Version in base suite: 5.2+dfsg-11+deb11u1 Base version: qemu_5.2+dfsg-11+deb11u1 Target version: qemu_5.2+dfsg-11+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/q/qemu/qemu_5.2+dfsg-11+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/q/qemu/qemu_5.2+dfsg-11+deb11u2.dsc changelog | 17 + patches/display-qxl-render-fix-race-condition-in-qxl_cursor-CVE-2021-4207.patch | 37 +++ patches/series | 5 patches/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2021-4206.patch | 83 ++++++++ patches/vhost-vsock-detach-the-virqueue-element-on-error-CVE-2022-26354.patch | 56 +++++ patches/virtio-net-fix-map-leaking-on-error-during-receive-CVE-2022-26353.patch | 39 +++ patches/virtiofsd-drop-membership-of-all-supplementary-group-CVE-2022-0358.patch | 100 ++++++++++ 7 files changed, 337 insertions(+)
diff: /srv/release.debian.org/tmp/53Kqy8IF_Q/qemu-5.2+dfsg/roms/skiboot/ccan/heap/LICENSE: No such file or directory
diff: /srv/release.debian.org/tmp/zTSgAI4wsa/qemu-5.2+dfsg/roms/skiboot/ccan/heap/LICENSE: No such file or directory
diff -Nru qemu-5.2+dfsg/debian/changelog qemu-5.2+dfsg/debian/changelog
--- qemu-5.2+dfsg/debian/changelog 2021-09-29 10:14:52.000000000 +0000
+++ qemu-5.2+dfsg/debian/changelog 2022-05-04 19:50:01.000000000 +0000
@@ -1,3 +1,20 @@
+qemu (1:5.2+dfsg-11+deb11u2) bullseye-security; urgency=medium
+
+ * virtio-net-fix-map-leaking-on-error-during-receive-CVE-2022-26353.patch
+ fix memory leak after fix for CVE-2021-3748
+ * vhost-vsock-detach-the-virqueue-element-on-error-CVE-2022-26354.patch
+ vhost-sock device was not detaching invalid element from
+ the virtqueue on error
+ * ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2021-4206.patch,
+ display-qxl-render-fix-race-condition-in-qxl_cursor-CVE-2021-4207.patch
+ two flaws can lead to allocation of small cursor object followed by a
+ subsequent heap-based buffer overflow with a potential for executing
+ arbitrary code within the context of QEMU process
+ * virtiofsd-drop-membership-of-all-supplementary-group-CVE-2022-0358.patch
+ potential group escalation allowed by virtiofsd
+
+ -- Michael Tokarev Wed, 04 May 2022 22:50:01 +0300
+
 qemu (1:5.2+dfsg-11+deb11u1) bullseye-security; urgency=medium
 
 [ Michael Tokarev ]
diff -Nru qemu-5.2+dfsg/debian/patches/display-qxl-render-fix-race-condition-in-qxl_cursor-CVE-2021-4207.patch qemu-5.2+dfsg/debian/patches/display-qxl-render-fix-race-condition-in-qxl_cursor-CVE-2021-4207.patch
--- qemu-5.2+dfsg/debian/patches/display-qxl-render-fix-race-condition-in-qxl_cursor-CVE-2021-4207.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-5.2+dfsg/debian/patches/display-qxl-render-fix-race-condition-in-qxl_cursor-CVE-2021-4207.patch 2022-05-04 14:36:41.000000000 +0000
@@ -0,0 +1,37 @@
+From 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella
+Date: Thu, 7 Apr 2022 10:11:06 +0200
+Subject: display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Avoid fetching 'width' and 'height' a second time to prevent possible
+race condition. Refer to security advisory
+https://starlabs.sg/advisories/22-4207/ for more information.
+
+Fixes: CVE-2021-4207
+Signed-off-by: Mauro Matteo Cascella
+Reviewed-by: Marc-André Lureau
+Message-Id: <20220407081106.343235-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann
+---
+ hw/display/qxl-render.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index d28849b121..237ed293ba 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+ }
+ break;
+ case SPICE_CURSOR_TYPE_ALPHA:
+- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
++ size = sizeof(uint32_t) * c->width * c->height;
+ qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
+ if (qxl->debug > 2) {
+ cursor_print_ascii_art(c, "qxl/alpha");
+--
+2.30.2
+
diff -Nru qemu-5.2+dfsg/debian/patches/series qemu-5.2+dfsg/debian/patches/series
--- qemu-5.2+dfsg/debian/patches/series 2021-09-29 10:14:52.000000000 +0000
+++ qemu-5.2+dfsg/debian/patches/series 2022-05-04 15:01:31.000000000 +0000
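Review bot: The replacement line `size = sizeof(uint32_t) * c->width * c->height;` deserves a comment saying why the copies held in `c` are used, because nothing at the call site explains it; something like `/* size from the values cursor_alloc() captured, not a second read of cursor->header, which can change between the two reads (the race this patch closes) */` keeps a later editor from "simplifying" it back. The change covers only the SPICE_CURSOR_TYPE_ALPHA case; the other cases of the switch and the rest of qxl_cursor lie above this hunk, so confirm that none of them still sizes a copy from `cursor->header` after cursor_alloc() has run. Note that `c->width` and `c->height` are `int` here (cursor_alloc takes ints), so the product is carried out in size_t only because the leading sizeof promotes it; that is safe only because the dimensions are bounded at allocation time, which in this upload is done by the separate CVE-2021-4206 patch.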
@@ -50,6 +50,7 @@
 usbredir-fix-free-call-CVE-2021-3682.patch
 uas-add-stream-number-sanity-checks-CVE-2021-3713.patch
 virtio-net-fix-use-after-unmap-free-for-sg-CVE-2021-3748.patch
+virtio-net-fix-map-leaking-on-error-during-receive-CVE-2022-26353.patch
 ati_2d-fix-buffer-overflow-in-ati_2d_blt-CVE-2021-3638.patch
 vhost-user-gpu/fix-memory-disclosure-in-virgl_cmd_get_capset_info-CVE-2021-3545.patch
 vhost-user-gpu/fix-resource-leak-in-vg_resource_create_2d-CVE-2021-3544.patch
@@ -58,3 +59,7 @@
 vhost-user-gpu/fix-memory-leak-in-virgl_cmd_resource_unref-CVE-2021-3544.patch
 vhost-user-gpu/fix-memory-leak-in-virgl_resource_attach_backing-CVE-2021-3544.patch
 vhost-user-gpu/fix-OOB-write-in-virgl_cmd_get_capset-CVE-2021-3546.patch
+ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2021-4206.patch
+display-qxl-render-fix-race-condition-in-qxl_cursor-CVE-2021-4207.patch
+virtiofsd-drop-membership-of-all-supplementary-group-CVE-2022-0358.patch
+vhost-vsock-detach-the-virqueue-element-on-error-CVE-2022-26354.patch
diff -Nru qemu-5.2+dfsg/debian/patches/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2021-4206.patch qemu-5.2+dfsg/debian/patches/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2021-4206.patch
--- qemu-5.2+dfsg/debian/patches/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2021-4206.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-5.2+dfsg/debian/patches/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2021-4206.patch 2022-05-04 14:36:46.000000000 +0000
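Review bot: The two new qxl/cursor entries at the end of the second hunk are listed in the reverse of their upstream order: `ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2021-4206.patch` comes before `display-qxl-render-fix-race-condition-in-qxl_cursor-CVE-2021-4207.patch`, yet the 4206 patch's `index 237ed293ba..ca217004bf` for hw/display/qxl-render.c starts from the blob that the 4207 patch produces (`index d28849b121..237ed293ba`). The two hunks touch different regions of qxl_cursor (around line 247 and line 266), so quilt presumably applies them with an offset rather than failing, but swapping the two lines so that the CVE-2021-4207 patch precedes the CVE-2021-4206 patch would match upstream and let both apply at their recorded offsets.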
@@ -0,0 +1,83 @@
+From fa892e9abb728e76afcf27323ab29c57fb0fe7aa Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella
+Date: Thu, 7 Apr 2022 10:17:12 +0200
+Subject: ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Prevent potential integer overflow by limiting 'width' and 'height' to
+512x512. Also change 'datasize' type to size_t. Refer to security
+advisory https://starlabs.sg/advisories/22-4206/ for more information.
+
+Fixes: CVE-2021-4206
+Signed-off-by: Mauro Matteo Cascella
+Reviewed-by: Marc-André Lureau
+Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann
+---
+ hw/display/qxl-render.c | 7 +++++++
+ hw/display/vmware_vga.c | 2 ++
+ ui/cursor.c | 8 +++++++-
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index 237ed293ba..ca217004bf 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+ size_t size;
+
+ c = cursor_alloc(cursor->header.width, cursor->header.height);
++
++ if (!c) {
++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
++ cursor->header.width, cursor->header.height);
++ goto fail;
++ }
++
+ c->hot_x = cursor->header.hot_spot_x;
+ c->hot_y = cursor->header.hot_spot_y;
+ switch (cursor->header.type) {
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 98c83474ad..45d06cbe25 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
+ int i, pixels;
+
+ qc = cursor_alloc(c->width, c->height);
++ assert(qc != NULL);
++
+ qc->hot_x = c->hot_x;
+ qc->hot_y = c->hot_y;
+ switch (c->bpp) {
+diff --git a/ui/cursor.c b/ui/cursor.c
+index 1d62ddd4d0..835f0802f9 100644
+--- a/ui/cursor.c
++++ b/ui/cursor.c
+@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
+
+ /* parse pixel data */
+ c = cursor_alloc(width, height);
++ assert(c != NULL);
++
+ for (pixel = 0, y = 0; y < height; y++, line++) {
+ for (x = 0; x < height; x++, pixel++) {
+ idx = xpm[line][x];
+@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
+ QEMUCursor *cursor_alloc(int width, int height)
+ {
+ QEMUCursor *c;
+- int datasize = width * height * sizeof(uint32_t);
++ size_t datasize = width * height * sizeof(uint32_t);
++
++ if (width > 512 || height > 512) {
++ return NULL;
++ }
+
+ c = g_malloc0(sizeof(QEMUCursor) + datasize);
+ c->width = width;
+--
+2.30.2
+
diff -Nru qemu-5.2+dfsg/debian/patches/vhost-vsock-detach-the-virqueue-element-on-error-CVE-2022-26354.patch qemu-5.2+dfsg/debian/patches/vhost-vsock-detach-the-virqueue-element-on-error-CVE-2022-26354.patch
--- qemu-5.2+dfsg/debian/patches/vhost-vsock-detach-the-virqueue-element-on-error-CVE-2022-26354.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-5.2+dfsg/debian/patches/vhost-vsock-detach-the-virqueue-element-on-error-CVE-2022-26354.patch 2022-05-04 14:56:38.000000000 +0000
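Review bot: In the cursor_alloc hunk the initializer `size_t datasize = width * height * sizeof(uint32_t);` is still evaluated before the new `if (width > 512 || height > 512)` guard, so `width * height` is computed as a signed `int` product for whatever values the caller passed and can overflow (undefined behaviour) before the out-of-range case is rejected; the guard also does not reject negative values, since both parameters are `int`. Putting the check ahead of the arithmetic and bounding both ends closes that: `if (width < 0 || height < 0 || width > 512 || height > 512) { return NULL; }` followed by `size_t datasize = (size_t)width * height * sizeof(uint32_t);`. The qxl caller in the first hunk reports a guest bug on NULL, whereas vmsvga_cursor_define and cursor_parse_xpm only `assert()`, which is acceptable only if their dimensions are validated before reaching cursor_alloc (vmsvga's validation is outside this hunk, so confirm it is present in the 5.2 tree). The 512x512 cap is also a behavioural change, not just hardening: any caller that previously requested a larger cursor now gets NULL and, via the new asserts, an abort.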
@@ -0,0 +1,56 @@
+From 8d1b247f3748ac4078524130c6d7ae42b6140aaf Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella
+Date: Mon, 28 Feb 2022 10:50:58 +0100
+Subject: vhost-vsock: detach the virqueue element in case of error
+
+In vhost_vsock_common_send_transport_reset(), if an element popped from
+the virtqueue is invalid, we should call virtqueue_detach_element() to
+detach it from the virtqueue before freeing its memory.
+
+Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device")
+Fixes: CVE-2022-26354
+Cc: qemu-stable@nongnu.org
+Reported-by: VictorV
+Signed-off-by: Stefano Garzarella
+Message-Id: <20220228095058.27899-1-sgarzare@redhat.com>
+Reviewed-by: Stefan Hajnoczi
+Reviewed-by: Michael S. Tsirkin
+Signed-off-by: Michael S. Tsirkin
+---
+ hw/virtio/vhost-vsock-common.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/hw/virtio/vhost-vsock-common.c b/hw/virtio/vhost-vsock-common.c
+index 3f3771274e..ed706681ac 100644
+--- a/hw/virtio/vhost-vsock-common.c
++++ b/hw/virtio/vhost-vsock-common.c
+@@ -153,19 +153,23 @@ static void vhost_vsock_common_send_transport_reset(VHostVSockCommon *vvc)
+ if (elem->out_num) {
+ error_report("invalid vhost-vsock event virtqueue element with "
+ "out buffers");
+- goto out;
++ goto err;
+ }
+
+ if (iov_from_buf(elem->in_sg, elem->in_num, 0,
+ &event, sizeof(event)) != sizeof(event)) {
+ error_report("vhost-vsock event virtqueue element is too short");
+- goto out;
++ goto err;
+ }
+
+ virtqueue_push(vq, elem, sizeof(event));
+ virtio_notify(VIRTIO_DEVICE(vvc), vq);
+
+-out:
++ g_free(elem);
++ return;
++
++err:
++ virtqueue_detach_element(vq, elem, 0);
+ g_free(elem);
+ }
+
+--
+2.30.2
+
diff -Nru qemu-5.2+dfsg/debian/patches/virtio-net-fix-map-leaking-on-error-during-receive-CVE-2022-26353.patch qemu-5.2+dfsg/debian/patches/virtio-net-fix-map-leaking-on-error-during-receive-CVE-2022-26353.patch
--- qemu-5.2+dfsg/debian/patches/virtio-net-fix-map-leaking-on-error-during-receive-CVE-2022-26353.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-5.2+dfsg/debian/patches/virtio-net-fix-map-leaking-on-error-during-receive-CVE-2022-26353.patch 2022-05-04 15:01:01.000000000 +0000
@@ -0,0 +1,39 @@
+From abe300d9d894f7138e1af7c8e9c88c04bfe98b37 Mon Sep 17 00:00:00 2001
+From: Jason Wang
+Date: Tue, 8 Mar 2022 10:42:51 +0800
+Subject: virtio-net: fix map leaking on error during receive
+
+Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
+tries to fix the use after free of the sg by caching the virtqueue
+elements in an array and unmap them at once after receiving the
+packets, But it forgot to unmap the cached elements on error which
+will lead to leaking of mapping and other unexpected results.
+
+Fixing this by detaching the cached elements on error. This addresses
+CVE-2022-26353.
+
+Reported-by: Victor Tom
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2022-26353
+Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
+Reviewed-by: Michael S. Tsirkin
+Signed-off-by: Jason Wang
+---
+ hw/net/virtio-net.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index b02a0632df..2087516253 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -1870,6 +1870,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+
+ err:
+ for (j = 0; j < i; j++) {
++ virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);
+ g_free(elems[j]);
+ }
+
+--
+2.30.2
+
diff -Nru qemu-5.2+dfsg/debian/patches/virtiofsd-drop-membership-of-all-supplementary-group-CVE-2022-0358.patch qemu-5.2+dfsg/debian/patches/virtiofsd-drop-membership-of-all-supplementary-group-CVE-2022-0358.patch
--- qemu-5.2+dfsg/debian/patches/virtiofsd-drop-membership-of-all-supplementary-group-CVE-2022-0358.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-5.2+dfsg/debian/patches/virtiofsd-drop-membership-of-all-supplementary-group-CVE-2022-0358.patch 2022-05-04 14:42:46.000000000 +0000
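Review bot: The new `virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);` only covers indices below `i`; whether the element popped in the iteration that failed has already been stored into `elems[i]` (and so still needs to be detached and freed) depends on the pop/store sequence above the hunk, which is outside this excerpt — worth checking that the `err:` loop bound matches where the backported 5.2 code stores each element. A one-line comment on the loop, such as `/* popped but never pushed: detach before freeing so the virtqueue's accounting for the element is released */`, would record why the detach has to precede g_free. virtio_net_receive_rcu begins well before this hunk.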
@@ -0,0 +1,100 @@
+From 449e8171f96a6a944d1f3b7d3627ae059eae21ca Mon Sep 17 00:00:00 2001
+From: Vivek Goyal
+Date: Tue, 25 Jan 2022 13:51:14 -0500
+Subject: virtiofsd: Drop membership of all supplementary groups (CVE-2022-0358)
+
+At the start, drop membership of all supplementary groups. This is
+not required.
+
+If we have membership of "root" supplementary group and when we switch
+uid/gid using setresuid/setsgid, we still retain membership of existing
+supplemntary groups. And that can allow some operations which are not
+normally allowed.
+
+For example, if root in guest creates a dir as follows.
+
+$ mkdir -m 03777 test_dir
+
+This sets SGID on dir as well as allows unprivileged users to write into
+this dir.
+
+And now as unprivileged user open file as follows.
+
+$ su test
+$ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755);
+
+This will create SGID set executable in test_dir/.
+
+And that's a problem because now an unpriviliged user can execute it,
+get egid=0 and get access to resources owned by "root" group. This is
+privilege escalation.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863
+Fixes: CVE-2022-0358
+Reported-by: JIETAO XIAO
+Suggested-by: Miklos Szeredi
+Reviewed-by: Stefan Hajnoczi
+Reviewed-by: Dr. David Alan Gilbert
+Signed-off-by: Vivek Goyal
+Message-Id:
+Signed-off-by: Dr. David Alan Gilbert
+ dgilbert: Fixed missing {}'s style nit
+---
+ tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index 64b5b4fbb1..b3d0674f6d 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -54,6 +54,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "qemu/cutils.h"
+ #include "passthrough_helpers.h"
+@@ -1161,6 +1162,30 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
+ #define OURSYS_setresuid SYS_setresuid
+ #endif
+
++static void drop_supplementary_groups(void)
++{
++ int ret;
++
++ ret = getgroups(0, NULL);
++ if (ret == -1) {
++ fuse_log(FUSE_LOG_ERR, "getgroups() failed with error=%d:%s\n",
++ errno, strerror(errno));
++ exit(1);
++ }
++
++ if (!ret) {
++ return;
++ }
++
++ /* Drop all supplementary groups. We should not need it */
++ ret = setgroups(0, NULL);
++ if (ret == -1) {
++ fuse_log(FUSE_LOG_ERR, "setgroups() failed with error=%d:%s\n",
++ errno, strerror(errno));
++ exit(1);
++ }
++}
++
+ /*
+ * Change to uid/gid of caller so that file is created with
+ * ownership of caller.
+@@ -3926,6 +3951,8 @@ int main(int argc, char *argv[])
+
+ qemu_init_exec_dir(argv[0]);
+
++ drop_supplementary_groups();
++
+ pthread_mutex_init(&lo.mutex, NULL);
+ lo.inodes = g_hash_table_new(lo_key_hash, lo_key_equal);
+ lo.root.fd = -1;
+--
+2.30.2
+
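Review bot: `drop_supplementary_groups()` treats any `setgroups(0, NULL)` failure as fatal, and setgroups needs CAP_SETGID; if the daemon is ever started without that capability while holding supplementary groups (for example unprivileged, or in a user namespace where setgroups is denied), it now exits during startup instead of running. That is presumably intended, since virtiofsd expects to switch uid/gid later anyway, but the intent is worth recording on the exit, e.g. `/* setgroups() needs CAP_SETGID; virtiofsd runs privileged, so failure here is a hard error rather than a degraded mode */`. The header name on the added `+#include` line has been lost by this rendering (presumably `<grp.h>`, which declares setgroups/getgroups), so verify the patch file rather than this view. Calling the function right after `qemu_init_exec_dir()` in main, before any threads or the sandbox are set up, is the right place for it.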