[PULL 0/1] virtiofs queue

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [PULL 0/1] virtiofs queue
@ 2022-01-26 10:51 Dr. David Alan Gilbert (git)
  2022-01-26 10:51 ` [PULL 1/1] virtiofsd: Drop membership of all supplementary groups (CVE-2022-0358) Dr. David Alan Gilbert (git)
  2022-01-26 14:57 ` [PULL 0/1] virtiofs queue Peter Maydell
  0 siblings, 2 replies; 3+ messages in thread
From: Dr. David Alan Gilbert (git) @ 2022-01-26 10:51 UTC (permalink / raw)
  To: qemu-devel, shawtao1125, vgoyal
  Cc: mszeredi, mcascell, slp, virtio-fs, stefanha, pj.pandit

From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>

The following changes since commit aeb0ae95b7f18c66158792641cb6ba0cde5789ab:

  Merge remote-tracking branch 'remotes/jsnow-gitlab/tags/python-pull-request' into staging (2022-01-22 12:03:22 +0000)

are available in the Git repository at:

  https://gitlab.com/dagrh/qemu.git tags/pull-virtiofs-20220126

for you to fetch changes up to 449e8171f96a6a944d1f3b7d3627ae059eae21ca:

  virtiofsd: Drop membership of all supplementary groups (CVE-2022-0358) (2022-01-26 10:32:05 +0000)

----------------------------------------------------------------
virtiofsd: Security fix

Fixes: CVE-2022-0358

----------------------------------------------------------------
Vivek Goyal (1):
      virtiofsd: Drop membership of all supplementary groups (CVE-2022-0358)

 tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [PULL 1/1] virtiofsd: Drop membership of all supplementary groups (CVE-2022-0358)
  2022-01-26 10:51 [PULL 0/1] virtiofs queue Dr. David Alan Gilbert (git)
@ 2022-01-26 10:51 ` Dr. David Alan Gilbert (git)
  2022-01-26 14:57 ` [PULL 0/1] virtiofs queue Peter Maydell
  1 sibling, 0 replies; 3+ messages in thread
From: Dr. David Alan Gilbert (git) @ 2022-01-26 10:51 UTC (permalink / raw)
  To: qemu-devel, shawtao1125, vgoyal
  Cc: mszeredi, mcascell, slp, virtio-fs, stefanha, pj.pandit

From: Vivek Goyal <vgoyal@redhat.com>

At the start, drop membership of all supplementary groups. This is
not required.

If we have membership of "root" supplementary group and when we switch
uid/gid using setresuid/setsgid, we still retain membership of existing
supplemntary groups. And that can allow some operations which are not
normally allowed.

For example, if root in guest creates a dir as follows.

$ mkdir -m 03777 test_dir

This sets SGID on dir as well as allows unprivileged users to write into
this dir.

And now as unprivileged user open file as follows.

$ su test
$ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755);

This will create SGID set executable in test_dir/.

And that's a problem because now an unpriviliged user can execute it,
get egid=0 and get access to resources owned by "root" group. This is
privilege escalation.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863
Fixes: CVE-2022-0358
Reported-by: JIETAO XIAO <shawtao1125@gmail.com>
Suggested-by: Miklos Szeredi <mszeredi@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Message-Id: <YfBGoriS38eBQrAb@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
  dgilbert: Fixed missing {}'s style nit
---
 tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index 64b5b4fbb1..b3d0674f6d 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -54,6 +54,7 @@
 #include <sys/wait.h>
 #include <sys/xattr.h>
 #include <syslog.h>
+#include <grp.h>

 #include "qemu/cutils.h"
 #include "passthrough_helpers.h"
@@ -1161,6 +1162,30 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
 #define OURSYS_setresuid SYS_setresuid
 #endif

+static void drop_supplementary_groups(void)
+{
+    int ret;
+
+    ret = getgroups(0, NULL);
+    if (ret == -1) {
+        fuse_log(FUSE_LOG_ERR, "getgroups() failed with error=%d:%s\n",
+                 errno, strerror(errno));
+        exit(1);
+    }
+
+    if (!ret) {
+        return;
+    }
+
+    /* Drop all supplementary groups. We should not need it */
+    ret = setgroups(0, NULL);
+    if (ret == -1) {
+        fuse_log(FUSE_LOG_ERR, "setgroups() failed with error=%d:%s\n",
+                 errno, strerror(errno));
+        exit(1);
+    }
+}
+
 /*
  * Change to uid/gid of caller so that file is created with
  * ownership of caller.
@@ -3926,6 +3951,8 @@ int main(int argc, char *argv[])

     qemu_init_exec_dir(argv[0]);

+    drop_supplementary_groups();
+
     pthread_mutex_init(&lo.mutex, NULL);
     lo.inodes = g_hash_table_new(lo_key_hash, lo_key_equal);
     lo.root.fd = -1;
-- 
2.34.1

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PULL 0/1] virtiofs queue
  2022-01-26 10:51 [PULL 0/1] virtiofs queue Dr. David Alan Gilbert (git)
  2022-01-26 10:51 ` [PULL 1/1] virtiofsd: Drop membership of all supplementary groups (CVE-2022-0358) Dr. David Alan Gilbert (git)
@ 2022-01-26 14:57 ` Peter Maydell
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Maydell @ 2022-01-26 14:57 UTC (permalink / raw)
  To: Dr. David Alan Gilbert (git)
  Cc: mszeredi, mcascell, slp, qemu-devel, shawtao1125, stefanha,
	pj.pandit, virtio-fs, vgoyal

On Wed, 26 Jan 2022 at 10:54, Dr. David Alan Gilbert (git)
<dgilbert@redhat.com> wrote:
>
> From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
>
> The following changes since commit aeb0ae95b7f18c66158792641cb6ba0cde5789ab:
>
>   Merge remote-tracking branch 'remotes/jsnow-gitlab/tags/python-pull-request' into staging (2022-01-22 12:03:22 +0000)
>
> are available in the Git repository at:
>
>   https://gitlab.com/dagrh/qemu.git tags/pull-virtiofs-20220126
>
> for you to fetch changes up to 449e8171f96a6a944d1f3b7d3627ae059eae21ca:
>
>   virtiofsd: Drop membership of all supplementary groups (CVE-2022-0358) (2022-01-26 10:32:05 +0000)
>
> ----------------------------------------------------------------
> virtiofsd: Security fix
>
> Fixes: CVE-2022-0358
>
> ----------------------------------------------------------------
> Vivek Goyal (1):
>       virtiofsd: Drop membership of all supplementary groups (CVE-2022-0358)


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/7.0
for any user-visible changes.

-- PMM


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2022-01-26 15:04 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-01-26 10:51 [PULL 0/1] virtiofs queue Dr. David Alan Gilbert (git)
2022-01-26 10:51 ` [PULL 1/1] virtiofsd: Drop membership of all supplementary groups (CVE-2022-0358) Dr. David Alan Gilbert (git)
2022-01-26 14:57 ` [PULL 0/1] virtiofs queue Peter Maydell

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).