import qemu-kvm-4.2.0-59.module+el8.5.0+14169+68d2f392.2

2022-03-15 05:13:05 -04:00 · 2022-03-15 05:13:05 -04:00 · 4cda9e4498
parent 4cb2a81ea6
commit 4cda9e4498
2 changed files with 119 additions and 1 deletions
--- a/SOURCES/kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch
+++ b/SOURCES/kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch
@ -0,0 +1,111 @@
+From 746e07f2d54908296dde64e97e12ea33a35063e0 Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Tue, 25 Jan 2022 13:51:14 -0500
+Subject: [PATCH] virtiofsd: Drop membership of all supplementary groups
+ (CVE-2022-0358)
+
+RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-MergeRequest: 106: 8.5.0z non-av; virtiofsd security fix - drop secondary groups
+RH-Commit: [1/1] e39df0b31f3c236675262395b94d5c10e8e3073f
+RH-Bugzilla: 2048627
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Vivek Goyal <None>
+
+At the start, drop membership of all supplementary groups. This is
+not required.
+
+If we have membership of "root" supplementary group and when we switch
+uid/gid using setresuid/setsgid, we still retain membership of existing
+supplemntary groups. And that can allow some operations which are not
+normally allowed.
+
+For example, if root in guest creates a dir as follows.
+
+$ mkdir -m 03777 test_dir
+
+This sets SGID on dir as well as allows unprivileged users to write into
+this dir.
+
+And now as unprivileged user open file as follows.
+
+$ su test
+$ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755);
+
+This will create SGID set executable in test_dir/.
+
+And that's a problem because now an unpriviliged user can execute it,
+get egid=0 and get access to resources owned by "root" group. This is
+privilege escalation.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863
+Fixes: CVE-2022-0358
+Reported-by: JIETAO XIAO <shawtao1125@gmail.com>
+Suggested-by: Miklos Szeredi <mszeredi@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Message-Id: <YfBGoriS38eBQrAb@redhat.com>
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+  dgilbert: Fixed missing {}'s style nit
+(cherry picked from commit 449e8171f96a6a944d1f3b7d3627ae059eae21ca)
+  dgilbert: Minor fixup around #includes on backport
+---
+ tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index b47029da89..578131179c 100644
+--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
+@@ -63,6 +63,7 @@
+ #include <sys/xattr.h>
+ #include <syslog.h>
+ #include <unistd.h>
+#include <grp.h>
+ 
+ #include "passthrough_helpers.h"
+ #include "seccomp.h"
+@@ -1058,6 +1059,30 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
+ #define OURSYS_setresuid SYS_setresuid
+ #endif
+ 
+static void drop_supplementary_groups(void)
+{
+    int ret;
+
+    ret = getgroups(0, NULL);
+    if (ret == -1) {
+        fuse_log(FUSE_LOG_ERR, "getgroups() failed with error=%d:%s\n",
+                 errno, strerror(errno));
+        exit(1);
+    }
+
+    if (!ret) {
+        return;
+    }
+
+    /* Drop all supplementary groups. We should not need it */
+    ret = setgroups(0, NULL);
+    if (ret == -1) {
+        fuse_log(FUSE_LOG_ERR, "setgroups() failed with error=%d:%s\n",
+                 errno, strerror(errno));
+        exit(1);
+    }
+}
+
+ /*
+  * Change to uid/gid of caller so that file is created with
+  * ownership of caller.
+@@ -3010,6 +3035,8 @@ int main(int argc, char *argv[])
+     /* Don't mask creation mode, kernel already did that */
+     umask(0);
+ 
+    drop_supplementary_groups();
+
+     pthread_mutex_init(&lo.mutex, NULL);
+     lo.inodes = g_hash_table_new(lo_key_hash, lo_key_equal);
+     lo.root.fd = -1;
+-- 
+2.27.0
+
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@ -67,7 +67,7 @@ Obsoletes: %1-rhev <= %{epoch}:%{version}-%{release}
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 4.2.0
-Release: 59%{?dist}.1
+Release: 59%{?dist}.2
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
@ -1252,6 +1252,8 @@ Patch544: kvm-scsi-make-io_timeout-configurable.patch
 Patch545: kvm-hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
 # For bz#2025011 - CVE-2021-20257 virt:rhel/qemu-kvm: QEMU: net: e1000: infinite loop while processing transmit descriptors [rhel-8.5.0.z]
 Patch546: kvm-e1000-fix-tx-re-entrancy-problem.patch
+# For bz#2048627 - CVE-2022-0358 virt:rhel/qemu-kvm: QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405 [rhel-8.5.0.z]
+Patch547: kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch

 BuildRequires: wget
 BuildRequires: rpm-build
@ -2200,6 +2202,11 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \


 %changelog
+* Tue Feb 08 2022 Jon Maloy <jmaloy@redhat.com> - 4.2.0-59.el8_5.2
+- kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch [bz#2048627]
+- Resolves: bz#2048627
+  (CVE-2022-0358 virt:rhel/qemu-kvm: QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405 [rhel-8.5.0.z])
+
 * Thu Nov 25 2021 Jon Maloy <jmaloy@redhat.com> - 4.2.0-59.el8_5
 - kvm-hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch [bz#2025605]
 - kvm-e1000-fix-tx-re-entrancy-problem.patch [bz#2025011]