poky/meta/recipes-devtools/qemu/qemu/CVE-2018-15746.patch - openbmc/openbmc - Gitiles

 From 9acf4c64dd4560bd268006d7356c7455fab7e5b1 Mon Sep 17 00:00:00 2001
 From: Changqing Li <changqing.li@windriver.com>
 Date: Thu, 6 Sep 2018 14:52:12 +0800
 Subject: [PATCH] seccomp: set the seccomp filter to all threads
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 When using "-seccomp on", the seccomp policy is only applied to the
 main thread, the vcpu worker thread and other worker threads created
 after seccomp policy is applied; the seccomp policy is not applied to
 e.g. the RCU thread because it is created before the seccomp policy is
 applied and SECCOMP_FILTER_FLAG_TSYNC isn't used.

 This can be verified with
 for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done
 Seccomp:	2
 Seccomp:	0
 Seccomp:	0
 Seccomp:	2
 Seccomp:	2
 Seccomp:	2

 Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use
 seccomp_attr_set(ctx, > SCMP_FLTATR_CTL_TSYNC, 1) to update the policy
 on all threads.

 libseccomp requirement was bumped to 2.2.0 in previous patch.
 libseccomp should fail to set the filter if it can't honour
 SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on
 kernel < 3.17.

 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
 Acked-by: Eduardo Otubo <otubo@redhat.com>

 Upstream-Status: Backport[https://github.com/qemu/qemu/commit/
 70dfabeaa79ba4d7a3b699abe1a047c8012db114#diff-18106d3b47a2d249f9d41e772b7db22d]

 CVE: CVE-2018-15746

 Signed-off-by: Changqing Li <changqing.li@windriver.com>
 ---
  qemu-seccomp.c | 5 +++++
  1 file changed, 5 insertions(+)

 diff --git a/qemu-seccomp.c b/qemu-seccomp.c
 index 9cd8eb9..ba5500a 100644
 --- a/qemu-seccomp.c
 +++ b/qemu-seccomp.c
 @@ -120,6 +120,11 @@ static int seccomp_start(uint32_t seccomp_opts)
          goto seccomp_return;
      }

 +    rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
 +    if (rc != 0) {
 +        goto seccomp_return;
 +    }
 +
      for (i = 0; i < ARRAY_SIZE(blacklist); i++) {
          if (!(seccomp_opts & blacklist[i].set)) {
              continue;
 --
 2.7.4
	From 9acf4c64dd4560bd268006d7356c7455fab7e5b1 Mon Sep 17 00:00:00 2001
	From: Changqing Li <changqing.li@windriver.com>
	Date: Thu, 6 Sep 2018 14:52:12 +0800
	Subject: [PATCH] seccomp: set the seccomp filter to all threads
	MIME-Version: 1.0
	Content-Type: text/plain; charset=UTF-8
	Content-Transfer-Encoding: 8bit

	When using "-seccomp on", the seccomp policy is only applied to the
	main thread, the vcpu worker thread and other worker threads created
	after seccomp policy is applied; the seccomp policy is not applied to
	e.g. the RCU thread because it is created before the seccomp policy is
	applied and SECCOMP_FILTER_FLAG_TSYNC isn't used.

	This can be verified with
	for task in /proc/`pidof qemu`/task/*; do cat $task/status \| grep Secc ; done
	Seccomp: 2
	Seccomp: 0
	Seccomp: 0
	Seccomp: 2
	Seccomp: 2
	Seccomp: 2

	Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use
	seccomp_attr_set(ctx, > SCMP_FLTATR_CTL_TSYNC, 1) to update the policy
	on all threads.

	libseccomp requirement was bumped to 2.2.0 in previous patch.
	libseccomp should fail to set the filter if it can't honour
	SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on
	kernel < 3.17.

	Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
	Acked-by: Eduardo Otubo <otubo@redhat.com>

	Upstream-Status: Backport[https://github.com/qemu/qemu/commit/
	70dfabeaa79ba4d7a3b699abe1a047c8012db114#diff-18106d3b47a2d249f9d41e772b7db22d]

	CVE: CVE-2018-15746

	Signed-off-by: Changqing Li <changqing.li@windriver.com>
	---
	qemu-seccomp.c \| 5 +++++
	1 file changed, 5 insertions(+)

	diff --git a/qemu-seccomp.c b/qemu-seccomp.c
	index 9cd8eb9..ba5500a 100644
	--- a/qemu-seccomp.c
	+++ b/qemu-seccomp.c
	@@ -120,6 +120,11 @@ static int seccomp_start(uint32_t seccomp_opts)
	goto seccomp_return;
	}

	+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
	+ if (rc != 0) {
	+ goto seccomp_return;
	+ }
	+
	for (i = 0; i < ARRAY_SIZE(blacklist); i++) {
	if (!(seccomp_opts & blacklist[i].set)) {
	continue;
	--
	2.7.4