diff --git a/kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch b/kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch
new file mode 100644
index 0000000000000000000000000000000000000000..152032b2207a82ed9cd1190a6bd3633fc4609664
--- /dev/null
+++ b/kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch
@@ -0,0 +1,111 @@
+From 746e07f2d54908296dde64e97e12ea33a35063e0 Mon Sep 17 00:00:00 2001
+From: Vivek Goyal
+Date: Tue, 25 Jan 2022 13:51:14 -0500
+Subject: [PATCH] virtiofsd: Drop membership of all supplementary groups
+ (CVE-2022-0358)
+
+RH-Author: Dr. David Alan Gilbert
+RH-MergeRequest: 106: 8.5.0z non-av; virtiofsd security fix - drop secondary groups
+RH-Commit: [1/1] e39df0b31f3c236675262395b94d5c10e8e3073f
+RH-Bugzilla: 2048627
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Laszlo Ersek
+RH-Acked-by: Vivek Goyal
+
+At the start, drop membership of all supplementary groups. This is
+not required.
+
+If we have membership of "root" supplementary group and when we switch
+uid/gid using setresuid/setsgid, we still retain membership of existing
+supplemntary groups. And that can allow some operations which are not
+normally allowed.
+
+For example, if root in guest creates a dir as follows.
+
+$ mkdir -m 03777 test_dir
+
+This sets SGID on dir as well as allows unprivileged users to write into
+this dir.
+
+And now as unprivileged user open file as follows.
+
+$ su test
+$ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755);
+
+This will create SGID set executable in test_dir/.
+
+And that's a problem because now an unpriviliged user can execute it,
+get egid=0 and get access to resources owned by "root" group. This is
+privilege escalation.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863
+Fixes: CVE-2022-0358
+Reported-by: JIETAO XIAO
+Suggested-by: Miklos Szeredi
+Reviewed-by: Stefan Hajnoczi
+Reviewed-by: Dr. David Alan Gilbert
+Signed-off-by: Vivek Goyal
+Message-Id:
+Signed-off-by: Dr. David Alan Gilbert
+ dgilbert: Fixed missing {}'s style nit
+(cherry picked from commit 449e8171f96a6a944d1f3b7d3627ae059eae21ca)
+ dgilbert: Minor fixup around #includes on backport
+---
+ tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index b47029da89..578131179c 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -63,6 +63,7 @@
+#include
+#include
+#include
++#include
+
+#include "passthrough_helpers.h"
+#include "seccomp.h"
+@@ -1058,6 +1059,30 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
+ #define OURSYS_setresuid SYS_setresuid
+ #endif
+
++static void drop_supplementary_groups(void)
++{
++ int ret;
++
++ ret = getgroups(0, NULL);
++ if (ret == -1) {
++ fuse_log(FUSE_LOG_ERR, "getgroups() failed with error=%d:%s\n",
++ errno, strerror(errno));
++ exit(1);
++ }
++
++ if (!ret) {
++ return;
++ }
++
++ /* Drop all supplementary groups. We should not need it */
++ ret = setgroups(0, NULL);
++ if (ret == -1) {
++ fuse_log(FUSE_LOG_ERR, "setgroups() failed with error=%d:%s\n",
++ errno, strerror(errno));
++ exit(1);
++ }
++}
++
+ /*
+ * Change to uid/gid of caller so that file is created with
+ * ownership of caller.
+@@ -3010,6 +3035,8 @@ int main(int argc, char *argv[])
+ /* Don't mask creation mode, kernel already did that */
+ umask(0);
+
++drop_supplementary_groups();
++
+ pthread_mutex_init(&lo.mutex, NULL);
+ lo.inodes = g_hash_table_new(lo_key_hash, lo_key_equal);
+ lo.root.fd = -1;
+-- 
+2.27.0
+
diff --git a/qemu-kvm.spec b/qemu-kvm.spec
index 2ebe8a1be53c6ecf49d1007309f187a238fd6e94..8bfffac267c3065e738bf8cf9a3e9e573107b221 100644
--- a/qemu-kvm.spec
+++ b/qemu-kvm.spec
@@ -1,4 +1,4 @@
-%define anolis_release .0.2
+%define anolis_release .0.1
 %global SLOF_gittagdate 20191022
 %global SLOF_gittagcommit 899d9883
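Review bot: In `drop_supplementary_groups()` the early return on `getgroups(0, NULL) == 0` and the fatal `exit(1)` when `setgroups(0, NULL)` fails are both deliberate but unexplained; the existing `/* Drop all supplementary groups. We should not need it */` comment says what is done, not why it must not be skipped. Suggest a comment on the `setgroups()` call noting that it needs CAP_SETGID, that failing closed is intended because the later setresuid/setresgid switch would otherwise retain the inherited groups (the escalation path the commit message describes), and that the preceding `getgroups()` check exists only to skip the call when there is nothing to drop. The call site in `main()` sits right after `umask(0)`; since the file includes seccomp.h, it presumably has to stay ahead of any seccomp filter installation that does not allow the setgroups syscall, which is outside this hunk. `main()` starts and ends outside the hunk.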
@@ -68,7 +68,7 @@ Obsoletes: %1-rhev <= %{epoch}:%{version}-%{release}
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 4.2.0
-Release: 59%{anolis_release}%{?dist}.1
+Release: 59%{anolis_release}%{?dist}.2
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
@@ -1253,6 +1253,8 @@ Patch544: kvm-scsi-make-io_timeout-configurable.patch
 Patch545: kvm-hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
 # For bz#2025011 - CVE-2021-20257 virt:rhel/qemu-kvm: QEMU: net: e1000: infinite loop while processing transmit descriptors [rhel-8.5.0.z]
 Patch546: kvm-e1000-fix-tx-re-entrancy-problem.patch
+# For bz#2048627 - CVE-2022-0358 virt:rhel/qemu-kvm: QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405 [rhel-8.5.0.z]
+Patch547: kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch
 # Begin: Anolis customized patches
 # backport patch from upstream
@@ -2208,12 +2210,15 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ %changelog -* Thu Jan 20 2022 Weitao Zhou - 4.2.0-59.0.2.1 +* Tue Mar 15 2022 Weitao Zhou - 4.2.0-59.0.2.1 - Fix gcc10 build issue - -* Fri Dec 24 2021 Jacob Wang - 4.2.0-59.0.1.1 - Adjust limit for virtiofsd minor version +* Tue Feb 08 2022 Jon Maloy - 4.2.0-59.el8_5.2 +- kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch [bz#2048627] +- Resolves: bz#2048627 + (CVE-2022-0358 virt:rhel/qemu-kvm: QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405 [rhel-8.5.0.z]) + * Thu Nov 25 2021 Jon Maloy - 4.2.0-59.el8_5 - kvm-hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch [bz#2025605] - kvm-e1000-fix-tx-re-entrancy-problem.patch [bz#2025011]