* Thu Sep 17 2020 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 5.1.0-8.el8

- kvm-redhat-link-etc-qemu-ga-fsfreeze-hook-to-etc-qemu-kv.patch [bz#1738820]
- kvm-seccomp-fix-killing-of-whole-process-instead-of-thre.patch [bz#1752376]
- kvm-Revert-Drop-bogus-IPv6-messages.patch [bz#1867075]
- kvm-block-rbd-add-namespace-to-qemu_rbd_strong_runtime_o.patch [bz#1821528]
- Resolves: bz#1738820
  ('-F' option of qemu-ga command cause the guest-fsfreeze-freeze command doesn't work)
- Resolves: bz#1752376
  (qemu use SCMP_ACT_TRAP even SCMP_ACT_KILL_PROCESS is available)
- Resolves: bz#1821528
  (missing namespace attribute when access the rbd image with namespace)
- Resolves: bz#1867075
  (CVE-2020-10756 virt:8.3/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-av-8])
Danilo C. L. de Paula 2020-09-17 14:02:36 -04:00
parent 7b68902699
commit 811a9b1b70
5 changed files with 268 additions and 1 deletions

@ -0,0 +1,48 @@
From 40ce2a0e9f0a9d5c00ba82f187802fdf0a0702d0 Mon Sep 17 00:00:00 2001
From: Danilo de Paula <ddepaula@redhat.com>
Date: Wed, 16 Sep 2020 01:25:22 -0400
Subject: [PATCH 3/4] Revert "Drop bogus IPv6 messages"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Danilo de Paula <ddepaula@redhat.com>
Message-id: <20200916012522.1183051-2-ddepaula@redhat.com>
Patchwork-id: 98394
O-Subject: [RHEL-AV-8.3.0 qemu-kvm PATCH 1/1] Revert "Drop bogus IPv6 messages"
Bugzilla: 1867075
RH-Acked-by: Jon Maloy <jmaloy@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
This reverts commit 6ceab004edfb7c1f0f03701bc2ae443941468fd7.
This fix was applied during the rebase.
The commit above just duplicates it.
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
slirp/src/ip6_input.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c
index f7ef354ee4..a83e4f8e3d 100644
--- a/slirp/src/ip6_input.c
+++ b/slirp/src/ip6_input.c
@@ -56,13 +56,6 @@ void ip6_input(struct mbuf *m)
goto bad;
}
- // Check if the message size is big enough to hold what's
- // set in the payload length header. If not this is an invalid
- // packet
- if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
- goto bad;
- }
-
/* check ip_ttl for a correct ICMP reply */
if (ip6->ip_hl == 0) {
icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
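Review bot: with the duplicated check removed, nothing in this hunk's context validates that m->m_len covers ntohs(ip6->ip_pl) + sizeof(struct ip6) before the header fields are used; the commit message says the equivalent fix landed during the rebase, so it should cite that commit or the line where the surviving check now sits, otherwise a reviewer cannot confirm from this patch alone that bz#1867075 / CVE-2020-10756 stays fixed after the revert.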
--
2.27.0

@ -0,0 +1,51 @@
From ba82420d04b2e2ca69d5ff4720e37dd0748936ea Mon Sep 17 00:00:00 2001
From: Stefano Garzarella <sgarzare@redhat.com>
Date: Wed, 16 Sep 2020 11:40:25 -0400
Subject: [PATCH 4/4] block/rbd: add 'namespace' to
qemu_rbd_strong_runtime_opts[]
RH-Author: Stefano Garzarella <sgarzare@redhat.com>
Message-id: <20200916114025.47973-2-sgarzare@redhat.com>
Patchwork-id: 98399
O-Subject: [RHEL-AV-8.3.0 qemu-kvm PATCH 1/1] block/rbd: add 'namespace' to qemu_rbd_strong_runtime_opts[]
Bugzilla: 1821528
RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Max Reitz <mreitz@redhat.com>
Commit 19ae9ae014 ("block/rbd: Add support for ceph namespaces")
introduced namespace support for RBD, but we forgot to add the
new 'namespace' options to qemu_rbd_strong_runtime_opts[].
The 'namespace' is used to identify the image, so it is a strong
option since it can changes the data of a BDS.
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1821528
Fixes: 19ae9ae014 ("block/rbd: Add support for ceph namespaces")
Cc: Florian Florensa <fflorensa@online.net>
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20200914190553.74871-1-sgarzare@redhat.com>
Reviewed-by: Jason Dillaman <dillaman@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
(cherry picked from commit 7bae7c805d82675eb3a02c744093703d84ada2d6)
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
block/rbd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/block/rbd.c b/block/rbd.c
index 688074c64b..5356753fbe 100644
--- a/block/rbd.c
+++ b/block/rbd.c
@@ -1289,6 +1289,7 @@ static QemuOptsList qemu_rbd_create_opts = {
static const char *const qemu_rbd_strong_runtime_opts[] = {
"pool",
+ "namespace",
"image",
"conf",
"snapshot",
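Review bot: the new entry sits between "pool" and "image", which matches the pool/namespace/image order in which an RBD image is identified; the one thing to verify is that the literal "namespace" is exactly the option key registered by 19ae9ae014, because a mismatch here would not fail the build and the option would silently remain a weak one.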
--
2.27.0

@ -0,0 +1,61 @@
From 020501879841afb788087f0455df79367c0337a0 Mon Sep 17 00:00:00 2001
From: Danilo de Paula <ddepaula@redhat.com>
Date: Fri, 11 Sep 2020 14:23:22 -0400
Subject: [PATCH 1/4] redhat: link /etc/qemu-ga/fsfreeze-hook to /etc/qemu-kvm/
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Danilo de Paula <ddepaula@redhat.com>
Message-id: <20200911142322.1865501-2-ddepaula@redhat.com>
Patchwork-id: 98358
O-Subject: [RHEL-AV-8.3.0 qemu-kvm PATCH v2 1/1] redhat: link /etc/qemu-ga/fsfreeze-hook to /etc/qemu-kvm/
Bugzilla: 1738820
RH-Acked-by: Eduardo Lima (Etrunko) <etrunko@redhat.com>
RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
When qemu-ga was introduced to RHEL-8, we used the qemu-guest-agent
from RHEL-7 as base.
In RHEL-7, qemu-guest-agent is built as standalone package.
It's built as "qemu-ga", hence the "qemu-ga" folders.
For RHEL-8, that should have been renamed to qemu-kvm, but I missed it.
Renaming those folders to /etc/qemu-kvm is a no go today, because
users might have populated the /etc/qemu-ga/fsfreeze-hook.d folder.
So, in order to make qemu-ga -F works in RHEL-8, a link is being
created in the expected place, pointing to the real one.
Also, fsfreeze-hook opens up the fsfreeze-hook.d on the same PATH where
it is stored. However, it doesn't follow symlinks. In order to fix this,
I had to change it to make sure it follows the link.
An option would be to also link the fsfreeze-hook.d folder, but I choose
not to do so as it creates a permanent/visible change in users
environments. The downside is to keep another downstream-only change.
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
redhat/qemu-kvm.spec.template | 6 ++++++
scripts/qemu-guest-agent/fsfreeze-hook | 2 +-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/scripts/qemu-guest-agent/fsfreeze-hook b/scripts/qemu-guest-agent/fsfreeze-hook
index 13aafd4845..e9b84ec028 100755
--- a/scripts/qemu-guest-agent/fsfreeze-hook
+++ b/scripts/qemu-guest-agent/fsfreeze-hook
@@ -8,7 +8,7 @@
# request, it is issued with "thaw" argument after filesystem is thawed.
LOGFILE=/var/log/qga-fsfreeze-hook.log
-FSFREEZE_D=$(dirname -- "$0")/fsfreeze-hook.d
+FSFREEZE_D=$(dirname -- "$(realpath $0)")/fsfreeze-hook.d
# Check whether file $1 is a backup or rpm-generated file and should be ignored
is_ignored_file() {
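Review bot: `$0` inside `$(realpath $0)` is unquoted, so a hook path containing whitespace or glob characters would be word-split; write it as `FSFREEZE_D=$(dirname -- "$(realpath -- "$0")")/fsfreeze-hook.d`. This also adds a runtime dependency on realpath (coreutils), which the spec should reflect if qemu-guest-agent does not already require it.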
--
2.27.0

@ -0,0 +1,79 @@
From 4740b2ba008ca469409cf5af58ac85ae5dc7f6a5 Mon Sep 17 00:00:00 2001
From: Eduardo Otubo <otubo@redhat.com>
Date: Tue, 15 Sep 2020 15:15:49 -0400
Subject: [PATCH 2/4] seccomp: fix killing of whole process instead of thread
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Eduardo Otubo <otubo@redhat.com>
Message-id: <20200915151549.5007-1-otubo@redhat.com>
Patchwork-id: 98392
O-Subject: [RHEL-AV-8.3.0/RHEL-8.3.0 qemu-kvm PATCH] seccomp: fix killing of whole process instead of thread
Bugzilla: 1752376
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Daniel P. Berrange <berrange@redhat.com>
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1752376
BRANCH: rhel-av-8.3.0
UPSTREAM: Merged
BREW: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=31339152
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1752376
BRANCH: rhel-8.3.0
UPSTREAM: Merged
BREW: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=31339111
From: Daniel P. Berrangé <berrange@redhat.com>
Back in 2018 we introduced support for killing the whole QEMU process
instead of just one thread, when a seccomp rule is violated:
commit bda08a5764d470f101fa38635d30b41179a313e1
Author: Marc-André Lureau <marcandre.lureau@redhat.com>
Date: Wed Aug 22 19:02:48 2018 +0200
seccomp: prefer SCMP_ACT_KILL_PROCESS if available
Fast forward a year and we introduced a patch to avoid killing the
process for resource control syscalls tickled by Mesa.
commit 9a1565a03b79d80b236bc7cc2dbce52a2ef3a1b8
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: Wed Mar 13 09:49:03 2019 +0000
seccomp: don't kill process for resource control syscalls
Unfortunately a logic bug effectively reverted the first commit
mentioned so that we go back to only killing the thread, not the whole
process.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Acked-by: Eduardo Otubo <otubo@redhat.com>
(cherry picked from commit e474e3aacf4276eb0781d11c45e2fab996f9dc56)
Signed-off-by: Eduardo Otubo <otubo@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
qemu-seccomp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index e0a1829b3d..8325ecb766 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -136,8 +136,9 @@ static uint32_t qemu_seccomp_get_action(int set)
if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) {
kill_process = 1;
+ } else {
+ kill_process = 0;
}
- kill_process = 0;
}
if (kill_process == 1) {
return SCMP_ACT_KILL_PROCESS;
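Review bot: the else branch is the correct fix for the unconditional `kill_process = 0` that discarded the probe result; to keep a later refactor from reintroducing it, a comment above the probe stating that kill_process is a cached tri-state (unprobed / 0 / 1) would help, and a unit test asserting that SCMP_ACT_KILL_PROCESS is returned when SECCOMP_GET_ACTION_AVAIL reports support would have caught this regression.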
--
2.27.0
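The logic bug the seccomp commit message describes, as an added, constructed model that is not QEMU's code: a hypothetical `probe_fn` stands in for `qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, ...)`, the action constants are placeholders with the libseccomp names, and the buggy and fixed versions of the cached lookup are shown side by side.

```c
#include <stdint.h>
#include <stdbool.h>

/* Placeholder action values, named like the libseccomp macros (assumption). */
#define SCMP_ACT_TRAP          0x00030000U
#define SCMP_ACT_KILL_PROCESS  0x80000000U

/* Hypothetical probe: returns 0 when the kernel reports that
 * SECCOMP_RET_KILL_PROCESS is available, non-zero otherwise. */
typedef int (*probe_fn)(void);

/* Pre-fix logic: the reset after the if discards a successful probe,
 * so the cache always ends up 0 and only the thread is ever killed. */
static uint32_t get_action_buggy(probe_fn probe, int *cache)
{
    if (*cache == -1) {               /* -1 means "not probed yet" */
        if (probe() == 0) {
            *cache = 1;
        }
        *cache = 0;                   /* bug: unconditional overwrite */
    }
    return *cache == 1 ? SCMP_ACT_KILL_PROCESS : SCMP_ACT_TRAP;
}

/* Post-fix logic: the reset moves into the else branch, so a
 * successful probe is remembered across calls. */
static uint32_t get_action_fixed(probe_fn probe, int *cache)
{
    if (*cache == -1) {
        if (probe() == 0) {
            *cache = 1;
        } else {
            *cache = 0;
        }
    }
    return *cache == 1 ? SCMP_ACT_KILL_PROCESS : SCMP_ACT_TRAP;
}

/* Constructed kernels: one with KILL_PROCESS support, one without. */
static int probe_supported(void)   { return 0; }
static int probe_unsupported(void) { return -1; }

/* True when, on a supporting kernel, the fixed code escalates to
 * KILL_PROCESS while the buggy code silently stays at TRAP. */
bool demonstrate_regression(void)
{
    int buggy_cache = -1, fixed_cache = -1;
    uint32_t buggy = get_action_buggy(probe_supported, &buggy_cache);
    uint32_t fixed = get_action_fixed(probe_supported, &fixed_cache);
    return buggy == SCMP_ACT_TRAP && fixed == SCMP_ACT_KILL_PROCESS;
}
```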

@ -69,7 +69,7 @@ Obsoletes: %1-rhev
Summary: QEMU is a machine emulator and virtualizer
Name: qemu-kvm
Version: 5.1.0
Release: 7%{?dist}
Release: 8%{?dist}
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 15
License: GPLv2 and GPLv2+ and CC-BY
@ -185,6 +185,14 @@ Patch57: kvm-target-arm-Move-start-powered-off-property-to-generi.patch
Patch58: kvm-target-arm-Move-setting-of-CPU-halted-state-to-gener.patch
# For bz#1849483 - Failed to boot up guest when hotplugging vcpus on bios stage
Patch59: kvm-ppc-spapr-Use-start-powered-off-CPUState-property.patch
# For bz#1738820 - '-F' option of qemu-ga command cause the guest-fsfreeze-freeze command doesn't work
Patch60: kvm-redhat-link-etc-qemu-ga-fsfreeze-hook-to-etc-qemu-kv.patch
# For bz#1752376 - qemu use SCMP_ACT_TRAP even SCMP_ACT_KILL_PROCESS is available
Patch61: kvm-seccomp-fix-killing-of-whole-process-instead-of-thre.patch
# For bz#1867075 - CVE-2020-10756 virt:8.3/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-av-8]
Patch62: kvm-Revert-Drop-bogus-IPv6-messages.patch
# For bz#1821528 - missing namespace attribute when access the rbd image with namespace
Patch63: kvm-block-rbd-add-namespace-to-qemu_rbd_strong_runtime_o.patch
BuildRequires: wget
BuildRequires: rpm-build
@ -756,6 +764,11 @@ install -m 0644 %{_sourcedir}/99-qemu-guest-agent.rules %{buildroot}%{_udevrules
install -D --preserve-timestamps \
scripts/qemu-guest-agent/fsfreeze-hook \
$RPM_BUILD_ROOT%{_sysconfdir}/qemu-ga/fsfreeze-hook
# Workaround for the missing /etc/qemu-kvm/fsfreeze-hook
# Please, do not carry this over to RHEL-9
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/qemu-kvm/
ln -s %{_sysconfdir}/qemu-ga/fsfreeze-hook \
$RPM_BUILD_ROOT%{_sysconfdir}/qemu-kvm/fsfreeze-hook
# - the directory for user scripts:
mkdir $RPM_BUILD_ROOT%{_sysconfdir}/qemu-ga/fsfreeze-hook.d
@ -1119,6 +1132,7 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
%{_udevrulesdir}/99-qemu-guest-agent.rules
%config(noreplace) %{_sysconfdir}/sysconfig/qemu-ga
%{_sysconfdir}/qemu-ga
%{_sysconfdir}/qemu-kvm/fsfreeze-hook
%{_datadir}/%{name}/qemu-ga
%dir %{_localstatedir}/log/qemu-ga
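Review bot: %files lists the symlink %{_sysconfdir}/qemu-kvm/fsfreeze-hook but not the %{_sysconfdir}/qemu-kvm/ directory that the install section creates with `mkdir -p`; unless another package already owns /etc/qemu-kvm, add a `%dir %{_sysconfdir}/qemu-kvm` entry so the directory is owned by the package and removed on uninstall.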
@ -1144,6 +1158,20 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
%changelog
* Thu Sep 17 2020 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 5.1.0-8.el8
- kvm-redhat-link-etc-qemu-ga-fsfreeze-hook-to-etc-qemu-kv.patch [bz#1738820]
- kvm-seccomp-fix-killing-of-whole-process-instead-of-thre.patch [bz#1752376]
- kvm-Revert-Drop-bogus-IPv6-messages.patch [bz#1867075]
- kvm-block-rbd-add-namespace-to-qemu_rbd_strong_runtime_o.patch [bz#1821528]
- Resolves: bz#1738820
('-F' option of qemu-ga command cause the guest-fsfreeze-freeze command doesn't work)
- Resolves: bz#1752376
(qemu use SCMP_ACT_TRAP even SCMP_ACT_KILL_PROCESS is available)
- Resolves: bz#1821528
(missing namespace attribute when access the rbd image with namespace)
- Resolves: bz#1867075
(CVE-2020-10756 virt:8.3/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-av-8])
* Tue Sep 15 2020 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 5.1.0-7.el8
- kvm-target-ppc-Add-experimental-option-for-enabling-secu.patch [bz#1789757 bz#1870384]
- kvm-target-arm-Move-start-powered-off-property-to-generi.patch [bz#1849483]