From 811a9b1b706f2992d69a6355c8c3b06ad0faf830 Mon Sep 17 00:00:00 2001
From: "Danilo C. L. de Paula"
Date: Thu, 17 Sep 2020 14:02:36 -0400
Subject: [PATCH] * Thu Sep 17 2020 Danilo Cesar Lemes de Paula - 5.1.0-8.el8
- kvm-redhat-link-etc-qemu-ga-fsfreeze-hook-to-etc-qemu-kv.patch [bz#1738820]
- kvm-seccomp-fix-killing-of-whole-process-instead-of-thre.patch [bz#1752376]
- kvm-Revert-Drop-bogus-IPv6-messages.patch [bz#1867075]
- kvm-block-rbd-add-namespace-to-qemu_rbd_strong_runtime_o.patch [bz#1821528]
- Resolves: bz#1738820 ('-F' option of qemu-ga command cause the guest-fsfreeze-freeze command doesn't work)
- Resolves: bz#1752376 (qemu use SCMP_ACT_TRAP even SCMP_ACT_KILL_PROCESS is available)
- Resolves: bz#1821528 (missing namespace attribute when access the rbd image with namespace)
- Resolves: bz#1867075 (CVE-2020-10756 virt:8.3/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-av-8])
---
 kvm-Revert-Drop-bogus-IPv6-messages.patch | 48 +++++++++++
 ...mespace-to-qemu_rbd_strong_runtime_o.patch | 51 ++++++++++++
 ...qemu-ga-fsfreeze-hook-to-etc-qemu-kv.patch | 61 ++++++++++++++
 ...ing-of-whole-process-instead-of-thre.patch | 79 +++++++++++++++++++
 qemu-kvm.spec | 30 ++++++-
 5 files changed, 268 insertions(+), 1 deletion(-)
 create mode 100644 kvm-Revert-Drop-bogus-IPv6-messages.patch
 create mode 100644 kvm-block-rbd-add-namespace-to-qemu_rbd_strong_runtime_o.patch
 create mode 100644 kvm-redhat-link-etc-qemu-ga-fsfreeze-hook-to-etc-qemu-kv.patch
 create mode 100644 kvm-seccomp-fix-killing-of-whole-process-instead-of-thre.patch
diff --git a/kvm-Revert-Drop-bogus-IPv6-messages.patch b/kvm-Revert-Drop-bogus-IPv6-messages.patch
new file mode 100644
index 0000000..5ac7159
--- /dev/null
+++ b/kvm-Revert-Drop-bogus-IPv6-messages.patch
@@ -0,0 +1,48 @@
+From 40ce2a0e9f0a9d5c00ba82f187802fdf0a0702d0 Mon Sep 17 00:00:00 2001
+From: Danilo de Paula
+Date: Wed, 16 Sep 2020 01:25:22 -0400
+Subject: [PATCH 3/4] Revert "Drop bogus IPv6 messages"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Danilo de Paula
+Message-id: <20200916012522.1183051-2-ddepaula@redhat.com>
+Patchwork-id: 98394
+O-Subject: [RHEL-AV-8.3.0 qemu-kvm PATCH 1/1] Revert "Drop bogus IPv6 messages"
+Bugzilla: 1867075
+RH-Acked-by: Jon Maloy
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Marc-André Lureau
+
+This reverts commit 6ceab004edfb7c1f0f03701bc2ae443941468fd7.
+
+This fix was applied during the rebase.
+The commit above just duplicates it.
+
+Signed-off-by: Danilo C. L. de Paula
+---
+ slirp/src/ip6_input.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c
+index f7ef354ee4..a83e4f8e3d 100644
+--- a/slirp/src/ip6_input.c
++++ b/slirp/src/ip6_input.c
+@@ -56,13 +56,6 @@ void ip6_input(struct mbuf *m)
+ goto bad;
+ }
+
+- // Check if the message size is big enough to hold what's
+- // set in the payload length header. If not this is an invalid
+- // packet
+- if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
+- goto bad;
+- }
+-
+ /* check ip_ttl for a correct ICMP reply */
+ if (ip6->ip_hl == 0) {
+ icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
+--
+2.27.0
+
diff --git a/kvm-block-rbd-add-namespace-to-qemu_rbd_strong_runtime_o.patch b/kvm-block-rbd-add-namespace-to-qemu_rbd_strong_runtime_o.patch
new file mode 100644
index 0000000..932bc30
--- /dev/null
+++ b/kvm-block-rbd-add-namespace-to-qemu_rbd_strong_runtime_o.patch
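Review bot: The inner hunk deletes the `m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)` guard from ip6_input(), and the only justification is the description's statement that the rebase already carries this fix, which nothing in the hunk's context lines shows; since qemu-kvm.spec files this patch under bz#1867075 / CVE-2020-10756, the description should identify the surviving payload-length check so a reviewer can confirm the validation still runs before the header is used. Suggested wording for the description: `The equivalent m_len vs. ip_pl check was already added to ip6_input() during the rebase (see <rebase commit placeholder>); this removes the duplicate.` ip6_input() starts and ends outside the hunk, so the surviving check, if present, is not visible here.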
@@ -0,0 +1,51 @@
+From ba82420d04b2e2ca69d5ff4720e37dd0748936ea Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella
+Date: Wed, 16 Sep 2020 11:40:25 -0400
+Subject: [PATCH 4/4] block/rbd: add 'namespace' to
+ qemu_rbd_strong_runtime_opts[]
+
+RH-Author: Stefano Garzarella
+Message-id: <20200916114025.47973-2-sgarzare@redhat.com>
+Patchwork-id: 98399
+O-Subject: [RHEL-AV-8.3.0 qemu-kvm PATCH 1/1] block/rbd: add 'namespace' to qemu_rbd_strong_runtime_opts[]
+Bugzilla: 1821528
+RH-Acked-by: Danilo de Paula
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Max Reitz
+
+Commit 19ae9ae014 ("block/rbd: Add support for ceph namespaces")
+introduced namespace support for RBD, but we forgot to add the
+new 'namespace' options to qemu_rbd_strong_runtime_opts[].
+
+The 'namespace' is used to identify the image, so it is a strong
+option since it can changes the data of a BDS.
+
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1821528
+Fixes: 19ae9ae014 ("block/rbd: Add support for ceph namespaces")
+Cc: Florian Florensa
+Signed-off-by: Stefano Garzarella
+Message-Id: <20200914190553.74871-1-sgarzare@redhat.com>
+Reviewed-by: Jason Dillaman
+Signed-off-by: Max Reitz
+(cherry picked from commit 7bae7c805d82675eb3a02c744093703d84ada2d6)
+Signed-off-by: Stefano Garzarella
+Signed-off-by: Danilo C. L. de Paula
+---
+ block/rbd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/block/rbd.c b/block/rbd.c
+index 688074c64b..5356753fbe 100644
+--- a/block/rbd.c
++++ b/block/rbd.c
+@@ -1289,6 +1289,7 @@ static QemuOptsList qemu_rbd_create_opts = {
+
+ static const char *const qemu_rbd_strong_runtime_opts[] = {
+ "pool",
++ "namespace",
+ "image",
+ "conf",
+ "snapshot",
+--
+2.27.0
+
diff --git a/kvm-redhat-link-etc-qemu-ga-fsfreeze-hook-to-etc-qemu-kv.patch b/kvm-redhat-link-etc-qemu-ga-fsfreeze-hook-to-etc-qemu-kv.patch
new file mode 100644
index 0000000..069ed3a
--- /dev/null
+++ b/kvm-redhat-link-etc-qemu-ga-fsfreeze-hook-to-etc-qemu-kv.patch
@@ -0,0 +1,61 @@
+From 020501879841afb788087f0455df79367c0337a0 Mon Sep 17 00:00:00 2001
+From: Danilo de Paula
+Date: Fri, 11 Sep 2020 14:23:22 -0400
+Subject: [PATCH 1/4] redhat: link /etc/qemu-ga/fsfreeze-hook to /etc/qemu-kvm/
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Danilo de Paula
+Message-id: <20200911142322.1865501-2-ddepaula@redhat.com>
+Patchwork-id: 98358
+O-Subject: [RHEL-AV-8.3.0 qemu-kvm PATCH v2 1/1] redhat: link /etc/qemu-ga/fsfreeze-hook to /etc/qemu-kvm/
+Bugzilla: 1738820
+RH-Acked-by: Eduardo Lima (Etrunko)
+RH-Acked-by: Marc-André Lureau
+RH-Acked-by: Miroslav Rezanina
+
+When qemu-ga was introduced to RHEL-8, we used the qemu-guest-agent
+from RHEL-7 as base.
+
+In RHEL-7, qemu-guest-agent is built as standalone package.
+It's built as "qemu-ga", hence the "qemu-ga" folders.
+
+For RHEL-8, that should have been renamed to qemu-kvm, but I missed it.
+Renaming those folders to /etc/qemu-kvm is a no go today, because
+users might have populated the /etc/qemu-ga/fsfreeze-hook.d folder.
+
+So, in order to make qemu-ga -F works in RHEL-8, a link is being
+created in the expected place, pointing to the real one.
+
+Also, fsfreeze-hook opens up the fsfreeze-hook.d on the same PATH where
+it is stored. However, it doesn't follow symlinks. In order to fix this,
+I had to change it to make sure it follows the link.
+
+An option would be to also link the fsfreeze-hook.d folder, but I choose
+not to do so as it creates a permanent/visible change in users
+environments. The downside is to keep another downstream-only change.
+
+Signed-off-by: Danilo C. L. 
de Paula
+---
+ redhat/qemu-kvm.spec.template | 6 ++++++
+ scripts/qemu-guest-agent/fsfreeze-hook | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+
+diff --git a/scripts/qemu-guest-agent/fsfreeze-hook b/scripts/qemu-guest-agent/fsfreeze-hook
+index 13aafd4845..e9b84ec028 100755
+--- a/scripts/qemu-guest-agent/fsfreeze-hook
++++ b/scripts/qemu-guest-agent/fsfreeze-hook
+@@ -8,7 +8,7 @@
+ # request, it is issued with "thaw" argument after filesystem is thawed.
+
+ LOGFILE=/var/log/qga-fsfreeze-hook.log
+-FSFREEZE_D=$(dirname -- "$0")/fsfreeze-hook.d
++FSFREEZE_D=$(dirname -- "$(realpath $0)")/fsfreeze-hook.d
+
+ # Check whether file $1 is a backup or rpm-generated file and should be ignored
+ is_ignored_file() {
+--
+2.27.0
+
diff --git a/kvm-seccomp-fix-killing-of-whole-process-instead-of-thre.patch b/kvm-seccomp-fix-killing-of-whole-process-instead-of-thre.patch
new file mode 100644
index 0000000..f2dee26
--- /dev/null
+++ b/kvm-seccomp-fix-killing-of-whole-process-instead-of-thre.patch
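Review bot: `$0` is unquoted inside the new `$(realpath $0)` on the FSFREEZE_D line, so a script path containing whitespace or glob characters is word-split before realpath sees it, whereas the replaced line kept `"$0"` quoted; suggest `FSFREEZE_D=$(dirname -- "$(realpath -- "$0")")/fsfreeze-hook.d`. realpath is a coreutils command rather than POSIX sh, which fits the RHEL target this downstream-only change is scoped to, but the description could say so explicitly. The description's diffstat lists redhat/qemu-kvm.spec.template, yet no hunk for it is carried in this patch file; presumably those changes are applied directly to qemu-kvm.spec in this commit.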
@@ -0,0 +1,79 @@
+From 4740b2ba008ca469409cf5af58ac85ae5dc7f6a5 Mon Sep 17 00:00:00 2001
+From: Eduardo Otubo
+Date: Tue, 15 Sep 2020 15:15:49 -0400
+Subject: [PATCH 2/4] seccomp: fix killing of whole process instead of thread
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Eduardo Otubo
+Message-id: <20200915151549.5007-1-otubo@redhat.com>
+Patchwork-id: 98392
+O-Subject: [RHEL-AV-8.3.0/RHEL-8.3.0 qemu-kvm PATCH] seccomp: fix killing of whole process instead of thread
+Bugzilla: 1752376
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Laszlo Ersek
+RH-Acked-by: Daniel P. Berrange
+
+BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1752376
+BRANCH: rhel-av-8.3.0
+UPSTREAM: Merged
+BREW: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=31339152
+
+BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1752376
+BRANCH: rhel-8.3.0
+UPSTREAM: Merged
+BREW: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=31339111
+
+From: Daniel P. Berrangé
+
+Back in 2018 we introduced support for killing the whole QEMU process
+instead of just one thread, when a seccomp rule is violated:
+
+ commit bda08a5764d470f101fa38635d30b41179a313e1
+ Author: Marc-André Lureau
+ Date: Wed Aug 22 19:02:48 2018 +0200
+
+ seccomp: prefer SCMP_ACT_KILL_PROCESS if available
+
+Fast forward a year and we introduced a patch to avoid killing the
+process for resource control syscalls tickled by Mesa.
+
+ commit 9a1565a03b79d80b236bc7cc2dbce52a2ef3a1b8
+ Author: Daniel P. Berrangé
+ Date: Wed Mar 13 09:49:03 2019 +0000
+
+ seccomp: don't kill process for resource control syscalls
+
+Unfortunately a logic bug effectively reverted the first commit
+mentioned so that we go back to only killing the thread, not the whole
+process.
+
+Signed-off-by: Daniel P. 
Berrangé
+Reviewed-by: Stefan Hajnoczi
+Acked-by: Eduardo Otubo
+(cherry picked from commit e474e3aacf4276eb0781d11c45e2fab996f9dc56)
+Signed-off-by: Eduardo Otubo
+Signed-off-by: Danilo C. L. de Paula
+---
+ qemu-seccomp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index e0a1829b3d..8325ecb766 100644
+--- a/qemu-seccomp.c
++++ b/qemu-seccomp.c
+@@ -136,8 +136,9 @@ static uint32_t qemu_seccomp_get_action(int set)
+
+ if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) {
+ kill_process = 1;
++ } else {
++ kill_process = 0;
+ }
+- kill_process = 0;
+ }
+ if (kill_process == 1) {
+ return SCMP_ACT_KILL_PROCESS;
+--
+2.27.0
+
diff --git a/qemu-kvm.spec b/qemu-kvm.spec
index 64848ce..6436e1a 100644
--- a/qemu-kvm.spec
+++ b/qemu-kvm.spec
@@ -69,7 +69,7 @@ Obsoletes: %1-rhev
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 5.1.0
-Release: 7%{?dist}
+Release: 8%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
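Review bot: The new `} else { kill_process = 0; }` branch is the right fix — the unconditional `kill_process = 0;` it replaces discarded the positive probe result on every call — but the probe site still carries no comment explaining what a zero return from `qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action)` means or why the result is being stored rather than recomputed, which is exactly the reasoning the earlier regression lost. Suggest a comment above that `if` line such as `/* Ask the kernel once whether the action in 'action' is supported; keep the answer so later calls do not re-probe and the whole-process kill is not silently downgraded. */`. qemu_seccomp_get_action() starts and ends outside the hunk, so the declaration of `kill_process`, the value assigned to `action`, and the fallback return are not visible here and the comment should be checked against them.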
@@ -185,6 +185,14 @@ Patch57: kvm-target-arm-Move-start-powered-off-property-to-generi.patch
 Patch58: kvm-target-arm-Move-setting-of-CPU-halted-state-to-gener.patch
 # For bz#1849483 - Failed to boot up guest when hotplugging vcpus on bios stage
 Patch59: kvm-ppc-spapr-Use-start-powered-off-CPUState-property.patch
+# For bz#1738820 - '-F' option of qemu-ga command cause the guest-fsfreeze-freeze command doesn't work
+Patch60: kvm-redhat-link-etc-qemu-ga-fsfreeze-hook-to-etc-qemu-kv.patch
+# For bz#1752376 - qemu use SCMP_ACT_TRAP even SCMP_ACT_KILL_PROCESS is available
+Patch61: kvm-seccomp-fix-killing-of-whole-process-instead-of-thre.patch
+# For bz#1867075 - CVE-2020-10756 virt:8.3/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-av-8]
+Patch62: kvm-Revert-Drop-bogus-IPv6-messages.patch
+# For bz#1821528 - missing namespace attribute when access the rbd image with namespace
+Patch63: kvm-block-rbd-add-namespace-to-qemu_rbd_strong_runtime_o.patch
 
 BuildRequires: wget
 BuildRequires: rpm-build
@@ -756,6 +764,11 @@ install -m 0644 %{_sourcedir}/99-qemu-guest-agent.rules %{buildroot}%{_udevrules
 install -D --preserve-timestamps \
 scripts/qemu-guest-agent/fsfreeze-hook \
 $RPM_BUILD_ROOT%{_sysconfdir}/qemu-ga/fsfreeze-hook
+# Workaround for the missing /etc/qemu-kvm/fsfreeze-hook
+# Please, do not carry this over to RHEL-9
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/qemu-kvm/
+ln -s %{_sysconfdir}/qemu-ga/fsfreeze-hook \
+ $RPM_BUILD_ROOT%{_sysconfdir}/qemu-kvm/fsfreeze-hook
 
 # - the directory for user scripts:
 mkdir $RPM_BUILD_ROOT%{_sysconfdir}/qemu-ga/fsfreeze-hook.d
@@ -1119,6 +1132,7 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %{_udevrulesdir}/99-qemu-guest-agent.rules
 %config(noreplace) %{_sysconfdir}/sysconfig/qemu-ga
 %{_sysconfdir}/qemu-ga
+%{_sysconfdir}/qemu-kvm/fsfreeze-hook
 %{_datadir}/%{name}/qemu-ga
 %dir %{_localstatedir}/log/qemu-ga
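Review bot: The %install hunk creates `$RPM_BUILD_ROOT%{_sysconfdir}/qemu-kvm/` but the %files hunk only lists `%{_sysconfdir}/qemu-kvm/fsfreeze-hook`, so the /etc/qemu-kvm directory itself is not owned by this %files section; unless another %files section outside the hunk claims it, a guest that installs only the guest-agent subpackage gets an unowned directory that is left behind on package removal. Suggest adding `%dir %{_sysconfdir}/qemu-kvm` beside the new symlink entry in the %files hunk. The same point applies to the %install hunk above it, which is where the directory is created; the "do not carry this over to RHEL-9" comment there would also be a good place to note that the symlink exists only so `qemu-ga -F` finds its hook at the path it expects.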
@@ -1144,6 +1158,20 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %changelog
+* Thu Sep 17 2020 Danilo Cesar Lemes de Paula - 5.1.0-8.el8
+- kvm-redhat-link-etc-qemu-ga-fsfreeze-hook-to-etc-qemu-kv.patch [bz#1738820]
+- kvm-seccomp-fix-killing-of-whole-process-instead-of-thre.patch [bz#1752376]
+- kvm-Revert-Drop-bogus-IPv6-messages.patch [bz#1867075]
+- kvm-block-rbd-add-namespace-to-qemu_rbd_strong_runtime_o.patch [bz#1821528]
+- Resolves: bz#1738820
+ ('-F' option of qemu-ga command cause the guest-fsfreeze-freeze command doesn't work)
+- Resolves: bz#1752376
+ (qemu use SCMP_ACT_TRAP even SCMP_ACT_KILL_PROCESS is available)
+- Resolves: bz#1821528
+ (missing namespace attribute when access the rbd image with namespace)
+- Resolves: bz#1867075
+ (CVE-2020-10756 virt:8.3/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-av-8])
+
 * Tue Sep 15 2020 Danilo Cesar Lemes de Paula - 5.1.0-7.el8
 - kvm-target-ppc-Add-experimental-option-for-enabling-secu.patch [bz#1789757 bz#1870384]
 - kvm-target-arm-Move-start-powered-off-property-to-generi.patch [bz#1849483]