[Qemu-devel] [PATCH] usb-mtp: use O_NOFOLLOW and O

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.

From:	Gerd Hoffmann
Subject:	[Qemu-devel] [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
Date:	Thu, 13 Dec 2018 13:25:11 +0100

Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
While being at it also add O_CLOEXEC.

usb-mtp only handles regular files and directories and ignores
everything else, so users should not see a difference.

Because qemu ignores symlinks carrying out an successfull symlink attack
requires swapping an existing file or directory below rootdir for a
symlink and winning the race against the inotify notification to qemu.

Note that the impact of this bug is rather low when qemu is managed by
libvirt due to qemu running sandboxed, so there isn't much you can gain
access to that way.

Fixes: CVE-2018-pjp-please-get-one
Cc: Prasad J Pandit <address@hidden>
Cc: Bandan Das <address@hidden>
Reported-by: Michael Hanselmann <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
---
 hw/usb/dev-mtp.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 100b7171f4..36c43b8c20 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -653,13 +653,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject 
*o)
 {
     struct dirent *entry;
     DIR *dir;
+    int fd;
 
     if (o->have_children) {
         return;
     }
     o->have_children = true;
 
-    dir = opendir(o->path);
+    fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
+    if (fd < 0) {
+        return;
+    }
+    dir = fdopendir(fd);
     if (!dir) {
         return;
     }
@@ -1007,7 +1012,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, 
MTPControl *c,
 
     trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path);
 
-    d->fd = open(o->path, O_RDONLY);
+    d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
     if (d->fd == -1) {
         usb_mtp_data_free(d);
         return NULL;
@@ -1031,7 +1036,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, 
MTPControl *c,
                                         c->argv[1], c->argv[2]);
 
     d = usb_mtp_data_alloc(c);
-    d->fd = open(o->path, O_RDONLY);
+    d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
     if (d->fd == -1) {
         usb_mtp_data_free(d);
         return NULL;
@@ -1658,7 +1663,7 @@ static void usb_mtp_write_data(MTPState *s)
                                  0, 0, 0, 0);
             goto done;
         }
-        d->fd = open(path, O_CREAT | O_WRONLY, mask);
+        d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask);
         if (d->fd == -1) {
             usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
                                  0, 0, 0, 0);
-- 
2.9.3

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC., Gerd Hoffmann <=
- Re: [Qemu-devel] [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC., Daniel P . Berrangé, 2018/12/13
- Re: [Qemu-devel] [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC., Michael Hanselmann, 2018/12/13
- Re: [Qemu-devel] [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC., Markus Armbruster, 2018/12/13
  - Re: [Qemu-devel] [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC., P J P, 2018/12/13

Prev by Date: Re: [Qemu-devel] [PATCH v2 2/7] blockdev: n-ary bitmap merge
Next by Date: Re: [Qemu-devel] [PATCH] util: check the return value of fcntl in qemu_set_{block, noblock}
Previous by thread: [Qemu-devel] [PATCH v2] hw/s390/ccw.c: Don't take address of packed members
Next by thread: Re: [Qemu-devel] [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
Index(es):
- Date
- Thread