Import rpm: bdff3a86d2bf311945ebd4dff96caff13863a390

This commit is contained in:
James Antill 2023-02-23 13:22:07 -05:00
parent fca0a454c6
commit 6826884b71
4 changed files with 220 additions and 4 deletions

View File

@ -0,0 +1,92 @@
From bb19cc0cdd43619ccf830e1e608f79e46f8ddf86 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Thu, 12 May 2022 08:36:37 +0100
Subject: [PATCH] lib: Disable 5-level page tables when using -cpu max
In https://bugzilla.redhat.com/show_bug.cgi?id=2082806 we've been
tracking an insidious qemu bug which intermittently prevents the
libguestfs appliance from starting. The symptoms are that SeaBIOS
starts and displays its messages, but the kernel isn't reached. We
found that the kernel does in fact start, but when it tries to set up
page tables and jump to protected mode it gets a triple fault which
causes the emulated CPU in qemu to reset (qemu exits).
This seems to only affect TCG (not KVM).
Yesterday I found that this is caused by using -cpu max which enables
the "la57" feature (5-level page tables[0]), and that we can make the
problem go away using -cpu max,la57=off. Note that I still don't
fully understand the qemu bug, so this is only a workaround.
I chose to disable 5-level page tables for both TCG and KVM, partly to
make the patch simpler, and partly because I guess it's not a feature
(ie. 57 bit linear addresses) that is useful for the libguestfs
appliance case, where we have limited physical memory and no need to
run any programs with huge address spaces.
I tested this by running both the direct & libvirt paths overnight. I
expect that this patch will fail with old qemu/libvirt which doesn't
understand the "la57" feature, but this is only intended as a
temporary workaround.
[0] Article about 5-level page tables as background:
https://lwn.net/Articles/717293/
Thanks: Laszlo Ersek
Fixes: https://answers.launchpad.net/ubuntu/+source/libguestfs/+question/701625
[RHEL 8.7: Patch is not upstream. This is the initial patch as posted
to the mailing list here:
https://listman.redhat.com/archives/libguestfs/2022-May/028853.html]
---
lib/launch-direct.c | 15 +++++++++++++--
lib/launch-libvirt.c | 7 +++++++
2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/lib/launch-direct.c b/lib/launch-direct.c
index de17d2167..6b28e4724 100644
--- a/lib/launch-direct.c
+++ b/lib/launch-direct.c
@@ -534,8 +534,19 @@ launch_direct (guestfs_h *g, void *datav, const char *arg)
} end_list ();
cpu_model = guestfs_int_get_cpu_model (has_kvm && !force_tcg);
- if (cpu_model)
- arg ("-cpu", cpu_model);
+ if (cpu_model) {
+#if defined(__x86_64__)
+ /* Temporary workaround for RHBZ#2082806 */
+ if (STREQ (cpu_model, "max")) {
+ start_list ("-cpu") {
+ append_list (cpu_model);
+ append_list ("la57=off");
+ } end_list ();
+ }
+ else
+#endif
+ arg ("-cpu", cpu_model);
+ }
if (g->smp > 1)
arg_format ("-smp", "%d", g->smp);
diff --git a/lib/launch-libvirt.c b/lib/launch-libvirt.c
index db619910f..bad4a54ea 100644
--- a/lib/launch-libvirt.c
+++ b/lib/launch-libvirt.c
@@ -1172,6 +1172,13 @@ construct_libvirt_xml_cpu (guestfs_h *g,
else if (STREQ (cpu_model, "max")) {
/* https://bugzilla.redhat.com/show_bug.cgi?id=1935572#c11 */
attribute ("mode", "maximum");
+#if defined(__x86_64__)
+ /* Temporary workaround for RHBZ#2082806 */
+ start_element ("feature") {
+ attribute ("policy", "disable");
+ attribute ("name", "la57");
+ } end_element ();
+#endif
}
else
single_element ("model", cpu_model);
--
2.31.1

View File

@ -0,0 +1,103 @@
From 22d779d5982dc82d629710d41973ed6545707bd9 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Tue, 28 Jun 2022 13:54:16 +0200
Subject: [PATCH] docs/guestfs-security: document CVE-2022-2211
Short log for the common submodule, commit range
f8de5508fe75..35467027f657:
Laszlo Ersek (2):
mlcustomize: factor out pkg install/update/uninstall from guestfs-tools
options: fix buffer overflow in get_keys() [CVE-2022-2211]
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2100862
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20220628115418.5376-2-lersek@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
Cherry picked from commit 99844660b48ed809e37378262c65d63df6ce4a53.
For the cherry pick I only added one submodule commit:
options: fix buffer overflow in get_keys() [CVE-2022-2211]
---
common | 2 +-
docs/guestfs-security.pod | 28 ++++++++++++++++++++++++++++
2 files changed, 29 insertions(+), 1 deletion(-)
Submodule common be09523d6..1174b443a:
diff --git a/common/options/keys.c b/common/options/keys.c
index 798315c..d27a712 100644
--- a/common/options/keys.c
+++ b/common/options/keys.c
@@ -128,17 +128,23 @@ read_first_line_from_file (const char *filename)
char **
get_keys (struct key_store *ks, const char *device, const char *uuid)
{
- size_t i, j, len;
+ size_t i, j, nmemb;
char **r;
char *s;
/* We know the returned list must have at least one element and not
* more than ks->nr_keys.
*/
- len = 1;
- if (ks)
- len = MIN (1, ks->nr_keys);
- r = calloc (len+1, sizeof (char *));
+ nmemb = 1;
+ if (ks && ks->nr_keys > nmemb)
+ nmemb = ks->nr_keys;
+
+ /* make room for the terminating NULL */
+ if (nmemb == (size_t)-1)
+ error (EXIT_FAILURE, 0, _("size_t overflow"));
+ nmemb++;
+
+ r = calloc (nmemb, sizeof (char *));
if (r == NULL)
error (EXIT_FAILURE, errno, "calloc");
diff --git a/docs/guestfs-security.pod b/docs/guestfs-security.pod
index 9ceef5623..efa35b29d 100644
--- a/docs/guestfs-security.pod
+++ b/docs/guestfs-security.pod
@@ -406,6 +406,34 @@ The libvirt backend is not affected.
The solution is to update qemu to a version containing the fix (see
L<https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html>).
+=head2 CVE-2022-2211
+
+L<https://bugzilla.redhat.com/CVE-2022-2211>
+
+The C<get_keys> function in F<libguestfs-common/options/keys.c> collects
+those I<--key> options from the command line into a new array that match
+a particular block device that's being decrypted for inspection. The
+function intends to size the result array such that potentially all
+I<--key> options, plus a terminating C<NULL> element, fit into it. The
+code mistakenly uses the C<MIN> macro instead of C<MAX>, and therefore
+only one element is allocated before the C<NULL> terminator.
+
+Passing precisely two I<--key ID:...> options on the command line for
+the encrypted block device C<ID> causes C<get_keys> to overwrite the
+terminating C<NULL>, leading to an out-of-bounds read in
+C<decrypt_mountables>, file F<libguestfs-common/options/decrypt.c>.
+
+Passing more than two I<--key ID:...> options on the command line for
+the encrypted block device C<ID> causes C<get_keys> itself to perform
+out-of-bounds writes. The most common symptom is a crash with C<SIGSEGV>
+later on.
+
+This issue affects -- broadly speaking -- all libguestfs-based utilities
+that accept I<--key>, namely: C<guestfish>, C<guestmount>, C<virt-cat>,
+C<virt-customize>, C<virt-diff>, C<virt-edit>, C<virt-get-kernel>,
+C<virt-inspector>, C<virt-log>, C<virt-ls>, C<virt-sparsify>,
+C<virt-sysprep>, C<virt-tail>, C<virt-v2v>.
+
=head1 SEE ALSO
L<guestfs(3)>,
--
2.31.1

View File

@ -32,7 +32,7 @@ Summary: Access and modify virtual machine disk images
Name: libguestfs Name: libguestfs
Epoch: 1 Epoch: 1
Version: 1.44.0 Version: 1.44.0
Release: 6%{?dist} Release: 9%{?dist}
License: LGPLv2+ License: LGPLv2+
ExclusiveArch: x86_64 %{power64} aarch64 s390x ExclusiveArch: x86_64 %{power64} aarch64 s390x
@ -71,6 +71,8 @@ Patch0018: 0018-lib-extract-NETWORK_ADDRESS-and-NETWORK_PREFIX-as-ma.patch
Patch0019: 0019-launch-libvirt-add-virtio-net-via-the-standard-inter.patch Patch0019: 0019-launch-libvirt-add-virtio-net-via-the-standard-inter.patch
Patch0020: 0020-appliance-Use-cpu-max.patch Patch0020: 0020-appliance-Use-cpu-max.patch
Patch0021: 0021-appliance-Use-cpu-mode-maximum-for-cpu-max-on-libvir.patch Patch0021: 0021-appliance-Use-cpu-mode-maximum-for-cpu-max-on-libvir.patch
Patch0022: 0022-lib-Disable-5-level-page-tables-when-using-cpu-max.patch
Patch0023: 0023-docs-guestfs-security-document-CVE-2022-2211.patch
# Replacement README file. # Replacement README file.
Source4: README-replacement.in Source4: README-replacement.in
@ -230,7 +232,7 @@ BuildRequires: iputils
%if !0%{?rhel} %if !0%{?rhel}
BuildRequires: jfsutils BuildRequires: jfsutils
%endif %endif
BuildRequires: kernel BuildRequires: (kernel without kernel-debug-core)
BuildRequires: kmod BuildRequires: kmod
BuildRequires: kpartx BuildRequires: kpartx
BuildRequires: less BuildRequires: less
@ -300,6 +302,12 @@ BuildRequires: zfs-fuse
# to replace it with (eg) a fixed appliance. # to replace it with (eg) a fixed appliance.
Requires: (%{name}-appliance = %{epoch}:%{version}-%{release} or %{name}-noappliance) Requires: (%{name}-appliance = %{epoch}:%{version}-%{release} or %{name}-noappliance)
# libguestfs-benchmarking was accidentally present in RHEL AV 8.5 and
# removed in RHEL 8.6+. Add an Obsoletes to smooth the upgrade path
# for anyone who had this package installed.
# https://bugzilla.redhat.com/show_bug.cgi?id=2091597
Obsoletes: %{name}-benchmarking < %{epoch}:%{version}-%{release}
# The daemon dependencies are not included automatically, because it # The daemon dependencies are not included automatically, because it
# is buried inside the appliance, so list them here. # is buried inside the appliance, so list them here.
Requires: augeas-libs%{?_isa} Requires: augeas-libs%{?_isa}
@ -1186,6 +1194,19 @@ rm ocaml/html/.gitignore
%changelog %changelog
* Tue Jul 05 2022 Richard W.M. Jones <rjones@redhat.com> - 1:1.44.0-9
- Fix CVE-2022-2211 Denial of Service in --key parameter
resolves: rhbz#2101280
* Tue Jun 07 2022 Richard W.M. Jones <rjones@redhat.com> - 1:1.44.0-8
- Obsolete old libguestfs-benchmarking subpackage
resolves: rhbz#2091597
* Thu May 12 2022 Richard W.M. Jones <rjones@redhat.com> - 1:1.44.0-7
- Disable 5-level page tables when using -cpu max
resolves: rhbz#2084566
related: rhbz#2075424
* Thu Apr 14 2022 Richard W.M. Jones <rjones@redhat.com> - 1:1.44.0-6 * Thu Apr 14 2022 Richard W.M. Jones <rjones@redhat.com> - 1:1.44.0-6
- Backport support for -cpu max to allow RHEL 9 guests to be modified - Backport support for -cpu max to allow RHEL 9 guests to be modified
resolves: rhbz#2075424 resolves: rhbz#2075424

View File

@ -1,2 +1,2 @@
SHA512 (libguestfs-1.44.0.tar.gz) = e5052d6deb130f9bceea06d2d6626162991cb83ffaf0ed9923ff5d8bb67137e565053104d8854d37ea8c871dce2a5ca29507d17357de813a8ac49896f00be103 SHA1 (libguestfs-1.44.0.tar.gz) = 99d241dc4a5ba0dc6111954ed7a872e0b0bb6944
SHA512 (libguestfs.keyring) = 297a15edc7c220222b9f650e0a9361ae132d3f0fed04aeb2237a1d9c3f6dac6f336846434f66480faed72635a33f659e849b052e74b88d1508aeff03f8c9a2ac SHA1 (libguestfs.keyring) = 1bbc40f501a7fef9eef2a39b701a71aee2fea7c4