using QEMU_MODULE_DIR and CONFIG_MODULE_UPGRADES at the same time can crash qemu

Bug #1871830 reported by Christian Ehrhardt on 2020-04-09

Affects: qemu (Ubuntu)    Importance: Critical    Assigned to: Christian Ehrhardt

Bug Description

[Impact]

 * Back-porting an upstream fix for an array growing out of its allocated
   size.

[Test Case]

 * Full virt regression tests were run before the upload.
   Details are in the linked Merge Proposals.

[Regression Potential]

 * The fix just increases an array size by one.
   This is a char pointer and exists once per qemu, I see no other drawback
   than the size consumption and that is negligible.

[Other Info]

 * This isn't technically an SRU, but I have learned that filling these
   templates helps the release Team to accept changes while in 20.04 Freeze
   time.

---

Need to bump
  char *dirs[4];
in util/module.c
to reflect the new max size.
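To make the overflow described above concrete, the following is an added C model of the search-directory list; it is not QEMU's util/module.c and is not part of the bug report. It keeps the page's numbers (a `dirs` array of 4 before the fix, 5 after) and reproduces the arithmetic that bites: an optional QEMU_MODULE_DIR entry plus an optional CONFIG_MODULE_UPGRADES entry on top of the unconditional entries. The three unconditional placeholder paths and the upgrade-dir path are assumptions for illustration only. Unlike the real code, which relied on `assert(n_dirs <= ARRAY_SIZE(dirs))` after the fact (and so aborted, as the test output below shows, rather than writing past the array), the model refuses the append up front and reports the failure.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Backing storage for the model. The limit actually under test is 'capacity',
 * which stands in for the declared size of 'char *dirs[N]' in util/module.c. */
#define MAX_DIRS 8

typedef struct {
    const char *dirs[MAX_DIRS];
    size_t capacity;   /* 4 before the fix, 5 after */
    size_t n_dirs;
} dir_list;

/* Bounded append: refuses instead of writing past 'capacity'. */
static bool dir_list_add(dir_list *l, const char *dir)
{
    if (l->capacity > MAX_DIRS || l->n_dirs >= l->capacity) {
        return false;
    }
    l->dirs[l->n_dirs++] = dir;
    return true;
}

/* Build the search list for one configuration.
 *   env_dir         models QEMU_MODULE_DIR (NULL when unset)
 *   module_upgrades models a build with CONFIG_MODULE_UPGRADES
 * The literal paths are placeholders (assumption), not QEMU's real values.
 * Returns true only if every entry fitted into 'capacity'. */
static bool build_dirs(dir_list *l, size_t capacity,
                       const char *env_dir, bool module_upgrades)
{
    bool ok = true;
    l->capacity = capacity;
    l->n_dirs = 0;

    if (env_dir) {
        ok &= dir_list_add(l, env_dir);                 /* QEMU_MODULE_DIR */
    }
    ok &= dir_list_add(l, "/usr/lib/qemu");             /* placeholder: built-in module dir */
    ok &= dir_list_add(l, "<exec_dir>/..");             /* placeholder */
    ok &= dir_list_add(l, "<exec_dir>");                /* placeholder */
    if (module_upgrades) {
        ok &= dir_list_add(l, "/var/run/qemu/<version>"); /* placeholder: upgrade dir */
    }
    return ok;
}

int main(void)
{
    dir_list l;
    /* The combination from this bug: env var set on an upgrades-enabled build. */
    bool before = build_dirs(&l, 4, "/tmp/", true);
    bool after  = build_dirs(&l, 5, "/tmp/", true);
    printf("capacity 4: %s (needs %zu entries)\n", before ? "fits" : "overflow", l.n_dirs);
    printf("capacity 5: %s\n", after ? "fits" : "overflow");
    return 0;
}
```

Only the combination of both optional entries exceeds the old size; either one alone fills exactly four slots, which is why the crash needed QEMU_MODULE_DIR and CONFIG_MODULE_UPGRADES together.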

Changed in qemu (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)
status: New → Triaged
Changed in qemu (Ubuntu):
importance: Undecided → Critical
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Test:
QEMU_MODULE_DIR="/tmp/" qemu-system-x86_64 -cdrom localhost::/foo
qemu-system-x86_64: /build/qemu-oknQD6/qemu-4.2/util/module.c:211: module_load_one: Assertion `n_dirs <= ARRAY_SIZE(dirs)' failed.
Aborted (core dumped)

With fix:
QEMU_MODULE_DIR="/tmp/" qemu-system-x86_64 -cdrom localhost::/foo
Unable to init server: Could not connect: Connection refused
qemu-system-x86_64: -cdrom localhost::/foo: Unknown protocol 'localhost'

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

While prepping my submission I found that on Friday a fix for it already landed.
https://git.qemu.org/?p=qemu.git;a=commit;h=267514b33ffa3f315adc26fc14d89f92e90840f5

Adding that to Focals qemu (and any related backports).

Changed in qemu (Ubuntu):
status: Triaged → In Progress
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 1:4.2-3ubuntu5

---------------
qemu (1:4.2-3ubuntu5) focal; urgency=medium

  * d/p/ubuntu/lp-1871830-*: avoid crash when using QEMU_MODULE_DIR
    (LP: #1871830)
  * Security and packaging fixes (LP: #1872937)
    - arm-fix-PAuth-sbox-functions-CVE-2020-10702.patch
    - net-tulip-check-frame-size-and-r-w-data-length-CVE-2020-11102.patch
      CVE-2020-10702
      CVE-2020-11102
    - fix external spice UI
      + install ui-spice-app.so in qemu-system-common
      + install ui-spice-app.so only if built, spice is optional
    - switch binfmt registration to use update-binfmts --[un]import (#866756)
    - qemu-system-gui: Multi-Arch=same, not foreign (#956763)
    - qemu-system-data: s/highcolor/hicolor/ (#955741)
  * d/p/ubuntu/lp-1872107*: fix migration while rebooting guests (LP: #1872107)

 -- Christian Ehrhardt <email address hidden> Wed, 15 Apr 2020 11:26:44 +0200

Changed in qemu (Ubuntu):
status: In Progress → Fix Released