* [Qemu-devel] [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
@ 2018-12-13 12:25 Gerd Hoffmann
  2018-12-13 12:37 ` Daniel P. Berrangé
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Gerd Hoffmann @ 2018-12-13 12:25 UTC (permalink / raw)
  To: qemu-devel; +Cc: public, Gerd Hoffmann, Prasad J Pandit, Bandan Das

Open files and directories with O_NOFOLLOW to avoid symlink attacks.
While at it, also add O_CLOEXEC.

usb-mtp only handles regular files and directories and ignores
everything else, so users should not see a difference.

Because qemu ignores symlinks, carrying out a successful symlink attack
requires swapping an existing file or directory below rootdir for a
symlink and winning the race against the inotify notification to qemu.

Note that the impact of this bug is rather low when qemu is managed by
libvirt due to qemu running sandboxed, so there isn't much you can gain
access to that way.

Fixes: CVE-2018-pjp-please-get-one
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: Bandan Das <bsd@redhat.com>
Reported-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/usb/dev-mtp.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 100b7171f4..36c43b8c20 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -653,13 +653,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
 {
     struct dirent *entry;
     DIR *dir;
+    int fd;
 
     if (o->have_children) {
         return;
     }
     o->have_children = true;
 
-    dir = opendir(o->path);
+    fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
+    if (fd < 0) {
+        return;
+    }
+    dir = fdopendir(fd);
     if (!dir) {
         return;
     }
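Review bot: the descriptor is leaked when fdopendir() fails; on that path the fd is not consumed, so the `if (!dir)` branch needs a `close(fd);` before returning. It is also worth one sentence in the commit message that O_NOFOLLOW only refuses a symlink at the final path component: a symlink swapped in for an intermediate directory of o->path is still followed, and closing that gap means opening relative to a root descriptor with openat(), which is a larger change than this fix.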
@@ -1007,7 +1012,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c,
 
     trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path);
 
-    d->fd = open(o->path, O_RDONLY);
+    d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
     if (d->fd == -1) {
         usb_mtp_data_free(d);
         return NULL;
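Review bot: O_NOFOLLOW rejects a symlink at o->path but still opens a FIFO or device node swapped in under the same name, and the "regular files and directories only" filtering mentioned in the commit message happened earlier, when the directory was scanned, not at this open. An fstat() on d->fd followed by an S_ISREG() check, closing the fd and returning NULL otherwise, would make the open itself enforce that rule.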
@@ -1031,7 +1036,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c,
                                         c->argv[1], c->argv[2]);
 
     d = usb_mtp_data_alloc(c);
-    d->fd = open(o->path, O_RDONLY);
+    d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
     if (d->fd == -1) {
         usb_mtp_data_free(d);
         return NULL;
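Review bot: this is the same open(2) flag set as in usb_mtp_get_object(), and the write path below carries a third copy; a small helper (usb_mtp_open_object() or similar, name is only a suggestion) would keep O_CLOEXEC | O_NOFOLLOW from drifting out of sync the next time a path is opened in this file and would be the natural home for any post-open sanity check on the descriptor.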
@@ -1658,7 +1663,7 @@ static void usb_mtp_write_data(MTPState *s)
                                  0, 0, 0, 0);
             goto done;
         }
-        d->fd = open(path, O_CREAT | O_WRONLY, mask);
+        d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask);
         if (d->fd == -1) {
             usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
                                  0, 0, 0, 0);
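Review bot: every open() failure here, including the new ELOOP that O_NOFOLLOW produces for a symlink, is reported to the initiator as RES_STORE_FULL, which hides the symlink case from anyone debugging it; a trace point on the errno, or a distinct result code for the non-ENOSPC cases, would help. Separately, O_NOFOLLOW without O_EXCL still opens and writes into an existing regular file at `path`; if the caller does not already reject existing objects (not visible in this hunk), O_CREAT | O_EXCL would make the create-only intent explicit.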
-- 
2.9.3
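Added example (my own code, not part of Gerd's patch or of QEMU) showing what the new flags buy: a scratch directory with a regular file and a symlink to it is constructed, both are opened the way the patched read paths do, and the symlink is refused with ELOOP; it also adds an fstat()/S_ISREG() check the patch itself does not have, so a non-regular object swapped in under the same name is refused as well. The temp-dir location, file names and the EINVAL choice are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` read-only with the flags the patch adds, then insist the
 * object behind the fd is a regular file. Returns the fd, or -1 with errno
 * set (ELOOP on Linux when the final component is a symlink). */
static int open_regular_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);

    if (fd >= 0 && (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode))) {
        close(fd);
        errno = EINVAL;     /* our own choice for "not a regular file" */
        return -1;
    }
    return fd;
}

/* Constructed fixture in a fresh temp dir: plain.txt (regular file) and
 * swapped (symlink to it). Returns the errno the symlink open failed with
 * (ELOOP expected), or -1 if the regular file did not open or the symlink
 * was not rejected. The fixture is removed before returning. */
int demo_nofollow(void)
{
    char dir[] = "/tmp/mtp-nofollow-XXXXXX", file[128], link[128];
    int rc = -1, fd;

    if (!mkdtemp(dir)) {
        return -1;
    }
    snprintf(file, sizeof file, "%s/plain.txt", dir);
    snprintf(link, sizeof link, "%s/swapped", dir);
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd >= 0 && close(fd) == 0 && symlink(file, link) == 0) {
        fd = open_regular_nofollow(file);          /* real file: must work */
        if (fd >= 0) {
            close(fd);
            if (open_regular_nofollow(link) < 0) { /* symlink: must fail */
                rc = errno;                        /* captured before cleanup */
            }
        }
    }
    unlink(link); unlink(file); rmdir(dir);
    return rc;
}
```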


* Re: [Qemu-devel] [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
  2018-12-13 12:25 [Qemu-devel] [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC Gerd Hoffmann
@ 2018-12-13 12:37 ` Daniel P. Berrangé
  2018-12-13 12:40 ` Michael Hanselmann
  2018-12-13 12:58 ` Markus Armbruster
  2 siblings, 0 replies; 5+ messages in thread
From: Daniel P. Berrangé @ 2018-12-13 12:37 UTC (permalink / raw)
  To: Gerd Hoffmann; +Cc: qemu-devel, Bandan Das, public, Prasad J Pandit

On Thu, Dec 13, 2018 at 01:25:11PM +0100, Gerd Hoffmann wrote:
> Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
> While being at it also add O_CLOEXEC.
> 
> usb-mtp only handles regular files and directories and ignores
> everything else, so users should not see a difference.
> 
> Because qemu ignores symlinks carrying out an successfull symlink attack
> requires swapping an existing file or directory below rootdir for a
> symlink and winning the race against the inotify notification to qemu.
> 
> Note that the impact of this bug is rather low when qemu is managed by
> libvirt due to qemu running sandboxed, so there isn't much you can gain
> access to that way.

It is almost non-existant because libvirt doesn't support the MTP device
at all yet, so no guest will have it unless the user tried CLI
arg passthrough in libvirt :-)

> 
> Fixes: CVE-2018-pjp-please-get-one
> Cc: Prasad J Pandit <ppandit@redhat.com>
> Cc: Bandan Das <bsd@redhat.com>
> Reported-by: Michael Hanselmann <public@hansmi.ch>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>  hw/usb/dev-mtp.c | 13 +++++++++----
>  1 file changed, 9 insertions(+), 4 deletions(-)
> 
> diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
> index 100b7171f4..36c43b8c20 100644
> --- a/hw/usb/dev-mtp.c
> +++ b/hw/usb/dev-mtp.c
> @@ -653,13 +653,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
>  {
>      struct dirent *entry;
>      DIR *dir;
> +    int fd;
>  
>      if (o->have_children) {
>          return;
>      }
>      o->have_children = true;
>  
> -    dir = opendir(o->path);
> +    fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
> +    if (fd < 0) {
> +        return;
> +    }
> +    dir = fdopendir(fd);
>      if (!dir) {
>          return;
>      }
> @@ -1007,7 +1012,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c,
>  
>      trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path);
>  
> -    d->fd = open(o->path, O_RDONLY);
> +    d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
>      if (d->fd == -1) {
>          usb_mtp_data_free(d);
>          return NULL;
> @@ -1031,7 +1036,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c,
>                                          c->argv[1], c->argv[2]);
>  
>      d = usb_mtp_data_alloc(c);
> -    d->fd = open(o->path, O_RDONLY);
> +    d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
>      if (d->fd == -1) {
>          usb_mtp_data_free(d);
>          return NULL;
> @@ -1658,7 +1663,7 @@ static void usb_mtp_write_data(MTPState *s)
>                                   0, 0, 0, 0);
>              goto done;
>          }
> -        d->fd = open(path, O_CREAT | O_WRONLY, mask);
> +        d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask);
>          if (d->fd == -1) {
>              usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
>                                   0, 0, 0, 0);
> -- 
> 2.9.3
> 
> 

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|


* Re: [Qemu-devel] [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
  2018-12-13 12:25 [Qemu-devel] [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC Gerd Hoffmann
  2018-12-13 12:37 ` Daniel P. Berrangé
@ 2018-12-13 12:40 ` Michael Hanselmann
  2018-12-13 12:58 ` Markus Armbruster
  2 siblings, 0 replies; 5+ messages in thread
From: Michael Hanselmann @ 2018-12-13 12:40 UTC (permalink / raw)
  To: Gerd Hoffmann, qemu-devel; +Cc: Prasad J Pandit, Bandan Das

On 13.12.18 13:25, Gerd Hoffmann wrote:
> Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
> While being at it also add O_CLOEXEC.
> 
> usb-mtp only handles regular files and directories and ignores
> everything else, so users should not see a difference.
> 
> Because qemu ignores symlinks carrying out an successfull symlink attack

Minor typo: s/successfull/successful/

> requires swapping an existing file or directory below rootdir for a
> symlink and winning the race against the inotify notification to qemu.
> 
> Note that the impact of this bug is rather low when qemu is managed by
> libvirt due to qemu running sandboxed, so there isn't much you can gain
> access to that way.
> 
> Fixes: CVE-2018-pjp-please-get-one
> Cc: Prasad J Pandit <ppandit@redhat.com>
> Cc: Bandan Das <bsd@redhat.com>
> Reported-by: Michael Hanselmann <public@hansmi.ch>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Thanks for the patch!

Reviewed-by: Michael Hanselmann <public@hansmi.ch>

Best regards,
Michael


* Re: [Qemu-devel] [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
  2018-12-13 12:25 [Qemu-devel] [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC Gerd Hoffmann
  2018-12-13 12:37 ` Daniel P. Berrangé
  2018-12-13 12:40 ` Michael Hanselmann
@ 2018-12-13 12:58 ` Markus Armbruster
  2018-12-13 17:07   ` P J P
  2 siblings, 1 reply; 5+ messages in thread
From: Markus Armbruster @ 2018-12-13 12:58 UTC (permalink / raw)
  To: Gerd Hoffmann; +Cc: qemu-devel, Bandan Das, public, Prasad J Pandit

Gerd Hoffmann <kraxel@redhat.com> writes:

> Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
> While being at it also add O_CLOEXEC.
>
> usb-mtp only handles regular files and directories and ignores
> everything else, so users should not see a difference.
>
> Because qemu ignores symlinks carrying out an successfull symlink attack
> requires swapping an existing file or directory below rootdir for a
> symlink and winning the race against the inotify notification to qemu.
>
> Note that the impact of this bug is rather low when qemu is managed by
> libvirt due to qemu running sandboxed, so there isn't much you can gain
> access to that way.
>
> Fixes: CVE-2018-pjp-please-get-one

Ah, looks like we've run out of numbers.

> Cc: Prasad J Pandit <ppandit@redhat.com>
> Cc: Bandan Das <bsd@redhat.com>
> Reported-by: Michael Hanselmann <public@hansmi.ch>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


* Re: [Qemu-devel] [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
  2018-12-13 12:58 ` Markus Armbruster
@ 2018-12-13 17:07   ` P J P
  0 siblings, 0 replies; 5+ messages in thread
From: P J P @ 2018-12-13 17:07 UTC (permalink / raw)
  To: Gerd Hoffmann; +Cc: qemu-devel, Markus Armbruster, Bandan Das, public

  Hello Gerd,

+-- On Thu, 13 Dec 2018, Markus Armbruster wrote --+
| Gerd Hoffmann <kraxel@redhat.com> writes:
| > Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
| > While being at it also add O_CLOEXEC.
| >
| > usb-mtp only handles regular files and directories and ignores
| > everything else, so users should not see a difference.
| >
| > Because qemu ignores symlinks carrying out an successfull symlink attack

   symlinks, carrying out a successful ...

| > requires swapping an existing file or directory below rootdir for a
| > symlink and winning the race against the inotify notification to qemu.
| >
| > Note that the impact of this bug is rather low when qemu is managed by
| > libvirt due to qemu running sandboxed, so there isn't much you can gain
| > access to that way.
| >
| > Fixes: CVE-2018-pjp-please-get-one
| 
| Ah, looks like we've run out of numbers.

Heh..:)

It's CVE-2018-16872. Thank you so much for the fix patch.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

