qemu: CVE-2018-15746: seccomp: blacklist is not applied to all threads

Debian Bug report logs - #907500


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 28 Aug 2018 19:57:04 UTC

Severity: important

Tags: security, upstream

Found in versions qemu/1:2.12+dfsg-2, qemu/1:2.8+dfsg-6

Fixed in version qemu/1:3.1+dfsg-1

Done: Michael Tokarev <mjt@tls.msk.ru>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#907500; Package src:qemu. (Tue, 28 Aug 2018 19:57:07 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Tue, 28 Aug 2018 19:57:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: qemu: CVE-2018-15746: seccomp: blacklist is not applied to all threads
Date: Tue, 28 Aug 2018 21:52:40 +0200
Source: qemu
Version: 1:2.12+dfsg-2
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for qemu.

CVE-2018-15746[0]:
seccomp: blacklist is not applied to all threads

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-15746
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15746
[1] https://lists.gnu.org/archive/html/qemu-devel/2018-08/msg04892.html
[2] https://lists.gnu.org/archive/html/qemu-devel/2018-08/msg02289.html

Please adjust the affected versions in the BTS as needed. seccomp
support is enabled for the Debian builds only starting from
1:2.12+dfsg-2, issue would be present already before source-wise, but
going to mark the issue as no-dsa for older versions.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#907500; Package src:qemu. (Wed, 29 Aug 2018 05:30:02 GMT) (full text, mbox, link).


Acknowledgement sent to Christian Ehrhardt <christian.ehrhardt@canonical.com>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Wed, 29 Aug 2018 05:30:02 GMT) (full text, mbox, link).


Message #10 received at 907500@bugs.debian.org (full text, mbox, reply):

From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
To: 907500@bugs.debian.org
Subject: Seccomp enabled much earlier
Date: Wed, 29 Aug 2018 07:26:56 +0200
Hi,
quote:
"seccomp support is enabled for the Debian builds only starting from
1:2.12+dfsg-2, issue would be present already before source-wise, but going
to mark the issue as no-dsa for older versions"

IMHO I'd think it is enabled since 1.3.0+dfsg-2exp quite a while back.
The latter changes are sometimes enabling additional architectures, but
"enabled" and thereby potentially affected it was way more back in time.

Picking a random build log in unstable of 2014 [1] has --enable-seccomp as
well as later on the proper detection on the configure run
  seccomp support   yes

[1]:
https://buildd.debian.org/status/fetch.php?pkg=qemu&arch=amd64&ver=2.0.0%2Bdfsg-6%2Bb1&stamp=1402079442&raw=0

-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#907500; Package src:qemu. (Wed, 29 Aug 2018 05:54:05 GMT) (full text, mbox, link).


Acknowledgement sent to Christian Ehrhardt <christian.ehrhardt@canonical.com>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Wed, 29 Aug 2018 05:54:05 GMT) (full text, mbox, link).


Message #15 received at 907500@bugs.debian.org (full text, mbox, reply):

From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
To: 907500@bugs.debian.org
Subject: Further details on seccomp enablement
Date: Wed, 29 Aug 2018 07:49:39 +0200
In my former mail I outlined when the feature was "available and built in".
But used by default it was only much later.

IIRC qemu 2.11 (1bd6152a) switched from a huge whitelist to a blacklist and
to filtering by default.

Furthermore, since libvirt 4.3 (3527f9dd) libvirt will enable more of the
modular blacklists by default if >=qemu 2.11 is detected.

But even being default off, people could switch it on all the time per
command-line or via libvirt per seccomp_sandbox= in /etc/libvirt/qemu.conf



-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#907500; Package src:qemu. (Wed, 29 Aug 2018 06:39:02 GMT) (full text, mbox, link).


Acknowledgement sent to Christian Ehrhardt <christian.ehrhardt@canonical.com>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Wed, 29 Aug 2018 06:39:02 GMT) (full text, mbox, link).


Message #20 received at 907500@bugs.debian.org (full text, mbox, reply):

From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
To: 907500@bugs.debian.org
Subject: checked: default on >=2.12 and available earlier
Date: Wed, 29 Aug 2018 08:36:38 +0200
To summarize my checks, by default it only is on since the further reworks
in qemu 2.12.
I checked manual calls and libvirt spawned qemu with earlier versions and
they had not used the sandbox feature.

Although as mentioned per the config in /etc/libvirt/qemu.conf or via the
-sandbox switch this could have been used way back in older releases.

There is a useful one line check for the bug without the need to spawn
anything via libvirt or such:

  qemu-system-x86_64 -sandbox on -nographic & pid=$!
  sleep 2s
  echo PID $pid
  for task in /proc/$pid/task/*; do grep Seccomp "$task/status"; done
  kill -9 $pid

Will report like:
PID 23230
Seccomp:        2
Seccomp:        0

And the two lines should match

-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
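The per-thread check from the message above, automated as an added example (this is not code from the bug log, from QEMU or from Debian): it reads /proc/<pid>/task/<tid>/status for every thread of a process, extracts the Seccomp: field (0 = disabled, 1 = strict, 2 = filter) and reports any thread whose mode differs from the thread group leader's. That is exactly the symptom quoted in the report, a leader with Seccomp 2 next to a worker thread with Seccomp 0. The proc_root parameter, the constructed /proc-like tree and the sample PID/TID values are assumptions made so the code can run offline without a live qemu.

```python
"""Per-thread seccomp check for a running process.

Added example, not code from this bug log, QEMU or Debian. It automates the
/proc check from the message above: read /proc/<pid>/task/<tid>/status for
every thread and compare the Seccomp: field (0 = disabled, 1 = strict,
2 = filter). The symptom described for CVE-2018-15746 is a thread group
leader reporting 2 while another thread reports 0. The proc_root parameter
and the sample-tree helper are assumptions made so the code runs offline.
"""
import os
import re
import sys
import tempfile
from typing import Dict, List

# Matches the "Seccomp:\t2" line of a /proc/<pid>/status file (Linux >= 3.8).
SECCOMP_RE = re.compile(r"^Seccomp:\s*(\d+)\s*$", re.MULTILINE)


def parse_seccomp_mode(status_text: str) -> int:
    """Return the seccomp mode found in the text of a status file."""
    match = SECCOMP_RE.search(status_text)
    if match is None:
        raise ValueError("status file has no Seccomp: field")
    return int(match.group(1))


def thread_seccomp_modes(pid: int, proc_root: str = "/proc") -> Dict[int, int]:
    """Map every thread id of pid to its seccomp mode.

    proc_root defaults to the real procfs; tests point it at a constructed tree.
    """
    task_dir = os.path.join(proc_root, str(pid), "task")
    modes: Dict[int, int] = {}
    for tid in sorted(os.listdir(task_dir), key=int):
        with open(os.path.join(task_dir, tid, "status"), encoding="utf-8") as fh:
            modes[int(tid)] = parse_seccomp_mode(fh.read())
    return modes


def unfiltered_threads(pid: int, modes: Dict[int, int]) -> List[int]:
    """Thread ids whose mode differs from the thread group leader's.

    With a correctly applied filter the list is empty; for the bug on this
    page it names the threads that escaped the blacklist.
    """
    leader_mode = modes[pid]
    return [tid for tid, mode in modes.items() if mode != leader_mode]


def build_sample_proc_tree(root: str, pid: int, modes: Dict[int, int]) -> None:
    """Write a constructed /proc-like tree so the checker can run without a
    live qemu. Only the Seccomp: field is meaningful; the rest is filler."""
    for tid, mode in modes.items():
        task_dir = os.path.join(root, str(pid), "task", str(tid))
        os.makedirs(task_dir)
        with open(os.path.join(task_dir, "status"), "w", encoding="utf-8") as fh:
            fh.write(f"Name:\tqemu-system-x86\nPid:\t{tid}\nTgid:\t{pid}\nSeccomp:\t{mode}\n")


def check_constructed(pid: int, modes: Dict[int, int]) -> List[int]:
    """Run the checker over a constructed tree and return the escaped tids."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_proc_tree(root, pid, modes)
        return unfiltered_threads(pid, thread_seccomp_modes(pid, root))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check: python3 seccomp_threads.py <pid of a qemu started with -sandbox on>
        live_pid = int(sys.argv[1])
        live_modes = thread_seccomp_modes(live_pid)
        for tid, mode in live_modes.items():
            print(f"tid {tid}: Seccomp {mode}")
        escaped = unfiltered_threads(live_pid, live_modes)
        print("all threads filtered" if not escaped else f"unfiltered threads: {escaped}")
    else:
        # Constructed reproduction of the output quoted in the report: leader 2, worker 0.
        print(check_constructed(23230, {23230: 2, 23231: 0}))  # -> [23231]
```

Run it with the PID of a qemu started with -sandbox on to inspect a live process; without arguments it replays the constructed case and prints the one escaped thread. Comparing against the thread group leader rather than hard-coding mode 2 keeps the check valid for a strict-mode (1) sandbox as well.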

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#907500; Package src:qemu. (Wed, 29 Aug 2018 07:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Wed, 29 Aug 2018 07:21:03 GMT) (full text, mbox, link).


Message #25 received at 907500@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Christian Ehrhardt <christian.ehrhardt@canonical.com>, 907500@bugs.debian.org
Subject: Re: Bug#907500: Seccomp enabled much earlier
Date: Wed, 29 Aug 2018 09:20:17 +0200
Hi Christian,

On Wed, Aug 29, 2018 at 07:26:56AM +0200, Christian Ehrhardt wrote:
> Hi,
> quote:
> "seccomp support is enabled for the Debian builds only starting from
> 1:2.12+dfsg-2, issue would be present already before source-wise, but going
> to mark the issue as no-dsa for older versions"
> 
> IMHO I'd think it is enabled since 1.3.0+dfsg-2exp quite a while back.
> The latter changes are sometimes enabling additional architectures, but
> "enabled" and thereby potentially affected it was way more back in time.

Yes you are right, that my initial triaging was not correct. Still not
sure if we want to treat this as DSA, or postpone it, but I have at
least now reverted the wrong comment in the security-tracker.

Thanks for spotting my mistake, corrected!

Salvatore



Marked as found in versions qemu/1:2.8+dfsg-6. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 29 Aug 2018 07:21:04 GMT) (full text, mbox, link).


Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Wed, 12 Dec 2018 09:18:21 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 12 Dec 2018 09:18:21 GMT) (full text, mbox, link).


Message #32 received at 907500-close@bugs.debian.org (full text, mbox, reply):

From: Michael Tokarev <mjt@tls.msk.ru>
To: 907500-close@bugs.debian.org
Subject: Bug#907500: fixed in qemu 1:3.1+dfsg-1
Date: Wed, 12 Dec 2018 09:16:37 +0000
Source: qemu
Source-Version: 1:3.1+dfsg-1

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 907500@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 02 Dec 2018 19:10:27 +0300
Source: qemu
Binary: qemu qemu-system qemu-block-extra qemu-system-data qemu-system-common qemu-system-gui qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm
Architecture: source
Version: 1:3.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description:
 qemu       - fast processor emulator, dummy package
 qemu-block-extra - extra block backend modules for qemu-system and qemu-utils
 qemu-guest-agent - Guest-side qemu-system agent
 qemu-kvm   - QEMU Full virtualization on x86 hardware
 qemu-system - QEMU full system emulation binaries
 qemu-system-arm - QEMU full system emulation binaries (arm)
 qemu-system-common - QEMU full system emulation binaries (common files)
 qemu-system-data - QEMU full system emulation (data files)
 qemu-system-gui - QEMU full system emulation binaries (user interface and audio sup
 qemu-system-mips - QEMU full system emulation binaries (mips)
 qemu-system-misc - QEMU full system emulation binaries (miscellaneous)
 qemu-system-ppc - QEMU full system emulation binaries (ppc)
 qemu-system-sparc - QEMU full system emulation binaries (sparc)
 qemu-system-x86 - QEMU full system emulation binaries (x86)
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 795486 813658 901017 902501 902725 907500 908682 910431 911468 911469 911470 911499 912535 914599 914604 914727 915884
Changes:
 qemu (1:3.1+dfsg-1) unstable; urgency=medium
 .
   * new upstream release (3.1)
   * Security bugs fixed by upstream:
     Closes: #910431, CVE-2018-10839:
      integer overflow leads to buffer overflow issue
     Closes: #911468, CVE-2018-17962
      pcnet: integer overflow leads to buffer overflow
     Closes: #911469, CVE-2018-17963
      net: ignore packets with large size
     Closes: #908682, CVE-2018-3639
      qemu should be able to pass the ssbd cpu flag
     Closes: #901017, CVE-2018-11806
      m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow
      via incoming fragmented datagrams
     Closes: #902725, CVE-2018-12617
      qmp_guest_file_read in qemu-ga has an integer overflow
     Closes: #907500, CVE-2018-15746
      qemu-seccomp might allow local OS guest users to cause a denial of service
     Closes: #915884, CVE-2018-16867
      dev-mtp: path traversal in usb_mtp_write_data of the MTP
     Closes: #911499, CVE-2018-17958
      Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c
      because an incorrect integer data type is used
     Closes: #911470, CVE-2018-18438
      integer overflows because IOReadHandler and its associated functions
      use a signed integer data type for a size value
     Closes: #912535, CVE-2018-18849
      lsi53c895a: OOB msg buffer access leads to DoS
     Closes: #914604, CVE-2018-18954
      pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in Qemu before 3.1
      allows out-of-bounds write or read access to PowerNV memory
     Closes: #914599, CVE-2018-19364
      Use-after-free due to race condition while updating fid path
     Closes: #914727, CVE-2018-19489
      9pfs: crash due to race condition in renaming files
   * remove patches which were applied upstream
   * add new manpage qemu-cpu-models.7
   * qemu-system-ppcemb is gone, use qemu-system-ppc[64]
   * do-not-link-everything-with-xen.patch (trivial)
   * get-orig-source: handle 3.x and 4.x, and remove roms again, as
     upstream wants us to use separate source packages for that stuff
   * move generated data from qemu-system-data back to qemu-system-common
   * d/control: enable spice on arm64 (Closes: #902501)
     (probably should enable on all)
   * d/control: change git@salsa urls to https
   * add qemu-guest-agent.service (Closes: #795486)
   * enable opengl support and virglrenderer (Closes: #813658)
   * simplify d/rules just a little bit
   * build-depend on libudev-dev, for qga
Checksums-Sha1:
 a65a31436ea02a77c21bff8f7afa02ae05938a26 5967 qemu_3.1+dfsg-1.dsc
 b6a6c31d146b13e14af253d6dc25f16ccad7d060 8705368 qemu_3.1+dfsg.orig.tar.xz
 a07b0298ac2fe6be7ee5e9540fd6fc6d9c1b20ee 72160 qemu_3.1+dfsg-1.debian.tar.xz
 2233f07915fcbb0daa421fca2674a139941f832b 16084 qemu_3.1+dfsg-1_source.buildinfo
Checksums-Sha256:
 c1b9ec8e25ff07877505291d8c0ef235f7b81117a9a706bdf76deba857c09484 5967 qemu_3.1+dfsg-1.dsc
 2f277942759dd3eed21f7e00edfeab52b4f58d6f2f22d4f7e1a8aa4dc54c80d7 8705368 qemu_3.1+dfsg.orig.tar.xz
 62ccd57796c3a43d99aac37ffac4b24b7188216f719ff50b0e1ce84f058ccca5 72160 qemu_3.1+dfsg-1.debian.tar.xz
 4f53f5acac8637a3716dbd1ea4380d7c08a8c1d15a1de581095963b1e76b560b 16084 qemu_3.1+dfsg-1_source.buildinfo
Files:
 059657635379ae27ba846df240e16b54 5967 otherosfs optional qemu_3.1+dfsg-1.dsc
 b17f33786c89d547150490811a40f0b2 8705368 otherosfs optional qemu_3.1+dfsg.orig.tar.xz
 62ef7391f798ccbd2b4d5f7928033522 72160 otherosfs optional qemu_3.1+dfsg-1.debian.tar.xz
 13fd8a8bb95fc80a05de9f1cb33a50ce 16084 otherosfs optional qemu_3.1+dfsg-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFDBAEBCAAtFiEEe3O61ovnosKJMUsicBtPaxppPlkFAlwQzGwPHG1qdEB0bHMu
bXNrLnJ1AAoJEHAbT2saaT5Z+zUH/1AG3gTlCfodSE7V0FW8268LUMpsJS7mpZ/p
4K8GUdAXtH6TWN1n4vfbUeCaO+dJYHT2g0dTFqwKhJoLElhcCFH8F2pcVQPJfPQQ
YLYQIR/5Mijs+cHIpbzc7KO4Jj2umLOe0GZtEnmbXvBNGRf9/KImb8nRzSitVJSX
qlRSLsr5tLVIgBxGJynPCWYLzwAnvv6chSNBT7e/1vBvo87B1l3gL7ibRdIF3CFJ
s4mYqyYQvIwlEgOE1UKswSunQjcbjZY2ATy0DAxZw5E0ec8etX3cl/tCH8Hq6aSZ
lpDOsBZu/rRukrF3Rt7GSSPCsoLXwWUYa9mRnEsTBWzcw0pJKmc=
=1I7Y
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 01 Feb 2019 07:25:10 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:20:19 2019; Machine Name: beach
