Version in base suite: 3.1+dfsg-8+deb10u2 Version in overlay suite: 3.1+dfsg-8+deb10u3 Base version: qemu_3.1+dfsg-8+deb10u3 Target version: qemu_3.1+dfsg-8+deb10u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/q/qemu/qemu_3.1+dfsg-8+deb10u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/q/qemu/qemu_3.1+dfsg-8+deb10u4.dsc changelog | 18 ++ patches/io-ensure-UNIX-client-doesn-t-unlink-server-socket.patch | 77 ++++++++++ patches/iscsi-cap-block-count-from-GET-LBA-STATUS-CVE-2020-1711.patch | 62 ++++++++ patches/series | 8 - patches/slirp-ip_reass-fix-use-after-free-CVE-CVE-2019-15890.patch | 42 +++++ patches/slirp-use-correct-size-while-emulating-IRC-commands-CVE-2020-7039.patch | 51 ++++++ patches/slirp-use-correct-size-while-emulating-commands-CVE-2020-7039.patch | 50 ++++++ patches/tcp_emu-fix-OOB-access-CVE-2020-7039.patch | 37 ++++ 8 files changed, 344 insertions(+), 1 deletion(-)
diff -Nru qemu-3.1+dfsg/debian/changelog qemu-3.1+dfsg/debian/changelog
--- qemu-3.1+dfsg/debian/changelog 2019-11-11 06:29:19.000000000 +0000
+++ qemu-3.1+dfsg/debian/changelog 2020-01-30 20:28:55.000000000 +0000
@@ -1,3 +1,21 @@
+qemu (1:3.1+dfsg-8+deb10u4) buster-security; urgency=medium
+
+ * acknowledge the last NMU by the Security Team
+ * io-ensure-UNIX-client-doesn-t-unlink-server-socket.patch
+ Closes: #946210
+ * slirp possible use-after-free in ip_reass(),
+ slirp-ip_reass-fix-use-after-free-CVE-CVE-2019-15890.patch
+ Closes: #939869, CVE-2019-15890
+ * slirp emulation fixes, Closes: CVE-2020-7039
+ tcp_emu-fix-OOB-access-CVE-2020-7039.patch
+ slirp-use-correct-size-while-emulating-commands-CVE-2020-7039.patch
+ slirp-use-correct-size-while-emulating-IRC-commands-CVE-2020-7039.patch
+ * fix iscsi OOB heap access via an unexpected response of iSCSI Server,
+ scsi-cap-block-count-from-GET-LBA-STATUS-CVE-2020-1711.patch
+ Closes: #949731, CVE-2020-1711
+
+ -- Michael Tokarev Thu, 30 Jan 2020 23:28:55 +0300
+
 qemu (1:3.1+dfsg-8+deb10u3) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru qemu-3.1+dfsg/debian/patches/io-ensure-UNIX-client-doesn-t-unlink-server-socket.patch qemu-3.1+dfsg/debian/patches/io-ensure-UNIX-client-doesn-t-unlink-server-socket.patch
--- qemu-3.1+dfsg/debian/patches/io-ensure-UNIX-client-doesn-t-unlink-server-socket.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-3.1+dfsg/debian/patches/io-ensure-UNIX-client-doesn-t-unlink-server-socket.patch 2020-01-30 20:21:53.000000000 +0000
@@ -0,0 +1,77 @@
+Commit-Id: 73564c407caedf992a1c688b5fea776a8b56ba2a Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrangé
+Date: Mon, 14 Jan 2019 11:33:18 +0000
+Subject: io: ensure UNIX client doesn't unlink server socket
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Bug-Debian: http://bugs.debian.org/946210
+
+The qio_channel_socket_close method for was mistakenly unlinking the
+UNIX server socket, even if the channel was a client connection. This
+was not noticed with chardevs, since they never call close, but with the
+VNC server, this caused the VNC server socket to be deleted after the
+first client quit.
+
+The qio_channel_socket_close method also needlessly reimplemented the
+logic that already exists in socket_listen_cleanup(). Just call that
+method directly, for listen sockets only.
+
+This fixes a regression introduced in QEMU 3.0.0 with
+
+ commit d66f78e1eaa832f73c771d9df1b606fe75d52a50
+ Author: Pavel Balaev
+ Date: Mon May 21 19:17:35 2018 +0300
+
+ Delete AF_UNIX socket after close
+
+Fixes launchpad #1795100
+
+Reviewed-by: Eric Blake
+Signed-off-by: Daniel P. Berrangé
+---
+ io/channel-socket.c | 19 ++------
+
+diff --git a/io/channel-socket.c b/io/channel-socket.c
+index b50e63a053a..bc5f80e780e 100644
+--- a/io/channel-socket.c
++++ b/io/channel-socket.c
+@@ -688,10 +688,13 @@ qio_channel_socket_close(QIOChannel *ioc,
+ int rc = 0;
+
+ if (sioc->fd != -1) {
+- SocketAddress *addr = socket_local_address(sioc->fd, errp);
+ #ifdef WIN32
+ WSAEventSelect(sioc->fd, NULL, 0);
+ #endif
++ if (qio_channel_has_feature(ioc, QIO_CHANNEL_FEATURE_LISTEN)) {
++ socket_listen_cleanup(sioc->fd, errp);
++ }
++
+ if (closesocket(sioc->fd) < 0) {
+ sioc->fd = -1;
+ error_setg_errno(errp, errno,
+@@ -699,20 +702,6 @@ qio_channel_socket_close(QIOChannel *ioc,
+ return -1;
+ }
+ sioc->fd = -1;
+-
+- if (addr && addr->type == SOCKET_ADDRESS_TYPE_UNIX
+- && addr->u.q_unix.path) {
+- if (unlink(addr->u.q_unix.path) < 0 && errno != ENOENT) {
+- error_setg_errno(errp, errno,
+- "Failed to unlink socket %s",
+- addr->u.q_unix.path);
+- rc = -1;
+- }
+- }
+-
+- if (addr) {
+- qapi_free_SocketAddress(addr);
+- }
+ }
+ return rc;
+ }
+--
+2.20.1
+
diff -Nru qemu-3.1+dfsg/debian/patches/iscsi-cap-block-count-from-GET-LBA-STATUS-CVE-2020-1711.patch qemu-3.1+dfsg/debian/patches/iscsi-cap-block-count-from-GET-LBA-STATUS-CVE-2020-1711.patch
--- qemu-3.1+dfsg/debian/patches/iscsi-cap-block-count-from-GET-LBA-STATUS-CVE-2020-1711.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-3.1+dfsg/debian/patches/iscsi-cap-block-count-from-GET-LBA-STATUS-CVE-2020-1711.patch 2020-01-30 20:27:48.000000000 +0000
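Review bot: The outcome of `socket_listen_cleanup(sioc->fd, errp)` is dropped, so the return value no longer reflects an unlink failure: the removed lines set `rc = -1` when the UNIX path could not be unlinked, whereas after this hunk rc stays 0 and the function can return success with *errp already populated (assuming socket_listen_cleanup reports through errp the way the inlined code did). If closesocket() then also fails, the `error_setg_errno(errp, errno, ...)` that follows writes into an errp that may already hold an error, which QEMU's Error API treats as a programming error. Collect the cleanup error in a local `Error *`, decide which error wins once the close outcome is known, and restore `rc = -1` for the unlink case. qio_channel_socket_close() starts before and ends after this hunk.
```c
        Error *local_err = NULL;

        if (qio_channel_has_feature(ioc, QIO_CHANNEL_FEATURE_LISTEN)) {
            socket_listen_cleanup(sioc->fd, &local_err);
        }

        if (closesocket(sioc->fd) < 0) {
            /* the close failure is what we report; drop the unlink error */
            error_free(local_err);
            /* … unchanged: sioc->fd = -1, error_setg_errno(errp, errno, …), return -1 … */
        }
        sioc->fd = -1;
        if (local_err) {
            error_propagate(errp, local_err);
            rc = -1;
        }
```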
@@ -0,0 +1,62 @@
+From: Felipe Franciosi
+Date: Thu, 23 Jan 2020 12:44:59 +0000
+Subject: iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
+Commit-Id: 693fd2acdf14dd86c0bf852610f1c2cca80a74dc
+Bug-Debian: http://bugs.debian.org/949731
+
+When querying an iSCSI server for the provisioning status of blocks (via
+GET LBA STATUS), Qemu only validates that the response descriptor zero's
+LBA matches the one requested. Given the SCSI spec allows servers to
+respond with the status of blocks beyond the end of the LUN, Qemu may
+have its heap corrupted by clearing/setting too many bits at the end of
+its allocmap for the LUN.
+
+A malicious guest in control of the iSCSI server could carefully program
+Qemu's heap (by selectively setting the bitmap) and then smash it.
+
+This limits the number of bits that iscsi_co_block_status() will try to
+update in the allocmap so it can't overflow the bitmap.
+
+Fixes: CVE-2020-1711
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Felipe Franciosi
+Signed-off-by: Peter Turschmid
+Signed-off-by: Raphael Norwitz
+Signed-off-by: Kevin Wolf
+---
+ block/iscsi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/block/iscsi.c b/block/iscsi.c
+index 2aea7e3f13..cbd57294ab 100644
+--- a/block/iscsi.c
++++ b/block/iscsi.c
+@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+ struct scsi_get_lba_status *lbas = NULL;
+ struct scsi_lba_status_descriptor *lbasd = NULL;
+ struct IscsiTask iTask;
+- uint64_t lba;
++ uint64_t lba, max_bytes;
+ int ret;
+
+ iscsi_co_init_iscsitask(iscsilun, &iTask);
+@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+ }
+
+ lba = offset / iscsilun->block_size;
++ max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
+
+ qemu_mutex_lock(&iscsilun->mutex);
+ retry:
+@@ -764,7 +765,7 @@ retry:
+ goto out_unlock;
+ }
+
+- *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
++ *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
+
+ if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
+ lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
+--
+2.20.1
+
diff -Nru qemu-3.1+dfsg/debian/patches/series qemu-3.1+dfsg/debian/patches/series
--- qemu-3.1+dfsg/debian/patches/series 2019-11-11 06:29:19.000000000 +0000
+++ qemu-3.1+dfsg/debian/patches/series 2020-01-30 20:27:48.000000000 +0000
@@ -14,7 +14,13 @@
 aarch32-exception-return-to-switch-from-hyp-mon.patch
 enable-md-no.patch
 enable-md-clear.patch
+enable-pschange-mc-no.patch
 qxl-check-release-info-object-CVE-2019-12155.patch
 qemu-bridge-helper-restrict-interface-name-to-IFNAMSIZ-CVE-2019-13164.patch
 slirp-fix-heap-overflow-in-ip_reass-on-big-packet-input-CVE-2019-14378.patch
-enable-pschange-mc-no.patch
+slirp-ip_reass-fix-use-after-free-CVE-CVE-2019-15890.patch
+tcp_emu-fix-OOB-access-CVE-2020-7039.patch
+slirp-use-correct-size-while-emulating-commands-CVE-2020-7039.patch
+slirp-use-correct-size-while-emulating-IRC-commands-CVE-2020-7039.patch
+io-ensure-UNIX-client-doesn-t-unlink-server-socket.patch
+iscsi-cap-block-count-from-GET-LBA-STATUS-CVE-2020-1711.patch
diff -Nru qemu-3.1+dfsg/debian/patches/slirp-ip_reass-fix-use-after-free-CVE-CVE-2019-15890.patch qemu-3.1+dfsg/debian/patches/slirp-ip_reass-fix-use-after-free-CVE-CVE-2019-15890.patch
--- qemu-3.1+dfsg/debian/patches/slirp-ip_reass-fix-use-after-free-CVE-CVE-2019-15890.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-3.1+dfsg/debian/patches/slirp-ip_reass-fix-use-after-free-CVE-CVE-2019-15890.patch 2020-01-30 20:06:50.000000000 +0000
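Review bot: `max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;` is an unsigned subtraction, so if lba is ever at or beyond num_blocks (an offset past the device, or a num_blocks that went stale after the target changed capacity) it wraps to a huge value and the `MIN()` below stops bounding *pnum, leaving the allocmap update this patch exists to cap unbounded again. The block layer presumably keeps offset inside the device, but since this value is now the safety limit the assumption should be explicit: reject `lba >= iscsilun->num_blocks` before the mutex is taken (e.g. `ret = -EINVAL;` through the function's existing early-exit path), and give the assignment a why-comment such as `/* cap at the end of the LUN: the allocmap update below must not run past the bitmap */`. The `MIN()` also compares an int64_t with a uint64_t; casting max_bytes to `(int64_t)` keeps the comparison signed and -Wsign-compare quiet. iscsi_co_block_status() starts before and ends after this hunk.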
@@ -0,0 +1,42 @@
+From: Samuel Thibault
+Date: Mon, 26 Aug 2019 00:55:03 +0200
+Subject: ip_reass: Fix use after free (CVE-2019-15890)
+Commit-Id: c59279437eda91841b9d26079c70b8a540d41204
+Bug-Debian: http://bugs.debian.org/939869
+
+Using ip_deq after m_free might read pointers from an allocation reuse.
+
+This would be difficult to exploit, but that is still related with
+CVE-2019-14378 which generates fragmented IP packets that would trigger this
+issue and at least produce a DoS.
+
+Signed-off-by: Samuel Thibault
+---
+ slirp/ip_input.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/slirp/ip_input.c b/slirp/ip_input.c
+index 7364ce0..aa514ae 100644
+--- a/slirp/ip_input.c
++++ b/slirp/ip_input.c
+@@ -300,6 +300,7 @@ ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
+ */
+ while (q != (struct ipasfrag*)&fp->frag_link &&
+ ip->ip_off + ip->ip_len > q->ipf_off) {
++ struct ipasfrag *prev;
+ i = (ip->ip_off + ip->ip_len) - q->ipf_off;
+ if (i < q->ipf_len) {
+ q->ipf_len -= i;
+@@ -307,9 +308,10 @@ ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
+ m_adj(dtom(slirp, q), i);
+ break;
+ }
++ prev = q;
+ q = q->ipf_next;
+- m_free(dtom(slirp, q->ipf_prev));
+- ip_deq(q->ipf_prev);
++ ip_deq(prev);
++ m_free(dtom(slirp, prev));
+ }
+
+ insert:
diff -Nru qemu-3.1+dfsg/debian/patches/slirp-use-correct-size-while-emulating-IRC-commands-CVE-2020-7039.patch qemu-3.1+dfsg/debian/patches/slirp-use-correct-size-while-emulating-IRC-commands-CVE-2020-7039.patch
--- qemu-3.1+dfsg/debian/patches/slirp-use-correct-size-while-emulating-IRC-commands-CVE-2020-7039.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-3.1+dfsg/debian/patches/slirp-use-correct-size-while-emulating-IRC-commands-CVE-2020-7039.patch 2020-01-30 20:03:36.000000000 +0000
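Review bot: `struct ipasfrag *prev;` is declared at the top of the loop body but only assigned several lines later at `prev = q;`, so it sits uninitialized across the `break` path; nothing in the visible lines reassigns q between the loop head and that point, so the declaration can carry the value, `struct ipasfrag *prev = q;`, and the separate `prev = q;` line can go. The reordered `ip_deq(prev); m_free(dtom(slirp, prev));` is the actual fix and deserves a why-comment so a later cleanup does not swap it back, e.g. `/* unlink first: ip_deq() reads prev's links, which live in the mbuf that m_free() releases */`. ip_reass() starts before and ends after this hunk.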
@@ -0,0 +1,51 @@
+Commit-Id: ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9
+From: Prasad J Pandit
+Date: Thu, 9 Jan 2020 15:12:27 +0530
+Subject: slirp: use correct size while emulating IRC commands
+Bug-Debian: http://bugs.debian.org/949084
+
+While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
+'m->m_size' to write DCC commands via snprintf(3). This may
+lead to OOB write access, because 'bptr' points somewhere in
+the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
+size to avoid OOB access.
+
+Reported-by: Vishnu Dev TJ
+Signed-off-by: Prasad J Pandit
+Reviewed-by: Samuel Thibault
+Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
+---
+ slirp/tcp_subr.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index fa61349cbb0..5429805f87b 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -778,7 +778,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "DCC CHAT chat %lu %u%c\n",
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), 1);
+@@ -789,7 +789,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "DCC SEND %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
+@@ -800,7 +800,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "DCC MOVE %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
diff -Nru qemu-3.1+dfsg/debian/patches/slirp-use-correct-size-while-emulating-commands-CVE-2020-7039.patch qemu-3.1+dfsg/debian/patches/slirp-use-correct-size-while-emulating-commands-CVE-2020-7039.patch
--- qemu-3.1+dfsg/debian/patches/slirp-use-correct-size-while-emulating-commands-CVE-2020-7039.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-3.1+dfsg/debian/patches/slirp-use-correct-size-while-emulating-commands-CVE-2020-7039.patch 2020-01-30 20:03:36.000000000 +0000
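Review bot: `m->m_len += snprintf(bptr, M_FREEROOM(m), ...)` at all three DCC sites still adds snprintf()'s return value, which on truncation is the length the full output would have had rather than the bytes stored, so with the size now correctly bounded a long command leaves m_len larger than what the mbuf holds and later users of m_len read past it; the write is fixed, the bookkeeping is not. The same pattern is in the three hunks of slirp-use-correct-size-while-emulating-commands-CVE-2020-7039.patch below (the `M_ROOM(m)` site there adds 1 on top). Clamp the return value to what actually fit, with a small static helper so each site stays a one-liner. tcp_emu() starts before and ends after this hunk.
```c
/* Bytes an snprintf() into a buffer of 'room' bytes actually stored: the
 * return value is the untruncated length, so clamp it to what fits. */
static int snprintf_written(int rv, int room)
{
    if (rv < 0 || room <= 0) {
        return 0;
    }
    return rv < room ? rv : room - 1;
}

/* … unchanged: tcp_emu() up to the DCC CHAT case … */
            m->m_len = bptr - m->m_data; /* Adjust length */
            m->m_len += snprintf_written(snprintf(bptr, M_FREEROOM(m),
                                                  "DCC CHAT chat %lu %u%c\n",
                                                  (unsigned long)ntohl(so->so_faddr.s_addr),
                                                  ntohs(so->so_fport), 1),
                                         M_FREEROOM(m));
            /* … unchanged: DCC SEND and DCC MOVE sites get the same wrapping … */
```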
@@ -0,0 +1,50 @@
+Commit-Id: 82ebe9c370a0e2970fb5695aa19aa5214a6a1c80
+From: Prasad J Pandit
+Date: Thu, 9 Jan 2020 15:12:28 +0530
+Subject: slirp: use correct size while emulating commands
+Bug-Debian: http://bugs.debian.org/949084
+
+While emulating services in tcp_emu(), it uses 'mbuf' size
+'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
+size to avoid possible OOB access.
+
+Signed-off-by: Prasad J Pandit
+Signed-off-by: Samuel Thibault
+Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
+---
+ slirp/tcp_subr.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index fa61349cbb0..ea9b9608034 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -699,7 +699,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ n4 = (laddr & 0xff);
+
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size - m->m_len,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+ n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ return 1;
+@@ -732,7 +732,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ n4 = (laddr & 0xff);
+
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size - m->m_len,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+ n1, n2, n3, n4, n5, n6, x==7?buff:"");
+
+@@ -758,8 +758,8 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
+ (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
+ htons(lport), SS_FACCEPTONCE)) != NULL)
+- m->m_len = snprintf(m->m_data, m->m_size, "%d",
+- ntohs(so->so_fport)) + 1;
++ m->m_len = snprintf(m->m_data, M_ROOM(m),
++ "%d", ntohs(so->so_fport)) + 1;
+ return 1;
+
+ case EMU_IRC:
diff -Nru qemu-3.1+dfsg/debian/patches/tcp_emu-fix-OOB-access-CVE-2020-7039.patch qemu-3.1+dfsg/debian/patches/tcp_emu-fix-OOB-access-CVE-2020-7039.patch
--- qemu-3.1+dfsg/debian/patches/tcp_emu-fix-OOB-access-CVE-2020-7039.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-3.1+dfsg/debian/patches/tcp_emu-fix-OOB-access-CVE-2020-7039.patch 2020-01-30 20:03:36.000000000 +0000
@@ -0,0 +1,37 @@
+Commit-Id: 2655fffed7a9e765bcb4701dd876e9dab975f289
+From: Samuel Thibault
+Date: Wed, 8 Jan 2020 00:58:48 +0100
+Subject: tcp_emu: Fix oob access
+Bug-Debian: http://bugs.debian.org/949084
+
+The main loop only checks for one available byte, while we sometimes
+need two bytes.
+---
+ slirp/tcp_subr.c | 7 +++++++
+ 1 files changed, 7 insertions(+)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index fa61349cbb0..965d54941e3 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -887,6 +887,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ break;
+
+ case 5:
++ if (bptr == m->m_data + m->m_len - 1)
++ return 1; /* We need two bytes */
++
+ /*
+ * The difference between versions 1.0 and
+ * 2.0 is here. For future versions of
+@@ -902,6 +905,10 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ /* This is the field containing the port
+ * number that RA-player is listening to.
+ */
++
++ if (bptr == m->m_data + m->m_len - 1)
++ return 1; /* We need two bytes */
++
+ lport = (((u_char*)bptr)[0] << 8) +
+ ((u_char *)bptr)[1];
+ if (lport < 6970)
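Review bot: Both added guards, `if (bptr == m->m_data + m->m_len - 1)`, test for exactly the last byte and so rely on the enclosing loop having already established `bptr < m->m_data + m->m_len`; that invariant is not visible in this hunk, and an equality test silently passes any bptr that is already at or past the end. Writing the precondition the comment states, `if (bptr + 1 >= m->m_data + m->m_len)`, checks "two bytes available" directly, is correct in the same cases, and does not form `m->m_data + m->m_len - 1` when m_len is 0. The same guard appears twice; a one-line comment at the first naming why two bytes are needed (the 16-bit port read at `lport = ...`) would make the second self-explanatory. tcp_emu() starts before and ends after this hunk.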