From: Chirantan Ekbote <chirantan@chromium.org>
To: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Daniel Berrange <berrange@redhat.com>,
qemu-devel@nongnu.org, P J P <ppandit@redhat.com>,
virtio-fs-list <virtio-fs@redhat.com>, Greg Kurz <groug@kaod.org>,
Alex Xu <alex@alxu.ca>, Laszlo Ersek <lersek@redhat.com>,
Vivek Goyal <vgoyal@redhat.com>
Subject: Re: [Virtio-fs] [PATCH v3] virtiofsd: prevent opening of special files (CVE-2020-35517)
Date: Sat, 6 Feb 2021 00:29:11 +0900 [thread overview]
Message-ID: <CAJFHJrq9Miy91T1fmb9iSTYya7U7kwPNpX3y9pvL2JHW=eav=A@mail.gmail.com> (raw)
In-Reply-To: <20210201182215.GA221556@stefanha-x1.localdomain>
On Tue, Feb 2, 2021 at 3:22 AM Stefan Hajnoczi <stefanha@redhat.com> wrote:
> Hi Chirantan,
> I wanted to bring this CVE to your attention because the discussion has
> revealed a number of other issues (not necessarily security issues) in
> virtiofsd that may also be present in other virtio-fs daemon
> implementations.
>
Hi Stefan,
Thanks for the heads up. I'm going to summarize the thread just to
make sure I understood correctly.
The CVE seems to be that the virtio-fs daemon allows opening special
files and the short-term fix is to detect and block this in the
daemon. The long term fix is to mount the data with
nosuid,nodev,noexec. I think crosvm's virtio-fs also doesn't check
the file type before opening it but chrome os has mounted all stateful
data as nosuid,nodev,noexec as long as I can remember so I think we
got lucky there. It's probably still worth adding the check to the
server.
The other issue is that there is a race between when an entry is
created and when we look it up by name where it may be modified and
replaced by an external process. While I can see how this can be
fixed for files, it seems like there's no choice for directories.
It's not like mkdirat returns an fd for the newly created directory.
Though, it seems like every process is affected by this. I guess if
you wanted to be really paranoid you could do something like mkdtemp,
get an fd, and then rename to the real name.
Did I miss anything?
Thanks,
Chirantan
next prev parent reply other threads:[~2021-02-05 15:31 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-27 11:21 [PATCH v3] virtiofsd: prevent opening of special files (CVE-2020-35517) Stefan Hajnoczi
2021-01-27 13:01 ` Miklos Szeredi
2021-01-27 14:14 ` Stefan Hajnoczi
2021-01-27 14:27 ` Miklos Szeredi
2021-01-28 15:32 ` Stefan Hajnoczi
2021-01-27 15:23 ` Greg Kurz
2021-01-28 16:11 ` Stefan Hajnoczi
2021-01-28 17:44 ` Greg Kurz
2021-02-01 17:14 ` Stefan Hajnoczi
2021-02-01 18:22 ` [Virtio-fs] " Stefan Hajnoczi
2021-02-05 15:29 ` Chirantan Ekbote [this message]
2021-02-01 19:26 ` Greg Kurz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJFHJrq9Miy91T1fmb9iSTYya7U7kwPNpX3y9pvL2JHW=eav=A@mail.gmail.com' \
--to=chirantan@chromium.org \
--cc=alex@alxu.ca \
--cc=berrange@redhat.com \
--cc=groug@kaod.org \
--cc=lersek@redhat.com \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=vgoyal@redhat.com \
--cc=virtio-fs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).