Bug 770135 - qemu-kvm: virtio-blk: refuse SG_IO requests with scsi=off (CVE-2011-4127 mitigation) [rhel-6.3]
Product: Fedora
Classification: Fedora
Component: qemu
All Linux
Priority: urgent  Severity: high
Assigned To: Fedora Virtualization Maintainers
Fedora Extras Quality Assurance
: Security
Depends On:
Blocks: 826042
Reported: 2011-12-23 09:42 EST by Paolo Bonzini
Modified: 2013-01-09 19:38 EST

Doc Type: Bug Fix
Clone Of: 756677
Clones: 826042
Last Closed: 2012-06-07 19:06:21 EDT
Description Paolo Bonzini 2011-12-23 09:42:13 EST
+++ This bug was initially created as a clone of Bug #756677 +++

qemu-kvm does have a "scsi" option (to be used like -device
virtio-blk-pci,drive=foo,scsi=off).  However, it only masks the feature
bit, and does not reject the command if a malicious guest disregards
the feature bits and issues a request.

(CVE-2011-4127 mitigation)

--- Additional comment from pmatouse@redhat.com on 2011-11-25 12:56:27 EST ---

How to test:

1) install a guest whose storage is backed by a partition or LV (for example:  -drive file=/dev/VolGroup/bz756677,if=none,id=drive-virt0-0-1,format=raw,cache=none,aio=threads -device virtio-blk-pci,drive=drive-virt0-0-1,id=virt0-0-1)

2) patch and rebuild the guest kernel:
comment out the following lines in virtblk_ioctl() in drivers/block/virtio_blk.c

//    if (!virtio_has_feature(vblk->vdev, VIRTIO_BLK_F_SCSI))
//            return -ENOTTY;

3) try the sg_dd command in the guest with the qemu-kvm command-line virtio-blk scsi option on / off (...id=virt0-0-1 / ...id=virt0-0-1,scsi=off)

3.1) unfixed qemu-kvm

3.1.1) scsi option on (not off)
  # sg_dd if=/dev/vda blk_sgio=1 bs=512 count=1
  -> ... works ...
3.1.2) scsi option off
  # sg_dd if=/dev/vda blk_sgio=1 bs=512 count=1
  -> ... works ...


3.2) fixed qemu-kvm

3.2.1) scsi option on (not off)
  # sg_dd if=/dev/vda blk_sgio=1 bs=512 count=1
  -> ... works ...
3.2.2) scsi option off
  # sg_dd if=/dev/vda blk_sgio=1 bs=512 count=1
  INQUIRY failed on /dev/vda
  -> ... doesn't work

If the bug is fixed, you should see the behaviour as outlined in 3.2.
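An added example, not QEMU's code, modelling the distinction the description draws and the behaviour expected in step 3.2.2: scsi=off only clears VIRTIO_BLK_F_SCSI from the advertised feature bits, so a device that trusts negotiation still passes a SCSI_CMD request through, while the fixed device checks the scsi= setting per request and answers VIRTIO_BLK_S_UNSUPP. The struct blk_dev, handle_request_unfixed and handle_request_fixed names and the one-field request model are assumptions; the constants are the virtio-blk specification values.

```c
#include <stdbool.h>
#include <stdint.h>

/* Feature bit, request types and status codes from the virtio-blk spec. */
#define VIRTIO_BLK_F_SCSI      7
#define VIRTIO_BLK_T_IN        0
#define VIRTIO_BLK_T_OUT       1
#define VIRTIO_BLK_T_SCSI_CMD  2
#define VIRTIO_BLK_S_OK        0
#define VIRTIO_BLK_S_UNSUPP    2

/* Hypothetical device model (not QEMU's VirtIOBlock struct). */
struct blk_dev {
    bool scsi;               /* -device virtio-blk-pci,...,scsi=on|off */
    uint32_t host_features;  /* feature bits the host supports */
};

/* Feature bits advertised to the guest: scsi=off only clears the bit.
 * A guest that ignores negotiation can still send SCSI_CMD requests. */
static uint32_t advertised_features(const struct blk_dev *dev)
{
    uint32_t f = dev->host_features;
    if (!dev->scsi)
        f &= ~(1u << VIRTIO_BLK_F_SCSI);
    return f;
}

/* Unfixed dispatch: trusts the feature bit and passes any SCSI_CMD
 * through to SG_IO, whatever scsi= was set to. */
static uint8_t handle_request_unfixed(const struct blk_dev *dev, uint32_t type)
{
    (void)dev;   /* scsi= is never consulted here */
    switch (type) {
    case VIRTIO_BLK_T_IN:
    case VIRTIO_BLK_T_OUT:
    case VIRTIO_BLK_T_SCSI_CMD:
        return VIRTIO_BLK_S_OK;
    default:
        return VIRTIO_BLK_S_UNSUPP;
    }
}

/* Fixed dispatch: the scsi= setting is enforced per request, so the
 * guest gets VIRTIO_BLK_S_UNSUPP (sg_dd then reports "INQUIRY failed"). */
static uint8_t handle_request_fixed(const struct blk_dev *dev, uint32_t type)
{
    if (type == VIRTIO_BLK_T_SCSI_CMD && !dev->scsi)
        return VIRTIO_BLK_S_UNSUPP;
    return handle_request_unfixed(dev, type);
}
```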
Comment 1 Fedora Admin XMLRPC Client 2012-03-15 13:58:10 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 2 Cole Robinson 2012-05-29 09:01:03 EDT
This is fixed in F17+, but is still present in F15 + F16
Comment 3 Fedora Update System 2012-05-29 11:00:00 EDT
qemu-0.14.0-9.fc15 has been submitted as an update for Fedora 15.
Comment 4 Fedora Update System 2012-05-29 17:58:09 EDT
Package qemu-0.14.0-9.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing qemu-0.14.0-9.fc15'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2012-06-07 19:06:21 EDT
qemu-0.14.0-9.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.