Re: [PATCH v5 0/3] virtiofsd: prevent opening of special files (CVE-2020

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v5 0/3] virtiofsd: prevent opening of special files (CVE-2020

From:	Dr. David Alan Gilbert
Subject:	Re: [PATCH v5 0/3] virtiofsd: prevent opening of special files (CVE-2020-35517)
Date:	Thu, 4 Feb 2021 18:14:17 +0000
User-agent:	Mutt/1.14.6 (2020-07-11)

* Stefan Hajnoczi (stefanha@redhat.com) wrote:
> v4:
>  * Patch 1: Return positive errno if openat(2) fails in lo_do_open() [Greg]
>  * Patch 3: Return -fd instead or -errno after lo_inode_open() in 
> lo_do_open() [Greg]
>  * Patch 3: Use De Morgan's Law to simplify the boolean expression in 
> lo_create() [Vivek]
>  * Patch 3: Add missing errno = -truncfd after lo_inode_open() call in 
> lo_setattr
> v3:
>  * Restructure lo_create() to handle externally-created files (we need
>    to allocate an inode for them) [Greg]
>  * Patch 1 & 2 refactor the code so that Patch 3 can implement the CVE fix
> v3:
>  * Protect lo_create() [Greg]
> v2:
>  * Add doc comment clarifying that symlinks are traversed client-side
>    [Daniel]
> 
> A well-behaved FUSE client does not attempt to open special files with
> FUSE_OPEN because they are handled on the client side (e.g. device nodes
> are handled by client-side device drivers).
> 
> The check to prevent virtiofsd from opening special files is missing in
> a few cases, most notably FUSE_OPEN. A malicious client can cause
> virtiofsd to open a device node, potentially allowing the guest to
> escape. This can be exploited by a modified guest device driver. It is
> not exploitable from guest userspace since the guest kernel will handle
> special files inside the guest instead of sending FUSE requests.
> 
> This patch series fixes this issue by introducing the lo_inode_open() function
> to check the file type before opening it. This is a short-term solution 
> because
> it does not prevent a compromised virtiofsd process from opening device nodes
> on the host.
> 
> This issue was diagnosed on public IRC and is therefore already known
> and not embargoed.
> 
> Reported-by: Alex Xu <alex@alxu.ca>
> Fixes: CVE-2020-35517

Queued

> Stefan Hajnoczi (3):
>   virtiofsd: extract lo_do_open() from lo_open()
>   virtiofsd: optionally return inode pointer from lo_do_lookup()
>   virtiofsd: prevent opening of special files (CVE-2020-35517)
> 
>  tools/virtiofsd/passthrough_ll.c | 224 ++++++++++++++++++++-----------
>  1 file changed, 148 insertions(+), 76 deletions(-)
> 
> -- 
> 2.29.2
> 
-- 
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH v5 0/3] virtiofsd: prevent opening of special files (CVE-2020-35517), Stefan Hajnoczi, 2021/02/04
- [PATCH v5 1/3] virtiofsd: extract lo_do_open() from lo_open(), Stefan Hajnoczi, 2021/02/04
  - Re: [PATCH v5 1/3] virtiofsd: extract lo_do_open() from lo_open(), Greg Kurz, 2021/02/04
- [PATCH v5 2/3] virtiofsd: optionally return inode pointer from lo_do_lookup(), Stefan Hajnoczi, 2021/02/04
- [PATCH v5 3/3] virtiofsd: prevent opening of special files (CVE-2020-35517), Stefan Hajnoczi, 2021/02/04
  - Re: [PATCH v5 3/3] virtiofsd: prevent opening of special files (CVE-2020-35517), Greg Kurz, 2021/02/04
- Re: [PATCH v5 0/3] virtiofsd: prevent opening of special files (CVE-2020-35517), no-reply, 2021/02/04
  - Re: [PATCH v5 0/3] virtiofsd: prevent opening of special files (CVE-2020-35517), Dr. David Alan Gilbert, 2021/02/04
- Re: [PATCH v5 0/3] virtiofsd: prevent opening of special files (CVE-2020-35517), Dr. David Alan Gilbert <=

Prev by Date: [PATCH] exec/cpu-defs: Remove TCG backends dependency
Next by Date: Re: [PATCH] exec/cpu-defs: Remove TCG backends dependency
Previous by thread: Re: [PATCH v5 0/3] virtiofsd: prevent opening of special files (CVE-2020-35517)
Next by thread: Re: TCG and MTTCG questions
Index(es):
- Date
- Thread