[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Virtio-fs] [PATCH v3] virtiofsd: prevent opening of special files (
|
From: |
Chirantan Ekbote |
|
Subject: |
Re: [Virtio-fs] [PATCH v3] virtiofsd: prevent opening of special files (CVE-2020-35517) |
|
Date: |
Sat, 6 Feb 2021 00:29:11 +0900 |
On Tue, Feb 2, 2021 at 3:22 AM Stefan Hajnoczi <stefanha@redhat.com> wrote:
> Hi Chirantan,
> I wanted to bring this CVE to your attention because the discussion has
> revealed a number of other issues (not necessarily security issues) in
> virtiofsd that may also be present in other virtio-fs daemon
> implementations.
>
Hi Stefan,
Thanks for the heads up. I'm going to summarize the thread just to
make sure I understood correctly.
The CVE seems to be that the virtio-fs daemon allows opening special
files and the short-term fix is to detect and block this in the
daemon. The long term fix is to mount the data with
nosuid,nodev,noexec. I think crosvm's virtio-fs also doesn't check
the file type before opening it but chrome os has mounted all stateful
data as nosuid,nodev,noexec as long as I can remember so I think we
got lucky there. It's probably still worth adding the check to the
server.
The other issue is that there is a race between when an entry is
created and when we look it up by name where it may be modified and
replaced by an external process. While I can see how this can be
fixed for files, it seems like there's no choice for directories.
It's not like mkdirat returns an fd for the newly created directory.
Though, it seems like every process is affected by this. I guess if
you wanted to be really paranoid you could do something like mkdtemp,
get an fd, and then rename to the real name.
Did I miss anything?
Thanks,
Chirantan