From: Greg Kurz <groug@kaod.org>
To: Miklos Szeredi <mszeredi@redhat.com>
Cc: Daniel Berrange <berrange@redhat.com>,
QEMU Developers <qemu-devel@nongnu.org>,
P J P <ppandit@redhat.com>, virtio-fs-list <virtio-fs@redhat.com>,
Alex Xu <alex@alxu.ca>, Stefan Hajnoczi <stefanha@redhat.com>,
Laszlo Ersek <lersek@redhat.com>, Vivek Goyal <vgoyal@redhat.com>
Subject: Re: [Virtio-fs] [PATCH v2] virtiofsd: prevent opening of special files (CVE-2020-35517)
Date: Wed, 27 Jan 2021 14:49:09 +0100 [thread overview]
Message-ID: <20210127144909.22dd778e@bahia.lan> (raw)
In-Reply-To: <CAOssrKfezsvcECQ=mO_4T2B09e+2S4LA3=_U6TQyiTtPbE=OYg@mail.gmail.com>
On Wed, 27 Jan 2021 11:34:52 +0100
Miklos Szeredi <mszeredi@redhat.com> wrote:
> On Wed, Jan 27, 2021 at 11:20 AM Greg Kurz <groug@kaod.org> wrote:
> >
> > On Wed, 27 Jan 2021 10:25:28 +0100
> > Miklos Szeredi <mszeredi@redhat.com> wrote:
> >
> > > On Tue, Jan 26, 2021 at 6:18 PM Greg Kurz <groug@kaod.org> wrote:
> > > >
> > > > On Tue, 26 Jan 2021 10:35:02 +0000
> > > > Stefan Hajnoczi <stefanha@redhat.com> wrote:
> > >
> > > > The patch looks pretty good to me. It just seems to be missing a change in
> > > > lo_create():
> > > >
> > > > fd = openat(parent_inode->fd, name, (fi->flags | O_CREAT) & ~O_NOFOLLOW,
> > > > mode);
> > > >
> > > > A malicious guest could have created anything called ${name} in this directory
> > > > before calling FUSE_CREATE and we'll open it blindly, or I'm missing something ?
> > >
> > > Right, this seems like an omission.
> > >
> > > Also the "& ~O_NOFOLLOW" looks like a copy-paste bug, since unlike
> > > lo_open(), lo_create() is not opening a proc symlink.
> > >
> > > So that should be replaced with "| O_NOFOLLOW"
> > >
> >
> >
> > Yes, I've realized that later on. We should definitely enforce O_NOFOLLOW
> > to avoid symlink escapes.
> >
> > Then comes the case of special files... A well-known case is the FIFO that
> > causes openat() to block as described in my response. FWIW, we addressed
> > this one in 9P by adding O_NONBLOCK and fixing the flags to the client
> > expectation with fcntl(F_SETFL). But this is just a protection against
> > being blocked. Blindly opening a special file can lead to any kind of
> > troubles you can think of... so it really looks that the only sane way
> > to be safe from such an attack is to forbid openat() of special files at
> > the filesystem level.
>
> Another solution specifically for O_CREAT without O_EXCL would be to
> turn it into an exclusive create.
Would this added O_EXCL then appear on the client side, e.g. to
guest userspace doing fcntl(F_GETFL) ?
> If that fails with EEXIST then try
> the normal open path (open with O_PATH, fstat, open proc symlink). If
open(O_PATH | O_NOFOLLOW) + fstatat(AT_EMPTY_PATH|AT_SYMLINK_NOFOLLOW)
would indeed allow to filter out anything that isn't a directory and
to safely open the proc symlink.
> that fails with ENOENT, then retry the whole thing a certain number of
Indeed someone could have unlinked the file in the meantime, in which
case the open(O_PATH | O_NOFOLLOW) would fail, but if it succeeds then
we cannot hit ENOENT anymore AFAICT.
> times. If it still fails then somebody is definitely messing with us
> and we can fail the request with EIO.
>
Not sure what the retry+timeout is trying to mitigate here... why not
returning EIO right away ?
> Rather ugly, but I can't think of anything better.
>
> Thanks,
> Miklos
>
next prev parent reply other threads:[~2021-01-27 13:50 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-26 10:35 [PATCH v2] virtiofsd: prevent opening of special files (CVE-2020-35517) Stefan Hajnoczi
2021-01-26 10:36 ` Daniel P. Berrangé
2021-01-26 10:47 ` [Virtio-fs] " Liam Merwick
2021-01-26 17:16 ` Greg Kurz
2021-01-27 9:25 ` Miklos Szeredi
2021-01-27 10:20 ` Greg Kurz
2021-01-27 10:34 ` Miklos Szeredi
2021-01-27 13:49 ` Greg Kurz [this message]
2021-01-27 14:09 ` Miklos Szeredi
2021-01-27 15:09 ` Greg Kurz
2021-01-27 15:22 ` Miklos Szeredi
2021-01-27 15:35 ` Greg Kurz
2021-01-27 15:47 ` Miklos Szeredi
2021-01-27 15:52 ` Miklos Szeredi
2021-01-28 12:14 ` Greg Kurz
2021-01-28 14:00 ` Miklos Szeredi
2021-01-28 14:26 ` Greg Kurz
2021-01-27 10:18 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210127144909.22dd778e@bahia.lan \
--to=groug@kaod.org \
--cc=alex@alxu.ca \
--cc=berrange@redhat.com \
--cc=lersek@redhat.com \
--cc=mszeredi@redhat.com \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=vgoyal@redhat.com \
--cc=virtio-fs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).