Bug 826042

Summary: qemu-kvm: virtio-blk: refuse SG_IO requests with scsi=off (CVE-2011-4127 mitigation)
Product: [Fedora] Fedora Reporter: Cole Robinson <crobinso>
Component: qemuAssignee: Fedora Virtualization Maintainers <virt-maint>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: urgent    
Version: 16CC: agk, amit.shah, bazanluis20, berrange, briang, cfergeau, crobinso, dougsland, dwmw2, ehabkost, itamar, jaswinder, jforbes, jpallich, juzhang, knoel, lcapitulino, michen, minovotn, mtosatti, pbonzini, pmatouse, scottt.tw, security-response-team, shuang, tburke, virt-maint, wnefal+redhatbugzilla, xfu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 770135 Environment:
Last Closed: 2012-06-07 18:57:21 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 770135    
Bug Blocks:    

Description Cole Robinson 2012-05-29 09:02:40 EDT
Cloning against F16

+++ This bug was initially created as a clone of Bug #770135 +++

+++ This bug was initially created as a clone of Bug #756677 +++

qemu-kvm does have a "scsi" option (to be used like -device
virtio-blk-pci,drive=foo,scsi=off).  However, it only masks the feature
bit, and does not reject the command if a malicious guest disregards
the feature bits and issues a request.

(CVE-2011-4127 mitigation)

--- Additional comment from pmatouse@redhat.com on 2011-11-25 12:56:27 EST ---

How to test:

1) install guest which storage is backed by partition or LV (for example:  -drive file=/dev/VolGroup/bz756677,if=none,id=drive-virt0-0-1,format=raw,cache=none,aio=threads -device virtio-blk-pci,drive=drive-virt0-0-1,id=virt0-0-1)

2) patch and rebuild the guest kernel:
comment out following lines in virtblk_ioctl()@drivers/block/virtio_blk.c

//    if (!virtio_has_feature(vblk->vdev, VIRTIO_BLK_F_SCSI))
//            return -ENOTTY;

3) try sg_dd command in the guest with qemu-kvm command line virt-blk scsi option on / off (...id=virt0-0-1 / ...id=virt0-0-1,scsi=off)

3.1) unfixed qemu-kvm

3.1.1) scsi option on (not off)
  # sg_dd if=/dev/vda blk_sgio=1 bs=512 count=1
  -> ... works ...
3.1.2) scsi option off
  # sg_dd if=/dev/vda blk_sgio=1 bs=512 count=1
  -> ... works ...


3.2) fixed qemu-kvm

3.2.1) scsi option on (not off)
  # sg_dd if=/dev/vda blk_sgio=1 bs=512 count=1
  -> ... works ...
3.2.2) scsi option off
  # sg_dd if=/dev/vda blk_sgio=1 bs=512 count=1
  INQUIRY failed on /dev/vda
  -> ... doesn't work

If the bug is fixed, you should see the behaviour as outlined in 3.2.

--- Additional comment from fedora-admin-xmlrpc@redhat.com on 2012-03-15 13:58:10 EDT ---

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

--- Additional comment from crobinso@redhat.com on 2012-05-29 09:01:03 EDT ---

This is fixed in F17+, but is still present in F15 + F16
Comment 1 Fedora Update System 2012-05-29 10:12:47 EDT
qemu-0.15.1-5.fc16 has been submitted as an update for Fedora 16.
Comment 2 Fedora Update System 2012-05-29 17:55:26 EDT
Package qemu-0.15.1-5.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing qemu-0.15.1-5.fc16'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 3 Fedora Update System 2012-06-07 18:57:21 EDT
qemu-0.15.1-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.