Bug 826042 - qemu-kvm: virtio-blk: refuse SG_IO requests with scsi=off (CVE-2011-4127 mitigation)
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: qemu
Version: 16
Hardware: All
OS: Linux
Priority: urgent
Severity: high
Assigned To: Fedora Virtualization Maintainers
QA Contact: Fedora Extras Quality Assurance
Keywords: Security
Depends On: 770135
Reported: 2012-05-29 09:02 EDT by Cole Robinson
Modified: 2013-01-09 19:59 EST

Doc Type: Bug Fix
Clone Of: 770135
Last Closed: 2012-06-07 18:57:21 EDT
Attachments: None

Description Cole Robinson 2012-05-29 09:02:40 EDT
Cloning against F16

+++ This bug was initially created as a clone of Bug #770135 +++

+++ This bug was initially created as a clone of Bug #756677 +++

qemu-kvm does have a "scsi" option (to be used like -device
virtio-blk-pci,drive=foo,scsi=off).  However, it only masks the feature
bit, and does not reject the command if a malicious guest disregards
the feature bits and issues a request.

(CVE-2011-4127 mitigation)

--- Additional comment from pmatouse@redhat.com on 2011-11-25 12:56:27 EST ---

How to test:

1) install guest which storage is backed by partition or LV (for example:  -drive file=/dev/VolGroup/bz756677,if=none,id=drive-virt0-0-1,format=raw,cache=none,aio=threads -device virtio-blk-pci,drive=drive-virt0-0-1,id=virt0-0-1)

2) patch and rebuild the guest kernel:
comment out the following lines in virtblk_ioctl() in drivers/block/virtio_blk.c:

//    if (!virtio_has_feature(vblk->vdev, VIRTIO_BLK_F_SCSI))
//            return -ENOTTY;

3) try sg_dd command in the guest with qemu-kvm command line virt-blk scsi option on / off (...id=virt0-0-1 / ...id=virt0-0-1,scsi=off)

3.1) unfixed qemu-kvm

3.1.1) scsi option on (not off)
  # sg_dd if=/dev/vda blk_sgio=1 bs=512 count=1
  -> ... works ...
3.1.2) scsi option off
  # sg_dd if=/dev/vda blk_sgio=1 bs=512 count=1
  -> ... works ...

-----------------------------------------------

3.2) fixed qemu-kvm

3.2.1) scsi option on (not off)
  # sg_dd if=/dev/vda blk_sgio=1 bs=512 count=1
  -> ... works ...
3.2.2) scsi option off
  # sg_dd if=/dev/vda blk_sgio=1 bs=512 count=1
  INQUIRY failed on /dev/vda
  -> ... doesn't work

If the bug is fixed, you should see the behaviour as outlined in 3.2.

--- Additional comment from fedora-admin-xmlrpc@redhat.com on 2012-03-15 13:58:10 EDT ---

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

--- Additional comment from crobinso@redhat.com on 2012-05-29 09:01:03 EDT ---

This is fixed in F17+, but is still present in F15 + F16
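The point of the bug, illustrated as an added example (not QEMU's or the reporter's code): with scsi=off the unfixed backend only masked the VIRTIO_BLK_F_SCSI feature bit, so a guest that disregards feature negotiation could still get a VIRTIO_BLK_T_SCSI_CMD request processed; the fix is a check in the request handler itself. The VIRTIO_BLK_* constants follow the virtio block spec; the struct and function names below are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>

/* Feature bit and request/status codes as defined by the virtio block spec. */
#define VIRTIO_BLK_F_SCSI       7   /* host offers SG_IO pass-through */
#define VIRTIO_BLK_T_IN         0
#define VIRTIO_BLK_T_OUT        1
#define VIRTIO_BLK_T_SCSI_CMD   2
#define VIRTIO_BLK_S_OK         0
#define VIRTIO_BLK_S_UNSUPP     2

/* Hypothetical backend state (not QEMU's real VirtIOBlock struct). */
struct vblk_dev {
    bool scsi_enabled;          /* the -device virtio-blk-pci,...,scsi=on|off option */
    bool check_in_handler;      /* false: unfixed (mask bit only); true: fixed */
    unsigned scsi_cmds_passed;  /* SG_IO requests that reached the backing device */
};

/* Feature bits advertised to the guest. Masking VIRTIO_BLK_F_SCSI here is
 * all the unfixed qemu-kvm did for scsi=off. */
uint32_t vblk_host_features(const struct vblk_dev *dev)
{
    uint32_t features = 0;
    if (dev->scsi_enabled)
        features |= 1u << VIRTIO_BLK_F_SCSI;
    return features;
}

/* Dispatch one request header type taken from the guest's virtqueue.
 * A guest that ignores the negotiated features can still submit
 * VIRTIO_BLK_T_SCSI_CMD, so the backend must consult its own option
 * instead of trusting feature negotiation to keep such requests out. */
uint8_t vblk_handle_request(struct vblk_dev *dev, uint32_t type)
{
    switch (type) {
    case VIRTIO_BLK_T_IN:
    case VIRTIO_BLK_T_OUT:
        return VIRTIO_BLK_S_OK;         /* ordinary block I/O is always allowed */
    case VIRTIO_BLK_T_SCSI_CMD:
        if (dev->check_in_handler && !dev->scsi_enabled)
            return VIRTIO_BLK_S_UNSUPP; /* the fix: refuse SG_IO when scsi=off */
        dev->scsi_cmds_passed++;        /* would now become ioctl(SG_IO) on the host */
        return VIRTIO_BLK_S_OK;
    default:
        return VIRTIO_BLK_S_UNSUPP;     /* unknown request type */
    }
}
```

The fixed path matches step 3.2.2 of the test procedure above: with scsi=off the SG_IO request is answered with an unsupported status, so the guest-side INQUIRY fails.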
Comment 1 Fedora Update System 2012-05-29 10:12:47 EDT
qemu-0.15.1-5.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/qemu-0.15.1-5.fc16
Comment 2 Fedora Update System 2012-05-29 17:55:26 EDT
Package qemu-0.15.1-5.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing qemu-0.15.1-5.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8592/qemu-0.15.1-5.fc16
then log in and leave karma (feedback).
Comment 3 Fedora Update System 2012-06-07 18:57:21 EDT
qemu-0.15.1-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
