From mboxrd@z Thu Jan 1 00:00:00 1970
From: Stefan Hajnoczi
To: qemu-devel@nongnu.org
Cc: mszeredi@redhat.com, Daniel Berrange, slp@redhat.com, Greg Kurz, P J P, virtio-fs@redhat.com, Alex Xu, vgoyal@redhat.com, Stefan Hajnoczi, Laszlo Ersek, "Dr. David Alan Gilbert"
Subject: [PATCH v5 0/3] virtiofsd: prevent opening of special files (CVE-2020-35517)
Date: Thu, 4 Feb 2021 15:02:05 +0000
Message-Id: <20210204150208.367837-1-stefanha@redhat.com>
List-Id: Development discussions about virtio-fs

v4:
 * Patch 1: Return positive errno if openat(2) fails in lo_do_open() [Greg]
 * Patch 3: Return -fd instead of -errno after lo_inode_open() in lo_do_open() [Greg]
 * Patch 3: Use De Morgan's Law to simplify the boolean expression in lo_create() [Vivek]
 * Patch 3: Add missing errno = -truncfd after lo_inode_open() call in lo_setattr
v3:
 * Restructure lo_create() to handle externally-created files (we need
   to allocate an inode for them) [Greg]
 * Patch 1 & 2 refactor the code so that Patch 3 can implement the CVE fix
v3:
 * Protect lo_create() [Greg]
v2:
 * Add doc comment clarifying that symlinks are traversed client-side
   [Daniel]

A well-behaved FUSE client does not attempt to open special files with
FUSE_OPEN because they are handled on the client side (e.g. device nodes
are handled by client-side device drivers).

The check to prevent virtiofsd from opening special files is missing in
a few cases, most notably FUSE_OPEN. A malicious client can cause
virtiofsd to open a device node, potentially allowing the guest to
escape. This can be exploited by a modified guest device driver. It is
not exploitable from guest userspace since the guest kernel will handle
special files inside the guest instead of sending FUSE requests.

This patch series fixes this issue by introducing the lo_inode_open() function
to check the file type before opening it. This is a short-term solution because
it does not prevent a compromised virtiofsd process from opening device nodes
on the host.

This issue was diagnosed on public IRC and is therefore already known
and not embargoed.

Reported-by: Alex Xu
Fixes: CVE-2020-35517

Stefan Hajnoczi (3):
  virtiofsd: extract lo_do_open() from lo_open()
  virtiofsd: optionally return inode pointer from lo_do_lookup()
  virtiofsd: prevent opening of special files (CVE-2020-35517)

 tools/virtiofsd/passthrough_ll.c | 224 ++++++++++++++++++++-----------
 1 file changed, 148 insertions(+), 76 deletions(-)

-- 
2.29.2
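The cover letter describes the mitigation only in outline: check the file type before the real open, so that a request naming a device node, FIFO or socket is refused instead of handed to open(2). The following is an added illustration of that pattern written for this note; it is not the series' lo_inode_open() and not code from the QEMU tree. It assumes Linux (O_PATH and a mounted /proc): the path is first opened with O_PATH|O_NOFOLLOW, which resolves the name without opening the object, fstat() classifies the inode, and only a regular file or directory is then reopened through /proc/self/fd with the caller's flags. Reopening by descriptor, rather than by name a second time, means the type check and the real open refer to the same inode, so the name cannot be swapped between the two steps. The errno values returned (EBADF for a rejected type) and the helper names are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * open_checked: open `name` relative to `dirfd` with `flags`, but only if the
 * object is a regular file or a directory.  Returns a file descriptor (>= 0)
 * or a negative errno.  Special files (device nodes, FIFOs, sockets) and
 * symlinks are rejected with -EBADF before any real open happens.
 */
int open_checked(int dirfd, const char *name, int flags)
{
    /* O_PATH resolves the name without opening the object; O_NOFOLLOW makes a
     * trailing symlink yield the link itself, which the type check rejects. */
    int pathfd = openat(dirfd, name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (pathfd < 0) {
        return -errno;
    }

    struct stat st;
    if (fstat(pathfd, &st) < 0) {
        int e = errno;
        close(pathfd);
        return -e;
    }

    mode_t type = st.st_mode & S_IFMT;
    if (type != S_IFREG && type != S_IFDIR) {
        close(pathfd);
        return -EBADF;   /* example's choice of error for a refused type */
    }

    /* Reopen the *same inode* via its descriptor.  /proc/self/fd/N is a magic
     * link, so O_NOFOLLOW must be dropped here; the earlier check already
     * guaranteed we are not following a symlink in the caller's path. */
    char proc[64];
    snprintf(proc, sizeof proc, "/proc/self/fd/%d", pathfd);
    int fd = open(proc, (flags & ~O_NOFOLLOW) | O_CLOEXEC);
    int e = errno;
    close(pathfd);
    return fd < 0 ? -e : fd;
}

/*
 * demo: build a constructed scratch directory with a regular file, a FIFO and
 * a symlink, exercise open_checked() on each, and return 0 if every case
 * behaved as expected (non-zero bits identify the failing case).
 */
int demo(void)
{
    char tmpl[] = "/tmp/openchk-XXXXXX";   /* constructed scratch directory */
    if (!mkdtemp(tmpl)) {
        return 1;
    }
    int dfd = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0) {
        return 2;
    }
    int f = openat(dfd, "reg", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (f < 0) {
        return 3;
    }
    close(f);
    if (mkfifoat(dfd, "fifo", 0600) < 0) {
        return 4;
    }
    if (symlinkat("reg", dfd, "lnk") < 0) {
        return 5;
    }

    int rc = 0;
    int fd = open_checked(dfd, "reg", O_RDONLY);
    if (fd < 0) {
        rc |= 8;                       /* regular file must be openable */
    } else {
        close(fd);
    }
    /* A naive open(O_RDONLY) on the FIFO would block forever; here it is refused. */
    if (open_checked(dfd, "fifo", O_RDONLY) != -EBADF) {
        rc |= 16;
    }
    /* O_NOFOLLOW handed us the link itself, whose type is S_IFLNK: refused. */
    if (open_checked(dfd, "lnk", O_RDONLY) != -EBADF) {
        rc |= 32;
    }

    unlinkat(dfd, "reg", 0);
    unlinkat(dfd, "fifo", 0);
    unlinkat(dfd, "lnk", 0);
    close(dfd);
    rmdir(tmpl);
    return rc;
}

int main(void)
{
    int rc = demo();
    printf("demo: %s (rc=%d)\n", rc == 0 ? "all cases as expected" : "FAILED", rc);
    return rc;
}
```

The point the cover letter makes about scope still applies to this example: the check runs inside the process doing the open, so it protects against a misbehaving client on the other side of the protocol, not against a compromise of the server process itself; keeping a server like this away from host device nodes also needs sandboxing outside the process.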