Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 212351 - app-emulation/qemu-softmmu <= 0.9.1-r1 insufficient block device address range checking (CVE-2008-0928)
Summary: app-emulation/qemu-softmmu <= 0.9.1-r1 insufficient block device address rang...
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://marc.info/?l=debian-security&m...
Whiteboard: B2 [glsa]
Keywords:
: 211442 (view as bug list)
Depends on: CVE-2008-2004
Blocks:
  Show dependency tree
 
Reported: 2008-03-05 07:55 UTC by Lars Hartmann
Modified: 2013-08-28 01:59 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
build.log (20080310-081450.log,108.52 KB, text/plain)
2008-03-10 08:15 UTC, Christian Faulhammer (RETIRED)
no flags Details
qemu-softmmu-0.9.1-r1.patch (qemu-softmmu-0.9.1-r1.patch,693 bytes, patch)
2008-03-16 10:29 UTC, Peter Volkov (RETIRED)
no flags Details | Diff
Fixing some QA things and the actual bug fix (qemu.patch,942 bytes, patch)
2008-03-16 10:52 UTC, Christian Faulhammer (RETIRED)
no flags Details | Diff
qemu-softmmu-0.9.1-r1.patch (qemu-softmmu-0.9.1-r1.patch,693 bytes, patch)
2008-03-19 10:24 UTC, Peter Volkov (RETIRED)
no flags Details | Diff
qemu-softmmu-0.9.1-r1.ebuild.patch (qemu-softmmu-0.9.1-r1.ebuild.patch,1.56 KB, patch)
2008-03-20 08:48 UTC, Peter Volkov (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Hartmann 2008-03-05 07:55:38 UTC
Ian Jackson discovered that accesses beyond end of qemu emulated disk devices
can result in accesses to emulator's virtual memory space accesses and thus can
allow user with sufficient privilege in guest (root, as this would need
modification to kernel's driver) to break out of VM.

Solution:
apply Patch: https://bugzilla.redhat.com/attachment.cgi?id=296005
Comment 1 Lars Hartmann 2008-03-05 07:56:52 UTC
maintainer - please provide an updated ebuild
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 09:49:59 UTC
also affects Xen
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 09:51:01 UTC
*** Bug 211442 has been marked as a duplicate of this bug. ***
Comment 4 Luca Barbato gentoo-dev 2008-03-05 17:58:44 UTC
updated ebuild provided, please test
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 20:39:02 UTC
Did you commit it, I can't see anything in CVS.
Comment 6 Luca Barbato gentoo-dev 2008-03-05 20:42:18 UTC
app-emulation/qemu-softmmu

qemu is just a meta ebuild.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 20:50:25 UTC
Ah, sorry, I missed that.

Arches, please test and mark stable:
=app-emulation/qemu-softmmu-0.9.1-r1
Target keywords : "amd64 ppc release x86"
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-07 16:00:33 UTC
Luca, you use it on x86?  I don't have GCC 3 here at the moment...so a successful ok from you would be enough for me.
Comment 9 Luca Barbato gentoo-dev 2008-03-07 18:42:09 UTC
I don't have x86 around to test it properly =/

I should check a snapshot with the replaced dygen so the gcc-3 constraint would disappear.
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-09 07:05:56 UTC
same for me, no gcc-3 on ppc ... luca, can you keyword this package for ppc? ;)
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-10 08:15:18 UTC
Created attachment 145714 [details]
build.log

Fails here.

Portage 2.1.4.4 (default-linux/x86/2007.0/desktop, gcc-3.4.6, glibc-2.6.1-r0, 2.6.24-gentoo-r3 i686)
=================================================================
System uname: 2.6.24-gentoo-r3 i686 AMD Athlon(tm) X2 Dual Core Processor BE-2400
Timestamp of tree: Mon, 10 Mar 2008 06:30:01 +0000
app-shells/bash:     3.2_p17-r1
dev-java/java-config: 1.3.7, 2.1.4
dev-lang/python:     2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /opt/openjms/config /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/lib/hsqldb /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks metadata-transfer parallel-fetch sandbox sfperms strict unmerge-orphans userfetch userpriv"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE.utf8"
LC_ALL="de_DE.utf8"
LINGUAS="de"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="3dnow 3dnowext X a52 acl acpi aiglx alsa apache2 apm applet artworkextra asf audiofile avahi bash-completion beagle berkdb bidi bogofilter bootsplash branding bzip2 cairo ccache cdda cddb cdparanoia cdr cli console cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dri dts dvd dvdr dvdread dvi eds emacs emboss encode esd evince evo exif fam fat fbcon fdftk ffmpeg firefox flac foomaticdb fortran ftp gb gcj gdbm gif glitz gnome gpm gsf gstreamer gtk gtk2 gtkhtml hal howl iconv icq idn imagemagick imap imlib immqt-bc isdnlog java javascript jpeg jpeg2k kde ldap libnotify lirc lm_sensors mad maildir matroska mbox midi mikmod mime mmx mmxext mng mono mp3 mpeg mpeg2 mudflap mule mysql nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia objc objc++ objc-gc offensive ogg opengl openmp pam pango pcre pdf perl php plotutils pmu png ppds pppd prediction preview-latex print python qt3 qt3support qt4 quicktime readline reflection samba sdk session slang spell spl sse ssl svg svga t1lib tcl tcpd tetex theora threads thumbnailing tiff tk toolkit-scroll-bars totem tracker truetype truetype-fonts type1-fonts udev unicode usb userlocales vcd videos vorbis win32codecs wmf wxwindows x86 xface xft xine xml xorg xosd xpm xv xvid zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="canon ptp2" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de" LIRC_DEVICES="atiusb" USERLAND="GNU" VIDEO_CARDS="vesa fbdev fglrx"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 12 Luca Barbato gentoo-dev 2008-03-10 11:21:28 UTC
Worked on ppc
Comment 13 Luca Barbato gentoo-dev 2008-03-10 11:22:36 UTC
../softmmu_template.h:260: error: unable to find a register to spill in class `GENERAL_REGS'

x86 vs gcc vs qemu on register allocation. That is a gcc bug
Comment 14 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-11 07:32:36 UTC
(In reply to comment #13)
> ../softmmu_template.h:260: error: unable to find a register to spill in class
> `GENERAL_REGS'
> 
> x86 vs gcc vs qemu on register allocation. That is a gcc bug

 And now?  It is unlikely that a fixed GCC 3 release will appear.  My proposal, as GCC 3 is hard masked and needed: Mask qemu, too, until they fix their compiler problem in general.
Comment 15 Luca Barbato gentoo-dev 2008-03-11 07:36:04 UTC
just use another gcc-3.4 =/ or dekeyword it for x86 qemu builds fine on the other arches.
Comment 16 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-11 09:36:08 UTC
Could someone from x86 verify my failures?

Luca, normally a package that has hard-masked dependencies should not go stable.
Comment 17 Luca Barbato gentoo-dev 2008-03-11 09:41:19 UTC
qemu-softmmu builds and works apparently well enough for everybody but x86 users with the latest gcc-3.4 since the register allocation is problematic and the underlying hardware has limited registers.

Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2008-03-11 10:03:07 UTC
Seems my grep foo has left me, where is <gcc-4 hard masked?
Comment 19 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-12 07:11:08 UTC
(In reply to comment #18)
> Seems my grep foo has left me, where is <gcc-4 hard masked?

 You should have looked in my local package.mask....

Could anybody from x86 verify that it does not work?
Comment 20 Dawid Węgliński (RETIRED) gentoo-dev 2008-03-14 08:41:27 UTC
Verified:

/var/tmp/paludis/app-emulation/qemu-softmmu-0.9.1-r1/work/qemu-0.9.1/target-i386/ops_sse.h: In function `op_psrlq_mmx':
/var/tmp/paludis/app-emulation/qemu-softmmu-0.9.1-r1/work/qemu-0.9.1/target-i386/ops_sse.h:213: error: unable to find a register to spill in class `GENERAL_REGS'
/var/tmp/paludis/app-emulation/qemu-softmmu-0.9.1-r1/work/qemu-0.9.1/target-i386/ops_sse.h:213: error: this is the insn:
(insn:HI 36 35 37 3 /var/tmp/paludis/app-emulation/qemu-softmmu-0.9.1-r1/work/qemu-0.9.1/target-i386/ops_sse.h:207 (parallel [
            (set (reg:DI 63 [ <variable>.q ])
                (lshiftrt:DI (reg:DI 63 [ <variable>.q ])
                    (subreg:QI (reg/v:SI 60 [ shift ]) 0)))
            (clobber (scratch:SI))
            (clobber (reg:CC 17 flags))
        ]) 309 {lshrdi3_1} (insn_list 33 (insn_list 35 (nil)))
    (expr_list:REG_DEAD (reg/v:SI 60 [ shift ])
        (expr_list:REG_UNUSED (reg:CC 17 flags)
            (expr_list:REG_UNUSED (scratch:SI)
                (nil)))))
/var/tmp/paludis/app-emulation/qemu-softmmu-0.9.1-r1/work/qemu-0.9.1/target-i386/ops_sse.h:213: confused by earlier errors, bailing out
make[1]: *** [op.o] Error 1
make[1]: Leaving directory `/var/tmp/paludis/app-emulation/qemu-softmmu-0.9.1-r1/work/qemu-0.9.1/i386-softmmu'
make: *** [subdir-i386-softmmu] Error 2

So what do we do? Drop x86 keyword at all?
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2008-03-14 12:12:18 UTC
(In reply to comment #9)
> I should check a snapshot with the replaced dygen so the gcc-3 constraint would
> disappear.

This sounds more promising for the future than dropping qemu support.
Comment 22 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-16 08:25:36 UTC
(In reply to comment #21)
> (In reply to comment #9)
> > I should check a snapshot with the replaced dygen so the gcc-3 constraint would
> > disappear.
> 
> This sounds more promising for the future than dropping qemu support.

 GCC 3.3.6 works.  Problem: Not marked stable and I am not sure if i want to do it.  People will try 3.4 when asked for GCC 3...
 Dropping stable x86 is also no desired option, so this snapshot seems to be the best solution.  Luca, your turn again. :)

Comment 23 Luca Barbato gentoo-dev 2008-03-16 09:26:03 UTC
I'll try to prepare something, then I'll need somebody to test it
Comment 24 Peter Volkov (RETIRED) gentoo-dev 2008-03-16 09:50:48 UTC
Snapshot does has the same bugs. But, please, take a look at this thread:

http://lists.gnu.org/archive/html/qemu-devel/2008-03/msg00243.html

I'm about to suggest solution...
Comment 25 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-16 09:58:05 UTC
(In reply to comment #23)
> I'll try to prepare something, then I'll need somebody to test it
 
 We are here.

(In reply to comment #24)
> Snapshot does has the same bugs. But, please, take a look at this thread:
> 
> http://lists.gnu.org/archive/html/qemu-devel/2008-03/msg00243.html
> 
> I'm about to suggest solution...

 Yes?  I did not try the patch suggested there yet, BUT I don't have a march setting in my CFLAGS, so this is not the solution.
Comment 26 Peter Volkov (RETIRED) gentoo-dev 2008-03-16 10:29:25 UTC
Created attachment 146286 [details, diff]
qemu-softmmu-0.9.1-r1.patch

Well, this patch fixes the build problem with gcc-3.4 here. Although I think that forcing -march is a good idea this is a good first approximation. BTW I've tried to build with "-no-sse{,2,3} -mfpmath=387" and this didn't worked. Also for unknown reason it fails if I don't pass OS_CFLAGS="${CFLAGS}" to emake too.

Questions remain: 1. is it possible that -02 or -g redefines -march defaults and enables sse? 2. What -march=pentium-mmx enables/disables to make compilation succeed?
Comment 27 Peter Volkov (RETIRED) gentoo-dev 2008-03-16 10:46:16 UTC
(In reply to comment #25)
> I did not try the patch suggested there yet, BUT I don't have a march
> setting in my CFLAGS, so this is not the solution.

And to save your time: patches suggested there do not fix anything here.

Comment 28 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-16 10:52:46 UTC
Created attachment 146291 [details, diff]
Fixing some QA things and the actual bug fix

I reworked your patch (use x86 instead of querying ${ARCH}, adjusted comment), use emake install instead of plain make and a comment that econf is not possible.

Luca, this compiles, I have still to check if it works.
Comment 29 Peter Volkov (RETIRED) gentoo-dev 2008-03-16 11:45:51 UTC
Christian, as I wrote in #26 build fails if you do not pass OS_CFLAGS="${CFLAGS}" to emake. I've checked. Build fails with your patch here.
Comment 30 Dawid Węgliński (RETIRED) gentoo-dev 2008-03-16 12:10:45 UTC
(In reply to comment #28)
> Created an attachment (id=146291) [edit]
> Fixing some QA things and the actual bug fix
> 
> I reworked your patch (use x86 instead of querying ${ARCH}, adjusted comment),
> use emake install instead of plain make and a comment that econf is not
> possible.
> 
> Luca, this compiles, I have still to check if it works.
> 
It compiles also here and it works. I could successfully boot from hard disk. So the only things left are question in the bug. :)
Comment 31 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-16 12:12:32 UTC
(In reply to comment #29)
> Christian, as I wrote in #26 build fails if you do not pass
> OS_CFLAGS="${CFLAGS}" to emake. I've checked. Build fails with your patch here.

 Are you sure you applied my patch?  As far as I can see, the OS_CFLAGS is there.

Comment 32 Peter Volkov (RETIRED) gentoo-dev 2008-03-16 13:11:16 UTC
(In reply to comment #31)
>  Are you sure you applied my patch?  As far as I can see, the OS_CFLAGS is
> there.

Ah, sure. I'm sorry. I've applied manually and I confused + with - :)

Comment 33 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-19 07:16:30 UTC
Luca, instead of -march=pentium-mmx, -march=i486 is sufficient to avoid that error.  Could you please apply the patch with that little change?  Peter confirmed that it is working on his system.
Comment 34 Peter Volkov (RETIRED) gentoo-dev 2008-03-19 10:24:45 UTC
Created attachment 146567 [details, diff]
qemu-softmmu-0.9.1-r1.patch

Small update. Seems that qemu-softmmu builds with any -march lower than pentium-mmx. I've created IMHO better patch. The ideas I've took from gcc/config.gcc so I suppose I didn't missed anything. General idea of this patch: if user forced lower march take that, if not, use CHOST to set lowest cpu.
Comment 35 Peter Volkov (RETIRED) gentoo-dev 2008-03-19 10:28:46 UTC
We are playing with gcc here, so I think it's good idea if toolchain guys review and comment our work here, before we commit anything to the tree. Thank you in advance.
Comment 36 Luca Barbato gentoo-dev 2008-03-19 11:39:16 UTC
try to force just the march flag adding more random cflags may cause other breakage
Comment 37 SpanKY gentoo-dev 2008-03-19 13:56:19 UTC
so we're clear, you're not talking about changing the gcc package, just tweaking gcc CFLAGS in the qemu ebuild
Comment 38 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-20 07:46:28 UTC
(In reply to comment #35)
> We are playing with gcc here, so I think it's good idea if toolchain guys
> review and comment our work here, before we commit anything to the tree. Thank
> you in advance.

 Peter, I think you applied the same patch again.  Or is it just me?

(In reply to comment #37)
> so we're clear, you're not talking about changing the gcc package, just
> tweaking gcc CFLAGS in the qemu ebuild

 Right-
Comment 39 Peter Volkov (RETIRED) gentoo-dev 2008-03-20 08:48:15 UTC
Created attachment 146640 [details, diff]
qemu-softmmu-0.9.1-r1.ebuild.patch

Yea, I should clean my /tmp more regulary ... Applying correct patch.
Comment 40 Peter Volkov (RETIRED) gentoo-dev 2008-03-20 18:11:16 UTC
Fixing this security issue we are getting regression: qemu does not boot with qcow2 image files:
 # qemu-img create -f qcow c.img 3G
Formatting 'c.img', fmt=qcow, size=3145728 kB
# qemu -cdrom install-x86-minimal-2007.0-r1.iso -hda ./c.img -m 256 -boot d
qemu: could not open disk image ./c.img

I've checked without patch everything works. Similar issue is reported at debian: http://bugs.debian.org/470664

qcow2 - is default and recommended format... what shall we do?
Comment 41 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-22 21:29:11 UTC
(In reply to comment #40)
> qcow2 - is default and recommended format... what shall we do?

 Most simple fix -> drop stable x86

I don't really like this, but fixing QEmu must be really hard here with an outdated GCC 3.4*.  Still people seem to know that they switch to GCC 3.3* if they have problems (according to Gentoo Wiki), so this problem is no regression.
Comment 42 Peter Volkov (RETIRED) gentoo-dev 2008-03-28 08:40:46 UTC
(In reply to comment #41)
>  Most simple fix -> drop stable x86

Dropping keyword does not fixe the problem. Also I see your point.

> I don't really like this, but fixing QEmu must be really hard here with an
> outdated GCC 3.4*.  Still people seem to know that they switch to GCC 3.3* if
> they have problems (according to Gentoo Wiki), so this problem is no
> regression.

Upstream FAQ suggests that both gcc versions are supported.

Well that's said take a look at bug, comment #22:
https://bugzilla.redhat.com/show_bug.cgi?id=433560

seems that there is new patch that fixes regression too. Luca, please, update ebuild with that patch and patch from comment #39, if you agree with that solution. BTW, I have not tested patch from redhat yet, but it's already works for one distribution so I suppose it should work for us too. Will test later.
Comment 43 Gordon Malm (RETIRED) gentoo-dev 2008-05-07 02:46:52 UTC
Hardened user came on irc today.  Couldn't use gcc 3.4 because of this bug, nor gcc 3.3 due to hitting bug 166392.  And of course gcc 4.x is not supported.
Comment 44 Peter Volkov (RETIRED) gentoo-dev 2008-05-13 00:03:58 UTC
Ok, while building with gcc-3.4 is more upstream issue, security should be fixed as much as possible so I've went ahead and commited ebuild suggested in #39 + updated security patch which avoids qcow2 regression. So I think we should re'CC ppc team and proceed stabilization...
Comment 45 Luca Barbato gentoo-dev 2008-05-13 09:22:15 UTC
thank you, sorry for being unresponsive.
Comment 46 Christian Faulhammer (RETIRED) gentoo-dev 2008-05-14 14:50:54 UTC
x86 stable, Luca can handle PPC.
Comment 47 Robert Buchholz (RETIRED) gentoo-dev 2008-05-14 19:37:49 UTC
stabling now in bug 221943
Comment 48 Doug Goldstein gentoo-dev 2012-03-08 16:23:26 UTC
Removed from tree.
Comment 49 Doug Goldstein gentoo-dev 2012-10-20 16:49:20 UTC
(In reply to comment #48)
> Removed from tree.

Still removed from the tree. Hint: You can close.
Comment 50 Doug Goldstein gentoo-dev 2013-08-28 01:23:16 UTC
@security: 1 year follow up to the follow up ping.