diff options
Diffstat (limited to 'poky/meta/recipes-devtools/qemu/qemu/CVE-2018-15746.patch')
-rw-r--r-- | poky/meta/recipes-devtools/qemu/qemu/CVE-2018-15746.patch | 64 |
1 files changed, 0 insertions, 64 deletions
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-15746.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-15746.patch deleted file mode 100644 index 2f61ea005..000000000 --- a/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-15746.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 9acf4c64dd4560bd268006d7356c7455fab7e5b1 Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Thu, 6 Sep 2018 14:52:12 +0800 -Subject: [PATCH] seccomp: set the seccomp filter to all threads -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When using "-seccomp on", the seccomp policy is only applied to the -main thread, the vcpu worker thread and other worker threads created -after seccomp policy is applied; the seccomp policy is not applied to -e.g. the RCU thread because it is created before the seccomp policy is -applied and SECCOMP_FILTER_FLAG_TSYNC isn't used. - -This can be verified with -for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done -Seccomp: 2 -Seccomp: 0 -Seccomp: 0 -Seccomp: 2 -Seccomp: 2 -Seccomp: 2 - -Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use -seccomp_attr_set(ctx, > SCMP_FLTATR_CTL_TSYNC, 1) to update the policy -on all threads. - -libseccomp requirement was bumped to 2.2.0 in previous patch. -libseccomp should fail to set the filter if it can't honour -SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on -kernel < 3.17. - -Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Acked-by: Eduardo Otubo <otubo@redhat.com> - -Upstream-Status: Backport[https://github.com/qemu/qemu/commit/ -70dfabeaa79ba4d7a3b699abe1a047c8012db114#diff-18106d3b47a2d249f9d41e772b7db22d] - -CVE: CVE-2018-15746 - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - qemu-seccomp.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/qemu-seccomp.c b/qemu-seccomp.c -index 9cd8eb9..ba5500a 100644 ---- a/qemu-seccomp.c -+++ b/qemu-seccomp.c -@@ -120,6 +120,11 @@ static int seccomp_start(uint32_t seccomp_opts) - goto seccomp_return; - } - -+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1); -+ if (rc != 0) { -+ goto seccomp_return; -+ } -+ - for (i = 0; i < ARRAY_SIZE(blacklist); i++) { - if (!(seccomp_opts & blacklist[i].set)) { - continue; --- -2.7.4 - |