Bastian Blank
2008-Dec-24 12:51 UTC
[Pkg-xen-changes] r612 - in trunk/xen-3/debian: . patches
Author: waldi Date: Wed Dec 24 12:51:50 2008 New Revision: 612 Log: Fix disk format vulnerability. See: CVE-2008-2004 * debian/changelog: Update. * debian/patches/series: Add new patches. * debian/patches/CVE-2008-2004.1.diff, debian/patches/CVE-2008-2004.2.diff, debian/patches/CVE-2008-2004.3.diff: Add. Added: trunk/xen-3/debian/patches/CVE-2008-2004.1.diff trunk/xen-3/debian/patches/CVE-2008-2004.2.diff trunk/xen-3/debian/patches/CVE-2008-2004.3.diff Modified: trunk/xen-3/debian/changelog trunk/xen-3/debian/patches/series Modified: trunk/xen-3/debian/changelog =============================================================================--- trunk/xen-3/debian/changelog (original) +++ trunk/xen-3/debian/changelog Wed Dec 24 12:51:50 2008 @@ -1,7 +1,11 @@ xen-3 (3.2.1-3) UNRELEASED; urgency=low [ Bastian Blank ] - * Remove useless qemu-dm.debug script. (Closes: #496367) + * Remove useless qemu-dm.debug script. (closes: #496367) + + [ Thomas Viehmann ] + * Fix disk format vulnerability. (closes: #490409) + See: CVE-2008-2004 -- Julien Danjou <acid at debian.org> Mon, 25 Aug 2008 10:01:29 +0200 Added: trunk/xen-3/debian/patches/CVE-2008-2004.1.diff =============================================================================--- (empty file) +++ trunk/xen-3/debian/patches/CVE-2008-2004.1.diff Wed Dec 24 12:51:50 2008 
@@ -0,0 +1,128 @@ + +# HG changeset patch +# User Keir Fraser <keir.fraser at citrix.com> +# Date 1210688387 -3600 +# Node ID 80730d294e51e39a7f8f58708d1de2f735001392 +# Parent fd285b18158e8bc355ac036cf9d305d06bbfbce3 +ioemu: fix disk format security vulnerability + +* make the xenstore reader in qemu-dm''s startup determine which + of qemu''s block drivers to use according to the xenstore + backend `type'' field. This `type'' field typically comes from + the front of the drive mapping string in ioemu. The + supported cases are: + xm config file string `type'' image format qemu driver + phy:[/dev/]<device> phy raw image bdrv_raw + file:<filename> file raw image bdrv_raw + tap:aio:<filename> tap raw image bdrv_raw + tap:qcow:<image> tap not raw autoprobe + tap:<cow-fmt>:<image> tap named format bdrv_<cow-fmt> + It is still necessary to autoprobe when the image is specified as + `tap:qcow:<image>'', because qemu distinguishes `qcow'' and `qcow2'' + whereas blktap doesn''t; `qcow'' in xenstore typically means what + qemu calls qcow2. This is OK because qemu can safely distinguish + the different cow formats provided we know it''s not a raw image. + +* Make the format autoprobing machinery never return `raw''. This has + two purposes: firstly, it arranges that the `tap:qcow:...'' case + above can be handled without accidentally falling back to raw + format. Secondly it prevents accidents in case the code changes in + future: autoprobing will now always fail on supposed cow files which + actually contain junk, rather than giving the guest access to the + underlying file. 
+ +Signed-off-by: Ian Jackson <ian.jackson at eu.citrix.com> +xen-unstable changeset: 17606:e3be00bd6aa963aca563692c271af762f9380ba0 +xen-unstable date: Mon May 12 10:09:12 2008 +0100 + +--- a/tools/ioemu/block.c Tue May 13 15:16:59 2008 +0100 ++++ b/tools/ioemu/block.c Tue May 13 15:19:47 2008 +0100 +@@ -250,7 +250,7 @@ static BlockDriver *find_protocol(const + #endif + p = strchr(filename, '':''); + if (!p) +- return &bdrv_raw; ++ return NULL; /* do not ever guess raw, it is a security problem! */ + len = p - filename; + if (len > sizeof(protocol) - 1) + len = sizeof(protocol) - 1; +--- a/tools/ioemu/xenstore.c Tue May 13 15:16:59 2008 +0100 ++++ b/tools/ioemu/xenstore.c Tue May 13 15:19:47 2008 +0100 +@@ -86,6 +86,7 @@ void xenstore_parse_domain_config(int do + int i, is_scsi, is_hdN = 0; + unsigned int len, num, hd_index; + BlockDriverState *bs; ++ BlockDriver *format; + + for(i = 0; i < MAX_DISKS + MAX_SCSI_DISKS; i++) + media_filename[i] = NULL; +@@ -131,6 +132,8 @@ void xenstore_parse_domain_config(int do + } + + for (i = 0; i < num; i++) { ++ format = NULL; /* don''t know what the format is yet */ ++ + /* read the backend path */ + if (pasprintf(&buf, "%s/device/vbd/%s/backend", path, e[i]) == -1) + continue; +@@ -177,13 +180,20 @@ void xenstore_parse_domain_config(int do + drv = xs_read(xsh, XBT_NULL, buf, &len); + if (drv == NULL) + continue; +- /* Strip off blktap sub-type prefix aio: - QEMU can autodetect this */ ++ /* Obtain blktap sub-type prefix */ + if (!strcmp(drv, "tap") && params[0]) { + char *offset = strchr(params, '':''); + if (!offset) + continue ; ++ free(drv); ++ drv = malloc(offset - params + 1); ++ memcpy(drv, params, offset - params); ++ drv[offset - params] = ''\0''; ++ if (!strcmp(drv, "aio")) ++ /* qemu does aio anyway if it can */ ++ format = &bdrv_raw; + memmove(params, offset+1, strlen(offset+1)+1 ); +- fprintf(logfile, "Strip off blktap sub-type prefix to %s\n", params); ++ fprintf(logfile, "Strip off blktap sub-type prefix to %s 
(drv ''%s'')\n", params, drv); + } + /* Prefix with /dev/ if needed */ + if (!strcmp(drv, "phy") && params[0] != ''/'') { +@@ -191,6 +201,7 @@ void xenstore_parse_domain_config(int do + sprintf(newparams, "/dev/%s", params); + free(params); + params = newparams; ++ format = &bdrv_raw; + } + + /* +@@ -227,9 +238,25 @@ void xenstore_parse_domain_config(int do + + /* open device now if media present */ + if (params[0]) { +- if (bdrv_open(bs, params, 0 /* snapshot */) < 0) +- fprintf(stderr, "qemu: could not open hard disk image ''%s''\n", +- params); ++ if (!format) { ++ if (!drv) { ++ fprintf(stderr, "qemu: type (image format) not specified for vbd ''%s'' or image ''%s''\n", buf, params); ++ continue; ++ } ++ if (!strcmp(drv,"qcow")) { ++ /* autoguess qcow vs qcow2 */ ++ } else if (!strcmp(drv,"file")) { ++ format = &bdrv_raw; ++ } else { ++ format = bdrv_find_format(drv); ++ if (!format) { ++ fprintf(stderr, "qemu: type (image format) ''%s'' unknown for vbd ''%s'' or image ''%s''\n", drv, buf, params); ++ continue; ++ } ++ } ++ } ++ if (bdrv_open2(bs, params, 0 /* snapshot */, format) < 0) ++ fprintf(stderr, "qemu: could not open vbd ''%s'' or hard disk image ''%s'' (drv ''%s'')\n", buf, params, drv ? drv : "?"); + } + } + + Added: trunk/xen-3/debian/patches/CVE-2008-2004.2.diff =============================================================================--- (empty file) +++ trunk/xen-3/debian/patches/CVE-2008-2004.2.diff Wed Dec 24 12:51:50 2008 
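Review bot: The added `drv = malloc(offset - params + 1);` in the blktap sub-type branch is followed directly by `memcpy(drv, params, offset - params);` with no NULL check, so an allocation failure during qemu-dm startup becomes a write through a null pointer. Add `if (!drv) continue;` right after the allocation, in line with the `continue` this loop already uses when `xs_read` or `strchr` fails. The body of xenstore_parse_domain_config extends beyond the visible hunks, so whether `params` is released on that path cannot be confirmed from here.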
@@ -0,0 +1,16 @@
+
+--- a/tools/ioemu/xenstore.c Tue May 13 15:19:47 2008 +0100
++++ b/tools/ioemu/xenstore.c Wed May 14 09:12:27 2008 +0100
+@@ -245,7 +245,7 @@ void xenstore_parse_domain_config(int do
+ }
+ if (!strcmp(drv,"qcow")) {
+ /* autoguess qcow vs qcow2 */
+- } else if (!strcmp(drv,"file")) {
++ } else if (!strcmp(drv,"file") || !strcmp(drv,"phy")) {
+ format = &bdrv_raw;
+ } else {
+ format = bdrv_find_format(drv);
+
+
+
+
Added: trunk/xen-3/debian/patches/CVE-2008-2004.3.diff
=============================================================================
--- (empty file)
+++ trunk/xen-3/debian/patches/CVE-2008-2004.3.diff Wed Dec 24 12:51:50 2008
@@ -0,0 +1,110 @@ + +# HG changeset patch +# User Keir Fraser <keir.fraser at citrix.com> +# Date 1210860689 -3600 +# Node ID 0016f5a1dd5a1622bcc66b82d2ef9bf4d36e88e3 +# Parent aee5dc4a4a37005994c9ea7e9eab73043f30cb2c +ioemu: Do not try to guess backing file format when using qcow vbds. +Signed-off-by: Ian Jackson <Ian.Jackson at eu.citrix.com> +xen-unstable changeset: 17646:e3b13e1ecf6ca61b84c8bdf5ae3e961268c920f5 +xen-unstable date: Thu May 15 15:10:05 2008 +0100 + +--- a/tools/ioemu/block.c Thu May 15 09:59:19 2008 +0100 ++++ b/tools/ioemu/block.c Thu May 15 15:11:29 2008 +0100 +@@ -236,8 +236,28 @@ static int is_windows_drive(const char * + } + #endif + ++static int bdrv_invalid_protocol_open(BlockDriverState *bs, ++ const char *filename, int flags) { ++ return -ENOENT; ++} ++ ++static BlockDriver bdrv_invalid_protocol = { ++ "invalid_protocol", ++ .bdrv_open = bdrv_invalid_protocol_open, ++}; ++ + static BlockDriver *find_protocol(const char *filename) + { ++ /* Return values: ++ * &bdrv_xxx ++ * filename specifies protocol xxx ++ * caller should use that ++ * NULL filename does not specify any protocol ++ * caller may apply their own default ++ * &bdrv_invalid_protocol filename speciies an unknown protocol ++ * caller should return -ENOENT; or may just try to open with ++ * that bdrv, which always fails that way. ++ */ + BlockDriver *drv1; + char protocol[128]; + int len; +@@ -250,7 +270,7 @@ static BlockDriver *find_protocol(const + #endif + p = strchr(filename, '':''); + if (!p) +- return NULL; /* do not ever guess raw, it is a security problem! */ ++ return NULL; + len = p - filename; + if (len > sizeof(protocol) - 1) + len = sizeof(protocol) - 1; +@@ -261,7 +281,7 @@ static BlockDriver *find_protocol(const + !strcmp(drv1->protocol_name, protocol)) + return drv1; + } +- return NULL; ++ return &bdrv_invalid_protocol; + } + + /* XXX: force raw format if block or character device ? 
It would +@@ -291,8 +311,8 @@ static BlockDriver *find_image_format(co + #endif + + drv = find_protocol(filename); +- /* no need to test disk image formats for vvfat */ +- if (drv == &bdrv_vvfat) ++ /* no need to test disk image format if the filename told us */ ++ if (drv != NULL) + return drv; + + ret = bdrv_file_open(&bs, filename, BDRV_O_RDONLY); +@@ -386,7 +406,7 @@ int bdrv_open2(BlockDriverState *bs, con + if (flags & BDRV_O_FILE) { + drv = find_protocol(filename); + if (!drv) +- return -ENOENT; ++ drv = &bdrv_raw; + } else { + if (!drv) { + drv = find_image_format(filename); +@@ -434,7 +454,7 @@ int bdrv_open2(BlockDriverState *bs, con + } + path_combine(backing_filename, sizeof(backing_filename), + filename, bs->backing_file); +- if (bdrv_open(bs->backing_hd, backing_filename, 0) < 0) ++ if (bdrv_open2(bs->backing_hd, backing_filename, 0, &bdrv_raw) < 0) + goto fail; + } + +--- a/tools/ioemu/xenstore.c Thu May 15 09:59:19 2008 +0100 ++++ b/tools/ioemu/xenstore.c Thu May 15 15:11:29 2008 +0100 +@@ -247,6 +247,8 @@ void xenstore_parse_domain_config(int do + /* autoguess qcow vs qcow2 */ + } else if (!strcmp(drv,"file") || !strcmp(drv,"phy")) { + format = &bdrv_raw; ++ } else if (!strcmp(drv,"phy")) { ++ format = &bdrv_raw; + } else { + format = bdrv_find_format(drv); + if (!format) { +@@ -256,7 +258,7 @@ void xenstore_parse_domain_config(int do + } + } + if (bdrv_open2(bs, params, 0 /* snapshot */, format) < 0) +- fprintf(stderr, "qemu: could not open vbd ''%s'' or hard disk image ''%s'' (drv ''%s'')\n", buf, params, drv ? drv : "?"); ++ fprintf(stderr, "qemu: could not open vbd ''%s'' or hard disk image ''%s'' (drv ''%s'' format ''%s'')\n", buf, params, drv ? drv : "?", format ? format->format_name : "0"); + } + } + + Modified: trunk/xen-3/debian/patches/series =============================================================================--- trunk/xen-3/debian/patches/series (original) +++ trunk/xen-3/debian/patches/series Wed Dec 24 12:51:50 2008 
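Review bot: In the xenstore.c hunk at -247, the added `} else if (!strcmp(drv,"phy")) {` branch is unreachable, because the condition just above it, `!strcmp(drv,"file") || !strcmp(drv,"phy")`, already matches "phy"; drop the two added lines so the raw-format decision lives in one place. In block.c, `find_protocol` loses the comment that explained why raw must not be guessed, while `bdrv_open2` gains `drv = &bdrv_raw;` for the `BDRV_O_FILE` case and opens every backing file with `&bdrv_raw`; a comment at both sites, for example `/* format is fixed here, never probed from image contents (CVE-2008-2004) */`, would keep that reasoning next to the code. The new return-value comment also has a typo (`speciies`). All of these functions start or end outside the visible hunks, so the callers that reach the `BDRV_O_FILE` fallback should be checked against the full file.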
@@ -17,3 +17,6 @@
 doc-remove-unused.diff
 tools-blktap-crypto.patch
 tools-ioemu-debug.diff
+CVE-2008-2004.1.diff
+CVE-2008-2004.2.diff
+CVE-2008-2004.3.diff