* Thu Sep 17 2020 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 5.1.0-8.el8

- kvm-redhat-link-etc-qemu-ga-fsfreeze-hook-to-etc-qemu-kv.patch [bz#1738820] - kvm-seccomp-fix-killing-of-whole-process-instead-of-thre.patch [bz#1752376] - kvm-Revert-Drop-bogus-IPv6-messages.patch [bz#1867075] - kvm-block-rbd-add-namespace-to-qemu_rbd_strong_runtime_o.patch [bz#1821528] - Resolves: bz#1738820 ('-F' option of qemu-ga command cause the guest-fsfreeze-freeze command doesn't work) - Resolves: bz#1752376 (qemu use SCMP_ACT_TRAP even SCMP_ACT_KILL_PROCESS is available) - Resolves: bz#1821528 (missing namespace attribute when access the rbd image with namespace) - Resolves: bz#1867075 (CVE-2020-10756 virt:8.3/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-av-8])
2020-09-17 14:02:36 -04:00 · 2020-09-17 14:02:36 -04:00 · 811a9b1b70
parent 7b68902699
commit 811a9b1b70
5 changed files with 268 additions and 1 deletions
--- a/kvm-Revert-Drop-bogus-IPv6-messages.patch
+++ b/kvm-Revert-Drop-bogus-IPv6-messages.patch
@ -0,0 +1,48 @@
+From 40ce2a0e9f0a9d5c00ba82f187802fdf0a0702d0 Mon Sep 17 00:00:00 2001
+From: Danilo de Paula <ddepaula@redhat.com>
+Date: Wed, 16 Sep 2020 01:25:22 -0400
+Subject: [PATCH 3/4] Revert "Drop bogus IPv6 messages"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Danilo de Paula <ddepaula@redhat.com>
+Message-id: <20200916012522.1183051-2-ddepaula@redhat.com>
+Patchwork-id: 98394
+O-Subject: [RHEL-AV-8.3.0 qemu-kvm PATCH 1/1] Revert "Drop bogus IPv6 messages"
+Bugzilla: 1867075
+RH-Acked-by: Jon Maloy <jmaloy@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+This reverts commit 6ceab004edfb7c1f0f03701bc2ae443941468fd7.
+
+This fix was applied during the rebase.
+The commit above just duplicates it.
+
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ slirp/src/ip6_input.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c
+index f7ef354ee4..a83e4f8e3d 100644
+--- a/slirp/src/ip6_input.c
+++ b/slirp/src/ip6_input.c
+@@ -56,13 +56,6 @@ void ip6_input(struct mbuf *m)
+         goto bad;
+     }
+ 
+-    // Check if the message size is big enough to hold what's
+-    // set in the payload length header. If not this is an invalid
+-    // packet
+-    if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
+-        goto bad;
+-    }
+-
+     /* check ip_ttl for a correct ICMP reply */
+     if (ip6->ip_hl == 0) {
+         icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
+-- 
+2.27.0
+
--- a/kvm-block-rbd-add-namespace-to-qemu_rbd_strong_runtime_o.patch
+++ b/kvm-block-rbd-add-namespace-to-qemu_rbd_strong_runtime_o.patch
@ -0,0 +1,51 @@
+From ba82420d04b2e2ca69d5ff4720e37dd0748936ea Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Wed, 16 Sep 2020 11:40:25 -0400
+Subject: [PATCH 4/4] block/rbd: add 'namespace' to
+ qemu_rbd_strong_runtime_opts[]
+
+RH-Author: Stefano Garzarella <sgarzare@redhat.com>
+Message-id: <20200916114025.47973-2-sgarzare@redhat.com>
+Patchwork-id: 98399
+O-Subject: [RHEL-AV-8.3.0 qemu-kvm PATCH 1/1] block/rbd: add 'namespace' to qemu_rbd_strong_runtime_opts[]
+Bugzilla: 1821528
+RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Max Reitz <mreitz@redhat.com>
+
+Commit 19ae9ae014 ("block/rbd: Add support for ceph namespaces")
+introduced namespace support for RBD, but we forgot to add the
+new 'namespace' options to qemu_rbd_strong_runtime_opts[].
+
+The 'namespace' is used to identify the image, so it is a strong
+option since it can changes the data of a BDS.
+
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1821528
+Fixes: 19ae9ae014 ("block/rbd: Add support for ceph namespaces")
+Cc: Florian Florensa <fflorensa@online.net>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Message-Id: <20200914190553.74871-1-sgarzare@redhat.com>
+Reviewed-by: Jason Dillaman <dillaman@redhat.com>
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+(cherry picked from commit 7bae7c805d82675eb3a02c744093703d84ada2d6)
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ block/rbd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/block/rbd.c b/block/rbd.c
+index 688074c64b..5356753fbe 100644
+--- a/block/rbd.c
+++ b/block/rbd.c
+@@ -1289,6 +1289,7 @@ static QemuOptsList qemu_rbd_create_opts = {
+ 
+ static const char *const qemu_rbd_strong_runtime_opts[] = {
+     "pool",
+    "namespace",
+     "image",
+     "conf",
+     "snapshot",
+-- 
+2.27.0
+
--- a/kvm-redhat-link-etc-qemu-ga-fsfreeze-hook-to-etc-qemu-kv.patch
+++ b/kvm-redhat-link-etc-qemu-ga-fsfreeze-hook-to-etc-qemu-kv.patch
@ -0,0 +1,61 @@
+From 020501879841afb788087f0455df79367c0337a0 Mon Sep 17 00:00:00 2001
+From: Danilo de Paula <ddepaula@redhat.com>
+Date: Fri, 11 Sep 2020 14:23:22 -0400
+Subject: [PATCH 1/4] redhat: link /etc/qemu-ga/fsfreeze-hook to /etc/qemu-kvm/
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Danilo de Paula <ddepaula@redhat.com>
+Message-id: <20200911142322.1865501-2-ddepaula@redhat.com>
+Patchwork-id: 98358
+O-Subject: [RHEL-AV-8.3.0 qemu-kvm PATCH v2 1/1] redhat: link /etc/qemu-ga/fsfreeze-hook to /etc/qemu-kvm/
+Bugzilla: 1738820
+RH-Acked-by: Eduardo Lima (Etrunko) <etrunko@redhat.com>
+RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+When qemu-ga was introduced to RHEL-8, we used the qemu-guest-agent
+from RHEL-7 as base.
+
+In RHEL-7, qemu-guest-agent is built as standalone package.
+It's built as "qemu-ga", hence the "qemu-ga" folders.
+
+For RHEL-8, that should have been renamed to qemu-kvm, but I missed it.
+Renaming those folders to /etc/qemu-kvm is a no go today, because
+users might have populated the /etc/qemu-ga/fsfreeze-hook.d folder.
+
+So, in order to make qemu-ga -F works in RHEL-8, a link is being
+created in the expected place, pointing to the real one.
+
+Also, fsfreeze-hook opens up the fsfreeze-hook.d on the same PATH where
+it is stored. However, it doesn't follow symlinks. In order to fix this,
+I had to change it to make sure it follows the link.
+
+An option would be to also link the fsfreeze-hook.d folder, but I choose
+not to do so as it creates a permanent/visible change in users
+environments. The downside is to keep another downstream-only change.
+
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ redhat/qemu-kvm.spec.template          | 6 ++++++
+ scripts/qemu-guest-agent/fsfreeze-hook | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+
+diff --git a/scripts/qemu-guest-agent/fsfreeze-hook b/scripts/qemu-guest-agent/fsfreeze-hook
+index 13aafd4845..e9b84ec028 100755
+--- a/scripts/qemu-guest-agent/fsfreeze-hook
+++ b/scripts/qemu-guest-agent/fsfreeze-hook
+@@ -8,7 +8,7 @@
+ # request, it is issued with "thaw" argument after filesystem is thawed.
+ 
+ LOGFILE=/var/log/qga-fsfreeze-hook.log
+-FSFREEZE_D=$(dirname -- "$0")/fsfreeze-hook.d
+FSFREEZE_D=$(dirname -- "$(realpath $0)")/fsfreeze-hook.d
+ 
+ # Check whether file $1 is a backup or rpm-generated file and should be ignored
+ is_ignored_file() {
+-- 
+2.27.0
+
--- a/kvm-seccomp-fix-killing-of-whole-process-instead-of-thre.patch
+++ b/kvm-seccomp-fix-killing-of-whole-process-instead-of-thre.patch
@ -0,0 +1,79 @@
+From 4740b2ba008ca469409cf5af58ac85ae5dc7f6a5 Mon Sep 17 00:00:00 2001
+From: Eduardo Otubo <otubo@redhat.com>
+Date: Tue, 15 Sep 2020 15:15:49 -0400
+Subject: [PATCH 2/4] seccomp: fix killing of whole process instead of thread
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Eduardo Otubo <otubo@redhat.com>
+Message-id: <20200915151549.5007-1-otubo@redhat.com>
+Patchwork-id: 98392
+O-Subject: [RHEL-AV-8.3.0/RHEL-8.3.0 qemu-kvm PATCH] seccomp: fix killing of whole process instead of thread
+Bugzilla: 1752376
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Daniel P. Berrange <berrange@redhat.com>
+
+BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1752376
+BRANCH: rhel-av-8.3.0
+UPSTREAM: Merged
+BREW: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=31339152
+
+BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1752376
+BRANCH: rhel-8.3.0
+UPSTREAM: Merged
+BREW: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=31339111
+
+From: Daniel P. Berrangé <berrange@redhat.com>
+
+Back in 2018 we introduced support for killing the whole QEMU process
+instead of just one thread, when a seccomp rule is violated:
+
+  commit bda08a5764d470f101fa38635d30b41179a313e1
+  Author: Marc-André Lureau <marcandre.lureau@redhat.com>
+  Date:   Wed Aug 22 19:02:48 2018 +0200
+
+    seccomp: prefer SCMP_ACT_KILL_PROCESS if available
+
+Fast forward a year and we introduced a patch to avoid killing the
+process for resource control syscalls tickled by Mesa.
+
+  commit 9a1565a03b79d80b236bc7cc2dbce52a2ef3a1b8
+  Author: Daniel P. Berrangé <berrange@redhat.com>
+  Date:   Wed Mar 13 09:49:03 2019 +0000
+
+    seccomp: don't kill process for resource control syscalls
+
+Unfortunately a logic bug effectively reverted the first commit
+mentioned so that we go back to only killing the thread, not the whole
+process.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Acked-by: Eduardo Otubo <otubo@redhat.com>
+(cherry picked from commit e474e3aacf4276eb0781d11c45e2fab996f9dc56)
+Signed-off-by: Eduardo Otubo <otubo@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ qemu-seccomp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index e0a1829b3d..8325ecb766 100644
+--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
+@@ -136,8 +136,9 @@ static uint32_t qemu_seccomp_get_action(int set)
+ 
+             if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) {
+                 kill_process = 1;
+            } else {
+                kill_process = 0;
+             }
+-            kill_process = 0;
+         }
+         if (kill_process == 1) {
+             return SCMP_ACT_KILL_PROCESS;
+-- 
+2.27.0
+
--- a/qemu-kvm.spec
+++ b/qemu-kvm.spec
@ -69,7 +69,7 @@ Obsoletes: %1-rhev
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 5.1.0
-Release: 7%{?dist}
+Release: 8%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
@ -185,6 +185,14 @@ Patch57: kvm-target-arm-Move-start-powered-off-property-to-generi.patch
 Patch58: kvm-target-arm-Move-setting-of-CPU-halted-state-to-gener.patch
 # For bz#1849483 - Failed to boot up guest when hotplugging vcpus on bios stage
 Patch59: kvm-ppc-spapr-Use-start-powered-off-CPUState-property.patch
+# For bz#1738820 - '-F' option of qemu-ga command  cause the guest-fsfreeze-freeze command doesn't work
+Patch60: kvm-redhat-link-etc-qemu-ga-fsfreeze-hook-to-etc-qemu-kv.patch
+# For bz#1752376 - qemu use SCMP_ACT_TRAP even SCMP_ACT_KILL_PROCESS is available
+Patch61: kvm-seccomp-fix-killing-of-whole-process-instead-of-thre.patch
+# For bz#1867075 - CVE-2020-10756 virt:8.3/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-av-8]
+Patch62: kvm-Revert-Drop-bogus-IPv6-messages.patch
+# For bz#1821528 - missing namespace attribute when access the rbd image with namespace
+Patch63: kvm-block-rbd-add-namespace-to-qemu_rbd_strong_runtime_o.patch

 BuildRequires: wget
 BuildRequires: rpm-build
@ -756,6 +764,11 @@ install -m 0644 %{_sourcedir}/99-qemu-guest-agent.rules %{buildroot}%{_udevrules
 install -D --preserve-timestamps \
            scripts/qemu-guest-agent/fsfreeze-hook \
            $RPM_BUILD_ROOT%{_sysconfdir}/qemu-ga/fsfreeze-hook
+# Workaround for the missing /etc/qemu-kvm/fsfreeze-hook
+# Please, do not carry this over to RHEL-9
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/qemu-kvm/
+ln -s %{_sysconfdir}/qemu-ga/fsfreeze-hook \
+      $RPM_BUILD_ROOT%{_sysconfdir}/qemu-kvm/fsfreeze-hook

 # - the directory for user scripts:
 mkdir $RPM_BUILD_ROOT%{_sysconfdir}/qemu-ga/fsfreeze-hook.d
@ -1119,6 +1132,7 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %{_udevrulesdir}/99-qemu-guest-agent.rules
 %config(noreplace) %{_sysconfdir}/sysconfig/qemu-ga
 %{_sysconfdir}/qemu-ga
+%{_sysconfdir}/qemu-kvm/fsfreeze-hook
 %{_datadir}/%{name}/qemu-ga
 %dir %{_localstatedir}/log/qemu-ga

@ -1144,6 +1158,20 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \


 %changelog
+* Thu Sep 17 2020 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 5.1.0-8.el8
+- kvm-redhat-link-etc-qemu-ga-fsfreeze-hook-to-etc-qemu-kv.patch [bz#1738820]
+- kvm-seccomp-fix-killing-of-whole-process-instead-of-thre.patch [bz#1752376]
+- kvm-Revert-Drop-bogus-IPv6-messages.patch [bz#1867075]
+- kvm-block-rbd-add-namespace-to-qemu_rbd_strong_runtime_o.patch [bz#1821528]
+- Resolves: bz#1738820
+  ('-F' option of qemu-ga command  cause the guest-fsfreeze-freeze command doesn't work)
+- Resolves: bz#1752376
+  (qemu use SCMP_ACT_TRAP even SCMP_ACT_KILL_PROCESS is available)
+- Resolves: bz#1821528
+  (missing namespace attribute when access the rbd image with namespace)
+- Resolves: bz#1867075
+  (CVE-2020-10756 virt:8.3/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-av-8])
+
 * Tue Sep 15 2020 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 5.1.0-7.el8
 - kvm-target-ppc-Add-experimental-option-for-enabling-secu.patch [bz#1789757 bz#1870384]
 - kvm-target-arm-Move-start-powered-off-property-to-generi.patch [bz#1849483]