qemu: fix CVE-2023-2861

9pfs: prevent opening special files References: https://nvd.nist.gov/vuln/detail/CVE-2023-2861 Upstream patches: https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5 (From OE-Core rev: 9bd4ddeb4b5efc65b0514d50d6991211271924c1) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2023-08-01 04:20:03 +0000
committer: Steve Sakoman <steve@sakoman.com> 2023-08-07 04:40:43 -1000
commit: ae7992e3b7b688e1e06b20c92aaa60af01f6bbbb (patch)
tree: 9fa51c37576bd886e87090b763002c1f341ba209
parent: 76f6267368fa6e3475b5ee94f00c188624ae5236 (diff)
download: poky-ae7992e3b7b688e1e06b20c92aaa60af01f6bbbb.tar.gz
2 files changed, 173 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 83959f3c68..96a1cc93a5 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -96,6 +96,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2023-0330.patch \
           file://CVE-2023-3301.patch \
           file://CVE-2023-3255.patch \
+           file://CVE-2023-2861.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch
new file mode 100644
index 0000000000..48f51f5d03
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch
@@ -0,0 +1,172 @@
+From 10fad73a2bf1c76c8aa9d6322755e5f877d83ce5 Mon Sep 17 00:00:00 2001
+From: Christian Schoenebeck <qemu_oss@crudebyte.com>
+Date: Wed Jun 7 18:29:33 2023 +0200
+Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) The 9p
+ protocol does not specifically define how server shall behave when client
+ tries to open a special file, however from security POV it does make sense
+ for 9p server to prohibit opening any special file on host side in general. A
+ sane Linux 9p client for instance would never attempt to open a special file
+ on host side, it would always handle those exclusively on its guest side. A
+ malicious client however could potentially escape from the exported 9p tree
+ by creating and opening a device file on host side.
+With QEMU this could only be exploited in the following unsafe setups:
+  - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough'
+    security model.
+or
+  - Using 9p 'proxy' fs driver (which is running its helper daemon as
+    root).
+These setups were already discouraged for safety reasons before,
+however for obvious reasons we are now tightening behaviour on this.
+Fixes: CVE-2023-2861
+Reported-by: Yanwu Shen <ywsPlz@gmail.com>
+Reported-by: Jietao Xiao <shawtao1125@gmail.com>
+Reported-by: Jinku Li <jkli@xidian.edu.cn>
+Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn>
+Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
+Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>
+(cherry picked from commit f6b0de5)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+(Mjt: drop adding qemu_fstat wrapper for 7.2 where wrappers aren't used)
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5]
+CVE: CVE-2023-2861
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ fsdev/virtfs-proxy-helper.c | 27 ++++++++++++++++++++++++--
+ hw/9pfs/9p-util.h           | 38 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 63 insertions(+), 2 deletions(-)
+diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
+index 15c0e79b0..f9e4669a5 100644
+--- a/fsdev/virtfs-proxy-helper.c
+++ b/fsdev/virtfs-proxy-helper.c
+@@ -26,6 +26,7 @@
+ #include "qemu/xattr.h"
+ #include "9p-iov-marshal.h"
+ #include "hw/9pfs/9p-proxy.h"
+#include "hw/9pfs/9p-util.h"
+ #include "fsdev/9p-iov-marshal.h"
+ #define PROGNAME "virtfs-proxy-helper"
+@@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid)
+     }
+ }
+/*
+ * Open regular file or directory. Attempts to open any special file are
+ * rejected.
+ *
+ * returns file descriptor or -1 on error
+ */
+static int open_regular(const char *pathname, int flags, mode_t mode)
+{
+    int fd;
+
+    fd = open(pathname, flags, mode);
+    if (fd < 0) {
+        return fd;
+    }
+
+    if (close_if_special_file(fd) < 0) {
+        return -1;
+    }
+
+    return fd;
+}
+
+ /*
+  * send response in two parts
+  * 1) ProxyHeader
+@@ -682,7 +705,7 @@ static int do_create(struct iovec *iovec)
+     if (ret < 0) {
+         goto unmarshal_err_out;
+     }
+-    ret = open(path.data, flags, mode);
+    ret = open_regular(path.data, flags, mode);
+     if (ret < 0) {
+         ret = -errno;
+     }
+@@ -707,7 +730,7 @@ static int do_open(struct iovec *iovec)
+     if (ret < 0) {
+         goto err_out;
+     }
+-    ret = open(path.data, flags);
+    ret = open_regular(path.data, flags, 0);
+     if (ret < 0) {
+         ret = -errno;
+     }
+diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
+index 546f46dc7..54e270ac6 100644
+--- a/hw/9pfs/9p-util.h
+++ b/hw/9pfs/9p-util.h
+@@ -13,6 +13,8 @@
+ #ifndef QEMU_9P_UTIL_H
+ #define QEMU_9P_UTIL_H
+#include "qemu/error-report.h"
+
+ #ifdef O_PATH
+ #define O_PATH_9P_UTIL O_PATH
+ #else
+@@ -26,6 +28,38 @@ static inline void close_preserve_errno(int fd)
+     errno = serrno;
+ }
+/**
+ * close_if_special_file() - Close @fd if neither regular file nor directory.
+ *
+ * @fd: file descriptor of open file
+ * Return: 0 on regular file or directory, -1 otherwise
+ *
+ * CVE-2023-2861: Prohibit opening any special file directly on host
+ * (especially device files), as a compromised client could potentially gain
+ * access outside exported tree under certain, unsafe setups. We expect
+ * client to handle I/O on special files exclusively on guest side.
+ */
+static inline int close_if_special_file(int fd)
+{
+    struct stat stbuf;
+
+    if (qemu_fstat(fd, &stbuf) < 0) {
+        close_preserve_errno(fd);
+        return -1;
+    }
+    if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) {
+        error_report_once(
+            "9p: broken or compromised client detected; attempt to open "
+            "special file (i.e. neither regular file, nor directory)"
+        );
+        close(fd);
+        errno = ENXIO;
+        return -1;
+    }
+
+    return 0;
+}
+
+ static inline int openat_dir(int dirfd, const char *name)
+ {
+     return openat(dirfd, name,
+@@ -56,6 +90,10 @@ again:
+         return -1;
+     }
+    if (close_if_special_file(fd) < 0) {
+        return -1;
+    }
+
+     serrno = errno;
+     /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't
+      * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat()
+--
+2.40.0
author	Archana Polampalli <archana.polampalli@windriver.com>	2023-08-01 04:20:03 +0000
committer	Steve Sakoman <steve@sakoman.com>	2023-08-07 04:40:43 -1000
commit	ae7992e3b7b688e1e06b20c92aaa60af01f6bbbb (patch)
tree	9fa51c37576bd886e87090b763002c1f341ba209
parent	76f6267368fa6e3475b5ee94f00c188624ae5236 (diff)
download	poky-ae7992e3b7b688e1e06b20c92aaa60af01f6bbbb.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 83959f3c68..96a1cc93a5 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -96,6 +96,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
96	file://CVE-2023-0330.patch \	96	file://CVE-2023-0330.patch \
97	file://CVE-2023-3301.patch \	97	file://CVE-2023-3301.patch \
98	file://CVE-2023-3255.patch \	98	file://CVE-2023-3255.patch \
		99	file://CVE-2023-2861.patch \
99	"	100	"
100	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	101	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
101		102


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch new file mode 100644 index 0000000000..48f51f5d03 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch
@@ -0,0 +1,172 @@
		1	From 10fad73a2bf1c76c8aa9d6322755e5f877d83ce5 Mon Sep 17 00:00:00 2001
		2	From: Christian Schoenebeck <qemu_oss@crudebyte.com>
		3	Date: Wed Jun 7 18:29:33 2023 +0200
		4	Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) The 9p
		5	protocol does not specifically define how server shall behave when client
		6	tries to open a special file, however from security POV it does make sense
		7	for 9p server to prohibit opening any special file on host side in general. A
		8	sane Linux 9p client for instance would never attempt to open a special file
		9	on host side, it would always handle those exclusively on its guest side. A
		10	malicious client however could potentially escape from the exported 9p tree
		11	by creating and opening a device file on host side.
		12
		13	With QEMU this could only be exploited in the following unsafe setups:
		14
		15	- Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough'
		16	security model.
		17
		18	or
		19
		20	- Using 9p 'proxy' fs driver (which is running its helper daemon as
		21	root).
		22
		23	These setups were already discouraged for safety reasons before,
		24	however for obvious reasons we are now tightening behaviour on this.
		25
		26	Fixes: CVE-2023-2861
		27	Reported-by: Yanwu Shen <ywsPlz@gmail.com>
		28	Reported-by: Jietao Xiao <shawtao1125@gmail.com>
		29	Reported-by: Jinku Li <jkli@xidian.edu.cn>
		30	Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn>
		31	Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
		32	Reviewed-by: Greg Kurz <groug@kaod.org>
		33	Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
		34	Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>
		35	(cherry picked from commit f6b0de5)
		36	Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
		37	(Mjt: drop adding qemu_fstat wrapper for 7.2 where wrappers aren't used)
		38
		39	Upstream-Status: Backport [https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5]
		40
		41	CVE: CVE-2023-2861
		42
		43	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		44	---
		45	fsdev/virtfs-proxy-helper.c \| 27 ++++++++++++++++++++++++--
		46	hw/9pfs/9p-util.h \| 38 +++++++++++++++++++++++++++++++++++++
		47	2 files changed, 63 insertions(+), 2 deletions(-)
		48
		49	diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
		50	index 15c0e79b0..f9e4669a5 100644
		51	--- a/fsdev/virtfs-proxy-helper.c
		52	+++ b/fsdev/virtfs-proxy-helper.c
		53	@@ -26,6 +26,7 @@
		54	#include "qemu/xattr.h"
		55	#include "9p-iov-marshal.h"
		56	#include "hw/9pfs/9p-proxy.h"
		57	+#include "hw/9pfs/9p-util.h"
		58	#include "fsdev/9p-iov-marshal.h"
		59
		60	#define PROGNAME "virtfs-proxy-helper"
		61	@@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid)
		62	}
		63	}
		64
		65	+/*
		66	+ * Open regular file or directory. Attempts to open any special file are
		67	+ * rejected.
		68	+ *
		69	+ * returns file descriptor or -1 on error
		70	+ */
		71	+static int open_regular(const char *pathname, int flags, mode_t mode)
		72	+{
		73	+ int fd;
		74	+
		75	+ fd = open(pathname, flags, mode);
		76	+ if (fd < 0) {
		77	+ return fd;
		78	+ }
		79	+
		80	+ if (close_if_special_file(fd) < 0) {
		81	+ return -1;
		82	+ }
		83	+
		84	+ return fd;
		85	+}
		86	+
		87	/*
		88	* send response in two parts
		89	* 1) ProxyHeader
		90	@@ -682,7 +705,7 @@ static int do_create(struct iovec *iovec)
		91	if (ret < 0) {
		92	goto unmarshal_err_out;
		93	}
		94	- ret = open(path.data, flags, mode);
		95	+ ret = open_regular(path.data, flags, mode);
		96	if (ret < 0) {
		97	ret = -errno;
		98	}
		99	@@ -707,7 +730,7 @@ static int do_open(struct iovec *iovec)
		100	if (ret < 0) {
		101	goto err_out;
		102	}
		103	- ret = open(path.data, flags);
		104	+ ret = open_regular(path.data, flags, 0);
		105	if (ret < 0) {
		106	ret = -errno;
		107	}
		108	diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
		109	index 546f46dc7..54e270ac6 100644
		110	--- a/hw/9pfs/9p-util.h
		111	+++ b/hw/9pfs/9p-util.h
		112	@@ -13,6 +13,8 @@
		113	#ifndef QEMU_9P_UTIL_H
		114	#define QEMU_9P_UTIL_H
		115
		116	+#include "qemu/error-report.h"
		117	+
		118	#ifdef O_PATH
		119	#define O_PATH_9P_UTIL O_PATH
		120	#else
		121	@@ -26,6 +28,38 @@ static inline void close_preserve_errno(int fd)
		122	errno = serrno;
		123	}
		124
		125	+/**
		126	+ * close_if_special_file() - Close @fd if neither regular file nor directory.
		127	+ *
		128	+ * @fd: file descriptor of open file
		129	+ * Return: 0 on regular file or directory, -1 otherwise
		130	+ *
		131	+ * CVE-2023-2861: Prohibit opening any special file directly on host
		132	+ * (especially device files), as a compromised client could potentially gain
		133	+ * access outside exported tree under certain, unsafe setups. We expect
		134	+ * client to handle I/O on special files exclusively on guest side.
		135	+ */
		136	+static inline int close_if_special_file(int fd)
		137	+{
		138	+ struct stat stbuf;
		139	+
		140	+ if (qemu_fstat(fd, &stbuf) < 0) {
		141	+ close_preserve_errno(fd);
		142	+ return -1;
		143	+ }
		144	+ if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) {
		145	+ error_report_once(
		146	+ "9p: broken or compromised client detected; attempt to open "
		147	+ "special file (i.e. neither regular file, nor directory)"
		148	+ );
		149	+ close(fd);
		150	+ errno = ENXIO;
		151	+ return -1;
		152	+ }
		153	+
		154	+ return 0;
		155	+}
		156	+
		157	static inline int openat_dir(int dirfd, const char *name)
		158	{
		159	return openat(dirfd, name,
		160	@@ -56,6 +90,10 @@ again:
		161	return -1;
		162	}
		163
		164	+ if (close_if_special_file(fd) < 0) {
		165	+ return -1;
		166	+ }
		167	+
		168	serrno = errno;
		169	/* O_NONBLOCK was only needed to open the file. Let's drop it. We don't
		170	* do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat()
		171	--
		172	2.40.0