Cloning against F16

+++ This bug was initially created as a clone of Bug #770135 +++

+++ This bug was initially created as a clone of Bug #756677 +++

qemu-kvm does have a "scsi" option (to be used like -device virtio-blk-pci,drive=foo,scsi=off). However, it only masks the feature bit, and does not reject the command if a malicious guest disregards the feature bits and issues a request. (CVE-2011-4127 mitigation)

--- Additional comment from pmatouse on 2011-11-25 12:56:27 EST ---

How to test:

1) install a guest whose storage is backed by a partition or LV (for example:
   -drive file=/dev/VolGroup/bz756677,if=none,id=drive-virt0-0-1,format=raw,cache=none,aio=threads -device virtio-blk-pci,drive=drive-virt0-0-1,id=virt0-0-1)

2) patch and rebuild the guest kernel: comment out the following lines in virtblk_ioctl()@drivers/block/virtio_blk.c

   // if (!virtio_has_feature(vblk->vdev, VIRTIO_BLK_F_SCSI))
   //     return -ENOTTY;

3) try the sg_dd command in the guest with the qemu-kvm command line virtio-blk scsi option on / off (...id=virt0-0-1 / ...id=virt0-0-1,scsi=off)

3.1) unfixed qemu-kvm

3.1.1) scsi option on (not off)
   # sg_dd if=/dev/vda blk_sgio=1 bs=512 count=1
   -> ... works ...

3.1.2) scsi option off
   # sg_dd if=/dev/vda blk_sgio=1 bs=512 count=1
   -> ... works ...

-----------------------------------------------

3.2) fixed qemu-kvm

3.2.1) scsi option on (not off)
   # sg_dd if=/dev/vda blk_sgio=1 bs=512 count=1
   -> ... works ...

3.2.2) scsi option off
   # sg_dd if=/dev/vda blk_sgio=1 bs=512 count=1
   INQUIRY failed on /dev/vda
   -> ... doesn't work

If the bug is fixed, you should see the behaviour as outlined in 3.2.

--- Additional comment from fedora-admin-xmlrpc on 2012-03-15 13:58:10 EDT ---

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

--- Additional comment from crobinso on 2012-05-29 09:01:03 EDT ---

This is fixed in F17+, but is still present in F15 + F16
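The opening comment's point (scsi=off only clears the advertised feature bit, so the device must also refuse the request itself) is illustrated below by an added, self-contained C model written for this page. It is not qemu-kvm code: the numeric values of VIRTIO_BLK_F_SCSI, the request types and the status codes are the virtio specification's, but the device structure, the handler functions and the scsi_passthrough stub are assumptions made for the example. The unfixed handler dispatches on request type alone, as the comment describes; the fixed handler re-checks the feature the host actually offered and returns VIRTIO_BLK_S_UNSUPP, which is the device-side behaviour behind the "INQUIRY failed" result in step 3.2.2.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from the virtio specification (bit position / request type / status). */
#define VIRTIO_BLK_F_SCSI      7   /* device supports SCSI passthrough requests */
#define VIRTIO_BLK_T_IN        0   /* read  */
#define VIRTIO_BLK_T_OUT       1   /* write */
#define VIRTIO_BLK_T_SCSI_CMD  2   /* SCSI command passthrough */
#define VIRTIO_BLK_S_OK        0
#define VIRTIO_BLK_S_UNSUPP    2

/* Toy device state (assumed for this example, not qemu's structures). */
struct blk_dev {
    uint32_t host_features;        /* feature bits advertised to the guest */
    int scsi_passthrough_calls;    /* how many requests reached the SG_IO path */
};

struct blk_req {
    uint32_t type;                 /* one of the VIRTIO_BLK_T_* values */
};

/* Stub for the SCSI passthrough path; a real device would forward the CDB
 * to the host block device. Here we only record that it was reached. */
static uint8_t scsi_passthrough(struct blk_dev *d)
{
    d->scsi_passthrough_calls++;
    return VIRTIO_BLK_S_OK;
}

/* Unfixed behaviour: the handler trusts the request type. scsi=off cleared
 * the feature bit, but a guest that ignores feature negotiation still gets
 * its SCSI command forwarded. */
uint8_t handle_request_unfixed(struct blk_dev *d, const struct blk_req *r)
{
    switch (r->type) {
    case VIRTIO_BLK_T_SCSI_CMD:
        return scsi_passthrough(d);
    case VIRTIO_BLK_T_IN:
    case VIRTIO_BLK_T_OUT:
        return VIRTIO_BLK_S_OK;    /* ordinary I/O, modelled as a no-op */
    default:
        return VIRTIO_BLK_S_UNSUPP;
    }
}

/* Fixed behaviour: the device enforces its own configuration instead of
 * relying on the guest honouring the feature bits. */
uint8_t handle_request_fixed(struct blk_dev *d, const struct blk_req *r)
{
    if (r->type == VIRTIO_BLK_T_SCSI_CMD &&
        !(d->host_features & (1u << VIRTIO_BLK_F_SCSI))) {
        return VIRTIO_BLK_S_UNSUPP;   /* refused, never reaches passthrough */
    }
    return handle_request_unfixed(d, r);
}

/* Mirrors the command-line option: scsi=on sets the bit, scsi=off clears it. */
struct blk_dev make_dev(int scsi_on)
{
    struct blk_dev d;
    memset(&d, 0, sizeof d);
    if (scsi_on)
        d.host_features |= 1u << VIRTIO_BLK_F_SCSI;
    return d;
}

int main(void)
{
    /* Constructed request: a guest issuing SCSI_CMD although scsi=off. */
    struct blk_req scsi_cmd = { VIRTIO_BLK_T_SCSI_CMD };
    struct blk_dev old_dev = make_dev(0);
    struct blk_dev new_dev = make_dev(0);

    printf("unfixed, scsi=off: status=%u passthrough_calls=%d\n",
           handle_request_unfixed(&old_dev, &scsi_cmd),
           old_dev.scsi_passthrough_calls);
    printf("fixed,   scsi=off: status=%u passthrough_calls=%d\n",
           handle_request_fixed(&new_dev, &scsi_cmd),
           new_dev.scsi_passthrough_calls);
    return 0;
}
```

The model deliberately keeps the request-type dispatch identical in both handlers so that the only difference is the one check the fix adds: the device's own view of the offered features is consulted before the SCSI path is entered. That is the property the test procedure above verifies from the guest side with sg_dd.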
qemu-0.15.1-5.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/qemu-0.15.1-5.fc16
Package qemu-0.15.1-5.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing qemu-0.15.1-5.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8592/qemu-0.15.1-5.fc16
then log in and leave karma (feedback).
qemu-0.15.1-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.