qemu-devel.nongnu.org archive mirror
From: Eric Blake <eblake@redhat.com>
To: "Daniel P. Berrange" <berrange@redhat.com>,
	G 3 <programmingkidx@gmail.com>
Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>,
	Greg Kurz <groug@kaod.org>,
	qemu-devel qemu-devel <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] git master build failure in 9pfs
Date: Fri, 3 Mar 2017 10:45:46 -0600	[thread overview]
Message-ID: <a93c2a39-6e10-331c-599a-81a7d8f2f52e@redhat.com> (raw)
In-Reply-To: <e7d5aa7e-46a9-efba-bcf2-934b71e3bb74@redhat.com>


On 03/03/2017 10:40 AM, Eric Blake wrote:

>> Isn't the use of O_PATH required in order to fix the recent
>> security vulnerability in 9p ?  If so, then defining it to
>> 0 means the QEMU is silently becoming vulnerable once again
>> which I don't think is a good idea.
> 
> My understanding is that O_PATH is an optimization. It lets openat()
> succeed in some places where it would ordinarily fail (for example, it
> can be used to open a dir with mode 0000) - the resulting fd is
> limited-use (it cannot be used to read() or write(), but CAN be used as
> the relative fd for a subsequent openat(), for example).  If you define
> O_PATH to 0, then attempts to traverse paths will fail where they could
> have otherwise succeeded, but failure is okay (the CVE was that we were
> succeeding at opening through a guest-controlled symlink; whether we now
> fail or guarantee that we are not going through a symlink is a quality
> of implementation, but either way, we are at least immune from
> succeeding through a symlink).

[I hit send too soon]

To put it in perspective, the 9p fixes included code for chmod() that
falls back to fchmodat() - but Linux' fchmodat() is broken (it is not
POSIX-compliant in that there is no race-free way to use
AT_SYMLINK_NOFOLLOW, at least not until Greg gets his kernel patches
approved that implement the fchmodat2() syscall [1]).  The symptoms are
that we now have cases where the guest will get failures where they
could have otherwise succeeded if fchmodat() were not broken, but such
cases are limited to corners where permissions are overly tight; in the
common case, the permissions will allow opening the file with O_RDONLY
or O_WRONLY and fchmod() can be used.

So a limited-use fix for the CVE that safely succeeds without symlinks
in the common case but fails in the corner case of tight permissions
(which is what defining O_PATH to 0 would do) is better than the pre-CVE
state of code that succeeds but risks going through a user-controlled
symlink.

[1] https://lkml.org/lkml/2017/2/28/461

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
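A defender's illustration of the fchmodat()/fchmod() fallback and the O_PATH directory handle discussed in the message above. This is an added example for this archive page, not code from QEMU or from the thread; the names chmod_nofollow_at and demo_symlink_refused, and the /tmp scratch tree it builds, are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_PATH
#define O_PATH 0  /* the fallback debated in the thread: traversal may fail, but never through a symlink */
#endif

/* chmod of `name` relative to `dirfd` that never follows a symlink at the final component.
 * Strategy as described in the message: try fchmodat(AT_SYMLINK_NOFOLLOW); if the C library reports
 * it unsupported, open the object itself with O_NOFOLLOW (a symlink then makes openat() fail with
 * ELOOP instead of being traversed) and apply fchmod() to that descriptor. Returns 0 or -1/errno. */
int chmod_nofollow_at(int dirfd, const char *name, mode_t mode)
{
    if (fchmodat(dirfd, name, mode, AT_SYMLINK_NOFOLLOW) == 0) return 0;
    if (errno != ENOTSUP) return -1;    /* real failure (ELOOP, ENOENT, EACCES, ...): stay failed */
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0 && errno == EACCES)      /* read denied: try the write-only open the message mentions */
        fd = openat(dirfd, name, O_WRONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0) return -1;              /* overly tight permissions: fail closed rather than follow */
    int ret = fchmod(fd, mode);
    int saved = errno;
    close(fd); errno = saved;
    return ret;
}

/* Self-check on a constructed scratch tree (regular file "target" plus symlink "link" -> target) under
 * a temporary directory held open as an O_PATH handle, the way a 9p export root would be. Returns 1
 * when the file's mode changes but the symlink is refused and the file it points at keeps its mode. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/o_path_demo.XXXXXX";   /* constructed scratch location for the demo */
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    int dirfd = open(dir, O_PATH | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    int fd = openat(dirfd, "target", O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    int ok = dirfd >= 0 && fd >= 0 && symlinkat("target", dirfd, "link") == 0;
    if (fd >= 0) close(fd);
    ok = ok && chmod_nofollow_at(dirfd, "target", 0640) == 0;          /* regular file: allowed */
    ok = ok && fstatat(dirfd, "target", &st, AT_SYMLINK_NOFOLLOW) == 0 && (st.st_mode & 07777) == 0640;
    ok = ok && chmod_nofollow_at(dirfd, "link", 0666) != 0;            /* symlink: refused */
    ok = ok && fstatat(dirfd, "target", &st, AT_SYMLINK_NOFOLLOW) == 0 && (st.st_mode & 07777) == 0640;
    unlinkat(dirfd, "link", 0); unlinkat(dirfd, "target", 0);
    if (dirfd >= 0) close(dirfd);
    rmdir(dir);
    return ok;
}
```

Whether fchmodat() itself rejects the symlink (newer C libraries) or reports ENOTSUP and the O_NOFOLLOW open returns ELOOP, the outcome is the same: the request fails instead of reaching the symlink's target.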

