Bug 433560 (CVE-2008-0928) - CVE-2008-0928 Qemu insufficient block device address range checking
Summary: CVE-2008-0928 Qemu insufficient block device address range checking
Status: CLOSED ERRATA
Alias: CVE-2008-0928
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
(Show other bugs)
Version: unspecified
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://marc.info/?l=debian-security&m...
Whiteboard: source=vendorsec,reported=20080220,pu...
Keywords: Security
Depends On: 433561 433562 433563 433564 433565 433566 434638 434639 434750 434751
Blocks: 434978
TreeView+ depends on / blocked
 
Reported: 2008-02-20 00:33 UTC by Red Hat Product Security
Modified: 2010-12-23 16:32 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-23 16:32:08 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
A revised version of range checking patch (7.72 KB, patch)
2008-02-27 00:06 UTC, Daniel Berrange
no flags Details | Diff
New patch, backported from upstream qemu (10.31 KB, patch)
2009-04-28 08:52 UTC, Kevin Wolf
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0194 normal SHIPPED_LIVE Important: xen security and bug fix update 2008-05-13 12:28:04 UTC

Description Lubomir Kundrak 2008-02-20 00:33:36 UTC
Ian Jackson discovered that accesses beyond end of qemu emulated disk devices
can result in accesses to emulator's virtual memory space accesses and thus can
allow user with sufficient privilege in guest (root, as this would need
modification to kernel's driver) to break out of VM.

http://marc.info/?l=debian-security&m=120343592917055&w=2

Comment 10 Fedora Update System 2008-02-23 16:30:31 UTC
qemu-0.9.0-6.fc8 has been submitted as an update for Fedora 8

Comment 11 Fedora Update System 2008-02-23 16:31:01 UTC
qemu-0.9.0-4.fc7 has been submitted as an update for Fedora 7

Comment 12 Fedora Update System 2008-02-23 16:34:27 UTC
kvm-60-2.fc8 has been submitted as an update for Fedora 8

Comment 14 Fedora Update System 2008-02-23 16:46:26 UTC
kvm-36-8.fc7 has been submitted as an update for Fedora 7

Comment 18 Fedora Update System 2008-02-26 00:26:00 UTC
kvm-36-8.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2008-02-26 00:27:29 UTC
kvm-60-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2008-02-26 00:27:43 UTC
qemu-0.9.0-6.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2008-02-26 00:27:59 UTC
qemu-0.9.0-4.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Daniel Berrange 2008-02-27 00:06:52 UTC
Created attachment 296005 [details]
A revised version of range checking patch

The original patch adds checks to the main  bdrv_XXX apis to validate that
the I/O operation does not exceed the bounds of the disk - ie beyond the
total_sectors count. This works correctly for bdrv_XXX calls from the IDE
driver.  With disk formats like QCow though,  bdrv_XXX is re-entrant,
because the QCow driver uses the block APIs for dealing with its underlying
file.  The problem is that QCow files are grow-on-demand, so writes will
*explicitly* be beyond the end of the file. The original patch blocks any
I/O operation which would cause the QCow file to grow, resulting it more
or less catasatrophic data loss.

Basically the bounds checking needs to distinguish between checking for
the logical disk extents, vs the physical disk extents. For raw files
these are the same so initial tests showed no problems, but for QCow
format disks they are different & thus we see a problem

What follows is a revised patch which introduces a flag BDRV_O_AUTOGROW
which can be passed to bdrv_open to indicate that the files can be allowed
to automatically extend their extents. This flag should only be used by
internal block drivers such as block-qcow2.c, block-vmdk.c  In my testing
this has fixed the qcow corruption, and still maintains the goal of Ian's
original patch which was to prevent the guest VM writing beyond the logical
disk extents.

Comment 23 Fedora Update System 2008-02-28 01:08:58 UTC
xen-3.1.2-2.fc8 has been submitted as an update for Fedora 8

Comment 24 Fedora Update System 2008-02-28 01:10:15 UTC
xen-3.1.2-2.fc7 has been submitted as an update for Fedora 7

Comment 25 Fedora Update System 2008-02-28 21:37:27 UTC
xen-3.1.2-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2008-02-28 21:40:47 UTC
xen-3.1.2-2.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 28 Kevin Wolf 2009-04-27 15:04:56 UTC
During the follow-up of bug #496041 we noticed that snapshot support in qcow2 is still broken after fixing the qcow2 corruption bugs upstream. I bisected the breakage to the kvm-0013-Fix-CVE-2008-0928-insufficient-block-device-addres.patch which is the patch to address this bug.  Running the following commands creates and destroys a qcow2 image:

qemu-img create -f qcow2 test.qcow2 10M
qemu-img info test.qcow2
qemu-img snapshot -c test0 test.qcow2
qemu-img info test.qcow2

The reason this patch breaks snapshots is obvious: The VM state is saved after the end of the visible guest disk and such accesses are prevented now. I'm not sure yet why it breaks the image instead of failing gracefully.

Upstream qemu has a different fix by now, so we might consider to pull that one instead.

Comment 29 Kevin Wolf 2009-04-28 08:52:55 UTC
Created attachment 341538 [details]
New patch, backported from upstream qemu

The attached patch should be considered as a replacement for our current patch. I have completely reverted our patch which was previously rejected by upstream qemu and backported the upstream fix (which is this patch) which can handle snapshots without destroying the image.

Comment 30 Red Hat Bugzilla 2009-10-23 19:03:26 UTC
Reporter changed to security-response-team@redhat.com by request of Jay Turner.

Comment 31 Vincent Danen 2010-12-23 16:32:08 UTC
This was addressed via:

Red Hat Enterprise Linux version 5 (RHSA-2008:0194)
RHEL Virtualization version 5 (RHSA-2008:0194)


Note You need to log in before you can comment on or make changes to this bug.