a92c6fd4ff794219f2beeeb1c52358c504f60512addf96d2b57cc7f5d83b1a069a3b4fee9db8ae9e8f30dacc5c8bc9ff3b7fee4fc9f000e0a8c354df6 AUX qemu-8.0.0-disable-keymap.patch 968 BLAKE2B f9496eb2c1fd91c2b570d3328d309f880bc15380a5302266aa18a0e85ed63df2263efa12c2295a7a3ec94a7ab205394b817a066b66e61e7ed875e3c501a3465b SHA512 3d686bfb9b4d7d58f1aec1ebd28f158e4e4ea521df9da5d15e6e28fc11de74da141c88e4f0a1eda234eb06fcd1e1767847aaa1883009c8468099cfa6acbd8761 AUX qemu-8.0.0-make.patch 231 BLAKE2B a38c26a1150a47b627add1ebf43d319cc405855515a6ee75a44dc31e042f2e5049e142367d1371efd3377d1a3be133ec95c1b9c4755097c0f522bfad67718178 SHA512 1c23959b5d860829000cf699a6943215f073530eb57745a8683d8df0978ddb380cbdcbdd9ed6936ca5d1c4b7897b8d92068bb37c894f8ffa39ee8c8751e0a56c AUX 
qemu-8.0.0-remove-python-meson-check.patch 1413 BLAKE2B b5e24afacb4289126b7b6b475406f2aead0dd62009a57649a929a15689caf3e41e9240e42930f05bf2889d902dee91bd5b7ef37825ab1a91bfd7a0ea8dfaa7af SHA512 fc59b3f413496337c84a63f85552fb571e77d343b7ad5271120f08b14aee9a2d6e5ea16b6c28c9fbbf22ce86924e399185797f3f18575d8c23334b0872fae592 -AUX qemu-8.0.2-CVE-2023-2861.patch 5036 BLAKE2B 12586ee2fdd7d70d9af8993e9d6afb741fb1a987b1c734df4113d05a27f70f3fad14658ee4a89c8e3314116412148ab01b22f8d9565761b2deadd6b01ad3fecf SHA512 ce9d691af6ae51ef40a67da8021a6e43f8da9bb558d0f8358740cecd703efd127bf83294a997fed8f299882f8ea57d576e12aee11e45792664054e3452012722 AUX qemu-8.1.0-also-build-virtfs-proxy-helper.patch 1267 BLAKE2B c9634257cc59a6772557d4ae773020ce3edb8a83ea99533f83c0ca7b48a14272f8b6cb54bb54053e74f9b76e4acd74de45aeef38749bfa36129c5c1171d26188 SHA512 36770fe05a9741f4bc8fae68c7bd28504d4c28b075fdb60a8f2dadf324ec3c9070899f3e5391a0a693eba57280465b5e7ae537fa7f4da4154abe92a8279384b5 AUX qemu-8.1.0-find-sphinx.patch 427 BLAKE2B 2834abad14361b63b18f05d0e672215b88492f7f6bf2a5b52c21f5f6ebb7e71d6c1904f07238fd9170c12caff33e644b969e7f01d2a530fc53f00c7b39a372d3 SHA512 8824231b5ca80828d8aeee7093e62b892f91fce7bd7d0ed6a0559b8fa88cc1e99d2b7f48b64ce4b6c2225ab3aa697725d9dfaaa5e6a160a63d37460520b41f12 AUX qemu-8.1.0-skip-tests.patch 2767 BLAKE2B b55b4225f7afa6bc3634fe072c10150e21f9ea109f6706da663f9ab5ca3c05ee5a03fad9061c1e35b8945e009b86715d3fa220b7b30f95597ed933f647e64e33 SHA512 db643b31152c9d10817ee2abf298c728adcf3d2dfc808582a352fb924ea9877865d26cd7c8bec7feacca51741a5498984022f8bc77ca9cacbe0d5088c6e37233
diff --git a/app-emulation/qemu/files/qemu-7.2.3-CVE-2023-2861.patch b/app-emulation/qemu/files/qemu-7.2.3-CVE-2023-2861.patch
deleted file mode 100644
index 9a9c11a41d66..000000000000
--- a/app-emulation/qemu/files/qemu-7.2.3-CVE-2023-2861.patch
+++ /dev/null
@@ -1,162 +0,0 @@ -https://bugs.gentoo.org/909542 -https://gitlab.com/qemu-project/qemu/-/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5 - -From 10fad73a2bf1c76c8aa9d6322755e5f877d83ce5 Mon Sep 17 00:00:00 2001 -From: Christian Schoenebeck -Date: Wed, 7 Jun 2023 18:29:33 +0200 -Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) - -The 9p protocol does not specifically define how server shall behave when -client tries to open a special file, however from security POV it does -make sense for 9p server to prohibit opening any special file on host side -in general. A sane Linux 9p client for instance would never attempt to -open a special file on host side, it would always handle those exclusively -on its guest side. A malicious client however could potentially escape -from the exported 9p tree by creating and opening a device file on host -side. - -With QEMU this could only be exploited in the following unsafe setups: - - - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough' - security model. - -or - - - Using 9p 'proxy' fs driver (which is running its helper daemon as - root). - -These setups were already discouraged for safety reasons before, -however for obvious reasons we are now tightening behaviour on this. 
- -Fixes: CVE-2023-2861 -Reported-by: Yanwu Shen -Reported-by: Jietao Xiao -Reported-by: Jinku Li -Reported-by: Wenbo Shen -Signed-off-by: Christian Schoenebeck -Reviewed-by: Greg Kurz -Reviewed-by: Michael Tokarev -Message-Id: -(cherry picked from commit f6b0de53fb87ddefed348a39284c8e2f28dc4eda) -Signed-off-by: Michael Tokarev -(Mjt: drop adding qemu_fstat wrapper for 7.2 where wrappers aren't used) ---- a/fsdev/virtfs-proxy-helper.c -+++ b/fsdev/virtfs-proxy-helper.c -@@ -26,6 +26,7 @@ - #include "qemu/xattr.h" - #include "9p-iov-marshal.h" - #include "hw/9pfs/9p-proxy.h" -+#include "hw/9pfs/9p-util.h" - #include "fsdev/9p-iov-marshal.h" - - #define PROGNAME "virtfs-proxy-helper" -@@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid) - } - } - -+/* -+ * Open regular file or directory. Attempts to open any special file are -+ * rejected. -+ * -+ * returns file descriptor or -1 on error -+ */ -+static int open_regular(const char *pathname, int flags, mode_t mode) -+{ -+ int fd; -+ -+ fd = open(pathname, flags, mode); -+ if (fd < 0) { -+ return fd; -+ } -+ -+ if (close_if_special_file(fd) < 0) { -+ return -1; -+ } -+ -+ return fd; -+} -+ - /* - * send response in two parts - * 1) ProxyHeader -@@ -682,7 +705,7 @@ static int do_create(struct iovec *iovec) - if (ret < 0) { - goto unmarshal_err_out; - } -- ret = open(path.data, flags, mode); -+ ret = open_regular(path.data, flags, mode); - if (ret < 0) { - ret = -errno; - } -@@ -707,7 +730,7 @@ static int do_open(struct iovec *iovec) - if (ret < 0) { - goto err_out; - } -- ret = open(path.data, flags); -+ ret = open_regular(path.data, flags, 0); - if (ret < 0) { - ret = -errno; - } ---- a/hw/9pfs/9p-util.h -+++ b/hw/9pfs/9p-util.h -@@ -13,6 +13,8 @@ - #ifndef QEMU_9P_UTIL_H - #define QEMU_9P_UTIL_H - -+#include "qemu/error-report.h" -+ - #ifdef O_PATH - #define O_PATH_9P_UTIL O_PATH - #else -@@ -112,6 +114,38 @@ static inline void close_preserve_errno(int fd) - errno = serrno; - } - -+/** -+ * 
close_if_special_file() - Close @fd if neither regular file nor directory. -+ * -+ * @fd: file descriptor of open file -+ * Return: 0 on regular file or directory, -1 otherwise -+ * -+ * CVE-2023-2861: Prohibit opening any special file directly on host -+ * (especially device files), as a compromised client could potentially gain -+ * access outside exported tree under certain, unsafe setups. We expect -+ * client to handle I/O on special files exclusively on guest side. -+ */ -+static inline int close_if_special_file(int fd) -+{ -+ struct stat stbuf; -+ -+ if (fstat(fd, &stbuf) < 0) { -+ close_preserve_errno(fd); -+ return -1; -+ } -+ if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) { -+ error_report_once( -+ "9p: broken or compromised client detected; attempt to open " -+ "special file (i.e. neither regular file, nor directory)" -+ ); -+ close(fd); -+ errno = ENXIO; -+ return -1; -+ } -+ -+ return 0; -+} -+ - static inline int openat_dir(int dirfd, const char *name) - { - return openat(dirfd, name, -@@ -146,6 +180,10 @@ again: - return -1; - } - -+ if (close_if_special_file(fd) < 0) { -+ return -1; -+ } -+ - serrno = errno; - /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't - * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat() --- -GitLab
diff --git a/app-emulation/qemu/files/qemu-8.0.2-CVE-2023-2861.patch b/app-emulation/qemu/files/qemu-8.0.2-CVE-2023-2861.patch
deleted file mode 100644
index 75fa534b4f1c..000000000000
--- a/app-emulation/qemu/files/qemu-8.0.2-CVE-2023-2861.patch
+++ /dev/null
@@ -1,167 +0,0 @@ -https://bugs.gentoo.org/909542 -https://gitlab.com/qemu-project/qemu/-/commit/b9d2887be4e616cdaeedd0b7456bfaa71ee798af - -From b9d2887be4e616cdaeedd0b7456bfaa71ee798af Mon Sep 17 00:00:00 2001 -From: Christian Schoenebeck -Date: Wed, 7 Jun 2023 18:29:33 +0200 -Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) - -The 9p protocol does not specifically define how server shall behave when -client tries to open a special file, however from security POV it does -make sense for 9p server to prohibit opening any special file on host side -in general. A sane Linux 9p client for instance would never attempt to -open a special file on host side, it would always handle those exclusively -on its guest side. A malicious client however could potentially escape -from the exported 9p tree by creating and opening a device file on host -side. - -With QEMU this could only be exploited in the following unsafe setups: - - - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough' - security model. - -or - - - Using 9p 'proxy' fs driver (which is running its helper daemon as - root). - -These setups were already discouraged for safety reasons before, -however for obvious reasons we are now tightening behaviour on this. 
- -Fixes: CVE-2023-2861 -Reported-by: Yanwu Shen -Reported-by: Jietao Xiao -Reported-by: Jinku Li -Reported-by: Wenbo Shen -Signed-off-by: Christian Schoenebeck -Reviewed-by: Greg Kurz -Reviewed-by: Michael Tokarev -Message-Id: -(cherry picked from commit f6b0de53fb87ddefed348a39284c8e2f28dc4eda) -Signed-off-by: Michael Tokarev ---- a/fsdev/virtfs-proxy-helper.c -+++ b/fsdev/virtfs-proxy-helper.c -@@ -26,6 +26,7 @@ - #include "qemu/xattr.h" - #include "9p-iov-marshal.h" - #include "hw/9pfs/9p-proxy.h" -+#include "hw/9pfs/9p-util.h" - #include "fsdev/9p-iov-marshal.h" - - #define PROGNAME "virtfs-proxy-helper" -@@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid) - } - } - -+/* -+ * Open regular file or directory. Attempts to open any special file are -+ * rejected. -+ * -+ * returns file descriptor or -1 on error -+ */ -+static int open_regular(const char *pathname, int flags, mode_t mode) -+{ -+ int fd; -+ -+ fd = open(pathname, flags, mode); -+ if (fd < 0) { -+ return fd; -+ } -+ -+ if (close_if_special_file(fd) < 0) { -+ return -1; -+ } -+ -+ return fd; -+} -+ - /* - * send response in two parts - * 1) ProxyHeader -@@ -682,7 +705,7 @@ static int do_create(struct iovec *iovec) - if (ret < 0) { - goto unmarshal_err_out; - } -- ret = open(path.data, flags, mode); -+ ret = open_regular(path.data, flags, mode); - if (ret < 0) { - ret = -errno; - } -@@ -707,7 +730,7 @@ static int do_open(struct iovec *iovec) - if (ret < 0) { - goto err_out; - } -- ret = open(path.data, flags); -+ ret = open_regular(path.data, flags, 0); - if (ret < 0) { - ret = -errno; - } ---- a/hw/9pfs/9p-util.h -+++ b/hw/9pfs/9p-util.h -@@ -13,6 +13,8 @@ - #ifndef QEMU_9P_UTIL_H - #define QEMU_9P_UTIL_H - -+#include "qemu/error-report.h" -+ - #ifdef O_PATH - #define O_PATH_9P_UTIL O_PATH - #else -@@ -95,6 +97,7 @@ static inline int errno_to_dotl(int err) { - #endif - - #define qemu_openat openat -+#define qemu_fstat fstat - #define qemu_fstatat fstatat - #define qemu_mkdirat mkdirat - 
#define qemu_renameat renameat -@@ -108,6 +111,38 @@ static inline void close_preserve_errno(int fd) - errno = serrno; - } - -+/** -+ * close_if_special_file() - Close @fd if neither regular file nor directory. -+ * -+ * @fd: file descriptor of open file -+ * Return: 0 on regular file or directory, -1 otherwise -+ * -+ * CVE-2023-2861: Prohibit opening any special file directly on host -+ * (especially device files), as a compromised client could potentially gain -+ * access outside exported tree under certain, unsafe setups. We expect -+ * client to handle I/O on special files exclusively on guest side. -+ */ -+static inline int close_if_special_file(int fd) -+{ -+ struct stat stbuf; -+ -+ if (qemu_fstat(fd, &stbuf) < 0) { -+ close_preserve_errno(fd); -+ return -1; -+ } -+ if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) { -+ error_report_once( -+ "9p: broken or compromised client detected; attempt to open " -+ "special file (i.e. neither regular file, nor directory)" -+ ); -+ close(fd); -+ errno = ENXIO; -+ return -1; -+ } -+ -+ return 0; -+} -+ - static inline int openat_dir(int dirfd, const char *name) - { - return qemu_openat(dirfd, name, -@@ -142,6 +177,10 @@ again: - return -1; - } - -+ if (close_if_special_file(fd) < 0) { -+ return -1; -+ } -+ - serrno = errno; - /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't - * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat() -- cgit v1.2.3