Re: unrealize mechanism in 9pfs
Hi Guido,

Thank you for your investigations. I've marked CVE-2016-9914/15/16 as no-dsa and will upload my patches for the two remaining issues.

Cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E

[Attachment: signature.asc (PGP signature)]
Re: unrealize mechanism in 9pfs
Hi Hugo,

sorry for the delay.

On Tue, Dec 20, 2016 at 10:49:31AM +0100, Hugo Lefeuvre wrote:
> Hi,
>
> > Could you paste the commands / libvirt configs you used to test this?
>
> for handle:
>
>   qemu -hda debian_wheezy_amd64_standard.qcow2 -fsdev handle,id=ninepfstest,path=/home/user/ -device virtio-9p-pci,fsdev=ninepfstest,mount_tag=ninepfstest
>
> for proxy:
>
>   qemu -hda debian_wheezy_amd64_standard.qcow2 -fsdev proxy,id=ninepfstest,path=/home/user/,sock_fd=1 -device virtio-9p-pci,fsdev=ninepfstest,mount_tag=ninepfstest
>
> I've tested with several sock_fd values. For qemu-kvm, I've just
> replaced 'qemu' by 'kvm'.
>
> You can find the 'debian_wheezy_amd64_standard.qcow2' image here[0].
>
> The libvirt config files are the default ones. I used the official
> wheezy livecd[1] as test system. A tarred copy of the /etc/libvirt
> directory is in attachment.

With

  # qemu-system-x86_64 -drive file=foo.img -fsdev handle,id=fsid,path=/home/agx/tmp -device virtio-9p-pci,id=devid,fsdev=fsid,mount_tag=mt

I get

  fsdev: fsdriver handle not found

which is exactly what you had. And this is caused by the missing declaration of open_by_handle_at in Wheezy's glibc. The function was introduced in glibc 2.14. And therefore this fails to compile (from QEMU's configure):

  #include <fcntl.h>
  #if !defined(AT_EMPTY_PATH)
  # error missing definition
  #else
  int main(void) { struct file_handle fh; return open_by_handle_at(0, &fh, 0); }
  #endif

and so the handle backend gets disabled.

So I think it's safe to mark this as no-dsa in Wheezy (the code is in the source tree but not compiled in by default).

I've started

  https://anonscm.debian.org/viewvc/secure-testing/data/wheezy-no-dsa.txt

so we have such things at a glance for larger packages (Xen, Firefox, Icedove, etc. come to mind as well).

Cheers,
 -- Guido
Re: unrealize mechanism in 9pfs
Hi,

> Could you paste the commands / libvirt configs you used to test this?

for handle:

  qemu -hda debian_wheezy_amd64_standard.qcow2 -fsdev handle,id=ninepfstest,path=/home/user/ -device virtio-9p-pci,fsdev=ninepfstest,mount_tag=ninepfstest

for proxy:

  qemu -hda debian_wheezy_amd64_standard.qcow2 -fsdev proxy,id=ninepfstest,path=/home/user/,sock_fd=1 -device virtio-9p-pci,fsdev=ninepfstest,mount_tag=ninepfstest

I've tested with several sock_fd values. For qemu-kvm, I've just replaced 'qemu' by 'kvm'.

You can find the 'debian_wheezy_amd64_standard.qcow2' image here[0].

The libvirt config files are the default ones. I used the official wheezy livecd[1] as test system. A tarred copy of the /etc/libvirt directory is in attachment.

Cheers,
Hugo

[0] https://people.debian.org/~aurel32/qemu/amd64/
[1] http://cdimage.debian.org/mirror/cdimage/archive/7.11.0-live/

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E

[Attachment: libvirt.tar.xz (application/xz)]
[Attachment: signature.asc (PGP signature)]
Re: unrealize mechanism in 9pfs
On Sun, Dec 18, 2016 at 09:55:55PM +0100, Hugo Lefeuvre wrote:
> Hi Guido,
>
> > We don't have virtfs-proxy-helper in wheezy so I think we don't need
> > to support the "proxy" case.
> >
> > As for "handle" did you check that it works in Wheezy including unplug?
> > If so please let me know and we can have a closer look.
> >
> > I've only used "local" so far which does not seem to be affected by the
> > CVEs.
>
> Hum, I wasn't expecting that. I did a quick test and it looks like handle
> is not working either. I get "fsdriver handle not found".
>
> Should I throw out my work and mark them unaffected? Could you test on
> your machine?

Could you paste the commands / libvirt configs you used to test this?

-- Guido
Re: unrealize mechanism in 9pfs
On Sat, Dec 17, 2016 at 10:29:57AM +0100, Hugo Lefeuvre wrote:
> Hi,
>
> I'm currently finishing my upload for qemu, and a question is
> remaining concerning the fix of CVE-2016-99{14,15,16}[0,1,2].
>
> It is clear to me that the 9pfs proxy/handle backend drivers may
> issue a memory leakage when unrealized (ctx->private not deallocated

We don't have virtfs-proxy-helper in wheezy so I think we don't need to
support the "proxy" case.

As for "handle" did you check that it works in Wheezy including unplug?
If so please let me know and we can have a closer look.

I've only used "local" so far which does not seem to be affected by the
CVEs.

Cheers,
 -- Guido

> for example). Thus, if they can be unrealized, we will need to
> implement a cleanup mechanism, as proposed in the upstream patch[3,4].
>
> In recent versions following the QOM model, the unrealize operation
> is implemented in 9p.c. It is not the case in the wheezy version,
> for which I can't find any function performing unrealize operations[5]
> (the current unrealize function got implemented in this commit[6]).
>
> So, I am having trouble defining whether it is possible to unrealize the
> 9pfs device in the wheezy version, and if yes, which method (if there's
> one) is handling it.
>
> Does anybody have an idea?
>
> Cheers,
> Hugo
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-9914
> [1] https://security-tracker.debian.org/tracker/CVE-2016-9915
> [2] https://security-tracker.debian.org/tracker/CVE-2016-9916
> [3] http://git.qemu.org/?p=qemu.git;a=commit;h=971f406b77a6eb84e0ad27dcc416b663765aee30
> [4] http://git.qemu.org/?p=qemu.git;a=commit;h=898ae90a44551d25b8e956fd87372d303c82fe68
> [5] For the record, the equivalent in wheezy of the modern realize function is
> virtio_9p_init in virtio-9p-device.c.
> [6] http://git.qemu.org/?p=qemu.git;a=commit;h=6cecf093735f2e5af7d0e29d957350320044e354
>
> -- 
> Hugo Lefeuvre (hle)|www.owl.eu.com
> 4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
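The leak Hugo describes in the quoted question (ctx->private allocated at realize and never released at unrealize) and the cleanup hook the upstream patches add, reduced to a stand-alone C model. This is an added example written for this page; it is not QEMU code and not from either participant. The names FsContext, FileOperations, private and cleanup are borrowed from the thread, but BackendPrivate, its fields, the init/cleanup bodies and the live_private counter are assumptions made for illustration only. A guest-triggerable hotplug/unplug loop is what turns such a leak into a host-side denial of service, so the model runs many cycles and counts what survives.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-backend state standing in for whatever the handle and
 * proxy backends keep behind ctx->private (illustrative, not QEMU's). */
typedef struct {
    int mountfd;   /* a real handle backend would keep the export's fd here */
    char *path;
} BackendPrivate;

typedef struct FsContext FsContext;

/* Backend operation table. The cleanup hook is the piece the upstream
 * patches add; a backend predating them has it set to NULL. */
typedef struct {
    int (*init)(FsContext *ctx, const char *path);
    void (*cleanup)(FsContext *ctx);
} FileOperations;

struct FsContext {
    void *private;
    const FileOperations *ops;
};

/* BackendPrivate blocks currently allocated; lets a caller observe the leak. */
static int live_private = 0;

static int backend_init(FsContext *ctx, const char *path)
{
    size_t len = strlen(path) + 1;
    BackendPrivate *p = calloc(1, sizeof(*p));
    if (!p) {
        return -1;
    }
    p->mountfd = -1;            /* no real open(2) in this model */
    p->path = malloc(len);
    if (!p->path) {
        free(p);
        return -1;
    }
    memcpy(p->path, path, len);
    ctx->private = p;
    live_private++;
    return 0;
}

static void backend_cleanup(FsContext *ctx)
{
    BackendPrivate *p = ctx->private;
    if (!p) {
        return;
    }
    free(p->path);
    free(p);
    ctx->private = NULL;
    live_private--;
}

/* Backend without a cleanup hook (pre-patch) and with one (patched). */
static const FileOperations ops_nohook = { backend_init, NULL };
static const FileOperations ops_fixed  = { backend_init, backend_cleanup };

static int device_realize(FsContext *ctx, const FileOperations *ops, const char *path)
{
    ctx->ops = ops;
    ctx->private = NULL;
    return ops->init(ctx, path);
}

/* Core unrealize before the fix: the backend is never asked to release
 * ctx->private, so every unplug leaks the block allocated at realize. */
static void device_unrealize_unpatched(FsContext *ctx)
{
    ctx->private = NULL;        /* last reference dropped, memory lost */
}

/* Core unrealize after the fix: call the backend's cleanup hook if present.
 * A backend that still lacks the hook (ops_nohook) keeps leaking. */
static void device_unrealize_fixed(FsContext *ctx)
{
    if (ctx->ops->cleanup) {
        ctx->ops->cleanup(ctx);
    }
}

/* Run n hotplug/unplug cycles; return how many private blocks survive. */
static int cycle(int n, const FileOperations *ops, void (*unrealize)(FsContext *))
{
    int i;
    live_private = 0;
    for (i = 0; i < n; i++) {
        FsContext ctx;
        if (device_realize(&ctx, ops, "/home/user") != 0) {
            return -1;
        }
        unrealize(&ctx);
    }
    return live_private;
}

int main(void)
{
    printf("unpatched core, hooked backend: %d leaked\n",
           cycle(1000, &ops_fixed, device_unrealize_unpatched));
    printf("fixed core, backend w/o hook:   %d leaked\n",
           cycle(1000, &ops_nohook, device_unrealize_fixed));
    printf("fixed core, hooked backend:     %d leaked\n",
           cycle(1000, &ops_fixed, device_unrealize_fixed));
    return 0;
}
```

Both halves have to land for the leak to close: a core unrealize that calls cleanup does nothing for a backend whose table has no hook, and a backend hook is never reached by a core that does not call it. That is the same reason the question above matters for Wheezy: if the 9pfs device cannot be unrealized at all in that version, neither path is ever exercised.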