297 lines
9.7 KiB
Diff
297 lines
9.7 KiB
Diff
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||
|
From: Stefan Hajnoczi <stefanha@redhat.com>
|
||
|
Date: Thu, 4 Feb 2021 18:34:37 +0000
|
||
|
Subject: [PATCH] virtiofsd: prevent opening of special files (CVE-2020-35517)
|
||
|
|
||
|
A well-behaved FUSE client does not attempt to open special files with
|
||
|
FUSE_OPEN because they are handled on the client side (e.g. device nodes
|
||
|
are handled by client-side device drivers).
|
||
|
|
||
|
The check to prevent virtiofsd from opening special files is missing in
|
||
|
a few cases, most notably FUSE_OPEN. A malicious client can cause
|
||
|
virtiofsd to open a device node, potentially allowing the guest to
|
||
|
escape. This can be exploited by a modified guest device driver. It is
|
||
|
not exploitable from guest userspace since the guest kernel will handle
|
||
|
special files inside the guest instead of sending FUSE requests.
|
||
|
|
||
|
This patch fixes this issue by introducing the lo_inode_open() function
|
||
|
to check the file type before opening it. This is a short-term solution
|
||
|
because it does not prevent a compromised virtiofsd process from opening
|
||
|
device nodes on the host.
|
||
|
|
||
|
Restructure lo_create() to try O_CREAT | O_EXCL first. Note that O_CREAT
|
||
|
| O_EXCL does not follow symlinks, so O_NOFOLLOW masking is not
|
||
|
necessary here. If the file exists and the user did not specify O_EXCL,
|
||
|
open it via lo_do_open().
|
||
|
|
||
|
Reported-by: Alex Xu <alex@alxu.ca>
|
||
|
Fixes: CVE-2020-35517
|
||
|
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
||
|
Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
|
||
|
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||
|
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||
|
Message-Id: <20210204150208.367837-4-stefanha@redhat.com>
|
||
|
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
||
|
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
|
||
|
---
|
||
|
tools/virtiofsd/passthrough_ll.c | 144 ++++++++++++++++++++-----------
|
||
|
1 file changed, 92 insertions(+), 52 deletions(-)
|
||
|
|
||
|
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
|
||
|
index 2bd050b620..03c5e0d13c 100644
|
||
|
--- a/tools/virtiofsd/passthrough_ll.c
|
||
|
+++ b/tools/virtiofsd/passthrough_ll.c
|
||
|
@@ -567,6 +567,38 @@ static int lo_fd(fuse_req_t req, fuse_ino_t ino)
|
||
|
return fd;
|
||
|
}
|
||
|
|
||
|
+/*
|
||
|
+ * Open a file descriptor for an inode. Returns -EBADF if the inode is not a
|
||
|
+ * regular file or a directory.
|
||
|
+ *
|
||
|
+ * Use this helper function instead of raw openat(2) to prevent security issues
|
||
|
+ * when a malicious client opens special files such as block device nodes.
|
||
|
+ * Symlink inodes are also rejected since symlinks must already have been
|
||
|
+ * traversed on the client side.
|
||
|
+ */
|
||
|
+static int lo_inode_open(struct lo_data *lo, struct lo_inode *inode,
|
||
|
+ int open_flags)
|
||
|
+{
|
||
|
+ g_autofree char *fd_str = g_strdup_printf("%d", inode->fd);
|
||
|
+ int fd;
|
||
|
+
|
||
|
+ if (!S_ISREG(inode->filetype) && !S_ISDIR(inode->filetype)) {
|
||
|
+ return -EBADF;
|
||
|
+ }
|
||
|
+
|
||
|
+ /*
|
||
|
+ * The file is a symlink so O_NOFOLLOW must be ignored. We checked earlier
|
||
|
+ * that the inode is not a special file but if an external process races
|
||
|
+ * with us then symlinks are traversed here. It is not possible to escape
|
||
|
+ * the shared directory since it is mounted as "/" though.
|
||
|
+ */
|
||
|
+ fd = openat(lo->proc_self_fd, fd_str, open_flags & ~O_NOFOLLOW);
|
||
|
+ if (fd < 0) {
|
||
|
+ return -errno;
|
||
|
+ }
|
||
|
+ return fd;
|
||
|
+}
|
||
|
+
|
||
|
static void lo_init(void *userdata, struct fuse_conn_info *conn)
|
||
|
{
|
||
|
struct lo_data *lo = (struct lo_data *)userdata;
|
||
|
@@ -696,9 +728,9 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
|
||
|
if (fi) {
|
||
|
truncfd = fd;
|
||
|
} else {
|
||
|
- sprintf(procname, "%i", ifd);
|
||
|
- truncfd = openat(lo->proc_self_fd, procname, O_RDWR);
|
||
|
+ truncfd = lo_inode_open(lo, inode, O_RDWR);
|
||
|
if (truncfd < 0) {
|
||
|
+ errno = -truncfd;
|
||
|
goto out_err;
|
||
|
}
|
||
|
}
|
||
|
@@ -860,7 +892,7 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
|
||
|
struct lo_inode *dir = lo_inode(req, parent);
|
||
|
|
||
|
if (inodep) {
|
||
|
- *inodep = NULL;
|
||
|
+ *inodep = NULL; /* in case there is an error */
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
@@ -1674,19 +1706,26 @@ static void update_open_flags(int writeback, int allow_direct_io,
|
||
|
}
|
||
|
}
|
||
|
|
||
|
+/*
|
||
|
+ * Open a regular file, set up an fd mapping, and fill out the struct
|
||
|
+ * fuse_file_info for it. If existing_fd is not negative, use that fd instead
|
||
|
+ * opening a new one. Takes ownership of existing_fd.
|
||
|
+ *
|
||
|
+ * Returns 0 on success or a positive errno.
|
||
|
+ */
|
||
|
static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
|
||
|
- struct fuse_file_info *fi)
|
||
|
+ int existing_fd, struct fuse_file_info *fi)
|
||
|
{
|
||
|
- char buf[64];
|
||
|
ssize_t fh;
|
||
|
- int fd;
|
||
|
+ int fd = existing_fd;
|
||
|
|
||
|
update_open_flags(lo->writeback, lo->allow_direct_io, fi);
|
||
|
|
||
|
- sprintf(buf, "%i", inode->fd);
|
||
|
- fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW);
|
||
|
- if (fd == -1) {
|
||
|
- return errno;
|
||
|
+ if (fd < 0) {
|
||
|
+ fd = lo_inode_open(lo, inode, fi->flags);
|
||
|
+ if (fd < 0) {
|
||
|
+ return -fd;
|
||
|
+ }
|
||
|
}
|
||
|
|
||
|
pthread_mutex_lock(&lo->mutex);
|
||
|
@@ -1709,9 +1748,10 @@ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
|
||
|
static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
|
||
|
mode_t mode, struct fuse_file_info *fi)
|
||
|
{
|
||
|
- int fd;
|
||
|
+ int fd = -1;
|
||
|
struct lo_data *lo = lo_data(req);
|
||
|
struct lo_inode *parent_inode;
|
||
|
+ struct lo_inode *inode = NULL;
|
||
|
struct fuse_entry_param e;
|
||
|
int err;
|
||
|
struct lo_cred old = {};
|
||
|
@@ -1737,36 +1777,38 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
|
||
|
|
||
|
update_open_flags(lo->writeback, lo->allow_direct_io, fi);
|
||
|
|
||
|
- fd = openat(parent_inode->fd, name, (fi->flags | O_CREAT) & ~O_NOFOLLOW,
|
||
|
- mode);
|
||
|
+ /* Try to create a new file but don't open existing files */
|
||
|
+ fd = openat(parent_inode->fd, name, fi->flags | O_CREAT | O_EXCL, mode);
|
||
|
err = fd == -1 ? errno : 0;
|
||
|
- lo_restore_cred(&old);
|
||
|
|
||
|
- if (!err) {
|
||
|
- ssize_t fh;
|
||
|
+ lo_restore_cred(&old);
|
||
|
|
||
|
- pthread_mutex_lock(&lo->mutex);
|
||
|
- fh = lo_add_fd_mapping(lo, fd);
|
||
|
- pthread_mutex_unlock(&lo->mutex);
|
||
|
- if (fh == -1) {
|
||
|
- close(fd);
|
||
|
- err = ENOMEM;
|
||
|
- goto out;
|
||
|
- }
|
||
|
+ /* Ignore the error if file exists and O_EXCL was not given */
|
||
|
+ if (err && (err != EEXIST || (fi->flags & O_EXCL))) {
|
||
|
+ goto out;
|
||
|
+ }
|
||
|
|
||
|
- fi->fh = fh;
|
||
|
- err = lo_do_lookup(req, parent, name, &e, NULL);
|
||
|
+ err = lo_do_lookup(req, parent, name, &e, &inode);
|
||
|
+ if (err) {
|
||
|
+ goto out;
|
||
|
}
|
||
|
- if (lo->cache == CACHE_NONE) {
|
||
|
- fi->direct_io = 1;
|
||
|
- } else if (lo->cache == CACHE_ALWAYS) {
|
||
|
- fi->keep_cache = 1;
|
||
|
+
|
||
|
+ err = lo_do_open(lo, inode, fd, fi);
|
||
|
+ fd = -1; /* lo_do_open() takes ownership of fd */
|
||
|
+ if (err) {
|
||
|
+ /* Undo lo_do_lookup() nlookup ref */
|
||
|
+ unref_inode_lolocked(lo, inode, 1);
|
||
|
}
|
||
|
|
||
|
out:
|
||
|
+ lo_inode_put(lo, &inode);
|
||
|
lo_inode_put(lo, &parent_inode);
|
||
|
|
||
|
if (err) {
|
||
|
+ if (fd >= 0) {
|
||
|
+ close(fd);
|
||
|
+ }
|
||
|
+
|
||
|
fuse_reply_err(req, err);
|
||
|
} else {
|
||
|
fuse_reply_create(req, &e, fi);
|
||
|
@@ -1780,7 +1822,6 @@ static struct lo_inode_plock *lookup_create_plock_ctx(struct lo_data *lo,
|
||
|
pid_t pid, int *err)
|
||
|
{
|
||
|
struct lo_inode_plock *plock;
|
||
|
- char procname[64];
|
||
|
int fd;
|
||
|
|
||
|
plock =
|
||
|
@@ -1797,12 +1838,10 @@ static struct lo_inode_plock *lookup_create_plock_ctx(struct lo_data *lo,
|
||
|
}
|
||
|
|
||
|
/* Open another instance of file which can be used for ofd locks. */
|
||
|
- sprintf(procname, "%i", inode->fd);
|
||
|
-
|
||
|
/* TODO: What if file is not writable? */
|
||
|
- fd = openat(lo->proc_self_fd, procname, O_RDWR);
|
||
|
- if (fd == -1) {
|
||
|
- *err = errno;
|
||
|
+ fd = lo_inode_open(lo, inode, O_RDWR);
|
||
|
+ if (fd < 0) {
|
||
|
+ *err = -fd;
|
||
|
free(plock);
|
||
|
return NULL;
|
||
|
}
|
||
|
@@ -1949,7 +1988,7 @@ static void lo_open(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi)
|
||
|
return;
|
||
|
}
|
||
|
|
||
|
- err = lo_do_open(lo, inode, fi);
|
||
|
+ err = lo_do_open(lo, inode, -1, fi);
|
||
|
lo_inode_put(lo, &inode);
|
||
|
if (err) {
|
||
|
fuse_reply_err(req, err);
|
||
|
@@ -2005,39 +2044,40 @@ static void lo_flush(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi)
|
||
|
static void lo_fsync(fuse_req_t req, fuse_ino_t ino, int datasync,
|
||
|
struct fuse_file_info *fi)
|
||
|
{
|
||
|
+ struct lo_inode *inode = lo_inode(req, ino);
|
||
|
+ struct lo_data *lo = lo_data(req);
|
||
|
int res;
|
||
|
int fd;
|
||
|
- char *buf;
|
||
|
|
||
|
fuse_log(FUSE_LOG_DEBUG, "lo_fsync(ino=%" PRIu64 ", fi=0x%p)\n", ino,
|
||
|
(void *)fi);
|
||
|
|
||
|
- if (!fi) {
|
||
|
- struct lo_data *lo = lo_data(req);
|
||
|
-
|
||
|
- res = asprintf(&buf, "%i", lo_fd(req, ino));
|
||
|
- if (res == -1) {
|
||
|
- return (void)fuse_reply_err(req, errno);
|
||
|
- }
|
||
|
+ if (!inode) {
|
||
|
+ fuse_reply_err(req, EBADF);
|
||
|
+ return;
|
||
|
+ }
|
||
|
|
||
|
- fd = openat(lo->proc_self_fd, buf, O_RDWR);
|
||
|
- free(buf);
|
||
|
- if (fd == -1) {
|
||
|
- return (void)fuse_reply_err(req, errno);
|
||
|
+ if (!fi) {
|
||
|
+ fd = lo_inode_open(lo, inode, O_RDWR);
|
||
|
+ if (fd < 0) {
|
||
|
+ res = -fd;
|
||
|
+ goto out;
|
||
|
}
|
||
|
} else {
|
||
|
fd = lo_fi_fd(req, fi);
|
||
|
}
|
||
|
|
||
|
if (datasync) {
|
||
|
- res = fdatasync(fd);
|
||
|
+ res = fdatasync(fd) == -1 ? errno : 0;
|
||
|
} else {
|
||
|
- res = fsync(fd);
|
||
|
+ res = fsync(fd) == -1 ? errno : 0;
|
||
|
}
|
||
|
if (!fi) {
|
||
|
close(fd);
|
||
|
}
|
||
|
- fuse_reply_err(req, res == -1 ? errno : 0);
|
||
|
+out:
|
||
|
+ lo_inode_put(lo, &inode);
|
||
|
+ fuse_reply_err(req, res);
|
||
|
}
|
||
|
|
||
|
static void lo_read(fuse_req_t req, fuse_ino_t ino, size_t size, off_t offset,
|