From patchwork Thu Feb 4 15:02:05 2021
X-Patchwork-Submitter: Stefan Hajnoczi
X-Patchwork-Id: 12067513
From: Stefan Hajnoczi
To: qemu-devel@nongnu.org
Subject: [PATCH v5 0/3] virtiofsd: prevent opening of special files (CVE-2020-35517)
Date: Thu, 4 Feb 2021 15:02:05 +0000
Message-Id: <20210204150208.367837-1-stefanha@redhat.com>
Cc: mszeredi@redhat.com, Daniel Berrange, slp@redhat.com, Greg Kurz, P J P, virtio-fs@redhat.com, Alex Xu, vgoyal@redhat.com, Stefan Hajnoczi, Laszlo Ersek, "Dr. David Alan Gilbert"

v4:
 * Patch 1: Return positive errno if openat(2) fails in lo_do_open() [Greg]
 * Patch 3: Return -fd instead of -errno after lo_inode_open() in lo_do_open() [Greg]
 * Patch 3: Use De Morgan's Law to simplify the boolean expression in lo_create() [Vivek]
 * Patch 3: Add missing errno = -truncfd after lo_inode_open() call in lo_setattr

v3:
 * Restructure lo_create() to handle externally-created files (we need to allocate an inode for them) [Greg]
 * Patch 1 & 2 refactor the code so that Patch 3 can implement the CVE fix

v3:
 * Protect lo_create() [Greg]

v2:
 * Add doc comment clarifying that symlinks are traversed client-side [Daniel]

A well-behaved FUSE client does not attempt to open special files with FUSE_OPEN because they are handled on the client side (e.g. device nodes are handled by client-side device drivers).

The check to prevent virtiofsd from opening special files is missing in a few cases, most notably FUSE_OPEN. A malicious client can cause virtiofsd to open a device node, potentially allowing the guest to escape. This can be exploited by a modified guest device driver. It is not exploitable from guest userspace since the guest kernel will handle special files inside the guest instead of sending FUSE requests.

This patch series fixes this issue by introducing the lo_inode_open() function to check the file type before opening it.
This is a short-term solution because it does not prevent a compromised virtiofsd process from opening device nodes on the host.

This issue was diagnosed on public IRC and is therefore already known and not embargoed.

Reported-by: Alex Xu
Fixes: CVE-2020-35517

Stefan Hajnoczi (3):
  virtiofsd: extract lo_do_open() from lo_open()
  virtiofsd: optionally return inode pointer from lo_do_lookup()
  virtiofsd: prevent opening of special files (CVE-2020-35517)

 tools/virtiofsd/passthrough_ll.c | 224 ++++++++++++++++++++-----------
 1 file changed, 148 insertions(+), 76 deletions(-)
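The pattern the cover letter describes, shown as an added example that is not virtiofsd's code and not the patch itself: the unchecked "open whatever the client named" path beside a hardened path that takes an O_PATH handle, fstat()s it, refuses anything that is not a regular file or directory, and only then upgrades that same handle to a real open through /proc/self/fd, so the object checked is the object opened. It is Linux-specific (O_PATH, /proc mounted), the names open_unchecked, open_checked and run_demo are this example's own, and returning -EBADF for a rejected type is this example's choice, not necessarily the series'. The scratch tree is constructed by the code; a FIFO stands in for a device node because mknod needs privileges, and the same S_ISREG/S_ISDIR check rejects FIFOs, sockets and device nodes alike.

```c
/* Added example, not virtiofsd's own code. Linux-specific (O_PATH,
 * /proc/self/fd). Function names here are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern: open whatever "name" is. If a malicious client asks
 * for a FIFO, socket or device node, the daemon opens it on the host. */
static int open_unchecked(int dirfd, const char *name, int flags)
{
    int fd = openat(dirfd, name, flags);
    return fd < 0 ? -errno : fd;
}

/* Hardened pattern: take an O_PATH handle (no device/FIFO side effects),
 * fstat() that handle, refuse anything that is not a regular file or a
 * directory, then turn the same handle into a real open via /proc/self/fd
 * so the object that was checked is the object that gets opened. */
static int open_checked(int dirfd, const char *name, int flags)
{
    struct stat st;
    char proc_path[64];
    int pfd, fd, err;

    pfd = openat(dirfd, name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (pfd < 0)
        return -errno;
    if (fstat(pfd, &st) < 0) {
        err = errno;
        close(pfd);
        return -err;
    }
    if (!S_ISREG(st.st_mode) && !S_ISDIR(st.st_mode)) {
        close(pfd);
        return -EBADF; /* error code is this example's choice */
    }
    snprintf(proc_path, sizeof(proc_path), "/proc/self/fd/%d", pfd);
    /* /proc/self/fd/N is a magic symlink: O_NOFOLLOW must be dropped here. */
    fd = open(proc_path, flags & ~O_NOFOLLOW);
    err = errno;
    close(pfd);
    return fd < 0 ? -err : fd;
}

/* Result bits returned by run_demo(). */
enum {
    UNCHECKED_OPENS_FIFO = 1, /* vulnerable pattern opened the FIFO */
    CHECKED_OPENS_REG    = 2, /* hardened pattern still opens regular files */
    CHECKED_REJECTS_FIFO = 4, /* hardened pattern refused the FIFO */
    CHECKED_OPENS_DIR    = 8, /* hardened pattern still opens directories */
};

/* Constructed scratch tree: one regular file, one FIFO, one directory. */
int run_demo(void)
{
    char tmpl[] = "/tmp/special_open_demo.XXXXXX";
    int result = 0, dirfd, fd;

    if (!mkdtemp(tmpl))
        return -1;
    dirfd = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0)
        goto out;
    fd = openat(dirfd, "regular", O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        goto out_dir;
    close(fd);
    if (mkfifoat(dirfd, "fifo", 0600) < 0 || mkdirat(dirfd, "subdir", 0700) < 0)
        goto out_dir;

    /* O_NONBLOCK: a FIFO opened O_RDONLY with no writer would otherwise block. */
    fd = open_unchecked(dirfd, "fifo", O_RDONLY | O_NONBLOCK);
    if (fd >= 0) { result |= UNCHECKED_OPENS_FIFO; close(fd); }

    fd = open_checked(dirfd, "regular", O_RDONLY);
    if (fd >= 0) { result |= CHECKED_OPENS_REG; close(fd); }

    fd = open_checked(dirfd, "fifo", O_RDONLY | O_NONBLOCK);
    if (fd == -EBADF) result |= CHECKED_REJECTS_FIFO;

    fd = open_checked(dirfd, "subdir", O_RDONLY | O_DIRECTORY);
    if (fd >= 0) { result |= CHECKED_OPENS_DIR; close(fd); }

out_dir:
    unlinkat(dirfd, "regular", 0);
    unlinkat(dirfd, "fifo", 0);
    unlinkat(dirfd, "subdir", AT_REMOVEDIR);
    close(dirfd);
out:
    rmdir(tmpl);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("result bitmask: %d (all four checks pass when this is 15)\n", r);
    return r == 15 ? 0 : 1;
}
```

The O_PATH-then-/proc/self/fd sequence is what makes the check meaningful: an fstatat() followed by a plain openat() would leave a window in which an attacker who controls the directory swaps the entry between the check and the open, while reopening the already-held handle cannot be redirected. Note, as the cover letter says, this only stops the daemon from opening special files on behalf of a client; a compromised virtiofsd process can still open device nodes on the host.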