From: Greg Kurz <groug@kaod.org>
To: Miklos Szeredi <mszeredi@redhat.com>
Cc: Daniel Berrange <berrange@redhat.com>,
QEMU Developers <qemu-devel@nongnu.org>,
P J P <ppandit@redhat.com>, virtio-fs-list <virtio-fs@redhat.com>,
Alex Xu <alex@alxu.ca>, Stefan Hajnoczi <stefanha@redhat.com>,
Laszlo Ersek <lersek@redhat.com>, Vivek Goyal <vgoyal@redhat.com>
Subject: Re: [Virtio-fs] [PATCH v2] virtiofsd: prevent opening of special files (CVE-2020-35517)
Date: Thu, 28 Jan 2021 15:26:41 +0100 [thread overview]
Message-ID: <20210128152641.0e9d5fa0@bahia.lan> (raw)
In-Reply-To: <CAOssrKff8FyC0i+Q1MY0paEiXdARp2=vkSnTwNHZxpntyV7oxA@mail.gmail.com>
On Thu, 28 Jan 2021 15:00:58 +0100
Miklos Szeredi <mszeredi@redhat.com> wrote:
> On Thu, Jan 28, 2021 at 1:15 PM Greg Kurz <groug@kaod.org> wrote:
> >
> > On Wed, 27 Jan 2021 16:52:56 +0100
> > Miklos Szeredi <mszeredi@redhat.com> wrote:
> >
> > > On Wed, Jan 27, 2021 at 4:47 PM Miklos Szeredi <mszeredi@redhat.com> wrote:
> > > >
> > > > On Wed, Jan 27, 2021 at 4:35 PM Greg Kurz <groug@kaod.org> wrote:
> > > > >
> > > > > On Wed, 27 Jan 2021 16:22:49 +0100
> > > > > Miklos Szeredi <mszeredi@redhat.com> wrote:
> > > > >
> > > > > > On Wed, Jan 27, 2021 at 4:09 PM Greg Kurz <groug@kaod.org> wrote:
> > > > > > >
> > > > > > > On Wed, 27 Jan 2021 15:09:50 +0100
> > > > > > > Miklos Szeredi <mszeredi@redhat.com> wrote:
> > > > > > > > The semantics of O_CREATE are that it can fail neither because the
> > > > > > > > file exists nor because it doesn't. This doesn't matter if the
> > > > > > > > exported tree is not modified outside of a single guest, because of
> > > > > > > > locking provided by the guest kernel.
> > > > > > > >
> > > > > > >
> > > > > > > Wrong. O_CREAT can legitimately fail with ENOENT if one element
> > > > > >
> > > > > > Let me make my statement more precise:
> > > > > >
> > > > > > O_CREAT cannot fail with ENOENT if parent directory exists throughout
> > > > > > the operation.
> > > > > >
> > > > >
> > > > > True, but I still don't see what guarantees guest userspace that the
> > > > > parent directory doesn't go away... I must have missed something.
> > > > > Please elaborate.
> > > >
> > > > Generally there's no guarantee, however there can be certain
> > > > situations where the caller can indeed rely on the existence of the
> > > > parent (e.g. /tmp).
> > >
> > > Example from the virtiofs repo:
> > >
> > > https://gitlab.com/virtio-fs/ireg/-/blob/master/ireg.c#L315
> > > https://gitlab.com/virtio-fs/ireg/-/blob/master/ireg.c#L382
> > >
> > > In that case breaking O_CREAT would be harmless, since no two
> > > instances are allowed anyway, so it would just give a confusing error.
> > > But it is breakage and it probably wouldn't be hard to find much worse
> > > breakage in real life applications.
> > >
> >
> > Ok, I get your point : a guest userspace application can't expect
> > to hit ENOENT when doing open("/some_dir/foo", O_CREAT) even if
> > someone else is doing unlink("/some_dir/foo"), which is a different
> > case than somebody doing rmdir("/some_dir").
> >
> > But we still have a TOCTOU : the open(O_CREAT|O_EXCL) acts as
> > the check to use open(O_PATH) and retry+timeout can't fix it
> > reliably.
>
> Right.
>
> > A possible fix for the case where the race comes from the
> > client itself would be to serialize FUSE requests that
> > create/remove paths in the same directory. I don't know
> > enough the code yet to assess if it's doable though.
> >
> > Then this would leave the case where something else on
> > the host is racing with virtiofsd. IMHO this belongs to
> > the broader family of "bad things the host can do
> > in our back". This requires a bigger hammer than
> > adding band-aids here and there IMHO. So in the
> > scope of this patch, I don't think we should retry
> > and timeout, but just return whatever errno that
> > makes sense.
>
> I never suggested a timeout, that would indeed be nonsense.
>
Yeah sorry for that, by timeout I was lazily expressing "retry
a bit and bail out if it doesn't work".
> Just do a simple retry loop with a counter. I'd set counter to a
> small number (5 or whatever), so that basically any accidental races
> are cared for, and the only case that would trigger the EIO is if the
> file was constantly removed and recreated (and even in that case it
> would be pretty difficult to trigger). This would add only minimal
> complexity or overhead.
>
I still don't like the counter thing very much but I can't think of
anything better that _works_ in all cases in the short term... so be
it.
> The proper solution might be adding O_REGULAR, and it actually would
> be useful for other O_CREAT users, since it's probably what they want
> anyway (but existing semantics can't be changed).
>
Yeah only the kernel can handle this race gracefully and O_REGULAR
would be great, but it might take some time until this percolates
up to QEMU.
> Thanks,
> Miklos
>
WARNING: multiple messages have this Message-ID (diff)
From: Greg Kurz <groug@kaod.org>
To: Miklos Szeredi <mszeredi@redhat.com>
Cc: Daniel Berrange <berrange@redhat.com>,
QEMU Developers <qemu-devel@nongnu.org>,
P J P <ppandit@redhat.com>, virtio-fs-list <virtio-fs@redhat.com>,
Alex Xu <alex@alxu.ca>, Laszlo Ersek <lersek@redhat.com>,
Vivek Goyal <vgoyal@redhat.com>
Subject: Re: [Virtio-fs] [PATCH v2] virtiofsd: prevent opening of special files (CVE-2020-35517)
Date: Thu, 28 Jan 2021 15:26:41 +0100 [thread overview]
Message-ID: <20210128152641.0e9d5fa0@bahia.lan> (raw)
In-Reply-To: <CAOssrKff8FyC0i+Q1MY0paEiXdARp2=vkSnTwNHZxpntyV7oxA@mail.gmail.com>
On Thu, 28 Jan 2021 15:00:58 +0100
Miklos Szeredi <mszeredi@redhat.com> wrote:
> On Thu, Jan 28, 2021 at 1:15 PM Greg Kurz <groug@kaod.org> wrote:
> >
> > On Wed, 27 Jan 2021 16:52:56 +0100
> > Miklos Szeredi <mszeredi@redhat.com> wrote:
> >
> > > On Wed, Jan 27, 2021 at 4:47 PM Miklos Szeredi <mszeredi@redhat.com> wrote:
> > > >
> > > > On Wed, Jan 27, 2021 at 4:35 PM Greg Kurz <groug@kaod.org> wrote:
> > > > >
> > > > > On Wed, 27 Jan 2021 16:22:49 +0100
> > > > > Miklos Szeredi <mszeredi@redhat.com> wrote:
> > > > >
> > > > > > On Wed, Jan 27, 2021 at 4:09 PM Greg Kurz <groug@kaod.org> wrote:
> > > > > > >
> > > > > > > On Wed, 27 Jan 2021 15:09:50 +0100
> > > > > > > Miklos Szeredi <mszeredi@redhat.com> wrote:
> > > > > > > > The semantics of O_CREATE are that it can fail neither because the
> > > > > > > > file exists nor because it doesn't. This doesn't matter if the
> > > > > > > > exported tree is not modified outside of a single guest, because of
> > > > > > > > locking provided by the guest kernel.
> > > > > > > >
> > > > > > >
> > > > > > > Wrong. O_CREAT can legitimately fail with ENOENT if one element
> > > > > >
> > > > > > Let me make my statement more precise:
> > > > > >
> > > > > > O_CREAT cannot fail with ENOENT if parent directory exists throughout
> > > > > > the operation.
> > > > > >
> > > > >
> > > > > True, but I still don't see what guarantees guest userspace that the
> > > > > parent directory doesn't go away... I must have missed something.
> > > > > Please elaborate.
> > > >
> > > > Generally there's no guarantee, however there can be certain
> > > > situations where the caller can indeed rely on the existence of the
> > > > parent (e.g. /tmp).
> > >
> > > Example from the virtiofs repo:
> > >
> > > https://gitlab.com/virtio-fs/ireg/-/blob/master/ireg.c#L315
> > > https://gitlab.com/virtio-fs/ireg/-/blob/master/ireg.c#L382
> > >
> > > In that case breaking O_CREAT would be harmless, since no two
> > > instances are allowed anyway, so it would just give a confusing error.
> > > But it is breakage and it probably wouldn't be hard to find much worse
> > > breakage in real life applications.
> > >
> >
> > Ok, I get your point : a guest userspace application can't expect
> > to hit ENOENT when doing open("/some_dir/foo", O_CREAT) even if
> > someone else is doing unlink("/some_dir/foo"), which is a different
> > case than somebody doing rmdir("/some_dir").
> >
> > But we still have a TOCTOU : the open(O_CREAT|O_EXCL) acts as
> > the check to use open(O_PATH) and retry+timeout can't fix it
> > reliably.
>
> Right.
>
> > A possible fix for the case where the race comes from the
> > client itself would be to serialize FUSE requests that
> > create/remove paths in the same directory. I don't know
> > enough the code yet to assess if it's doable though.
> >
> > Then this would leave the case where something else on
> > the host is racing with virtiofsd. IMHO this belongs to
> > the broader family of "bad things the host can do
> > in our back". This requires a bigger hammer than
> > adding band-aids here and there IMHO. So in the
> > scope of this patch, I don't think we should retry
> > and timeout, but just return whatever errno that
> > makes sense.
>
> I never suggested a timeout, that would indeed be nonsense.
>
Yeah sorry for that, by timeout I was lazily expressing "retry
a bit and bail out if it doesn't work".
> Just do a simple retry loop with a counter. I'd set counter to a
> small number (5 or whatever), so that basically any accidental races
> are cared for, and the only case that would trigger the EIO is if the
> file was constantly removed and recreated (and even in that case it
> would be pretty difficult to trigger). This would add only minimal
> complexity or overhead.
>
I still don't like the counter thing very much but I can't think of
anything better that _works_ in all cases in the short term... so be
it.
> The proper solution might be adding O_REGULAR, and it actually would
> be useful for other O_CREAT users, since it's probably what they want
> anyway (but existing semantics can't be changed).
>
Yeah only the kernel can handle this race gracefully and O_REGULAR
would be great, but it might take some time until this percolates
up to QEMU.
> Thanks,
> Miklos
>
next prev parent reply other threads:[~2021-01-28 14:29 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-26 10:35 [PATCH v2] virtiofsd: prevent opening of special files (CVE-2020-35517) Stefan Hajnoczi
2021-01-26 10:35 ` [Virtio-fs] " Stefan Hajnoczi
2021-01-26 10:36 ` Daniel P. Berrangé
2021-01-26 10:36 ` [Virtio-fs] " Daniel P. Berrangé
2021-01-26 10:47 ` Liam Merwick
2021-01-26 17:16 ` Greg Kurz
2021-01-27 9:25 ` Miklos Szeredi
2021-01-27 9:25 ` Miklos Szeredi
2021-01-27 10:20 ` Greg Kurz
2021-01-27 10:20 ` Greg Kurz
2021-01-27 10:34 ` Miklos Szeredi
2021-01-27 10:34 ` Miklos Szeredi
2021-01-27 13:49 ` Greg Kurz
2021-01-27 13:49 ` Greg Kurz
2021-01-27 14:09 ` Miklos Szeredi
2021-01-27 14:09 ` Miklos Szeredi
2021-01-27 15:09 ` Greg Kurz
2021-01-27 15:09 ` Greg Kurz
2021-01-27 15:22 ` Miklos Szeredi
2021-01-27 15:22 ` Miklos Szeredi
2021-01-27 15:35 ` Greg Kurz
2021-01-27 15:35 ` Greg Kurz
2021-01-27 15:47 ` Miklos Szeredi
2021-01-27 15:47 ` Miklos Szeredi
2021-01-27 15:52 ` Miklos Szeredi
2021-01-27 15:52 ` Miklos Szeredi
2021-01-28 12:14 ` Greg Kurz
2021-01-28 12:14 ` Greg Kurz
2021-01-28 14:00 ` Miklos Szeredi
2021-01-28 14:00 ` Miklos Szeredi
2021-01-28 14:26 ` Greg Kurz [this message]
2021-01-28 14:26 ` Greg Kurz
2021-01-27 10:18 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210128152641.0e9d5fa0@bahia.lan \
--to=groug@kaod.org \
--cc=alex@alxu.ca \
--cc=berrange@redhat.com \
--cc=lersek@redhat.com \
--cc=mszeredi@redhat.com \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=vgoyal@redhat.com \
--cc=virtio-fs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.