[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-commits] [qemu/qemu] 449e81: virtiofsd: Drop membership of all sup
From: |
Peter Maydell |
Subject: |
[Qemu-commits] [qemu/qemu] 449e81: virtiofsd: Drop membership of all supplementary gr... |
Date: |
Wed, 26 Jan 2022 06:57:23 -0800 |
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: 449e8171f96a6a944d1f3b7d3627ae059eae21ca
https://github.com/qemu/qemu/commit/449e8171f96a6a944d1f3b7d3627ae059eae21ca
Author: Vivek Goyal <vgoyal@redhat.com>
Date: 2022-01-26 (Wed, 26 Jan 2022)
Changed paths:
M tools/virtiofsd/passthrough_ll.c
Log Message:
-----------
virtiofsd: Drop membership of all supplementary groups (CVE-2022-0358)
At the start, drop membership of all supplementary groups. This is
not required.
If we have membership of "root" supplementary group and when we switch
uid/gid using setresuid/setsgid, we still retain membership of existing
supplemntary groups. And that can allow some operations which are not
normally allowed.
For example, if root in guest creates a dir as follows.
$ mkdir -m 03777 test_dir
This sets SGID on dir as well as allows unprivileged users to write into
this dir.
And now as unprivileged user open file as follows.
$ su test
$ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755);
This will create SGID set executable in test_dir/.
And that's a problem because now an unpriviliged user can execute it,
get egid=0 and get access to resources owned by "root" group. This is
privilege escalation.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863
Fixes: CVE-2022-0358
Reported-by: JIETAO XIAO <shawtao1125@gmail.com>
Suggested-by: Miklos Szeredi <mszeredi@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Message-Id: <YfBGoriS38eBQrAb@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
dgilbert: Fixed missing {}'s style nit
Commit: 48302d4eb628ff0bea4d7e92cbf6b726410eb4c3
https://github.com/qemu/qemu/commit/48302d4eb628ff0bea4d7e92cbf6b726410eb4c3
Author: Peter Maydell <peter.maydell@linaro.org>
Date: 2022-01-26 (Wed, 26 Jan 2022)
Changed paths:
M tools/virtiofsd/passthrough_ll.c
Log Message:
-----------
Merge remote-tracking branch
'remotes/dgilbert-gitlab/tags/pull-virtiofs-20220126' into staging
virtiofsd: Security fix
Fixes: CVE-2022-0358
# gpg: Signature made Wed 26 Jan 2022 10:46:44 GMT
# gpg: using RSA key 45F5C71B4A0CB7FB977A9FA90516331EBC5BFDE7
# gpg: Good signature from "Dr. David Alan Gilbert (RH2) <dgilbert@redhat.com>"
[full]
# Primary key fingerprint: 45F5 C71B 4A0C B7FB 977A 9FA9 0516 331E BC5B FDE7
* remotes/dgilbert-gitlab/tags/pull-virtiofs-20220126:
virtiofsd: Drop membership of all supplementary groups (CVE-2022-0358)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Compare: https://github.com/qemu/qemu/compare/aeb0ae95b7f1...48302d4eb628