diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch | 178 |
1 files changed, 178 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch new file mode 100644 index 0000000000..70b7d6c562 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch | |||
@@ -0,0 +1,178 @@ | |||
1 | From f6b0de53fb87ddefed348a39284c8e2f28dc4eda Mon Sep 17 00:00:00 2001 | ||
2 | From: Christian Schoenebeck <qemu_oss@crudebyte.com> | ||
3 | Date: Wed, 7 Jun 2023 18:29:33 +0200 | ||
4 | Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) | ||
5 | |||
6 | The 9p protocol does not specifically define how server shall behave when | ||
7 | client tries to open a special file, however from security POV it does | ||
8 | make sense for 9p server to prohibit opening any special file on host side | ||
9 | in general. A sane Linux 9p client for instance would never attempt to | ||
10 | open a special file on host side, it would always handle those exclusively | ||
11 | on its guest side. A malicious client however could potentially escape | ||
12 | from the exported 9p tree by creating and opening a device file on host | ||
13 | side. | ||
14 | |||
15 | With QEMU this could only be exploited in the following unsafe setups: | ||
16 | |||
17 | - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough' | ||
18 | security model. | ||
19 | |||
20 | or | ||
21 | |||
22 | - Using 9p 'proxy' fs driver (which is running its helper daemon as | ||
23 | root). | ||
24 | |||
25 | These setups were already discouraged for safety reasons before, | ||
26 | however for obvious reasons we are now tightening behaviour on this. | ||
27 | |||
28 | Fixes: CVE-2023-2861 | ||
29 | Reported-by: Yanwu Shen <ywsPlz@gmail.com> | ||
30 | Reported-by: Jietao Xiao <shawtao1125@gmail.com> | ||
31 | Reported-by: Jinku Li <jkli@xidian.edu.cn> | ||
32 | Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn> | ||
33 | Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com> | ||
34 | Reviewed-by: Greg Kurz <groug@kaod.org> | ||
35 | Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> | ||
36 | Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com> | ||
37 | |||
38 | Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/f6b0de53fb87ddefed348a39284c8e2f28dc4eda] | ||
39 | CVE: CVE-2023-2861 | ||
40 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
41 | --- | ||
42 | fsdev/virtfs-proxy-helper.c | 27 +++++++++++++++++++++++-- | ||
43 | hw/9pfs/9p-util.h | 40 +++++++++++++++++++++++++++++++++++++ | ||
44 | 2 files changed, 65 insertions(+), 2 deletions(-) | ||
45 | |||
46 | diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c | ||
47 | index 6f132c5f..300c9765 100644 | ||
48 | --- a/fsdev/virtfs-proxy-helper.c | ||
49 | +++ b/fsdev/virtfs-proxy-helper.c | ||
50 | @@ -26,6 +26,7 @@ | ||
51 | #include "qemu/xattr.h" | ||
52 | #include "9p-iov-marshal.h" | ||
53 | #include "hw/9pfs/9p-proxy.h" | ||
54 | +#include "hw/9pfs/9p-util.h" | ||
55 | #include "fsdev/9p-iov-marshal.h" | ||
56 | |||
57 | #define PROGNAME "virtfs-proxy-helper" | ||
58 | @@ -350,6 +351,28 @@ static void resetugid(int suid, int sgid) | ||
59 | } | ||
60 | } | ||
61 | |||
62 | +/* | ||
63 | + * Open regular file or directory. Attempts to open any special file are | ||
64 | + * rejected. | ||
65 | + * | ||
66 | + * returns file descriptor or -1 on error | ||
67 | + */ | ||
68 | +static int open_regular(const char *pathname, int flags, mode_t mode) | ||
69 | +{ | ||
70 | + int fd; | ||
71 | + | ||
72 | + fd = open(pathname, flags, mode); | ||
73 | + if (fd < 0) { | ||
74 | + return fd; | ||
75 | + } | ||
76 | + | ||
77 | + if (close_if_special_file(fd) < 0) { | ||
78 | + return -1; | ||
79 | + } | ||
80 | + | ||
81 | + return fd; | ||
82 | +} | ||
83 | + | ||
84 | /* | ||
85 | * send response in two parts | ||
86 | * 1) ProxyHeader | ||
87 | @@ -694,7 +717,7 @@ static int do_create(struct iovec *iovec) | ||
88 | if (ret < 0) { | ||
89 | goto unmarshal_err_out; | ||
90 | } | ||
91 | - ret = open(path.data, flags, mode); | ||
92 | + ret = open_regular(path.data, flags, mode); | ||
93 | if (ret < 0) { | ||
94 | ret = -errno; | ||
95 | } | ||
96 | @@ -719,7 +742,7 @@ static int do_open(struct iovec *iovec) | ||
97 | if (ret < 0) { | ||
98 | goto err_out; | ||
99 | } | ||
100 | - ret = open(path.data, flags); | ||
101 | + ret = open_regular(path.data, flags, 0); | ||
102 | if (ret < 0) { | ||
103 | ret = -errno; | ||
104 | } | ||
105 | diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h | ||
106 | index 546f46dc..79fdd2a3 100644 | ||
107 | --- a/hw/9pfs/9p-util.h | ||
108 | +++ b/hw/9pfs/9p-util.h | ||
109 | @@ -13,12 +13,16 @@ | ||
110 | #ifndef QEMU_9P_UTIL_H | ||
111 | #define QEMU_9P_UTIL_H | ||
112 | |||
113 | +#include "qemu/error-report.h" | ||
114 | + | ||
115 | #ifdef O_PATH | ||
116 | #define O_PATH_9P_UTIL O_PATH | ||
117 | #else | ||
118 | #define O_PATH_9P_UTIL 0 | ||
119 | #endif | ||
120 | |||
121 | +#define qemu_fstat fstat | ||
122 | + | ||
123 | static inline void close_preserve_errno(int fd) | ||
124 | { | ||
125 | int serrno = errno; | ||
126 | @@ -26,6 +30,38 @@ static inline void close_preserve_errno(int fd) | ||
127 | errno = serrno; | ||
128 | } | ||
129 | |||
130 | +/** | ||
131 | + * close_if_special_file() - Close @fd if neither regular file nor directory. | ||
132 | + * | ||
133 | + * @fd: file descriptor of open file | ||
134 | + * Return: 0 on regular file or directory, -1 otherwise | ||
135 | + * | ||
136 | + * CVE-2023-2861: Prohibit opening any special file directly on host | ||
137 | + * (especially device files), as a compromised client could potentially gain | ||
138 | + * access outside exported tree under certain, unsafe setups. We expect | ||
139 | + * client to handle I/O on special files exclusively on guest side. | ||
140 | + */ | ||
141 | +static inline int close_if_special_file(int fd) | ||
142 | +{ | ||
143 | + struct stat stbuf; | ||
144 | + | ||
145 | + if (qemu_fstat(fd, &stbuf) < 0) { | ||
146 | + close_preserve_errno(fd); | ||
147 | + return -1; | ||
148 | + } | ||
149 | + if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) { | ||
150 | + error_report_once( | ||
151 | + "9p: broken or compromised client detected; attempt to open " | ||
152 | + "special file (i.e. neither regular file, nor directory)" | ||
153 | + ); | ||
154 | + close(fd); | ||
155 | + errno = ENXIO; | ||
156 | + return -1; | ||
157 | + } | ||
158 | + | ||
159 | + return 0; | ||
160 | +} | ||
161 | + | ||
162 | static inline int openat_dir(int dirfd, const char *name) | ||
163 | { | ||
164 | return openat(dirfd, name, | ||
165 | @@ -56,6 +92,10 @@ again: | ||
166 | return -1; | ||
167 | } | ||
168 | |||
169 | + if (close_if_special_file(fd) < 0) { | ||
170 | + return -1; | ||
171 | + } | ||
172 | + | ||
173 | serrno = errno; | ||
174 | /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't | ||
175 | * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat() | ||
176 | -- | ||
177 | 2.25.1 | ||
178 | |||