From: Christian Schoenebeck <qemu_oss@crudebyte.com>
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Greg Kurz <groug@kaod.org>,
Dirk Herrendorfer <d.herrendoerfer@de.ibm.com>,
Yanwu Shen <ywsPlz@gmail.com>,
Jietao Xiao <shawtao1125@gmail.com>,
Jinku Li <jkli@xidian.edu.cn>, Wenbo Shen <shenwenbo@zju.edu.cn>,
Michael Tokarev <mjt@tls.msk.ru>
Subject: Re: [PATCH] 9pfs: fix regression regarding CVE-2023-2861
Date: Tue, 10 Dec 2024 10:57:07 +0100 [thread overview]
Message-ID: <4261493.soTQ3n66jb@silver> (raw)
In-Reply-To: <E1tJWbk-007BH4-OB@kylie.crudebyte.com>
On Friday, December 6, 2024 12:20:29 PM CET Christian Schoenebeck wrote:
> The released fix for this CVE:
>
> f6b0de53fb8 ("9pfs: prevent opening special files (CVE-2023-2861)")
>
> caused a regression with security_model=passthrough. When handling a
> 'Tmknod' request there was a side effect that 'Tmknod' request could fail
> as 9p server was trying to adjust permissions:
>
> #6 close_if_special_file (fd=30) at ../hw/9pfs/9p-util.h:140
> #7 openat_file (mode=<optimized out>, flags=2228224,
> name=<optimized out>, dirfd=<optimized out>) at
> ../hw/9pfs/9p-util.h:181
> #8 fchmodat_nofollow (dirfd=dirfd@entry=31,
> name=name@entry=0x5555577ea6e0 "mysocket", mode=493) at
> ../hw/9pfs/9p-local.c:360
> #9 local_set_cred_passthrough (credp=0x7ffbbc4ace10, name=0x5555577ea6e0
> "mysocket", dirfd=31, fs_ctx=0x55555811f528) at
> ../hw/9pfs/9p-local.c:457
> #10 local_mknod (fs_ctx=0x55555811f528, dir_path=<optimized out>,
> name=0x5555577ea6e0 "mysocket", credp=0x7ffbbc4ace10) at
> ../hw/9pfs/9p-local.c:702
> #11 v9fs_co_mknod (pdu=pdu@entry=0x555558121140,
> fidp=fidp@entry=0x5555574c46c0, name=name@entry=0x7ffbbc4aced0,
> uid=1000, gid=1000, dev=<optimized out>, mode=49645,
> stbuf=0x7ffbbc4acef0) at ../hw/9pfs/cofs.c:205
> #12 v9fs_mknod (opaque=0x555558121140) at ../hw/9pfs/9p.c:3711
>
> That's because server was opening the special file to adjust permissions,
> however it was using O_PATH and it would have not returned the file
> descriptor to guest. So the call to close_if_special_file() on that branch
> was incorrect.
>
> Let's lift the restriction introduced by f6b0de53fb8 such that it would
> allow to open special files on host if O_PATH flag is supplied, not only
> for 9p server's own operations as described above, but also for any client
> 'Topen' request.
>
> It is safe to allow opening special files with O_PATH on host, because
> O_PATH only allows path based operations on the resulting file descriptor
> and prevents I/O such as read() and write() on that file descriptor.
>
> Fixes: f6b0de53fb8 ("9pfs: prevent opening special files (CVE-2023-2861)")
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2337
> Reported-by: Dirk Herrendorfer <d.herrendoerfer@de.ibm.com>
> Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
> ---
> hw/9pfs/9p-util.h | 27 +++++++++++++++++----------
> 1 file changed, 17 insertions(+), 10 deletions(-)
Queued on 9p.next:
https://github.com/cschoenebeck/qemu/commits/9p.next
Let's see if we can still land this in 9.2.
/Christian
next prev parent reply other threads:[~2024-12-10 9:57 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-06 11:20 [PATCH] 9pfs: fix regression regarding CVE-2023-2861 Christian Schoenebeck
2024-12-09 7:05 ` Greg Kurz
2024-12-10 9:57 ` Christian Schoenebeck [this message]
2024-12-10 10:11 ` Peter Maydell
2024-12-10 10:35 ` Christian Schoenebeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4261493.soTQ3n66jb@silver \
--to=qemu_oss@crudebyte.com \
--cc=d.herrendoerfer@de.ibm.com \
--cc=groug@kaod.org \
--cc=jkli@xidian.edu.cn \
--cc=mjt@tls.msk.ru \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
--cc=shawtao1125@gmail.com \
--cc=shenwenbo@zju.edu.cn \
--cc=ywsPlz@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.