From: Greg Kurz
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Greg Kurz, Stefan Hajnoczi
Date: Tue, 16 May 2017 08:28:23 +0200
Subject: [Qemu-devel] [PULL] 9pfs: local: forbid client access to metadata (CVE-2017-7493)
Message-Id: <1494916103-32207-2-git-send-email-groug@kaod.org>
In-Reply-To: <1494916103-32207-1-git-send-email-groug@kaod.org>

When using the mapped-file security mode, we shouldn't let the client mess with the metadata. The current code already tries to hide the metadata dir from the client by skipping it in local_readdir(). But the client can still access or modify it through several other operations. This can be used to escalate privileges in the guest.
Affected backend operations are:

- local_mknod()
- local_mkdir()
- local_open2()
- local_symlink()
- local_link()
- local_unlinkat()
- local_renameat()
- local_rename()
- local_name_to_path()

Other operations are safe because they are only passed a fid path, which is computed internally in local_name_to_path().

This patch converts all the functions listed above to fail and return EINVAL when being passed the name of the metadata dir. This may look like a poor choice for errno, but there's no such thing as an illegal path name on Linux and I could not think of anything better.

This fixes CVE-2017-7493.

Reported-by: Leo Gaspard
Signed-off-by: Greg Kurz
Reviewed-by: Eric Blake
---
hw/9pfs/9p-local.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++= ++-- 1 file changed, 56 insertions(+), 2 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index f3ebca4f7a56..a2486566afb7 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -452,6 +452,11 @@ static off_t local_telldir(FsContext *ctx, V9fsFidOpen= State *fs) return telldir(fs->dir.stream); } =20 +static bool local_is_mapped_file_metadata(FsContext *fs_ctx, const char *n= ame) +{ + return !strcmp(name, VIRTFS_META_DIR); +} + static struct dirent *local_readdir(FsContext *ctx, V9fsFidOpenState *fs) { struct dirent *entry; @@ -465,8 +470,8 @@ again: if (ctx->export_flags & V9FS_SM_MAPPED) { entry->d_type =3D DT_UNKNOWN; } else if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { - if (!strcmp(entry->d_name, VIRTFS_META_DIR)) { - /* skp the meta data directory */ + if (local_is_mapped_file_metadata(ctx, entry->d_name)) { + /* skip the meta data directory */ goto again; } entry->d_type =3D DT_UNKNOWN;
@@ -559,6 +564,12 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath *di= r_path, int err =3D -1; int dirfd; =20 + if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && + local_is_mapped_file_metadata(fs_ctx, name)) { + errno =3D EINVAL; + return -1; + } + dirfd =3D local_opendir_nofollow(fs_ctx, dir_path->data); if (dirfd =3D=3D -1) { return -1; @@ -605,6 +616,12 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath *di= r_path, int err =3D -1; int dirfd; =20 + if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && + local_is_mapped_file_metadata(fs_ctx, name)) { + errno =3D EINVAL; + return -1; + } + dirfd =3D local_opendir_nofollow(fs_ctx, dir_path->data); if (dirfd =3D=3D -1) { return -1; @@ -694,6 +711,12 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *di= r_path, const char *name, int err =3D -1; int dirfd; =20 + if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && + local_is_mapped_file_metadata(fs_ctx, name)) { + errno =3D EINVAL; + return -1; + } + /* * Mark all the open to not follow symlinks */ @@ -752,6 +775,12 @@ static int local_symlink(FsContext *fs_ctx, const char= *oldpath, int err =3D -1; int dirfd; =20 + if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && + local_is_mapped_file_metadata(fs_ctx, name)) { + errno =3D EINVAL; + return -1; + } + dirfd =3D local_opendir_nofollow(fs_ctx, dir_path->data); if (dirfd =3D=3D -1) { return -1; @@ -826,6 +855,12 @@ static int local_link(FsContext *ctx, V9fsPath *oldpat= h, int ret =3D -1; int odirfd, ndirfd; =20 + if (ctx->export_flags & V9FS_SM_MAPPED_FILE && + local_is_mapped_file_metadata(ctx, name)) { + errno =3D EINVAL; + return -1; + } + odirfd =3D local_opendir_nofollow(ctx, odirpath); if (odirfd =3D=3D -1) { goto out; 
@@ -1096,6 +1131,12 @@ static int local_lremovexattr(FsContext *ctx, V9fsPa= th *fs_path, static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path, const char *name, V9fsPath *target) { + if (ctx->export_flags & V9FS_SM_MAPPED_FILE && + local_is_mapped_file_metadata(ctx, name)) { + errno =3D EINVAL; + return -1; + } + if (dir_path) { v9fs_path_sprintf(target, "%s/%s", dir_path->data, name); } else if (strcmp(name, "/")) { @@ -1116,6 +1157,13 @@ static int local_renameat(FsContext *ctx, V9fsPath *= olddir, int ret; int odirfd, ndirfd; =20 + if (ctx->export_flags & V9FS_SM_MAPPED_FILE && + (local_is_mapped_file_metadata(ctx, old_name) || + local_is_mapped_file_metadata(ctx, new_name))) { + errno =3D EINVAL; + return -1; + } + odirfd =3D local_opendir_nofollow(ctx, olddir->data); if (odirfd =3D=3D -1) { return -1; @@ -1206,6 +1254,12 @@ static int local_unlinkat(FsContext *ctx, V9fsPath *= dir, int ret; int dirfd; =20 + if (ctx->export_flags & V9FS_SM_MAPPED_FILE && + local_is_mapped_file_metadata(ctx, name)) { + errno =3D EINVAL; + return -1; + } + dirfd =3D local_opendir_nofollow(ctx, dir->data); if (dirfd =3D=3D -1) { return -1; --=20 2.7.4
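Review bot: in the first hunk, local_is_mapped_file_metadata() never uses its fs_ctx parameter, while every caller added in the later hunks repeats `fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&` in front of the call. Either drop the parameter or move the mode test into the helper, e.g. `return (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) && !strcmp(name, VIRTFS_META_DIR);`, so that a future call site cannot forget the export_flags check; the eight call sites then reduce to `if (local_is_mapped_file_metadata(ctx, name))`. A one-line comment stating that name is expected to be a single path component, which is why a plain strcmp against VIRTFS_META_DIR is sufficient, would also help the next reader.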
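Review bot: the local_readdir() hunk fixes the "skp" typo and reuses the helper, but the comment should say that skipping the entry is only cosmetic and that the actual enforcement is the EINVAL returned by the other hunks, so nobody later mistakes the readdir skip for the security boundary.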
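Review bot: the local_name_to_path() hunk is the check that makes the commit message's claim "other operations are safe because they are only passed a fid path" true, and that dependence deserves a comment at the check itself, since anyone relaxing it would silently re-expose every operation that trusts fid paths. On the errno, this is also the one site where ENOENT would match what the client already sees from local_readdir() (the entry does not exist from its point of view); if EINVAL is kept for consistency with the create paths, a short comment here would save the next reader from wondering.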
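Review bot: the local_renameat() hunk is the only one that checks two names (old_name and new_name), which is right since either side of the rename could name the metadata dir; however local_rename() is listed as affected in the commit message and no hunk in this diff touches it. If local_rename() reaches this check by delegating to local_renameat(), the commit message should say so explicitly; if it does not, that path is still unprotected.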