diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch | 126 |
1 files changed, 126 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch new file mode 100644 index 0000000000..f818eb3bf5 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch | |||
@@ -0,0 +1,126 @@ | |||
1 | From ebf101955ce8f8d72fba103b5151115a4335de2c Mon Sep 17 00:00:00 2001 | ||
2 | From: Stefan Hajnoczi <stefanha@redhat.com> | ||
3 | Date: Tue, 6 Oct 2020 10:58:26 +0100 | ||
4 | Subject: [PATCH] virtiofsd: avoid /proc/self/fd tempdir | ||
5 | |||
6 | In order to prevent /proc/self/fd escapes a temporary directory is | ||
7 | created where /proc/self/fd is bind-mounted. This doesn't work on | ||
8 | read-only file systems. | ||
9 | |||
10 | Avoid the temporary directory by bind-mounting /proc/self/fd over /proc. | ||
11 | This does not affect other processes since we remounted / with MS_REC | | ||
12 | MS_SLAVE. /proc must exist and virtiofsd does not use it so it's safe to | ||
13 | do this. | ||
14 | |||
15 | Path traversal can be tested with the following function: | ||
16 | |||
17 | static void test_proc_fd_escape(struct lo_data *lo) | ||
18 | { | ||
19 | int fd; | ||
20 | int level = 0; | ||
21 | ino_t last_ino = 0; | ||
22 | |||
23 | fd = lo->proc_self_fd; | ||
24 | for (;;) { | ||
25 | struct stat st; | ||
26 | |||
27 | if (fstat(fd, &st) != 0) { | ||
28 | perror("fstat"); | ||
29 | return; | ||
30 | } | ||
31 | if (last_ino && st.st_ino == last_ino) { | ||
32 | fprintf(stderr, "inode number unchanged, stopping\n"); | ||
33 | return; | ||
34 | } | ||
35 | last_ino = st.st_ino; | ||
36 | |||
37 | fprintf(stderr, "Level %d dev %lu ino %lu\n", level, | ||
38 | (unsigned long)st.st_dev, | ||
39 | (unsigned long)last_ino); | ||
40 | fd = openat(fd, "..", O_PATH | O_DIRECTORY | O_NOFOLLOW); | ||
41 | level++; | ||
42 | } | ||
43 | } | ||
44 | |||
45 | Before and after this patch only Level 0 is displayed. Without | ||
46 | /proc/self/fd bind-mount protection it is possible to traverse parent | ||
47 | directories. | ||
48 | |||
49 | Fixes: 397ae982f4df4 ("virtiofsd: jail lo->proc_self_fd") | ||
50 | Cc: Miklos Szeredi <mszeredi@redhat.com> | ||
51 | Cc: Jens Freimann <jfreimann@redhat.com> | ||
52 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
53 | Message-Id: <20201006095826.59813-1-stefanha@redhat.com> | ||
54 | Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> | ||
55 | Tested-by: Jens Freimann <jfreimann@redhat.com> | ||
56 | Reviewed-by: Jens Freimann <jfreimann@redhat.com> | ||
57 | Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> | ||
58 | |||
59 | |||
60 | Upstream-Status: Backport | ||
61 | [https://github.com/qemu/qemu/commit/ebf101955ce8f8d72fba103b5151115a4335de2c] | ||
62 | CVE: CVE-2020-35517 | ||
63 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
64 | |||
65 | --- | ||
66 | tools/virtiofsd/passthrough_ll.c | 34 +++++++++++--------------------- | ||
67 | 1 file changed, 11 insertions(+), 23 deletions(-) | ||
68 | |||
69 | diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c | ||
70 | index 477e6ee0b53..ff53df44510 100644 | ||
71 | --- a/tools/virtiofsd/passthrough_ll.c | ||
72 | +++ b/tools/virtiofsd/passthrough_ll.c | ||
73 | @@ -2393,8 +2393,6 @@ static void setup_wait_parent_capabilities(void) | ||
74 | static void setup_namespaces(struct lo_data *lo, struct fuse_session *se) | ||
75 | { | ||
76 | pid_t child; | ||
77 | - char template[] = "virtiofsd-XXXXXX"; | ||
78 | - char *tmpdir; | ||
79 | |||
80 | /* | ||
81 | * Create a new pid namespace for *child* processes. We'll have to | ||
82 | @@ -2458,33 +2456,23 @@ static void setup_namespaces(struct lo_data *lo, struct fuse_session *se) | ||
83 | exit(1); | ||
84 | } | ||
85 | |||
86 | - tmpdir = mkdtemp(template); | ||
87 | - if (!tmpdir) { | ||
88 | - fuse_log(FUSE_LOG_ERR, "tmpdir(%s): %m\n", template); | ||
89 | - exit(1); | ||
90 | - } | ||
91 | - | ||
92 | - if (mount("/proc/self/fd", tmpdir, NULL, MS_BIND, NULL) < 0) { | ||
93 | - fuse_log(FUSE_LOG_ERR, "mount(/proc/self/fd, %s, MS_BIND): %m\n", | ||
94 | - tmpdir); | ||
95 | + /* | ||
96 | + * We only need /proc/self/fd. Prevent ".." from accessing parent | ||
97 | + * directories of /proc/self/fd by bind-mounting it over /proc. Since / was | ||
98 | + * previously remounted with MS_REC | MS_SLAVE this mount change only | ||
99 | + * affects our process. | ||
100 | + */ | ||
101 | + if (mount("/proc/self/fd", "/proc", NULL, MS_BIND, NULL) < 0) { | ||
102 | + fuse_log(FUSE_LOG_ERR, "mount(/proc/self/fd, MS_BIND): %m\n"); | ||
103 | exit(1); | ||
104 | } | ||
105 | |||
106 | - /* Now we can get our /proc/self/fd directory file descriptor */ | ||
107 | - lo->proc_self_fd = open(tmpdir, O_PATH); | ||
108 | + /* Get the /proc (actually /proc/self/fd, see above) file descriptor */ | ||
109 | + lo->proc_self_fd = open("/proc", O_PATH); | ||
110 | if (lo->proc_self_fd == -1) { | ||
111 | - fuse_log(FUSE_LOG_ERR, "open(%s, O_PATH): %m\n", tmpdir); | ||
112 | + fuse_log(FUSE_LOG_ERR, "open(/proc, O_PATH): %m\n"); | ||
113 | exit(1); | ||
114 | } | ||
115 | - | ||
116 | - if (umount2(tmpdir, MNT_DETACH) < 0) { | ||
117 | - fuse_log(FUSE_LOG_ERR, "umount2(%s, MNT_DETACH): %m\n", tmpdir); | ||
118 | - exit(1); | ||
119 | - } | ||
120 | - | ||
121 | - if (rmdir(tmpdir) < 0) { | ||
122 | - fuse_log(FUSE_LOG_ERR, "rmdir(%s): %m\n", tmpdir); | ||
123 | - } | ||
124 | } | ||
125 | |||
126 | /* | ||