[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH RFC 00/36] 9pfs: local: fix vulnerability to symlink
From: |
Greg Kurz |
Subject: |
[Qemu-devel] [PATCH RFC 00/36] 9pfs: local: fix vulnerability to symlink attacks |
Date: |
Mon, 30 Jan 2017 13:09:36 +0100 |
User-agent: |
StGit/0.17.1-20-gc0b1b-dirty |
This series tries to fix CVE-2016-9602. This vulnerability affects all
accesses to the underlying filesystem in the "local" backend code.
If QEMU is started with:
-fsdev local,security_model=<passthrough|none>,path=/foo/bar
then the guest can cause QEMU to create symlinks in /foo/bar.
This causes accesses to any path /foo/bar/some/path to be unsafe, since
untrusted code within the guest (or in another guest sharing the same
virtfs folder) could change some/path to point to a random path of the
host filesystem.
The core problem is that the "local" backend relies on path-based syscalls
to access the underlying filesystem. All path-based syscalls are vulnerable
to this issue, even open(O_NOFOLLOW) or syscalls that explicitly don't
dereference symlinks, since the kernel only checks the rightmost element of
the path. Depending on the privilege level of the QEMU process, a guest can
end up opening, renaming, changing ACLs, unlinking... files on the host
filesystem.
A possible fix is to always walk paths manually with openat(O_NOFOLLOW), and
use "*at()" variants of all syscalls in the "local" backend code. This will
likely not improve performances for path-based syscalls in the guest, but I
don't see how to fix the issue without kernel support (like an O_PATHSTATIC
flag to tell the full path should not traverse any symlink for example).
A fair amount of code is shared by all security models: this series hence
starts with preparatory patches to split the code. This allows to have
patches of reasonable size, that don't affect too many code paths.
TODO:
- the accesses to metadata files of the "mapped-file" security mode also need
to be converted
---
Greg Kurz (36):
9pfs: local: move xattr security ops to 9p-xattr.c
9pfs: local: split chmod operation per security model
9pfs: local: split mknod operation per security model
9pfs: local: split mkdir operation per security model
9pfs: local: split open2 operation per security model
9pfs: local: split symlink operation per security model
9pfs: local: split mkdir operation per security model
9pfs: local: improve error handling in link op
9pfs: local: post link operation for mapped-file security
v9fs: local: improve error handling in rename op
9pfs: local: post rename operation for mapped-file security
9pfs: local: pre remove operation for mapped-file security
9pfs: local: pre unlikat operation for mapped-file security
9pfs: remove side-effects in local_init()
9pfs: remove side-effects in local_open() and local_opendir()
9pfs: introduce openat_nofollow() helper
9pfs: local: keep a file descriptor on the shared folder
9pfs: local: open/opendir: don't follow symlinks
9pfs: local: utimensat: don't follow symlinks
9pfs: local: readlink: don't follow symlinks
9pfs: local: truncate: don't follow symlinks
9pfs: local: statfs: don't follow symlinks
9pfs: local: mknod/mkdir/open2: don't follow symlinks
9pfs: local: chmod: don't follow symlinks
9pfs: local: symlink: don't follow symlinks
9pfs: local: chown: don't follow symlinks
9pfs: local: link: don't follow symlinks
9pfs: local: rename: don't follow symlinks
9pfs: local: remove: don't follow symlinks
9pfs: local: unlinkat: don't follow symlinks
9pfs: local: introduce symlink-attack safe xattr helpers
9pfs: local: lstat: don't follow symlinks
9pfs: local: lgetxattr: don't follow symlinks
9pfs: local: llistxattr: don't follow symlinks
9pfs: local: lsetxattr: don't follow symlinks
9pfs: local: lremovexattr: don't follow symlinks
hw/9pfs/9p-local.c | 1319 +++++++++++++++++++++++++++++++++--------------
hw/9pfs/9p-local.h | 22 +
hw/9pfs/9p-posix-acl.c | 48 --
hw/9pfs/9p-util.c | 69 ++
hw/9pfs/9p-util.h | 25 +
hw/9pfs/9p-xattr-user.c | 28 -
hw/9pfs/9p-xattr.c | 229 ++++++++
hw/9pfs/9p-xattr.h | 91 +--
hw/9pfs/Makefile.objs | 2
9 files changed, 1306 insertions(+), 527 deletions(-)
create mode 100644 hw/9pfs/9p-local.h
create mode 100644 hw/9pfs/9p-util.c
create mode 100644 hw/9pfs/9p-util.h
--
Greg
- [Qemu-devel] [PATCH RFC 00/36] 9pfs: local: fix vulnerability to symlink attacks,
Greg Kurz <=
- [Qemu-devel] [PATCH RFC 01/36] 9pfs: local: move xattr security ops to 9p-xattr.c, Greg Kurz, 2017/01/30
- [Qemu-devel] [PATCH RFC 02/36] 9pfs: local: split chmod operation per security model, Greg Kurz, 2017/01/30
- [Qemu-devel] [PATCH RFC 03/36] 9pfs: local: split mknod operation per security model, Greg Kurz, 2017/01/30
- [Qemu-devel] [PATCH RFC 04/36] 9pfs: local: split mkdir operation per security model, Greg Kurz, 2017/01/30
- [Qemu-devel] [PATCH RFC 05/36] 9pfs: local: split open2 operation per security model, Greg Kurz, 2017/01/30
- [Qemu-devel] [PATCH RFC 08/36] 9pfs: local: improve error handling in link op, Greg Kurz, 2017/01/30
- [Qemu-devel] [PATCH RFC 09/36] 9pfs: local: post link operation for mapped-file security, Greg Kurz, 2017/01/30
- [Qemu-devel] [PATCH RFC 07/36] 9pfs: local: split mkdir operation per security model, Greg Kurz, 2017/01/30
- [Qemu-devel] [PATCH RFC 10/36] v9fs: local: improve error handling in rename op, Greg Kurz, 2017/01/30
- [Qemu-devel] [PATCH RFC 11/36] 9pfs: local: post rename operation for mapped-file security, Greg Kurz, 2017/01/30