From 4c3b48e94915ea1e62f5364fe4261359cf99a8e7 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Tue, 29 Aug 2017 10:29:28 +0200
Subject: qemu: CVE-2017-7471

Qemu built with the VirtFS, host directory sharing via Plan 9 File System (9pfs)
support, is vulnerable to an improper access control issue. It could occur while
accessing files on a shared host directory. A privileged user inside the guest
could use this flaw to access the host file system beyond the shared folder and
potentially escalate their privileges on the host.

References:
==========
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7471

Upstream patch:
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=96bae145e27d4df62671b4eebd6c735f412016cf

Signed-off-by: Sona Sarmadi
Signed-off-by: Adrian Dudau
---
 recipes-devtools/qemu/qemu/CVE-2017-7471.patch | 70 ++++++++++++++++++++++++++
 recipes-devtools/qemu/qemu_%.bbappend | 1 +
 2 files changed, 71 insertions(+)
 create mode 100644 recipes-devtools/qemu/qemu/CVE-2017-7471.patch

diff --git a/recipes-devtools/qemu/qemu/CVE-2017-7471.patch b/recipes-devtools/qemu/qemu/CVE-2017-7471.patch
new file mode 100644
index 0000000..af233d3
--- /dev/null
+++ b/recipes-devtools/qemu/qemu/CVE-2017-7471.patch
@@ -0,0 +1,70 @@ +From 96bae145e27d4df62671b4eebd6c735f412016cf Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Mon, 17 Apr 2017 10:53:23 +0200 +Subject: [PATCH] 9pfs: local: set the path of the export root to "." +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The local backend was recently converted to using "at*()" syscalls in order +to ensure all accesses happen below the shared directory. This requires that +we only pass relative paths, otherwise the dirfd argument to the "at*()" +syscalls is ignored and the path is treated as an absolute path in the host. +This is actually the case for paths in all fids, with the notable exception +of the root fid, whose path is "/". This causes the following backend ops to +act on the "/" directory of the host instead of the virtfs shared directory +when the export root is involved: +- lstat +- chmod +- chown +- utimensat + +ie, chmod /9p_mount_point in the guest will be converted to chmod / in the +host for example. This could cause security issues with a privileged QEMU. + +All "*at()" syscalls are being passed an open file descriptor. In the case +of the export root, this file descriptor points to the path in the host that +was passed to -fsdev. + +The fix is thus as simple as changing the path of the export root fid to be +"." instead of "/". + +This is CVE-2017-7471. 
+ +CVE: CVE-2017-7471 +Upstream-Status: Backport + +Cc: qemu-stable@nongnu.org +Reported-by: Léo Gaspard +Signed-off-by: Greg Kurz +Reviewed-by: Eric Blake +Signed-off-by: Peter Maydell +(cherry picked from commit 9c6b899f7a46893ab3b671e341a2234e9c0c060e) +Signed-off-by: Michael Roth +Signed-off-by: Sona Sarmadi +--- + hw/9pfs/9p-local.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c +index 227de61..293e0dc 100644 +--- a/hw/9pfs/9p-local.c ++++ b/hw/9pfs/9p-local.c +@@ -1099,8 +1099,13 @@ static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path, + { + if (dir_path) { + v9fs_path_sprintf(target, "%s/%s", dir_path->data, name); +- } else { ++ } else if (strcmp(name, "/")) { + v9fs_path_sprintf(target, "%s", name); ++ } else { ++ /* We want the path of the export root to be relative, otherwise ++ * "*at()" syscalls would treat it as "/" in the host. ++ */ ++ v9fs_path_sprintf(target, "%s", "."); + } + return 0; + } +-- +1.9.1 + diff --git a/recipes-devtools/qemu/qemu_%.bbappend b/recipes-devtools/qemu/qemu_%.bbappend index 96a45b8..8a73d1f 100644 --- a/recipes-devtools/qemu/qemu_%.bbappend +++ b/recipes-devtools/qemu/qemu_%.bbappend @@ -3,4 +3,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" SRC_URI += "file://0001-CVE-2017-2620.patch \ file://0002-CVE-2017-2620.patch \ + file://CVE-2017-7471.patch \ " -- cgit v1.2.3-54-g00ecf
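Review bot: in the hw/9pfs/9p-local.c hunk, the new `else if (strcmp(name, "/"))` branch of local_name_to_path() still passes any other name through unchanged when dir_path is NULL, so the invariant the commit message depends on ("we only pass relative paths" to the *at() syscalls) is enforced only for the literal "/" and not for any other name that starts with a slash. If the root fid is the only way an absolute name can reach this branch, the comment should say so; otherwise add a guard before `v9fs_path_sprintf(target, "%s", name);`, for example `assert(name[0] != '/');`, so a future caller cannot silently reintroduce the host-root escape. Separately, `strcmp(name, "/")` used as a bare condition reads inverted at a glance; `strcmp(name, "/") != 0` makes the intent explicit.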
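Review bot: the `file://CVE-2017-7471.patch` entry goes into `qemu_%.bbappend`, which applies to every QEMU version this layer builds, while the backport's hunk is pinned to `@@ -1099,8 +1099,13 @@` of `hw/9pfs/9p-local.c` at index `227de61..293e0dc` and only makes sense on trees that already carry the "at*()" conversion the patch description refers to; on any other version the patch will fail to apply and break the build. Either pin the bbappend to the QEMU version this backport was tested against or record that version in the patch header next to `Upstream-Status: Backport`. The filename also departs from the `0001-`/`0002-` numbering of the neighbouring entries; `0003-CVE-2017-7471.patch` would keep the SRC_URI ordering explicit.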
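The mechanism behind this CVE is a property of the *at() syscall family: dirfd is honoured only for a relative path, and an absolute path such as "/" is resolved from the host root no matter which directory dirfd points at. The following is an added example, not code from QEMU or from this patch, that reproduces that behaviour on a throwaway directory and contrasts the pre-fix export-root path "/" with the post-fix ".". The helper names export_root_relative, resolves_to_dirfd and demo are hypothetical and exist only here; the example assumes a POSIX host with fstatat(2) and a writable /tmp or current directory.

```c
/* Added example (not QEMU code): why the export root fid path had to become
 * "." rather than "/" for the 9pfs local backend's *at() calls. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper mirroring the fixed root-fid branch of
 * local_name_to_path(): a fid path of "/" (the export root) is rewritten to
 * "." so it stays relative to the dirfd of the shared directory. */
const char *export_root_relative(const char *name)
{
    return strcmp(name, "/") == 0 ? "." : name;
}

/* Returns 1 if fstatat(dirfd, name) lands on the directory dirfd refers to,
 * 0 if it resolves somewhere else (e.g. the host's real "/"), -1 on error. */
int resolves_to_dirfd(int dirfd, const char *name)
{
    struct stat want, got;
    if (fstat(dirfd, &want) < 0 || fstatat(dirfd, name, &got, 0) < 0) {
        return -1;
    }
    return want.st_dev == got.st_dev && want.st_ino == got.st_ino;
}

/* Create a throwaway "shared directory", open it the way a 9pfs local backend
 * holds its export root, and probe both spellings of the root fid path.
 * Writes the pre-fix ("/") and post-fix (".") results; returns 0 on success. */
int demo(int *unfixed, int *fixed)
{
    char tmpl[] = "/tmp/virtfs-demo-XXXXXX";
    char local[] = "./virtfs-demo-XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir) {
        dir = mkdtemp(local);          /* fall back if /tmp is unavailable */
    }
    if (!dir) {
        return -1;
    }
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) {
        rmdir(dir);
        return -1;
    }
    /* Pre-patch: root fid path "/" -> dirfd ignored, host root is hit. */
    *unfixed = resolves_to_dirfd(dirfd, "/");
    /* Post-patch: root fid path "." -> stays inside the export. */
    *fixed = resolves_to_dirfd(dirfd, export_root_relative("/"));
    close(dirfd);
    rmdir(dir);
    return 0;
}

int main(void)
{
    int unfixed, fixed;
    if (demo(&unfixed, &fixed) < 0) {
        perror("demo");
        return 1;
    }
    printf("fstatat(dirfd, \"/\") stays inside the export: %d\n", unfixed);
    printf("fstatat(dirfd, \".\") stays inside the export: %d\n", fixed);
    return 0;
}
```

The same rule applies to fchmodat(), fchownat() and utimensat(), which is why the patch description lists lstat, chmod, chown and utimensat as the affected backend operations: each of them takes the export root's dirfd plus the fid path, and only the path string decides whether that dirfd matters.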