From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Bandan Das, public@hansmi.ch, Gerd Hoffmann, Prasad J Pandit
Date: Thu, 13 Dec 2018 13:25:11 +0100
Message-Id: <20181213122511.13853-1-kraxel@redhat.com>
Subject: [Qemu-devel] [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.

Open files and directories with O_NOFOLLOW to avoid symlink attacks.
While being at it also add O_CLOEXEC.

usb-mtp only handles regular files and directories and ignores
everything else, so users should not see a difference.

Because qemu ignores symlinks, carrying out a successful symlink attack
requires swapping an existing file or directory below rootdir for a
symlink and winning the race against the inotify notification to qemu.

Note that the impact of this bug is rather low when qemu is managed by
libvirt due to qemu running sandboxed, so there isn't much you can gain
access to that way.

Fixes: CVE-2018-pjp-please-get-one
Cc: Prasad J Pandit
Cc: Bandan Das
Reported-by: Michael Hanselmann
Signed-off-by: Gerd Hoffmann
Reviewed-by: Michael Hanselmann
---
 hw/usb/dev-mtp.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 100b7171f4..36c43b8c20 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -653,13 +653,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPOb= ject *o) { struct dirent *entry; DIR *dir; + int fd; =20 if (o->have_children) { return; } o->have_children =3D true; =20 - dir =3D opendir(o->path); + fd =3D open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW); + if (fd < 0) { + return; + } + dir =3D fdopendir(fd); if (!dir) { return; } @@ -1007,7 +1012,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPCo= ntrol *c, =20 trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path); =20 - d->fd =3D open(o->path, O_RDONLY); + d->fd =3D open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); if (d->fd =3D=3D -1) { usb_mtp_data_free(d); return NULL; @@ -1031,7 +1036,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *= s, MTPControl *c, c->argv[1], c->argv[2]); =20 d =3D usb_mtp_data_alloc(c); - d->fd =3D open(o->path, O_RDONLY); + d->fd =3D open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); if (d->fd =3D=3D -1) { usb_mtp_data_free(d); return NULL; @@ -1658,7 +1663,7 @@ static void usb_mtp_write_data(MTPState *s) 0, 0, 0, 0); goto done; } - d->fd =3D open(path, O_CREAT | O_WRONLY, mask); + d->fd =3D open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, = mask); if (d->fd =3D=3D -1) { usb_mtp_queue_result(s, RES_STORE_FULL, d->trans, 0, 0, 0, 0); --=20 2.9.3
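Review bot: in the usb_mtp_object_readdir hunk the new descriptor is leaked when fdopendir() fails: the `if (!dir) { return; }` that follows returns without closing it. Add `close(fd);` on that failure path (on success fdopendir() takes ownership of the descriptor and the existing closedir() releases it, so only the failure branch needs the close).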
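Review bot: in the usb_mtp_get_object hunk O_NOFOLLOW only guards the final component of o->path; a symlink that replaces one of the parent directories named in the path is still followed by the kernel, so the race window described in the commit message is closed for the last component only. If a tighter guarantee is wanted, open the object with openat() relative to a descriptor of its parent directory (usb_mtp_object_readdir now obtains exactly such a descriptor before handing it to fdopendir()) instead of by full path.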
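Review bot: the open() in the usb_mtp_get_partial_object hunk duplicates the one in usb_mtp_get_object flag for flag; a small shared helper would keep the two from drifting the next time a flag is added. O_NOFOLLOW rejects symlinks but not FIFOs or device nodes, so if the "only regular files and directories" filtering the commit message relies on happens at readdir time rather than at open time, an fstat()/S_ISREG check in that helper would cover the remaining swap window.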
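Review bot: in the usb_mtp_write_data hunk the open() keeps O_CREAT without O_EXCL, so an entry that already exists at path is opened and written in place rather than refused; if this call is meant to create a fresh object, add O_EXCL so that an existing entry makes the open fail. O_CREAT combined with O_NOFOLLOW behaves as intended here: a dangling symlink at path yields ELOOP instead of creating the link target.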