diff --git a/kvm-qxl-also-notify-the-rendering-is-done-when-skipping-.patch b/kvm-qxl-also-notify-the-rendering-is-done-when-skipping-.patch new file mode 100644 index 0000000..52532b4 --- /dev/null +++ b/kvm-qxl-also-notify-the-rendering-is-done-when-skipping-.patch @@ -0,0 +1,49 @@ +From 51c6fc79d712c73bfeec2e4ff6779da3cab649fd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Mon, 1 Mar 2021 08:39:20 -0500 +Subject: [PATCH 2/4] qxl: also notify the rendering is done when skipping it +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Marc-André Lureau +Message-id: <20210301083920.895324-3-marcandre.lureau@redhat.com> +Patchwork-id: 101275 +O-Subject: [RHEL-AV-8.4.0 qemu-kvm PATCH 2/2] qxl: also notify the rendering is done when skipping it +Bugzilla: 1932190 +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: Gerd Hoffmann +RH-Acked-by: Sergio Lopez Pascual + +From: Marc-André Lureau + +Asynchronous handlers may be waiting for the graphic_hw_update_done() to +be called in this case too. + +Fixes: 4d6316218 ("console: add graphic_hw_update_done()") +Signed-off-by: Marc-André Lureau +Message-Id: <20210201201422.446552-3-marcandre.lureau@redhat.com> +Signed-off-by: Gerd Hoffmann + +(cherry picked from commit b577ab2dda3afc7d6a7befabcf226507ff06c17c) +Signed-off-by: Marc-André Lureau +Signed-off-by: Danilo C. L. de Paula +--- + hw/display/qxl-render.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index 3ce2e57b8f..d28849b121 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -181,6 +181,7 @@ void qxl_render_update(PCIQXLDevice *qxl) + qxl->mode == QXL_MODE_UNDEFINED) { + qxl_render_update_area_unlocked(qxl); + qemu_mutex_unlock(&qxl->ssd.lock); ++ graphic_hw_update_done(qxl->ssd.dcl.con); + return; + } + +-- +2.27.0 + diff --git a/kvm-qxl-set-qxl.ssd.dcl.con-on-secondary-devices.patch b/kvm-qxl-set-qxl.ssd.dcl.con-on-secondary-devices.patch new file mode 100644 index 0000000..55ea413 --- /dev/null +++ b/kvm-qxl-set-qxl.ssd.dcl.con-on-secondary-devices.patch @@ -0,0 +1,50 @@ +From 94dc0414a7d5dadbbfc29a19617df7facb0ea7d6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Mon, 1 Mar 2021 08:39:19 -0500 +Subject: [PATCH 1/4] qxl: set qxl.ssd.dcl.con on secondary devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Marc-André Lureau +Message-id: <20210301083920.895324-2-marcandre.lureau@redhat.com> +Patchwork-id: 101274 +O-Subject: [RHEL-AV-8.4.0 qemu-kvm PATCH 1/2] qxl: set qxl.ssd.dcl.con on secondary devices +Bugzilla: 1932190 +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: Gerd Hoffmann +RH-Acked-by: Sergio Lopez Pascual + +From: Marc-André Lureau + +On secondary QXL devices, the console is only set on qxl.vga.con. But +graphic_hw_update_done() is called with qxl.ssd.dcl.con. + +Like for primary QXL devices, set qxl.sdd.dcl.con = qxl.vga.con. + +Signed-off-by: Marc-André Lureau +Message-Id: <20210201201422.446552-2-marcandre.lureau@redhat.com> +Signed-off-by: Gerd Hoffmann + +(cherry picked from commit c502758670432195d61ff848b1b47b0f78918ae2) +Signed-off-by: Marc-André Lureau +Signed-off-by: Danilo C. L. de Paula +--- + hw/display/qxl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/display/qxl.c b/hw/display/qxl.c +index 431c107096..50f4756b6a 100644 +--- a/hw/display/qxl.c ++++ b/hw/display/qxl.c +@@ -2266,6 +2266,7 @@ static void qxl_realize_secondary(PCIDevice *dev, Error **errp) + qxl->vga.vram_size, &error_fatal); + qxl->vga.vram_ptr = memory_region_get_ram_ptr(&qxl->vga.vram); + qxl->vga.con = graphic_console_init(DEVICE(dev), 0, &qxl_ops, qxl); ++ qxl->ssd.dcl.con = qxl->vga.con; + qxl->id = qemu_console_get_index(qxl->vga.con); /* == channel_id */ + + qxl_realize_common(qxl, errp); +-- +2.27.0 + diff --git a/kvm-virtiofs-drop-remapped-security.capability-xattr-as-.patch b/kvm-virtiofs-drop-remapped-security.capability-xattr-as-.patch new file mode 100644 index 0000000..72fe0a4 --- /dev/null +++ b/kvm-virtiofs-drop-remapped-security.capability-xattr-as-.patch @@ -0,0 +1,224 @@ +From 6a0564e81d5e329f955c4391809daf248f078481 Mon Sep 17 00:00:00 2001 +From: "Dr. David Alan Gilbert" +Date: Thu, 4 Mar 2021 15:49:01 -0500 +Subject: [PATCH 4/4] virtiofs: drop remapped security.capability xattr as + needed + +RH-Author: Dr. David Alan Gilbert +Message-id: <20210304154901.47930-3-dgilbert@redhat.com> +Patchwork-id: 101305 +O-Subject: [RHEL-AV-8.4.0 qemu-kvm PATCH 2/2] virtiofs: drop remapped security.capability xattr as needed +Bugzilla: 1935071 +RH-Acked-by: Connor Kuehl +RH-Acked-by: Laszlo Ersek +RH-Acked-by: Stefan Hajnoczi + +From: "Dr. David Alan Gilbert" + +On Linux, the 'security.capability' xattr holds a set of +capabilities that can change when an executable is run, giving +a limited form of privilege escalation to those programs that +the writer of the file deemed worthy. + +Any write causes the 'security.capability' xattr to be dropped, +stopping anyone from gaining privilege by modifying a blessed +file. + +Fuse relies on the daemon to do this dropping, and in turn the +daemon relies on the host kernel to drop the xattr for it. However, +with the addition of -o xattrmap, the xattr that the guest +stores its capabilities in is now not the same as the one that +the host kernel automatically clears. + +Where the mapping changes 'security.capability', explicitly clear +the remapped name to preserve the same behaviour. + +This bug is assigned CVE-2021-20263. + +Signed-off-by: Dr. David Alan Gilbert +Reviewed-by: Vivek Goyal +(cherry picked from commit e586edcb410543768ef009eaa22a2d9dd4a53846) +Signed-off-by: Dr. David Alan Gilbert + Downstream slight context difference due to missing d64907ac FUSE_HANDLE_KILLPRIV_V2 +Signed-off-by: Danilo C. L. de Paula +--- + docs/tools/virtiofsd.rst | 4 ++ + tools/virtiofsd/passthrough_ll.c | 77 +++++++++++++++++++++++++++++++- + 2 files changed, 80 insertions(+), 1 deletion(-) + +diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst +index 5b3be8a6d6..6e0fc94005 100644 +--- a/docs/tools/virtiofsd.rst ++++ b/docs/tools/virtiofsd.rst +@@ -228,6 +228,10 @@ The 'map' type adds a number of separate rules to add **prepend** as a prefix + to the matched **key** (or all attributes if **key** is empty). + There may be at most one 'map' rule and it must be the last rule in the set. + ++Note: When the 'security.capability' xattr is remapped, the daemon has to do ++extra work to remove it during many operations, which the host kernel normally ++does itself. ++ + xattr-mapping Examples + ---------------------- + +diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c +index f06074d81f..9c33b0344b 100644 +--- a/tools/virtiofsd/passthrough_ll.c ++++ b/tools/virtiofsd/passthrough_ll.c +@@ -160,6 +160,7 @@ struct lo_data { + int posix_lock; + int xattr; + char *xattrmap; ++ char *xattr_security_capability; + char *source; + char *modcaps; + double timeout; +@@ -226,6 +227,8 @@ static __thread bool cap_loaded = 0; + + static struct lo_inode *lo_find(struct lo_data *lo, struct stat *st, + uint64_t mnt_id); ++static int xattr_map_client(const struct lo_data *lo, const char *client_name, ++ char **out_name); + + static int is_dot_or_dotdot(const char *name) + { +@@ -365,6 +368,37 @@ out: + return ret; + } + ++/* ++ * The host kernel normally drops security.capability xattr's on ++ * any write, however if we're remapping xattr names we need to drop ++ * whatever the clients security.capability is actually stored as. ++ */ ++static int drop_security_capability(const struct lo_data *lo, int fd) ++{ ++ if (!lo->xattr_security_capability) { ++ /* We didn't remap the name, let the host kernel do it */ ++ return 0; ++ } ++ if (!fremovexattr(fd, lo->xattr_security_capability)) { ++ /* All good */ ++ return 0; ++ } ++ ++ switch (errno) { ++ case ENODATA: ++ /* Attribute didn't exist, that's fine */ ++ return 0; ++ ++ case ENOTSUP: ++ /* FS didn't support attribute anyway, also fine */ ++ return 0; ++ ++ default: ++ /* Hmm other error */ ++ return errno; ++ } ++} ++ + static void lo_map_init(struct lo_map *map) + { + map->elems = NULL; +@@ -718,6 +752,11 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr, + uid_t uid = (valid & FUSE_SET_ATTR_UID) ? attr->st_uid : (uid_t)-1; + gid_t gid = (valid & FUSE_SET_ATTR_GID) ? attr->st_gid : (gid_t)-1; + ++ saverr = drop_security_capability(lo, ifd); ++ if (saverr) { ++ goto out_err; ++ } ++ + res = fchownat(ifd, "", uid, gid, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW); + if (res == -1) { + saverr = errno; +@@ -737,6 +776,14 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr, + } + } + ++ saverr = drop_security_capability(lo, truncfd); ++ if (saverr) { ++ if (!fi) { ++ close(truncfd); ++ } ++ goto out_err; ++ } ++ + res = ftruncate(truncfd, attr->st_size); + saverr = res == -1 ? errno : 0; + if (!fi) { +@@ -1727,6 +1774,13 @@ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode, + if (fd < 0) { + return -fd; + } ++ if (fi->flags & (O_TRUNC)) { ++ int err = drop_security_capability(lo, fd); ++ if (err) { ++ close(fd); ++ return err; ++ } ++ } + } + + pthread_mutex_lock(&lo->mutex); +@@ -2115,6 +2169,12 @@ static void lo_write_buf(fuse_req_t req, fuse_ino_t ino, + "lo_write_buf(ino=%" PRIu64 ", size=%zd, off=%lu)\n", ino, + out_buf.buf[0].size, (unsigned long)off); + ++ res = drop_security_capability(lo_data(req), out_buf.buf[0].fd); ++ if (res) { ++ fuse_reply_err(req, res); ++ return; ++ } ++ + /* + * If kill_priv is set, drop CAP_FSETID which should lead to kernel + * clearing setuid/setgid on file. +@@ -2354,6 +2414,7 @@ static void parse_xattrmap(struct lo_data *lo) + { + const char *map = lo->xattrmap; + const char *tmp; ++ int ret; + + lo->xattr_map_nentries = 0; + while (*map) { +@@ -2384,7 +2445,7 @@ static void parse_xattrmap(struct lo_data *lo) + * the last entry. + */ + parse_xattrmap_map(lo, map, sep); +- return; ++ break; + } else { + fuse_log(FUSE_LOG_ERR, + "%s: Unexpected type;" +@@ -2453,6 +2514,19 @@ static void parse_xattrmap(struct lo_data *lo) + fuse_log(FUSE_LOG_ERR, "Empty xattr map\n"); + exit(1); + } ++ ++ ret = xattr_map_client(lo, "security.capability", ++ &lo->xattr_security_capability); ++ if (ret) { ++ fuse_log(FUSE_LOG_ERR, "Failed to map security.capability: %s\n", ++ strerror(ret)); ++ exit(1); ++ } ++ if (!strcmp(lo->xattr_security_capability, "security.capability")) { ++ /* 1-1 mapping, don't need to do anything */ ++ free(lo->xattr_security_capability); ++ lo->xattr_security_capability = NULL; ++ } + } + + /* +@@ -3481,6 +3555,7 @@ static void fuse_lo_data_cleanup(struct lo_data *lo) + + free(lo->xattrmap); + free_xattrmap(lo); ++ free(lo->xattr_security_capability); + free(lo->source); + } + +-- +2.27.0 + diff --git a/kvm-virtiofsd-Save-error-code-early-at-the-failure-calls.patch b/kvm-virtiofsd-Save-error-code-early-at-the-failure-calls.patch new file mode 100644 index 0000000..72e42ac --- /dev/null +++ b/kvm-virtiofsd-Save-error-code-early-at-the-failure-calls.patch @@ -0,0 +1,100 @@ +From 22fe525a532619088a135c0f5f80bde12da68109 Mon Sep 17 00:00:00 2001 +From: "Dr. David Alan Gilbert" +Date: Thu, 4 Mar 2021 15:49:00 -0500 +Subject: [PATCH 3/4] virtiofsd: Save error code early at the failure callsite + +RH-Author: Dr. David Alan Gilbert +Message-id: <20210304154901.47930-2-dgilbert@redhat.com> +Patchwork-id: 101304 +O-Subject: [RHEL-AV-8.4.0 qemu-kvm PATCH 1/2] virtiofsd: Save error code early at the failure callsite +Bugzilla: 1935071 +RH-Acked-by: Connor Kuehl +RH-Acked-by: Laszlo Ersek +RH-Acked-by: Stefan Hajnoczi + +From: Vivek Goyal + +Change error code handling slightly in lo_setattr(). Right now we seem +to jump to out_err and assume that "errno" is valid and use that to +send reply. + +But if caller has to do some other operations before jumping to out_err, +then it does the dance of first saving errno to saverr and the restore +errno before jumping to out_err. This makes it more confusing. + +I am about to make more changes where caller will have to do some +work after error before jumping to out_err. I found it easier to +change the convention a bit. That is caller saves error in "saverr" +before jumping to out_err. And out_err uses "saverr" to send error +back and does not rely on "errno" having actual error. + +v3: Resolved conflicts in lo_setattr() due to lo_inode_open() changes. + +Signed-off-by: Vivek Goyal +Reviewed-by: Dr. David Alan Gilbert +Message-Id: <20210208224024.43555-2-vgoyal@redhat.com> +(cherry picked from commit 1e08f164e9fdc9528ad6990012301b9a04b0bc90) +Signed-off-by: Dr. David Alan Gilbert +Signed-off-by: Danilo C. L. de Paula +--- + tools/virtiofsd/passthrough_ll.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c +index 03c5e0d13c..f06074d81f 100644 +--- a/tools/virtiofsd/passthrough_ll.c ++++ b/tools/virtiofsd/passthrough_ll.c +@@ -710,6 +710,7 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr, + res = fchmodat(lo->proc_self_fd, procname, attr->st_mode, 0); + } + if (res == -1) { ++ saverr = errno; + goto out_err; + } + } +@@ -719,6 +720,7 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr, + + res = fchownat(ifd, "", uid, gid, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW); + if (res == -1) { ++ saverr = errno; + goto out_err; + } + } +@@ -730,16 +732,15 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr, + } else { + truncfd = lo_inode_open(lo, inode, O_RDWR); + if (truncfd < 0) { +- errno = -truncfd; ++ saverr = -truncfd; + goto out_err; + } + } + + res = ftruncate(truncfd, attr->st_size); ++ saverr = res == -1 ? errno : 0; + if (!fi) { +- saverr = errno; + close(truncfd); +- errno = saverr; + } + if (res == -1) { + goto out_err; +@@ -772,6 +773,7 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr, + res = utimensat(lo->proc_self_fd, procname, tv, 0); + } + if (res == -1) { ++ saverr = errno; + goto out_err; + } + } +@@ -780,7 +782,6 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr, + return lo_getattr(req, ino, fi); + + out_err: +- saverr = errno; + lo_inode_put(lo, &inode); + fuse_reply_err(req, saverr); + } +-- +2.27.0 + diff --git a/qemu-kvm.spec b/qemu-kvm.spec index fb49fac..07c2861 100644 --- a/qemu-kvm.spec +++ b/qemu-kvm.spec @@ -64,7 +64,7 @@ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release} Summary: QEMU is a machine emulator and virtualizer Name: qemu-kvm Version: 5.2.0 -Release: 10%{?dist} +Release: 11%{?dist} # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 15 License: GPLv2 and GPLv2+ and CC-BY @@ -284,6 +284,14 @@ Patch122: kvm-virtio-net-add-missing-object_unref.patch Patch123: kvm-x86-cpu-Populate-SVM-CPUID-feature-bits.patch # For bz#1926785 - [RFE] AMD Milan - Add KVM/support for EPYC-Milan CPU Model - Fast Train Patch124: kvm-i386-Add-the-support-for-AMD-EPYC-3rd-generation-pro.patch +# For bz#1932190 - Timeout when dump the screen from 2nd VGA +Patch125: kvm-qxl-set-qxl.ssd.dcl.con-on-secondary-devices.patch +# For bz#1932190 - Timeout when dump the screen from 2nd VGA +Patch126: kvm-qxl-also-notify-the-rendering-is-done-when-skipping-.patch +# For bz#1935071 - CVE-2021-20263 virt:8.4/qemu-kvm: QEMU: virtiofsd: 'security.capabilities' is not dropped with xattrmap option [rhel-av-8] +Patch127: kvm-virtiofsd-Save-error-code-early-at-the-failure-calls.patch +# For bz#1935071 - CVE-2021-20263 virt:8.4/qemu-kvm: QEMU: virtiofsd: 'security.capabilities' is not dropped with xattrmap option [rhel-av-8] +Patch128: kvm-virtiofs-drop-remapped-security.capability-xattr-as-.patch BuildRequires: wget BuildRequires: rpm-build @@ -1473,6 +1481,16 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %changelog +* Mon Mar 15 2021 Miroslav Rezanina - 5.2.0-11.el9 +- kvm-qxl-set-qxl.ssd.dcl.con-on-secondary-devices.patch [bz#1932190] +- kvm-qxl-also-notify-the-rendering-is-done-when-skipping-.patch [bz#1932190] +- kvm-virtiofsd-Save-error-code-early-at-the-failure-calls.patch [bz#1935071] +- kvm-virtiofs-drop-remapped-security.capability-xattr-as-.patch [bz#1935071] +- Resolves: bz#1932190 + (Timeout when dump the screen from 2nd VGA) +- Resolves: bz#1935071 + (CVE-2021-20263 virt:8.4/qemu-kvm: QEMU: virtiofsd: 'security.capabilities' is not dropped with xattrmap option [rhel-av-8]) + * Wed Mar 03 2021 Danilo Cesar Lemes de Paula - 5.2.0-10.el8 - kvm-migration-dirty-bitmap-Use-struct-for-alias-map-inne.patch [bz#1930757] - kvm-migration-dirty-bitmap-Allow-control-of-bitmap-persi.patch [bz#1930757]