[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH] 9pfs: local: forbid client access to metadata (
From: |
Eric Blake |
Subject: |
Re: [Qemu-devel] [PATCH] 9pfs: local: forbid client access to metadata (CVE-2017-7493) |
Date: |
Mon, 15 May 2017 12:37:08 -0500 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.0 |
On 05/15/2017 11:07 AM, Greg Kurz wrote:
> When using the mapped-file security mode, we shouldn't let the client mess
> with the metadata. The current code already tries to hide the metadata dir
> from the client by skipping it in local_readdir(). But the client can still
> access or modify it through several other operations. This can be used to
> escalate privileges in the guest.
>
> Affected backend operations are:
> - local_mknod()
> - local_mkdir()
> - local_open2()
> - local_symlink()
> - local_link()
> - local_unlinkat()
> - local_renameat()
> - local_rename()
> - local_name_to_path()
>
> Other operations are safe because they are only passed a fid path, which
> is computed internally in local_name_to_path().
>
> This patch converts all the functions listed above to fail and return
> EINVAL when being passed the name of the metadata dir. This may look
> like a poor choice for errno, but there's no such thing as an illegal
> path name on Linux and I could not think of anything better.
>
> This fixes CVE-2017-7493.
>
> Reported-by: Leo Gaspard <address@hidden>
> Signed-off-by: Greg Kurz <address@hidden>
> ---
Reviewed-by: Eric Blake <address@hidden>
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
signature.asc
Description: OpenPGP digital signature