From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: Eric Blake <eblake@redhat.com>,
qemu-devel@nongnu.org, Stefan Hajnoczi <stefanha@redhat.com>
Cc: qemu-block@nongnu.org, rjones@redhat.com,
Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Subject: Re: [PATCH 2/2] qemu-img: CVE-XXX Sanitize untrusted output from NBD server
Date: Fri, 2 Aug 2024 23:41:35 +0200 [thread overview]
Message-ID: <ac870295-4fe0-4c46-a5f1-36eb2945a5dd@linaro.org> (raw)
In-Reply-To: <20240802194156.2131519-6-eblake@redhat.com>
On 2/8/24 21:26, Eric Blake wrote:
> Error messages from an NBD server must be treated as untrusted; a
> malicious server can inject escape sequences to try and trigger RCE
> flaws via escape sequences to whatever terminal happens to be running
> qemu-img. The easiest solution is to sanitize the output with the
> same code we use to produce sanitized (pseudo-)JSON over QMP.
>
> Rich Jones originally pointed this flaw out at:
> https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/2NXA23G2V3HPWJYAO726PLNBEAAEUJAU/
>
> With this patch, and a malicious server run with nbdkit 1.40 as:
>
> $ nbdkit --log=null eval open=' printf \
> "EPERM x\\r mess up the output \e[31mmess up the output\e[m mess up" >&2; \
> exit 1 ' get_size=' echo 0 ' --run 'qemu-img info "$uri"'
>
> we now get:
>
> qemu-img: Could not open 'nbd://localhost': Requested export not available
> server reported: /tmp/nbdkitOZHOKB/open: x\r mess up the output \u001B[31mmess up the output\u001B[m mess up
>
> instead of an attempt to hide the name of the Unix socket and forcing
> the terminal to render part of the text red.
>
> Note that I did _not_ sanitize the string being sent through
> trace-events in trace_nbd_server_error_msg; this is because I assume
> that our trace engines already treat all string strings as untrusted
> input and apply their own escaping as needed.
>
> Reported-by: "Richard W.M. Jones" <rjones@redhat.com>
> Signed-off-by: Eric Blake <eblake@redhat.com>
>
> ---
>
> If my assumption about allowing raw escape bytes through to trace_
> calls is wrong (such as when tracing to stderr), let me know. That's
> a much bigger audit to determine which trace points, if any, should
> sanitize data before tracing, and/or change the trace engines to
> sanitize all strings (with possible knock-on effects if trace output
> changes unexpectedly for a tool expecting something unsanitized).
I doubt the trace core layer sanitizes, but it feels it is the
trace backend responsibility, since core layer might just pass
pointer to the backends.
> ---
> nbd/client.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
next prev parent reply other threads:[~2024-08-02 21:42 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-02 19:26 [PATCH for-9.1 0/2] NBD: don't print raw server error text to terminal Eric Blake
2024-08-02 19:26 ` [PATCH 1/2] util: Refactor json-writer's string sanitizer to be public Eric Blake
2024-08-02 21:00 ` Richard W.M. Jones
2024-08-02 21:38 ` Philippe Mathieu-Daudé
2024-08-07 18:49 ` Daniel P. Berrangé
2024-08-08 7:57 ` Markus Armbruster
2024-08-08 7:54 ` Markus Armbruster
2024-08-08 14:02 ` Eric Blake
2024-08-02 19:26 ` [PATCH 2/2] qemu-img: CVE-XXX Sanitize untrusted output from NBD server Eric Blake
2024-08-02 21:03 ` Richard W.M. Jones
2024-08-07 18:45 ` Daniel P. Berrangé
2024-08-02 21:41 ` Philippe Mathieu-Daudé [this message]
2024-08-07 13:43 ` Stefan Hajnoczi
2024-08-02 22:01 ` Richard W.M. Jones
2024-08-03 8:20 ` Richard W.M. Jones
2024-08-05 18:48 ` [PATCH for-9.1 0/2] NBD: don't print raw server error text to terminal Eric Blake
2024-08-05 19:11 ` Richard W.M. Jones
2024-08-07 17:51 ` Eric Blake
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ac870295-4fe0-4c46-a5f1-36eb2945a5dd@linaro.org \
--to=philmd@linaro.org \
--cc=eblake@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=rjones@redhat.com \
--cc=stefanha@redhat.com \
--cc=vsementsov@yandex-team.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).