Re: [OE-core] [kirkstone][PATCH] Qemu: Resolve undefined reference issue in CVE-2023-2861

2023-09-11 Thread Siddharth via lists.openembedded.org
I guess I missed the patch status. Apologies for that.

Thank you for updating me on the status.

Regards,
Siddharth

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#187477): 
https://lists.openembedded.org/g/openembedded-core/message/187477
Mute This Topic: https://lists.openembedded.org/mt/100951881/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [OE-core] [kirkstone][PATCH] Qemu: Resolve undefined reference issue in CVE-2023-2861

2023-09-08 Thread Steve Sakoman
On Thu, Sep 7, 2023 at 5:51 PM Siddharth via lists.openembedded.org wrote:
>
> Hi Team,
>
> Any updates for this patch?

The patch was accepted and is now in the kirkstone branch:

https://git.yoctoproject.org/poky/commit/?h=kirkstone&id=074ad15e1e34007997e58892daf759c8d6d9abff

Steve

> Regards,
> Siddharth
> 
>




Re: [OE-core] [kirkstone][PATCH] Qemu: Resolve undefined reference issue in CVE-2023-2861

2023-09-07 Thread Siddharth via lists.openembedded.org
Hi Team,

Any updates for this patch?

Regards,
Siddharth




Re: [OE-core] [kirkstone][PATCH] Qemu: Resolve undefined reference issue in CVE-2023-2861

2023-08-28 Thread Siddharth via lists.openembedded.org
Hi Steve,

Please find the detailed error log:
{{{
| [629/6213] Compiling C object libqemuutil.a.p/stubs_win32-kbd-hook.c.o
| [630/6213] Compiling C object libqemuutil.a.p/stubs_replay-tools.c.o
| [631/6213] Compiling C object fsdev/virtfs-proxy-helper.p/9p-marshal.c.o
| [632/6213] Compiling C object libqemuutil.a.p/stubs_xen-hw-stub.c.o
| [633/6213] Compiling C object fsdev/virtfs-proxy-helper.p/9p-iov-marshal.c.o
| [634/6213] Linking static target libqemuutil.a
| [635/6213] Compiling C object tests/qtest/libqos/libqos.fa.p/qos_external.c.o
| [636/6213] Compiling C object tests/qtest/libqos/libqos.fa.p/fw_cfg.c.o
| [637/6213] Compiling C object tests/qtest/libqos/libqos.fa.p/pci.c.o
| [638/6213] Compiling C object tests/qtest/libqos/libqos.fa.p/qgraph.c.o
| [639/6213] Compiling C object fsdev/virtfs-proxy-helper.p/virtfs-proxy-helper.c.o
| In file included from ../qemu-6.2.0/fsdev/virtfs-proxy-helper.c:29:
| /home/siddharth/tmp/work/../qemu/6.2.0-r0/qemu-6.2.0/hw/9pfs/9p-util.h: In function 'close_if_special_file':
| /home/siddharth/tmp/work/../qemu/6.2.0-r0/qemu-6.2.0/hw/9pfs/9p-util.h:46:9: warning: implicit declaration of function 'qemu_fstat' [-Wimplicit-function-declaration]
|    46 |     if (qemu_fstat(fd, ) < 0) {
|       |         ^~
| /home/siddharth/tmp/work/../qemu/6.2.0-r0/qemu-6.2.0/hw/9pfs/9p-util.h:46:9: warning: nested extern declaration of 'qemu_fstat' [-Wnested-externs]
| [640/6213] Compiling C object tests/qtest/libqos/libqos.fa.p/malloc-pc.c.o
| [641/6213] Linking target fsdev/virtfs-proxy-helper
| FAILED: fsdev/virtfs-proxy-helper
}}}

> 
> The fix patch mentions that the issue leads to "undefined symbol error
> on certain architectures", but doesn't identify which architectures 
> specifically.
> 
> 

- I am facing this on x86_64 and riscv architectures. At least these are the two 
which I tried on and got the same error.
- Logically looking at the code, it should ideally fail on any machine it is 
compiled on regardless of the architecture as the wrapper "qemu_fstat" is not 
defined anywhere in the code and is called.
- However, since I had not tested on all architectures, I couldn't tell about 
all the architectures.
- It definitely confused me more since it had passed autobuilder test, so I 
explicitly mentioned in certain architectures and not fails everywhere.

- Just building qemu with `PACKAGECONFIG:append = " libusb virtfs"` is enough 
to reproduce the error. At least that's what I am building it with.




Re: [OE-core] [kirkstone][PATCH] Qemu: Resolve undefined reference issue in CVE-2023-2861

2023-08-27 Thread Steve Sakoman
On Sat, Aug 26, 2023 at 10:08 PM Weihmann, Konrad (Avnet Embedded) wrote:
>
> Hi all,
>
>
>
> this mentioned patch is needed to fix the currently broken Yocto 4.0.12 
> release.
>
> Is there a plan to issue a hotfix tag release, or will this be part of the 
> next 4.0.13 in roughly 6 weeks?

The above referenced patch is in my current test queue. If all goes
well in testing it should be pushed to the poky kirkstone branch
mid-week.

> I’m also wondering how the original patch could have not failed at least two 
> times on the auto-builder (patch and release level).
> That might need to be investigated.

The fix patch mentions that the issue leads to "undefined symbol error
on certain architectures", but doesn't identify which architectures
specifically.

Siddharth, Archana: Do you know which architectures display the issue?

Once we know this, I can comment on why local and autobuilder testing
didn't catch this.  At this point all I can say is that none of the
architectures tested on my local machine or the autobuilder displayed
this issue.

Steve

> Regards
>
> Konrad
>
>
>




[OE-core][kirkstone][PATCH] Qemu: Resolve undefined reference issue in CVE-2023-2861

2023-08-25 Thread Siddharth via lists.openembedded.org
The commit [https://github.com/openembedded/openembedded-core/commit/9bd4ddeb4b5efc65b0514d50d6991211271924c1] 
backports fix for CVE-2023-2861 for version 6.2.0.
The 'qemu_fstat' in 'do_create_others' is not defined which leads to the 
undefined symbol error on certain architectures.

Also, the commit message says "(Mjt: drop adding qemu_fstat wrapper for 7.2 
where wrappers aren't used)". So either the wrapper has to be dropped or it has 
to be defined.

Hence, backported the main patch rather than the cherry picked one.

Signed-off-by: Siddharth Doshi 
---
 .../qemu/qemu/CVE-2023-2861.patch | 66 +++
 1 file changed, 37 insertions(+), 29 deletions(-)

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch
index 48f51f5d03..a86413fbad 100644
--- a/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch
@@ -1,14 +1,16 @@
-From 10fad73a2bf1c76c8aa9d6322755e5f877d83ce5 Mon Sep 17 00:00:00 2001
+From f6b0de53fb87ddefed348a39284c8e2f28dc4eda Mon Sep 17 00:00:00 2001
 From: Christian Schoenebeck 
-Date: Wed Jun 7 18:29:33 2023 +0200
-Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) The 9p
- protocol does not specifically define how server shall behave when client
- tries to open a special file, however from security POV it does make sense
- for 9p server to prohibit opening any special file on host side in general. A
- sane Linux 9p client for instance would never attempt to open a special file
- on host side, it would always handle those exclusively on its guest side. A
- malicious client however could potentially escape from the exported 9p tree
- by creating and opening a device file on host side.
+Date: Wed, 7 Jun 2023 18:29:33 +0200
+Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861)
+
+The 9p protocol does not specifically define how server shall behave when
+client tries to open a special file, however from security POV it does
+make sense for 9p server to prohibit opening any special file on host side
+in general. A sane Linux 9p client for instance would never attempt to
+open a special file on host side, it would always handle those exclusively
+on its guest side. A malicious client however could potentially escape
+from the exported 9p tree by creating and opening a device file on host
+side.
 
 With QEMU this could only be exploited in the following unsafe setups:
 
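Review bot: The new "From f6b0de53fb87ddefed348a39284c8e2f28dc4eda" line is the only place that identifies which upstream commit is now being carried; the commit message above just says "backported the main patch rather than the cherry picked one". Name that commit hash in the commit message so the change of source can be checked without reading the embedded patch header.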
@@ -32,19 +34,16 @@ Signed-off-by: Christian Schoenebeck 

 Reviewed-by: Greg Kurz 
 Reviewed-by: Michael Tokarev 
 Message-Id: 
-(cherry picked from commit f6b0de5)
-Signed-off-by: Michael Tokarev 
-(Mjt: drop adding qemu_fstat wrapper for 7.2 where wrappers aren't used)
-
-Upstream-Status: Backport 
[https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5]
 
+Upstream-Status: Backport from 
[https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5]
 CVE: CVE-2023-2861
 
 Signed-off-by: Archana Polampalli 
+Signed-off-by: Siddharth Doshi 
 ---
- fsdev/virtfs-proxy-helper.c | 27 --
- hw/9pfs/9p-util.h   | 38 +
- 2 files changed, 63 insertions(+), 2 deletions(-)
+ fsdev/virtfs-proxy-helper.c | 27 +++--
+ hw/9pfs/9p-util.h   | 40 +
+ 2 files changed, 65 insertions(+), 2 deletions(-)
 
 diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
 index 15c0e79b0..f9e4669a5 100644
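Review bot: The added "Upstream-Status: Backport from [...]" line still links to commit 10fad73a2bf1c76c8aa9d6322755e5f877d83ce5, which is the hash of the "From" line this change removes, while the new "From" line names f6b0de53fb87ddefed348a39284c8e2f28dc4eda and the "(cherry picked from commit f6b0de5)" trailer is dropped. Point the URL at the commit that is actually carried now. The added word "from" also departs from the "Backport [" form of the line it replaces; keeping that form leaves the tag as it was.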
@@ -56,12 +55,12 @@ index 15c0e79b0..f9e4669a5 100644
  #include "hw/9pfs/9p-proxy.h"
 +#include "hw/9pfs/9p-util.h"
  #include "fsdev/9p-iov-marshal.h"
-
+ 
  #define PROGNAME "virtfs-proxy-helper"
 @@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid)
  }
  }
-
+ 
 +/*
 + * Open regular file or directory. Attempts to open any special file are
 + * rejected.
@@ -106,22 +105,30 @@ index 15c0e79b0..f9e4669a5 100644
  ret = -errno;
  }
 diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
-index 546f46dc7..54e270ac6 100644
+index 546f46dc7..23000e917 100644
 --- a/hw/9pfs/9p-util.h
 +++ b/hw/9pfs/9p-util.h
-@@ -13,6 +13,8 @@
+@@ -13,12 +13,16 @@
  #ifndef QEMU_9P_UTIL_H
  #define QEMU_9P_UTIL_H
-
+ 
 +#include "qemu/error-report.h"
 +
  #ifdef O_PATH
  #define O_PATH_9P_UTIL O_PATH
  #else
-@@ -26,6 +28,38 @@ static inline void close_preserve_errno(int fd)
+ #define O_PATH_9P_UTIL 0
+ #endif
+ 
++#define qemu_fstat  fstat
++
+ static inline void close_preserve_errno(int fd)
+ {
+ int serrno = errno;
+@@ -26,6 +30,38 @@ static inline void close_preserve_errno(int fd)
  errno = serrno;
  }
-
+ 
 +/**
 + * close_if_special_file() - Close @fd if neither regular file nor directory.
 + *
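Review bot: Nothing in this hunk is architecture-specific: "#define qemu_fstat  fstat" is added to hw/9pfs/9p-util.h unconditionally, so the commit message's "undefined symbol error on certain architectures" does not describe what is being fixed. State the actual trigger in the commit message instead: the build log posted in this thread fails at "Linking target fsdev/virtfs-proxy-helper" after the implicit declaration of qemu_fstat in close_if_special_file, and the reproduction given there is a PACKAGECONFIG that includes virtfs.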
@@ -157,10 +164,10 @@ index 546f46dc7..54e270ac6 100644
  static inline int openat_dir(int dirfd, const char *name)
  {
  return openat(dirfd, name,
-@@ -56,6 +90,10 @@ again:
+@@ -56,6