Bug 1791680

Summary: QEMU: Slirp: disable emulation of tcp programs like ftp IRC etc. [rhel-6]
Product: Red Hat Enterprise Linux 6
Reporter: Prasad Pandit <ppandit>
Component: qemu-kvm
Assignee: Marc-Andre Lureau <marcandre.lureau>
Status: CLOSED ERRATA
QA Contact: Quan Wenli <wquan>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.10
CC: jinzhao, juzhang, marcandre.lureau, mkenneth, mrezanin, mtessun, philmd, rbalakri, toneata, virt-bugs, virt-maint, wquan
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: qemu-kvm-0.12.1.2-2.506.el6_10.7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1791679
Environment:
Last Closed: 2020-04-08 08:58:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1791677, 1791679
Bug Blocks:

Description Prasad Pandit 2020-01-16 11:15:23 UTC
+++ This bug was initially created as a clone of Bug #1791679 +++

+++ This bug was initially created as a clone of Bug #1791677 +++

Description of problem:

Upstream libslirp has disabled emulation of the tcp programs like ftp/IRC etc. in user-mode SLiRP networking since v4.1.0.

 ->  https://gitlab.freedesktop.org/slirp/libslirp/commit/07c2a44b67e219ac14207f7a1b33704e1312cf91

   emu: disable by default

tcp_emu() is known to have caused several CVEs, and not useful today in most cases.

https://nvd.nist.gov/vuln/detail/CVE-2019-6778
https://nvd.nist.gov/vuln/detail/CVE-2019-9824

The feature can still be enabled by setting SlirpConfig.enable_emu to true.

* Please include this patch in the qemu-kvm package versions of RHEL too.

* It'll probably be better to disable user-mode SLiRP networking itself in qemu-kvm.

  i.e. compile the qemu-kvm package with the '--disable-slirp' configure option.

--- Additional comment from RHEL Program Management on 2020-01-16 11:13:22 UTC ---

Since this bug report was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

Comment 5 Quan Wenli 2020-03-30 07:50:46 UTC
Hello Marc-Andre Lureau

I was using the reproduction steps from https://bugzilla.redhat.com/show_bug.cgi?id=1791677#c11, but I got the same output "1234    ,   4321 " with the old, unfixed qemu-kvm-0.12.1.2-2.506.el6_10.6. Could you help check my steps?

Steps:
1. boot up guest with "/usr/libexec/qemu-kvm -enable-kvm -nographic -m 2048 -net user,hostfwd=tcp::2222-:22 -net nic,model=virtio /root/rhel610-64-virtio.qcow2"
2. nc -l 127.0.0.1 113 on host
3. run on guest
nc -C 10.0.2.2 113 
1234    ,   4321 

Results:

With qemu-kvm-0.12.1.2-2.506.el6_10.6:

# nc -l 127.0.0.1 113
1234    ,   4321

With qemu-kvm-0.12.1.2-2.506.el6_10.7:
# nc -l 127.0.0.1 113
1234    ,   4321

Comment 6 Marc-Andre Lureau 2020-03-30 10:54:47 UTC
(In reply to Quan Wenli from comment #5)
> 1. boot up guest with "/usr/libexec/qemu-kvm -enable-kvm -nographic -m 2048
> -net user,hostfwd=tcp::2222-:22 -net nic,model=virtio
> /root/rhel610-64-virtio.qcow2"
> 2. nc -l 127.0.0.1 113 on host
> 3. run on guest
> nc -C 10.0.2.2 113 
> 1234    ,   4321 
> 
> Results:
> 
> With qemu-kvm-0.12.1.2-2.506.el6_10.6:
> 
> # nc -l 127.0.0.1 113
> 1234    ,   4321
> 
> With qemu-kvm-0.12.1.2-2.506.el6_10.7:
> # nc -l 127.0.0.1 113
> 1234    ,   4321

That looks correct: the input from the guest is unchanged.

Comment 7 Quan Wenli 2020-03-31 02:46:27 UTC
(In reply to Marc-Andre Lureau from comment #6)
> (In reply to Quan Wenli from comment #5)
> > 1. boot up guest with "/usr/libexec/qemu-kvm -enable-kvm -nographic -m 2048
> > -net user,hostfwd=tcp::2222-:22 -net nic,model=virtio
> > /root/rhel610-64-virtio.qcow2"
> > 2. nc -l 127.0.0.1 113 on host
> > 3. run on guest
> > nc -C 10.0.2.2 113 
> > 1234    ,   4321 
> > 
> > Results:
> > 
> > With qemu-kvm-0.12.1.2-2.506.el6_10.6:
> > 
> > # nc -l 127.0.0.1 113
> > 1234    ,   4321
> > 
> > With qemu-kvm-0.12.1.2-2.506.el6_10.7:
> > # nc -l 127.0.0.1 113
> > 1234    ,   4321
> 
> That looks correct: the input from the guest is unchanged.

Yes, but according to https://bugzilla.redhat.com/show_bug.cgi?id=1791677#c11, before tcp_emu was disabled we should get "1234,4321" (without spaces) on the host, but we still get "1234    ,   4321" with qemu-kvm-0.12.1.2-2.506.el6_10.6.

Comment 8 Marc-Andre Lureau 2020-03-31 13:26:15 UTC
(In reply to Quan Wenli from comment #7)
> (In reply to Marc-Andre Lureau from comment #6)
> > (In reply to Quan Wenli from comment #5)
> > > 1. boot up guest with "/usr/libexec/qemu-kvm -enable-kvm -nographic -m 2048
> > > -net user,hostfwd=tcp::2222-:22 -net nic,model=virtio
> > > /root/rhel610-64-virtio.qcow2"
> > > 2. nc -l 127.0.0.1 113 on host
> > > 3. run on guest
> > > nc -C 10.0.2.2 113 
> > > 1234    ,   4321 
> > > 
> > > Results:
> > > 
> > > With qemu-kvm-0.12.1.2-2.506.el6_10.6:
> > > 
> > > # nc -l 127.0.0.1 113
> > > 1234    ,   4321
> > > 
> > > With qemu-kvm-0.12.1.2-2.506.el6_10.7:
> > > # nc -l 127.0.0.1 113
> > > 1234    ,   4321
> > 
> > That looks correct: the input from the guest is unchanged.
> 
> Yes, but according to
> https://bugzilla.redhat.com/show_bug.cgi?id=1791677#c11, before tcp_emu was
> disabled, we should get on host: "1234,4321" (without spaces) but we get
> still "1234    ,   4321" with qemu-kvm-0.12.1.2-2.506.el6_10.6

With qemu-kvm-0.12.1.2-2.506.el6_10.6 it works for me.
Make sure you use "nc -C" on the client side.

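The reproducer in comments 5 to 8 hinges on one observable: with tcp_emu() active, the IDENT (port 113) request a guest sends is re-serialized before it reaches the host listener, so the blanks around the comma disappear; with emulation disabled (the fixed build), the bytes pass through untouched. The following Python model, added here as an example and not code from QEMU, libslirp or this bug report, reproduces that rewrite on constructed input and classifies what a host-side "nc -l" shows. It assumes the IDENT branch of upstream tcp_emu() parses the line with the equivalent of sscanf("%u%*[ ,]%u") and re-emits it as "%d,%d\r\n"; the port translation that branch also performs when the second port matches a tracked connection is deliberately left out, since the test ports 1234/4321 match nothing.

```python
"""Model of the IDENT rewrite performed by SLiRP's tcp_emu(), plus a check
over what the host listener received.

Added example for Bug 1791680; not code from QEMU, libslirp or the bug.
Assumption: tcp_emu()'s IDENT branch parses "%u%*[ ,]%u" and re-emits
"%d,%d\r\n" (port translation for tracked connections is not modelled).
"""

import re

# sscanf("%u%*[ ,]%u"): optional leading blanks, a number, one or more
# spaces/commas, a second number; anything after that is ignored.
_IDENT_REQ = re.compile(rb"^\s*(\d+)[ ,]+(\d+)")


def emulated_ident_rewrite(line: bytes) -> bytes:
    """Return one complete request line as the emulation would forward it.

    A real tcp_emu() buffers bytes until it sees CR or LF; here each call
    is one complete line, which is what the "nc -C" reproducer sends.
    """
    if b"\r" not in line and b"\n" not in line:
        return line  # incomplete line: nothing would be emitted yet
    m = _IDENT_REQ.match(line)
    if not m:
        return line  # unparsable request is passed on as-is
    n1, n2 = int(m.group(1)), int(m.group(2))
    return b"%d,%d\r\n" % (n1, n2)


def classify(sent: bytes, received: bytes) -> str:
    """Tell from the host listener's bytes whether emulation is in effect.

    'passthrough' is what the fixed build (el6_10.7) should show;
    'rewritten' is what the unfixed build shows for an IDENT request.
    """
    if received == sent:
        return "passthrough"
    if received == emulated_ident_rewrite(sent):
        return "rewritten"
    return "unexpected"


if __name__ == "__main__":
    # Constructed sample: the guest-side line from comment 5, CRLF-terminated
    # as "nc -C" would send it.
    guest_line = b"1234    ,   4321 \r\n"
    print("unfixed build would deliver:", emulated_ident_rewrite(guest_line))
    print("fixed build delivers:       ", guest_line)
    print(classify(guest_line, b"1234,4321\r\n"))
    print(classify(guest_line, guest_line))
```

The point of the "nc -C" detail in comment 8 is visible in the model: the rewrite only triggers once a CR or LF arrives, so a request typed without a line terminator is never re-serialized and looks like passthrough even on the unfixed build.
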
Comment 13 errata-xmlrpc 2020-04-08 08:58:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1403