
branch master updated: gnu: QEMU: Fix CVE-2020-1711.


From: guix-commits
Subject: branch master updated: gnu: QEMU: Fix CVE-2020-1711.
Date: Mon, 03 Feb 2020 12:04:56 -0500

This is an automated email from the git hooks/post-receive script.

lfam pushed a commit to branch master
in repository guix.

The following commit(s) were added to refs/heads/master by this push:
     new ca5e404  gnu: QEMU: Fix CVE-2020-1711.
ca5e404 is described below

commit ca5e404f9a1ff81a38a32578c9c3a6c866482a9a
Author: Leo Famulari <address@hidden>
AuthorDate: Sun Feb 2 16:35:33 2020 -0500

    gnu: QEMU: Fix CVE-2020-1711.
    
    * gnu/packages/patches/qemu-CVE-2020-1711.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Add it.
    * gnu/packages/virtualization.scm (qemu)[source]: Use it.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/patches/qemu-CVE-2020-1711.patch | 69 +++++++++++++++++++++++++++
 gnu/packages/virtualization.scm               |  3 +-
 3 files changed, 72 insertions(+), 1 deletion(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index cdad650..0096010 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1342,6 +1342,7 @@ dist_patch_DATA =                                         
\
   %D%/packages/patches/python-unittest2-remove-argparse.patch  \
   %D%/packages/patches/python-waitress-fix-tests.patch         \
   %D%/packages/patches/qemu-glibc-2.27.patch                   \
+  %D%/packages/patches/qemu-CVE-2020-1711.patch                        \
   %D%/packages/patches/qemu-CVE-2020-7039.patch                        \
   %D%/packages/patches/qemu-CVE-2020-7211.patch                        \
   %D%/packages/patches/qemu-fix-documentation-build-failure.patch      \
diff --git a/gnu/packages/patches/qemu-CVE-2020-1711.patch 
b/gnu/packages/patches/qemu-CVE-2020-1711.patch
new file mode 100644
index 0000000..32d04f6
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2020-1711.patch
@@ -0,0 +1,69 @@
+Fix CVE-2020-1711:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1711
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=693fd2acdf14dd86c0bf852610f1c2cca80a74dc
+
+From 693fd2acdf14dd86c0bf852610f1c2cca80a74dc Mon Sep 17 00:00:00 2001
+From: Felipe Franciosi <address@hidden>
+Date: Thu, 23 Jan 2020 12:44:59 +0000
+Subject: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
+
+When querying an iSCSI server for the provisioning status of blocks (via
+GET LBA STATUS), Qemu only validates that the response descriptor zero's
+LBA matches the one requested. Given the SCSI spec allows servers to
+respond with the status of blocks beyond the end of the LUN, Qemu may
+have its heap corrupted by clearing/setting too many bits at the end of
+its allocmap for the LUN.
+
+A malicious guest in control of the iSCSI server could carefully program
+Qemu's heap (by selectively setting the bitmap) and then smash it.
+
+This limits the number of bits that iscsi_co_block_status() will try to
+update in the allocmap so it can't overflow the bitmap.
+
+Fixes: CVE-2020-1711
+Cc: address@hidden
+Signed-off-by: Felipe Franciosi <address@hidden>
+Signed-off-by: Peter Turschmid <address@hidden>
+Signed-off-by: Raphael Norwitz <address@hidden>
+Signed-off-by: Kevin Wolf <address@hidden>
+---
+ block/iscsi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/block/iscsi.c b/block/iscsi.c
+index 2aea7e3f13..cbd57294ab 100644
+--- a/block/iscsi.c
++++ b/block/iscsi.c
+@@ -701,7 +701,7 @@ static int coroutine_fn 
iscsi_co_block_status(BlockDriverState *bs,
+     struct scsi_get_lba_status *lbas = NULL;
+     struct scsi_lba_status_descriptor *lbasd = NULL;
+     struct IscsiTask iTask;
+-    uint64_t lba;
++    uint64_t lba, max_bytes;
+     int ret;
+ 
+     iscsi_co_init_iscsitask(iscsilun, &iTask);
+@@ -721,6 +721,7 @@ static int coroutine_fn 
iscsi_co_block_status(BlockDriverState *bs,
+     }
+ 
+     lba = offset / iscsilun->block_size;
++    max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
+ 
+     qemu_mutex_lock(&iscsilun->mutex);
+ retry:
+@@ -764,7 +765,7 @@ retry:
+         goto out_unlock;
+     }
+ 
+-    *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
++    *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, 
max_bytes);
+ 
+     if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
+         lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
+-- 
+2.25.0
+
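Review bot: The cap at `*pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);` compares an `int64_t` with `max_bytes`, which the first hunk declares as `uint64_t`, so the usual arithmetic conversions turn this into an unsigned comparison. That is only safe while `lba <= iscsilun->num_blocks`: if `lba` could ever exceed `num_blocks`, `iscsilun->num_blocks - lba` wraps and `max_bytes` becomes huge, and the cap no longer bounds `*pnum`. Please confirm that `offset` is validated against the device size before `iscsi_co_block_status()` is reached, or declare `max_bytes` as `int64_t` and clamp it at zero. On the packaging side, the file header correctly records the upstream commit it was copied from; since this rendering shows the `@@` header lines and the `*pnum` line wrapped by the mail client, verify that the stored file applies cleanly (for example with `git apply --check`) against the packaged QEMU tarball.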
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index b7e4dfe..3670b39 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -115,7 +115,8 @@
              (method url-fetch)
              (uri (string-append "https://download.qemu.org/qemu-";
                                  version ".tar.xz"))
-             (patches (search-patches "qemu-CVE-2020-7039.patch"
+             (patches (search-patches "qemu-CVE-2020-1711.patch"
+                                      "qemu-CVE-2020-7039.patch"
                                       "qemu-CVE-2020-7211.patch"
                                       
"qemu-fix-documentation-build-failure.patch"))
              (sha256
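Review bot: Listing `qemu-CVE-2020-1711.patch` ahead of `qemu-CVE-2020-7039.patch` keeps the `search-patches` arguments in ascending CVE order and matches the position chosen for the new entry in `gnu/local.mk`, so the two lists stay in sync; no change needed. The surrounding `sha256` is left untouched, which is expected: patches are applied after the tarball is fetched and do not affect the source hash.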


