qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [PATCH RFC 00/36] 9pfs: local: fix vulnerability to symlink


From: Greg Kurz
Subject: [Qemu-devel] [PATCH RFC 00/36] 9pfs: local: fix vulnerability to symlink attacks
Date: Mon, 30 Jan 2017 13:09:36 +0100
User-agent: StGit/0.17.1-20-gc0b1b-dirty

This series tries to fix CVE-2016-9602. This vulnerability affects all
accesses to the underlying filesystem in the "local" backend code.

If QEMU is started with:

-fsdev local,security_model=<passthrough|none>,path=/foo/bar

then the guest can cause QEMU to create symlinks in /foo/bar.

This causes accesses to any path /foo/bar/some/path to be unsafe, since
untrusted code within the guest (or in another guest sharing the same
virtfs folder) could change some/path to point to a random path of the
host filesystem.

The core problem is that the "local" backend relies on path-based syscalls
to access the underlying filesystem. All path-based syscalls are vulnerable
to this issue, even open(O_NOFOLLOW) or syscalls that explicitly don't
dereference symlinks, since the kernel only checks the rightmost element of
the path. Depending on the privilege level of the QEMU process, a guest can
end up opening, renaming, changing ACLs, unlinking... files on the host
filesystem.

A possible fix is to always walk paths manually with openat(O_NOFOLLOW), and
use "*at()" variants of all syscalls in the "local" backend code. This will
likely not improve performances for path-based syscalls in the guest, but I
don't see how to fix the issue without kernel support (like an O_PATHSTATIC
flag to tell the full path should not traverse any symlink for example).

A fair amount of code is shared by all security models: this series hence
starts with preparatory patches to split the code. This allows to have
patches of reasonable size, that don't affect too many code paths.

TODO:
- the accesses to metadata files of the "mapped-file" security mode also need
  to be converted

---

Greg Kurz (36):
      9pfs: local: move xattr security ops to 9p-xattr.c
      9pfs: local: split chmod operation per security model
      9pfs: local: split mknod operation per security model
      9pfs: local: split mkdir operation per security model
      9pfs: local: split open2 operation per security model
      9pfs: local: split symlink operation per security model
      9pfs: local: split mkdir operation per security model
      9pfs: local: improve error handling in link op
      9pfs: local: post link operation for mapped-file security
      v9fs: local: improve error handling in rename op
      9pfs: local: post rename operation for mapped-file security
      9pfs: local: pre remove operation for mapped-file security
      9pfs: local: pre unlikat operation for mapped-file security
      9pfs: remove side-effects in local_init()
      9pfs: remove side-effects in local_open() and local_opendir()
      9pfs: introduce openat_nofollow() helper
      9pfs: local: keep a file descriptor on the shared folder
      9pfs: local: open/opendir: don't follow symlinks
      9pfs: local: utimensat: don't follow symlinks
      9pfs: local: readlink: don't follow symlinks
      9pfs: local: truncate: don't follow symlinks
      9pfs: local: statfs: don't follow symlinks
      9pfs: local: mknod/mkdir/open2: don't follow symlinks
      9pfs: local: chmod: don't follow symlinks
      9pfs: local: symlink: don't follow symlinks
      9pfs: local: chown: don't follow symlinks
      9pfs: local: link: don't follow symlinks
      9pfs: local: rename: don't follow symlinks
      9pfs: local: remove: don't follow symlinks
      9pfs: local: unlinkat: don't follow symlinks
      9pfs: local: introduce symlink-attack safe xattr helpers
      9pfs: local: lstat: don't follow symlinks
      9pfs: local: lgetxattr: don't follow symlinks
      9pfs: local: llistxattr: don't follow symlinks
      9pfs: local: lsetxattr: don't follow symlinks
      9pfs: local: lremovexattr: don't follow symlinks


 hw/9pfs/9p-local.c      | 1319 +++++++++++++++++++++++++++++++++--------------
 hw/9pfs/9p-local.h      |   22 +
 hw/9pfs/9p-posix-acl.c  |   48 --
 hw/9pfs/9p-util.c       |   69 ++
 hw/9pfs/9p-util.h       |   25 +
 hw/9pfs/9p-xattr-user.c |   28 -
 hw/9pfs/9p-xattr.c      |  229 ++++++++
 hw/9pfs/9p-xattr.h      |   91 +--
 hw/9pfs/Makefile.objs   |    2 
 9 files changed, 1306 insertions(+), 527 deletions(-)
 create mode 100644 hw/9pfs/9p-local.h
 create mode 100644 hw/9pfs/9p-util.c
 create mode 100644 hw/9pfs/9p-util.h

--
Greg




reply via email to

[Prev in Thread] Current Thread [Next in Thread]