using QEMU_MODULE_DIR and CONFIG_MODULE_UPGRADES at the same time can crash qemu

Bug #1871830 reported by Christian Ehrhardt 
Affects: qemu (Ubuntu) | Status: Fix Released | Importance: Critical | Assigned to: Christian Ehrhardt

Bug Description

[Impact]

 * Back-porting an upstream fix for an array growing out of its allocated
   size.

[Test Case]

 * Full virt regression tests were run before the upload.
   Details are in the linked Merge Proposals.

[Regression Potential]

 * The fix just increases an array size by one.
   This is a char pointer and exists once per qemu; I see no other drawback
   than the size consumption, and that is negligible.

[Other Info]

 * This isn't technically an SRU, but I have learned that filling these
   templates helps the release Team to accept changes while in 20.04 Freeze
   time.

---

Need to bump
  char *dirs[4];
in util/module.c
to reflect the new max size.
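The array described above is a fixed-size stack buffer filled from several optional sources, and enabling both QEMU_MODULE_DIR and CONFIG_MODULE_UPGRADES pushed n_dirs past its bound of 4. As an added example (not QEMU's own code), here is one defensive way to model that list in C: a bounds-checked append that reports overflow instead of asserting, plus a build-time assert tying the capacity to the number of candidate sources. The struct, function names and paths are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model of how module_load_one() gathers its search directories;
 * an added example, not QEMU's code. Every candidate source is counted in
 * N_DIR_SOURCES, and the build-time assert ties the array capacity to that
 * count, so adding a source without bumping the bound fails at compile time
 * rather than tripping the runtime assert (or overflowing the stack array if
 * asserts were compiled out). */
#define N_DIR_SOURCES   5   /* env dir, moddir, exec_dir/.., exec_dir, upgrade dir */
#define MODULE_DIRS_CAP 5   /* the bound the report says had to grow by one */
_Static_assert(MODULE_DIRS_CAP >= N_DIR_SOURCES, "bump MODULE_DIRS_CAP for the new source");

struct module_dirs {
    const char *dirs[MODULE_DIRS_CAP];
    int n_dirs;
};

/* Bounds-checked append: reports overflow instead of writing past the array. */
static bool add_dir(const char **dirs, int cap, int *n, const char *dir)
{
    if (*n >= cap) {
        return false;
    }
    dirs[(*n)++] = dir;
    return true;
}

/* Fill dirs (capacity cap) from the enabled sources. env_dir models
 * QEMU_MODULE_DIR and upgrades models CONFIG_MODULE_UPGRADES; the path
 * strings are constructed stand-ins. Returns the count, or -1 if cap is
 * too small for the enabled sources (the situation behind the crash). */
static int collect_dirs(const char **dirs, int cap, const char *env_dir, bool upgrades)
{
    int n = 0;
    if (env_dir && !add_dir(dirs, cap, &n, env_dir)) return -1;
    if (!add_dir(dirs, cap, &n, "/usr/lib/qemu")) return -1;      /* CONFIG_QEMU_MODDIR stand-in */
    if (!add_dir(dirs, cap, &n, "/usr/bin/..")) return -1;        /* exec_dir/.. stand-in */
    if (!add_dir(dirs, cap, &n, "/usr/bin")) return -1;           /* exec_dir stand-in */
    if (upgrades && !add_dir(dirs, cap, &n, "/var/run/qemu/4.2")) return -1; /* upgrade dir stand-in */
    return n;
}

/* Wrapper that always uses the compile-time bound. */
static int collect_module_dirs(struct module_dirs *md, const char *env_dir, bool upgrades)
{
    md->n_dirs = collect_dirs(md->dirs, MODULE_DIRS_CAP, env_dir, upgrades);
    return md->n_dirs;
}
```

Calling collect_dirs with a capacity of 4 and both features enabled returns -1, which is exactly the combination that tripped the runtime assert in the report.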

Changed in qemu (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)
status: New → Triaged
Changed in qemu (Ubuntu):
importance: Undecided → Critical
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Test:
QEMU_MODULE_DIR="/tmp/" qemu-system-x86_64 -cdrom localhost::/foo
qemu-system-x86_64: /build/qemu-oknQD6/qemu-4.2/util/module.c:211: module_load_one: Assertion `n_dirs <= ARRAY_SIZE(dirs)' failed.
Aborted (core dumped)

With fix:
QEMU_MODULE_DIR="/tmp/" qemu-system-x86_64 -cdrom localhost::/foo
Unable to init server: Could not connect: Connection refused
qemu-system-x86_64: -cdrom localhost::/foo: Unknown protocol 'localhost'

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

While prepping my submission I found that on Friday a fix for it already landed.
https://git.qemu.org/?p=qemu.git;a=commit;h=267514b33ffa3f315adc26fc14d89f92e90840f5

Adding that to Focal's qemu (and any related backports).

Changed in qemu (Ubuntu):
status: Triaged → In Progress
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 1:4.2-3ubuntu5

---------------
qemu (1:4.2-3ubuntu5) focal; urgency=medium

  * d/p/ubuntu/lp-1871830-*: avoid crash when using QEMU_MODULE_DIR
    (LP: #1871830)
  * Security and packaging fixes (LP: #1872937)
    - arm-fix-PAuth-sbox-functions-CVE-2020-10702.patch
    - net-tulip-check-frame-size-and-r-w-data-length-CVE-2020-11102.patch
      CVE-2020-10702
      CVE-2020-11102
    - fix external spice UI
      + install ui-spice-app.so in qemu-system-common
      + install ui-spice-app.so only if built, spice is optional
    - switch binfmt registration to use update-binfmts --[un]import (#866756)
    - qemu-system-gui: Multi-Arch=same, not foreign (#956763)
    - qemu-system-data: s/highcolor/hicolor/ (#955741)
  * d/p/ubuntu/lp-1872107*: fix migration while rebooting guests (LP: #1872107)

 -- Christian Ehrhardt <email address hidden> Wed, 15 Apr 2020 11:26:44 +0200

Changed in qemu (Ubuntu):
status: In Progress → Fix Released