From 9769489cb1ed070cb1527259bd54f654ec03cfd5 Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina
Date: Mon, 7 Feb 2022 06:52:23 -0500
Subject: [PATCH] * Mon Feb 07 2022 Miroslav Rezanina - 6.2.0-7
- kvm-qemu-storage-daemon-Add-vhost-user-blk-help.patch [bz#1962088]
- kvm-qemu-storage-daemon-Fix-typo-in-vhost-user-blk-help.patch [bz#1962088]
- kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch [bz#2046201]
- kvm-block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch [bz#2034791]
- kvm-block-rbd-workaround-for-ceph-issue-53784.patch [bz#2034791]
- Resolves: bz#1962088 ([QSD] wrong help message for the fuse)
- Resolves: bz#2046201 (CVE-2022-0358 qemu-kvm: QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405 [rhel-9.0])
- Resolves: bz#2034791 (Booting from Local Snapshot Core Dumped Whose Backing File Is Based on RBD)
---
...ndling-of-holes-in-.bdrv_co_block_st.patch | 59 ++++++++++
...-rbd-workaround-for-ceph-issue-53784.patch | 103 ++++++++++++++++
...orage-daemon-Add-vhost-user-blk-help.patch | 72 ++++++++++++
...emon-Fix-typo-in-vhost-user-blk-help.patch | 41 +++++++
...embership-of-all-supplementary-group.patch | 110 ++++++++++++++++++
qemu-kvm.spec | 25 +++-
6 files changed, 409 insertions(+), 1 deletion(-)
create mode 100644 kvm-block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch
create mode 100644 kvm-block-rbd-workaround-for-ceph-issue-53784.patch
create mode 100644 kvm-qemu-storage-daemon-Add-vhost-user-blk-help.patch
create mode 100644 kvm-qemu-storage-daemon-Fix-typo-in-vhost-user-blk-help.patch
create mode 100644 kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch
diff --git a/kvm-block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch b/kvm-block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch
new file mode 100644
index 0000000..39aa96c
--- /dev/null
+++ b/kvm-block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch
@@ -0,0 +1,59 @@
+From d374d5aa4485a0c62d6b48eec64491cae2fd0873 Mon Sep 17 00:00:00 2001
+From: Peter Lieven
+Date: Thu, 13 Jan 2022 15:44:25 +0100
+Subject: [PATCH 4/5] block/rbd: fix handling of holes in .bdrv_co_block_status
+
+RH-Author: Stefano Garzarella
+RH-MergeRequest: 68: block/rbd: fix handling of holes in .bdrv_co_block_status
+RH-Commit: [1/2] 8ef178b01885e3c292f7844ccff865b1a8d4faf0 (sgarzarella/qemu-kvm-c-9-s)
+RH-Bugzilla: 2034791
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Kevin Wolf
+RH-Acked-by: Hanna Reitz
+
+the assumption that we can't hit a hole if we do not diff against a snapshot was wrong.
+
+We can see a hole in an image if we diff against base if there exists an older snapshot
+of the image and we have discarded blocks in the image where the snapshot has data.
+
+Fix this by simply handling a hole like an unallocated area. There are no callbacks
+for unallocated areas so just bail out if we hit a hole.
+
+Fixes: 0347a8fd4c3faaedf119be04c197804be40a384b
+Suggested-by: Ilya Dryomov
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Lieven
+Message-Id: <20220113144426.4036493-2-pl@kamp.de>
+Reviewed-by: Ilya Dryomov
+Reviewed-by: Stefano Garzarella
+Signed-off-by: Kevin Wolf
+(cherry picked from commit 9e302f64bb407a9bb097b626da97228c2654cfee)
+Signed-off-by: Stefano Garzarella
+---
+ block/rbd.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/block/rbd.c b/block/rbd.c
+index def96292e0..20bb896c4a 100644
+--- a/block/rbd.c
++++ b/block/rbd.c
+@@ -1279,11 +1279,11 @@ static int qemu_rbd_diff_iterate_cb(uint64_t offs, size_t len,
+ RBDDiffIterateReq *req = opaque;
+
+ assert(req->offs + req->bytes <= offs);
+- /*
+- * we do not diff against a snapshot so we should never receive a callback
+- * for a hole.
+- */
+- assert(exists);
++
++ /* treat a hole like an unallocated area and bail out */
++ if (!exists) {
++ return 0;
++ }
+
+ if (!req->exists && offs > req->offs) {
+ /*
+--
+2.27.0
+
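Review bot: The added comment `/* treat a hole like an unallocated area and bail out */` says "bail out", yet the branch returns 0 rather than an early-stop value, and nothing in this hunk shows 0 ending the iteration (the sibling rbd patch in this commit checks QEMU_RBD_EXIT_DIFF_ITERATE2 as the early-stop return), so a reader may conclude the hole terminates the walk when it is presumably just skipped. Suggest `/* a hole is reported like an unallocated area: skip it; the next allocated extent, if any, ends the current run */`, assuming 0 does mean "continue" for rbd_diff_iterate2 callbacks. qemu_rbd_diff_iterate_cb continues past the end of the hunk.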
diff --git a/kvm-block-rbd-workaround-for-ceph-issue-53784.patch b/kvm-block-rbd-workaround-for-ceph-issue-53784.patch
new file mode 100644
index 0000000..dd3876e
--- /dev/null
+++ b/kvm-block-rbd-workaround-for-ceph-issue-53784.patch
@@ -0,0 +1,103 @@
+From f035b5250529eed8d12e0b93b1b6d6f2c50003f6 Mon Sep 17 00:00:00 2001
+From: Peter Lieven
+Date: Thu, 13 Jan 2022 15:44:26 +0100
+Subject: [PATCH 5/5] block/rbd: workaround for ceph issue #53784
+
+RH-Author: Stefano Garzarella
+RH-MergeRequest: 68: block/rbd: fix handling of holes in .bdrv_co_block_status
+RH-Commit: [2/2] 5feaa2e20a77886cc1a84cdf212ade3dcda28289 (sgarzarella/qemu-kvm-c-9-s)
+RH-Bugzilla: 2034791
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Kevin Wolf
+RH-Acked-by: Hanna Reitz
+
+librbd had a bug until early 2022 that affected all versions of ceph that
+supported fast-diff. This bug results in reporting of incorrect offsets
+if the offset parameter to rbd_diff_iterate2 is not object aligned.
+
+This patch works around this bug for pre Quincy versions of librbd.
+
+Fixes: 0347a8fd4c3faaedf119be04c197804be40a384b
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Lieven
+Message-Id: <20220113144426.4036493-3-pl@kamp.de>
+Reviewed-by: Ilya Dryomov
+Reviewed-by: Stefano Garzarella
+Tested-by: Stefano Garzarella
+Signed-off-by: Kevin Wolf
+(cherry picked from commit fc176116cdea816ceb8dd969080b2b95f58edbc0)
+Signed-off-by: Stefano Garzarella
+---
+ block/rbd.c | 42 ++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 40 insertions(+), 2 deletions(-)
+
+diff --git a/block/rbd.c b/block/rbd.c
+index 20bb896c4a..8f183eba2a 100644
+--- a/block/rbd.c
++++ b/block/rbd.c
+@@ -1320,6 +1320,7 @@ static int coroutine_fn qemu_rbd_co_block_status(BlockDriverState *bs,
+ int status, r;
+ RBDDiffIterateReq req = { .offs = offset };
+ uint64_t features, flags;
++ uint64_t head = 0;
+
+ assert(offset + bytes <= s->image_size);
+
+@@ -1347,7 +1348,43 @@ static int coroutine_fn qemu_rbd_co_block_status(BlockDriverState *bs,
+ return status;
+ }
+
+- r = rbd_diff_iterate2(s->image, NULL, offset, bytes, true, true,
++#if LIBRBD_VERSION_CODE < LIBRBD_VERSION(1, 17, 0)
++ /*
++ * librbd had a bug until early 2022 that affected all versions of
ceph that
++ * supported fast-diff. This bug results in reporting of incorrect offsets
++ * if the offset parameter to rbd_diff_iterate2 is not object aligned.
++ * Work around this bug by rounding down the offset to object boundaries.
++ * This is OK because we call rbd_diff_iterate2 with whole_object = true.
++ * However, this workaround only works for non cloned images with default
++ * striping.
++ *
++ * See: https://tracker.ceph.com/issues/53784
++ */
++
++ /* check if RBD image has non-default striping enabled */
++ if (features & RBD_FEATURE_STRIPINGV2) {
++ return status;
++ }
++
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
++ /*
++ * check if RBD image is a clone (= has a parent).
++ *
++ * rbd_get_parent_info is deprecated from Nautilus onwards, but the
++ * replacement rbd_get_parent is not present in Luminous and Mimic.
++ */
++ if (rbd_get_parent_info(s->image, NULL, 0, NULL, 0, NULL, 0) != -ENOENT) {
++ return status;
++ }
++#pragma GCC diagnostic pop
++
++ head = req.offs & (s->object_size - 1);
++ req.offs -= head;
++ bytes += head;
++#endif
++
++ r = rbd_diff_iterate2(s->image, NULL, req.offs, bytes, true, true,
+ qemu_rbd_diff_iterate_cb, &req);
+ if (r < 0 && r != QEMU_RBD_EXIT_DIFF_ITERATE2) {
+ return status;
+@@ -1366,7 +1403,8 @@ static int coroutine_fn qemu_rbd_co_block_status(BlockDriverState *bs,
+ status = BDRV_BLOCK_ZERO | BDRV_BLOCK_OFFSET_VALID;
+ }
+
+- *pnum = req.bytes;
++ assert(req.bytes > head);
++ *pnum = req.bytes - head;
+ return status;
+ }
+
+--
+2.27.0
+
diff --git a/kvm-qemu-storage-daemon-Add-vhost-user-blk-help.patch b/kvm-qemu-storage-daemon-Add-vhost-user-blk-help.patch
new file mode 100644
index 0000000..bc36f5c
--- /dev/null
+++ b/kvm-qemu-storage-daemon-Add-vhost-user-blk-help.patch
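Review bot: `assert(req.bytes > head);` in the last hunk turns an unexpected extent report from librbd — the same component whose offset reporting this patch works around — into an abort of the whole QEMU process, and the invariant it relies on (whole_object=true makes the first reported extent cover the object containing the original offset, so it always extends past the rounded-off head) is neither checked nor documented anywhere visible. Block status is a non-fatal query; the early returns added above it (`return status;`) already use a soft fallback, and the same fallback would be safer here provided *pnum still holds its pre-iteration value on that path — please confirm, since that setup is outside the hunk. At minimum the assert deserves a comment naming the assumption, e.g. `/* whole_object=true: the first extent spans the object that contains the original offset, so it is longer than head */`. qemu_rbd_co_block_status begins before the first hunk and its early setup is not shown.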
@@ -0,0 +1,72 @@
+From 0f4592f79f8c24f84db18a8c39c6056b2a0be524 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=
+Date: Fri, 7 Jan 2022 11:54:19 +0100
+Subject: [PATCH 1/5] qemu-storage-daemon: Add vhost-user-blk help
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Kevin Wolf
+RH-MergeRequest: 63: qemu-storage-daemon: Add vhost-user-blk help
+RH-Commit: [1/2] 6b08fec5d6ceea9f8f3810321099310069e08b53 (kmwolf/centos-qemu-kvm)
+RH-Bugzilla: 1962088
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Stefano Garzarella
+RH-Acked-by: Hanna Reitz
+
+Add missing vhost-user-blk help:
+
+ $ qemu-storage-daemon -h
+ ...
+ --export [type=]vhost-user-blk,id=,node-name=,
+ addr.type=unix,addr.path=[,writable=on|off]
+ [,logical-block-size=][,num-queues=]
+ export the specified block node as a
+ vhosts-user-blk device over UNIX domain socket
+ --export [type=]vhost-user-blk,id=,node-name=,
+ fd,addr.str=[,writable=on|off]
+ [,logical-block-size=][,num-queues=]
+ export the specified block node as a
+ vhosts-user-blk device over file descriptor
+ ...
+
+Fixes: 90fc91d50b7 ("convert vhost-user-blk server to block export API")
+Reported-by: Qing Wang
+Reviewed-by: Eric Blake
+Signed-off-by: Philippe Mathieu-Daudé
+Signed-off-by: Philippe Mathieu-Daudé
+Message-Id: <20220107105420.395011-3-f4bug@amsat.org>
+Signed-off-by: Kevin Wolf
+(cherry picked from commit c8cbc9524269d9583749aaaea8aa244add7e1900)
+Signed-off-by: Kevin Wolf
+---
+ storage-daemon/qemu-storage-daemon.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/storage-daemon/qemu-storage-daemon.c b/storage-daemon/qemu-storage-daemon.c
+index 52cf17e8ac..9d76d1114d 100644
+--- a/storage-daemon/qemu-storage-daemon.c
++++ b/storage-daemon/qemu-storage-daemon.c
+@@ -104,6 +104,19 @@ static void help(void)
+ " export the specified block node over FUSE\n"
+ "\n"
+ #endif /* CONFIG_FUSE */
++#ifdef CONFIG_VHOST_USER_BLK_SERVER
++" --export [type=]vhost-user-blk,id=,node-name=,\n"
++" addr.type=unix,addr.path=[,writable=on|off]\n"
++" [,logical-block-size=][,num-queues=]\n"
++" export the specified block node as a\n"
++" vhost-user-blk device over UNIX domain socket\n"
++" --export [type=]vhost-user-blk,id=,node-name=,\n"
++" fd,addr.str=[,writable=on|off]\n"
++" [,logical-block-size=][,num-queues=]\n"
++" export the specified block node as a\n"
++" vhost-user-blk device over file descriptor\n"
++"\n"
++#endif /* CONFIG_VHOST_USER_BLK_SERVER */
+ " --monitor [chardev=]name[,mode=control][,pretty[=on|off]]\n"
+ " configure a QMP monitor\n"
+ "\n"
+--
+2.27.0
+
diff --git a/kvm-qemu-storage-daemon-Fix-typo-in-vhost-user-blk-help.patch b/kvm-qemu-storage-daemon-Fix-typo-in-vhost-user-blk-help.patch
new file mode 100644
index 0000000..798a27e
--- /dev/null
+++ b/kvm-qemu-storage-daemon-Fix-typo-in-vhost-user-blk-help.patch
@@ -0,0 +1,41 @@
+From 20edf203c8cb314e27409918399aa7cbdc6fdb02 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf
+Date: Tue, 25 Jan 2022 16:15:14 +0100
+Subject: [PATCH 2/5] qemu-storage-daemon: Fix typo in vhost-user-blk help
+
+RH-Author: Kevin Wolf
+RH-MergeRequest: 63: qemu-storage-daemon: Add vhost-user-blk help
+RH-Commit: [2/2] b7afb670c398799b6e49b926e296771453a55fba (kmwolf/centos-qemu-kvm)
+RH-Bugzilla: 1962088
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Stefano Garzarella
+RH-Acked-by: Hanna Reitz
+
+The syntax of the fd passing case misses the "addr.type=" key. Add it.
+
+Signed-off-by: Kevin Wolf
+Message-Id: <20220125151514.49035-1-kwolf@redhat.com>
+Reviewed-by: Hanna Reitz
+Signed-off-by: Kevin Wolf
+(cherry picked from commit e66e665f15736f5ee1fbd8087926cb0f1e52f61a)
+Signed-off-by: Kevin Wolf
+---
+ storage-daemon/qemu-storage-daemon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/storage-daemon/qemu-storage-daemon.c b/storage-daemon/qemu-storage-daemon.c
+index 9d76d1114d..ec9aa79b55 100644
+--- a/storage-daemon/qemu-storage-daemon.c
++++ b/storage-daemon/qemu-storage-daemon.c
+@@ -111,7 +111,7 @@ static void help(void)
+ " export the specified block node as a\n"
+ " vhost-user-blk device over UNIX domain socket\n"
+ " --export [type=]vhost-user-blk,id=,node-name=,\n"
+-" fd,addr.str=[,writable=on|off]\n"
++" addr.type=fd,addr.str=[,writable=on|off]\n"
+ " [,logical-block-size=][,num-queues=]\n"
+ " export the specified block node as a\n"
+ " vhost-user-blk device over file descriptor\n"
+--
+2.27.0
+
diff --git a/kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch b/kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch
new file mode 100644
index 0000000..539b8fe
--- /dev/null
+++ b/kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch
@@ -0,0 +1,110 @@
+From 846192d22a1ddfa87682bb0b67febef5c30c9743 Mon Sep 17 00:00:00 2001
+From: Vivek Goyal
+Date: Tue, 25 Jan 2022 13:51:14 -0500
+Subject: [PATCH 3/5] virtiofsd: Drop membership of all supplementary groups
+ (CVE-2022-0358)
+
+RH-Author: Dr. David Alan Gilbert
+RH-MergeRequest: 66: c9s: virtiofsd security fix - drop secondary groups
+RH-Commit: [1/1] cdf3b0405ea3369933e76761890f16b040641036 (redhat/centos-stream/src/qemu-kvm)
+RH-Bugzilla: 2046201
+RH-Acked-by: Hanna Reitz
+RH-Acked-by: Sergio Lopez
+RH-Acked-by: Vivek Goyal
+
+At the start, drop membership of all supplementary groups. This is
+not required.
+
+If we have membership of "root" supplementary group and when we switch
+uid/gid using setresuid/setsgid, we still retain membership of existing
+supplemntary groups. And that can allow some operations which are not
+normally allowed.
+
+For example, if root in guest creates a dir as follows.
+
+$ mkdir -m 03777 test_dir
+
+This sets SGID on dir as well as allows unprivileged users to write into
+this dir.
+
+And now as unprivileged user open file as follows.
+
+$ su test
+$ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755);
+
+This will create SGID set executable in test_dir/.
+
+And that's a problem because now an unpriviliged user can execute it,
+get egid=0 and get access to resources owned by "root" group. This is
+privilege escalation.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863
+Fixes: CVE-2022-0358
+Reported-by: JIETAO XIAO
+Suggested-by: Miklos Szeredi
+Reviewed-by: Stefan Hajnoczi
+Reviewed-by: Dr. David Alan Gilbert
+Signed-off-by: Vivek Goyal
+Message-Id:
+Signed-off-by: Dr.
David Alan Gilbert
+ dgilbert: Fixed missing {}'s style nit
+(cherry picked from commit 449e8171f96a6a944d1f3b7d3627ae059eae21ca)
+---
+ tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index 64b5b4fbb1..b3d0674f6d 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -54,6 +54,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "qemu/cutils.h"
+ #include "passthrough_helpers.h"
+@@ -1161,6 +1162,30 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
+ #define OURSYS_setresuid SYS_setresuid
+ #endif
+
++static void drop_supplementary_groups(void)
++{
++ int ret;
++
++ ret = getgroups(0, NULL);
++ if (ret == -1) {
++ fuse_log(FUSE_LOG_ERR, "getgroups() failed with error=%d:%s\n",
++ errno, strerror(errno));
++ exit(1);
++ }
++
++ if (!ret) {
++ return;
++ }
++
++ /* Drop all supplementary groups. We should not need it */
++ ret = setgroups(0, NULL);
++ if (ret == -1) {
++ fuse_log(FUSE_LOG_ERR, "setgroups() failed with error=%d:%s\n",
++ errno, strerror(errno));
++ exit(1);
++ }
++}
++
+ /*
+ * Change to uid/gid of caller so that file is created with
+ * ownership of caller.
+@@ -3926,6 +3951,8 @@ int main(int argc, char *argv[])
+
+ qemu_init_exec_dir(argv[0]);
+
++ drop_supplementary_groups();
++
+ pthread_mutex_init(&lo.mutex, NULL);
+ lo.inodes = g_hash_table_new(lo_key_hash, lo_key_equal);
+ lo.root.fd = -1;
+--
+2.27.0
+
diff --git a/qemu-kvm.spec b/qemu-kvm.spec
index be30965..d6b34c4 100644
--- a/qemu-kvm.spec
+++ b/qemu-kvm.spec
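Review bot: `setgroups(0, NULL)` in drop_supplementary_groups() needs CAP_SETGID, so a virtiofsd started by an unprivileged user who belongs to any supplementary group will now exit(1) with "setgroups() failed" before options are even parsed, and the hunk does not distinguish EPERM from other errors. If unprivileged operation is meant to keep working (a process that cannot switch uid/gid anyway does not gain the escalation this fixes), that case should be decided explicitly — e.g. `if (ret == -1 && errno == EPERM && geteuid() != 0) { fuse_log(FUSE_LOG_WARNING, "setgroups() not permitted, keeping supplementary groups\n"); return; }` — or the new hard requirement stated where the daemon's invocation is documented. The main() hunk places the call first, which the fix needs, but a comment such as `/* must precede any setresuid/setresgid switch: setgroups() needs the process's initial privileges */` would keep a later refactor from moving it. main() continues outside the hunk.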
@@ -144,7 +144,7 @@ Obsoletes: %{name}-block-iscsi <= %{version} \
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 6.2.0
-Release: 6%{?rcrel}%{?dist}%{?cc_suffix}
+Release: 7%{?rcrel}%{?dist}%{?cc_suffix}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 # Epoch 15 used for RHEL 8
 # Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5)
@@ -217,6 +217,16 @@ Patch36: kvm-x86-Add-q35-RHEL-8.6.0-machine-type.patch
 Patch37: kvm-x86-Add-q35-RHEL-9.0.0-machine-type.patch
 # For bz#2036669 - DEVICE_DELETED event is not delivered for device frontend if -device is configured via JSON
 Patch38: kvm-softmmu-fix-device-deletion-events-with-device-JSON-.patch
+# For bz#1962088 - [QSD] wrong help message for the fuse
+Patch39: kvm-qemu-storage-daemon-Add-vhost-user-blk-help.patch
+# For bz#1962088 - [QSD] wrong help message for the fuse
+Patch40: kvm-qemu-storage-daemon-Fix-typo-in-vhost-user-blk-help.patch
+# For bz#2046201 - CVE-2022-0358 qemu-kvm: QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405 [rhel-9.0]
+Patch41: kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch
+# For bz#2034791 - Booting from Local Snapshot Core Dumped Whose Backing File Is Based on RBD
+Patch42: kvm-block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch
+# For bz#2034791 - Booting from Local Snapshot Core Dumped Whose Backing File Is Based on RBD
+Patch43: kvm-block-rbd-workaround-for-ceph-issue-53784.patch
 # Source-git patches
@@ -1275,6 +1285,19 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %endif
 %changelog
+* Mon Feb 07 2022 Miroslav Rezanina - 6.2.0-7
+- kvm-qemu-storage-daemon-Add-vhost-user-blk-help.patch [bz#1962088]
+- kvm-qemu-storage-daemon-Fix-typo-in-vhost-user-blk-help.patch [bz#1962088]
+- kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch [bz#2046201]
+- kvm-block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch [bz#2034791]
+- kvm-block-rbd-workaround-for-ceph-issue-53784.patch [bz#2034791]
+- Resolves: bz#1962088
+ ([QSD] wrong help message for the fuse)
+- Resolves: bz#2046201
+ (CVE-2022-0358 qemu-kvm: QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405 [rhel-9.0])
+- Resolves: bz#2034791
+ (Booting from Local Snapshot Core Dumped Whose Backing File Is Based on RBD)
+
 * Wed Feb 02 2022 Miroslav Rezanina - 6.2.0-6
 - Moving feature support out of qemu-kvm-core to separate packages (can cause loss of functionality when using only qemu-kvm-core - qemu-kvm keeps