From 764decebb9faba0cd09c84a816bafd7ba0ebfdcb Mon Sep 17 00:00:00 2001
From: yinyongkang <yinyongkang@kylinos.cn>
Date: Tue, 12 Jul 2022 09:47:06 +0800
Subject: [PATCH] fix CVE-2022-0358

---
 CVE-2022-0358.patch | 100 ++++++++++++++++++++++++++++++++++++++++++++
 qemu.spec           |   6 ++-
 2 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-0358.patch

diff --git a/CVE-2022-0358.patch b/CVE-2022-0358.patch
new file mode 100644
index 00000000..6f6ee458
--- /dev/null
+++ b/CVE-2022-0358.patch
@@ -0,0 +1,100 @@
+From 364518d7ff1042d52f7d3de1911c17a2eb4b2fbf Mon Sep 17 00:00:00 2001
+From: yinyongkang <yinyongkang@kylinos.cn>
+Date: Tue, 12 Jul 2022 09:40:39 +0800
+Subject: [PATCH] virtiofsd: Drop membership of all supplementary groups
+ (CVE-2022-0358)
+
+At the start, drop membership of all supplementary groups. This is
+not required.
+
+If we have membership of "root" supplementary group and when we switch
+uid/gid using setresuid/setsgid, we still retain membership of existing
+supplemntary groups. And that can allow some operations which are not
+normally allowed.
+
+For example, if root in guest creates a dir as follows.
+
+$ mkdir -m 03777 test_dir
+
+This sets SGID on dir as well as allows unprivileged users to write into
+this dir.
+
+And now as unprivileged user open file as follows.
+
+$ su test
+$ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755);
+
+This will create SGID set executable in test_dir/.
+
+And that's a problem because now an unpriviliged user can execute it,
+get egid=0 and get access to resources owned by "root" group. This is
+privilege escalation.
+
+Fixes: CVE-2022-0358
+Reported-by: default avatarJIETAO XIAO <shawtao1125@gmail.com>
+Suggested-by: Miklos Szeredi's avatarMiklos Szeredi <mszeredi@redhat.com>
+Reviewed-by: Stefan Hajnoczi's avatarStefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert's avatarDr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Vivek Goyal's avatarVivek Goyal <vgoyal@redhat.com>
+Message-Id: <YfBGoriS38eBQrAb@redhat.com>
+Signed-off-by: Dr. David Alan Gilbert's avatarDr. David Alan Gilbert <dgilbert@redhat.com>
+  dgilbert: Fixed missing {}'s style nit
+---
+ tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index 64b5b4fbb..b3d0674f6 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -54,6 +54,7 @@
+ #include <sys/wait.h>
+ #include <sys/xattr.h>
+ #include <syslog.h>
++#include <grp.h>
+ 
+ #include "qemu/cutils.h"
+ #include "passthrough_helpers.h"
+@@ -1161,6 +1162,30 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
+ #define OURSYS_setresuid SYS_setresuid
+ #endif
+ 
++static void drop_supplementary_groups(void)
++{
++    int ret;
++
++    ret = getgroups(0, NULL);
++    if (ret == -1) {
++        fuse_log(FUSE_LOG_ERR, "getgroups() failed with error=%d:%s\n",
++                 errno, strerror(errno));
++        exit(1);
++    }
++
++    if (!ret) {
++        return;
++    }
++
++    /* Drop all supplementary groups. We should not need it */
++    ret = setgroups(0, NULL);
++    if (ret == -1) {
++        fuse_log(FUSE_LOG_ERR, "setgroups() failed with error=%d:%s\n",
++                 errno, strerror(errno));
++        exit(1);
++    }
++}
++
+ /*
+  * Change to uid/gid of caller so that file is created with
+  * ownership of caller.
+@@ -3926,6 +3951,8 @@ int main(int argc, char *argv[])
+ 
+     qemu_init_exec_dir(argv[0]);
+ 
++    drop_supplementary_groups();
++
+     pthread_mutex_init(&lo.mutex, NULL);
+     lo.inodes = g_hash_table_new(lo_key_hash, lo_key_equal);
+     lo.root.fd = -1;
+-- 
+2.33.0
+
diff --git a/qemu.spec b/qemu.spec
index db721b8c..ea76c380 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 6.2.0
-Release: 41
+Release: 42
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -280,6 +280,7 @@ Patch0266: hw-audio-intel-hda-Do-not-ignore-DMA-overrun-errors.patch
 Patch0267: hw-audio-intel-hda-Restrict-DMA-engine-to-memories-n.patch
 Patch0268: tests-qtest-intel-hda-test-Add-reproducer-for-issue-.patch
 Patch0269: hw-nvme-fix-CVE-2021-3929.patch
+Patch0270: CVE-2022-0358.patch
 
 BuildRequires: flex
 BuildRequires: gcc
@@ -782,6 +783,9 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Tue Jul 12 2022 yinyongkang <yinyongkang@kylinos.cn> - 2:6.2.0-42
+- fix CVE-2022-0358
+
 * Wed Jun 22 2022 yezengruan <yezengruan@huawei.com> - 2:6.2.0-41
 - hw/nvme: fix CVE-2021-3929
 
-- 
Gitee