Bug 826042 - qemu-kvm: virtio-blk: refuse SG_IO requests with scsi=off (CVE-2011-4127 mitigation)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: qemu
Version: 16
Hardware: All
OS: Linux
Priority: urgent
Severity: high
Target Milestone: ---
Assignee: Fedora Virtualization Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 770135
Blocks:
Reported: 2012-05-29 13:02 UTC by Cole Robinson
Modified: 2013-01-10 00:59 UTC (History)
CC: 29 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 770135
Environment:
Last Closed: 2012-06-07 22:57:21 UTC



Description Cole Robinson 2012-05-29 13:02:40 UTC
Cloning against F16

+++ This bug was initially created as a clone of Bug #770135 +++

+++ This bug was initially created as a clone of Bug #756677 +++

qemu-kvm does have a "scsi" option (to be used like -device
virtio-blk-pci,drive=foo,scsi=off).  However, it only masks the feature
bit, and does not reject the command if a malicious guest disregards
the feature bits and issues a request.

(CVE-2011-4127 mitigation)

--- Additional comment from pmatouse@redhat.com on 2011-11-25 12:56:27 EST ---

How to test:

1) install a guest whose storage is backed by a partition or LV (for example:  -drive file=/dev/VolGroup/bz756677,if=none,id=drive-virt0-0-1,format=raw,cache=none,aio=threads -device virtio-blk-pci,drive=drive-virt0-0-1,id=virt0-0-1)

2) patch and rebuild the guest kernel:
comment out the following lines in virtblk_ioctl() in drivers/block/virtio_blk.c

//    if (!virtio_has_feature(vblk->vdev, VIRTIO_BLK_F_SCSI))
//            return -ENOTTY;

3) try the sg_dd command in the guest with the qemu-kvm command-line virtio-blk scsi option on / off (...id=virt0-0-1 / ...id=virt0-0-1,scsi=off)

3.1) unfixed qemu-kvm

3.1.1) scsi option on (not off)
  # sg_dd if=/dev/vda blk_sgio=1 bs=512 count=1
  -> ... works ...
3.1.2) scsi option off
  # sg_dd if=/dev/vda blk_sgio=1 bs=512 count=1
  -> ... works ...

-----------------------------------------------

3.2) fixed qemu-kvm

3.2.1) scsi option on (not off)
  # sg_dd if=/dev/vda blk_sgio=1 bs=512 count=1
  -> ... works ...
3.2.2) scsi option off
  # sg_dd if=/dev/vda blk_sgio=1 bs=512 count=1
  INQUIRY failed on /dev/vda
  -> ... doesn't work

If the bug is fixed, you should see the behaviour as outlined in 3.2.

--- Additional comment from fedora-admin-xmlrpc@redhat.com on 2012-03-15 13:58:10 EDT ---

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

--- Additional comment from crobinso@redhat.com on 2012-05-29 09:01:03 EDT ---

This is fixed in F17+, but is still present in F15 + F16
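
A stripped-down model of the defect and of the fix, added here as an example and not taken from qemu or from the test plan above: with scsi=off the unfixed device model only withheld the VIRTIO_BLK_F_SCSI feature bit, so the only thing refusing SG_IO was the guest driver's own check (the virtblk_ioctl() lines the test plan comments out); the fixed device model refuses the request on the host side based on its own configuration. Struct and function names are assumptions; the virtio constants are the spec values.

```c
/* Added example, not qemu's own code: a stripped-down model of this bug.
 * With scsi=off, unfixed qemu-kvm only masked the VIRTIO_BLK_F_SCSI bit, so
 * enforcement lived in the guest driver (the virtblk_ioctl() check the test
 * plan comments out). Names and layout here are assumptions, not qemu's. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define VIRTIO_BLK_F_SCSI     (1u << 7)  /* virtio-blk feature bit 7 */
#define VIRTIO_BLK_T_SCSI_CMD 2u         /* request type for SG_IO passthrough */
#define VIRTIO_BLK_S_OK       0
#define VIRTIO_BLK_S_UNSUPP   2
#define ENOTTY_RET          (-25)        /* guest driver refused the ioctl */
struct vblk_dev {
    bool scsi_cfg;    /* -device virtio-blk-pci,...,scsi=on|off */
    bool qemu_fixed;  /* unfixed vs fixed device model */
};

/* Host side: with scsi=off the feature bit is simply not offered. */
static uint32_t host_features(const struct vblk_dev *d)
{
    return d->scsi_cfg ? VIRTIO_BLK_F_SCSI : 0;
}

/* Device-model request path. Unfixed: every request type is serviced and
 * features are never consulted. Fixed: SG_IO is refused unless scsi=on. */
static int host_handle(const struct vblk_dev *d, uint32_t type)
{
    if (d->qemu_fixed && type == VIRTIO_BLK_T_SCSI_CMD && !d->scsi_cfg)
        return VIRTIO_BLK_S_UNSUPP;  /* sg_dd reports "INQUIRY failed" */
    return VIRTIO_BLK_S_OK;
}

/* Guest side: sg_dd blk_sgio=1 issues SG_IO on /dev/vda. A stock driver
 * checks the negotiated feature bit; the patched test driver skips it. */
static int guest_sg_io(const struct vblk_dev *d, bool driver_patched)
{
    if (!driver_patched && !(host_features(d) & VIRTIO_BLK_F_SCSI))
        return ENOTTY_RET;
    return host_handle(d, VIRTIO_BLK_T_SCSI_CMD);
}

int main(void)
{
    struct vblk_dev d = { .scsi_cfg = false, .qemu_fixed = false };
    printf("unfixed qemu, scsi=off, patched driver: status %d\n", guest_sg_io(&d, true));
    d.qemu_fixed = true;
    printf("fixed qemu, scsi=off, patched driver: status %d\n", guest_sg_io(&d, true));
    return 0;
}
```

The two printed cases correspond to steps 3.1.2 and 3.2.2 of the test plan: status 0 (serviced) on the unfixed model, status 2 (VIRTIO_BLK_S_UNSUPP) on the fixed one.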

Comment 1 Fedora Update System 2012-05-29 14:12:47 UTC
qemu-0.15.1-5.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/qemu-0.15.1-5.fc16

Comment 2 Fedora Update System 2012-05-29 21:55:26 UTC
Package qemu-0.15.1-5.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing qemu-0.15.1-5.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8592/qemu-0.15.1-5.fc16
then log in and leave karma (feedback).

Comment 3 Fedora Update System 2012-06-07 22:57:21 UTC
qemu-0.15.1-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

