From nobody Sat May  4 15:20:23 2024
Delivered-To: importer2@patchew.org
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as
 permitted sender)
  smtp.mailfrom=qemu-devel-bounces+importer2=patchew.org@nongnu.org;
	dmarc=pass(p=quarantine dis=none)  header.from=crudebyte.com
ARC-Seal: i=1; a=rsa-sha256; t=1686239884; cv=none;
	d=zohomail.com; s=zohoarc;
	b=Qizmf1Dh+ptd8bPx4JtEwPmlc/1124QhJyyAjGDq/wR+1pdehP2QO4fa2vdRwKQV7gsL2ODlUHgRXKsiG5xaFzykdASMFBSL6KXWbv+HklBL9nmfsMPWFxAP3WLTlwkyPuLBm3CZnKiKfYxcCJMnzRXlKK36UCpSZE449L2VQSU=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1686239884;
 h=Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:Message-ID:References:Sender:Subject:To;
	bh=4iDn3B02X3hDECjVovQRu6mJw6PQMKDTR92sEqgMru4=;
	b=hKhal9lWjuZiWGC/tF1YEIS9xzUDjRWC1vZgjIamnudyX3Muk6SgfZReiJ7AcdhuR+x3ygzgYhKHbja2odMRD0d9hQO7Ni4O+0FwAem/9B39LbL0EEyTup/P9YB1pDNuWAziU/nt+PUhFQmvFpH6vl8YUn2JkRWzMUKURzTzjqA=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as
 permitted sender)
  smtp.mailfrom=qemu-devel-bounces+importer2=patchew.org@nongnu.org;
	dmarc=pass header.from=<qemu_oss@crudebyte.com> (p=quarantine dis=none)
Return-Path: <qemu-devel-bounces+importer2=patchew.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by
 mx.zohomail.com
	with SMTPS id 1686239884296952.4106830776874;
 Thu, 8 Jun 2023 08:58:04 -0700 (PDT)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <qemu-devel-bounces@nongnu.org>)
	id 1q7I1Q-00082Q-Ll; Thu, 08 Jun 2023 11:58:00 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1)
 (envelope-from
 <f6b0de53fb87ddefed348a39284c8e2f28dc4eda@lizzy.crudebyte.com>)
 id 1q7I1P-000826-PI
 for qemu-devel@nongnu.org; Thu, 08 Jun 2023 11:57:59 -0400
Received: from lizzy.crudebyte.com ([91.194.90.13])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1)
 (envelope-from
 <f6b0de53fb87ddefed348a39284c8e2f28dc4eda@lizzy.crudebyte.com>)
 id 1q7I1N-0000XX-K1
 for qemu-devel@nongnu.org; Thu, 08 Jun 2023 11:57:59 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=crudebyte.com; s=lizzy; h=Cc:To:Subject:Date:From:References:In-Reply-To:
 Message-Id:Content-Type:Content-Transfer-Encoding:MIME-Version:Content-ID:
 Content-Description; bh=4iDn3B02X3hDECjVovQRu6mJw6PQMKDTR92sEqgMru4=; b=KpI28
 a7TmcbV79GZBh3TVC9b76iVneKcJ7WvdRBhb/A3xFin8gjKn0DqsNkvmylBpNeyjyxNO8L79kIghL
 dYnTYTKPDcmC/iES/zKTEhkodakgz+ARvl4/twAacSIhhbrqJ5C8+ByQwUDmNqQEAYHwxP2fnpmlP
 ZKJCqFiEVs2Yqyi2eiD3GnHfZUZobCbhJVbw36WNwUYS1lhWHja2lHU1hrqb6/PDdSjzfwqT/sYjG
 GAfj4xGBRxxnvA1r4MUn9FoE4XIRKDrkXVFkea+UTxZhArayiuoS5Y+fCDqF47jo9ZTVpJx6rI9Yv
 s7AQ2XKinrx9nefP9do2A9Hcdl2Bw==;
Message-Id: 
 <f6b0de53fb87ddefed348a39284c8e2f28dc4eda.1686236977.git.qemu_oss@crudebyte.com>
In-Reply-To: <cover.1686236977.git.qemu_oss@crudebyte.com>
References: <cover.1686236977.git.qemu_oss@crudebyte.com>
From: Christian Schoenebeck <qemu_oss@crudebyte.com>
Date: Thu, 08 Jun 2023 17:09:37 +0200
Subject: [PULL 1/1] 9pfs: prevent opening special files (CVE-2023-2861)
To: qemu-devel@nongnu.org, Richard Henderson <richard.henderson@linaro.org>
Cc: Greg Kurz <groug@kaod.org>, Yanwu Shen <ywsPlz@gmail.com>,
 Jietao Xiao <shawtao1125@gmail.com>, Jinku Li <jkli@xidian.edu.cn>,
 Wenbo Shen <shenwenbo@zju.edu.cn>,
 Mauro Matteo Cascella <mcascell@redhat.com>,
 Michael Tokarev <mjt@tls.msk.ru>
Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17
 as permitted sender) client-ip=209.51.188.17;
 envelope-from=qemu-devel-bounces+importer2=patchew.org@nongnu.org;
 helo=lists.gnu.org;
Received-SPF: none client-ip=91.194.90.13;
 envelope-from=f6b0de53fb87ddefed348a39284c8e2f28dc4eda@lizzy.crudebyte.com;
 helo=lizzy.crudebyte.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
 SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+importer2=patchew.org@nongnu.org
Sender: qemu-devel-bounces+importer2=patchew.org@nongnu.org
X-ZohoMail-DKIM: pass (identity @crudebyte.com)
X-ZM-MESSAGEID: 1686239886177100001
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The 9p protocol does not specifically define how server shall behave when
client tries to open a special file, however from security POV it does
make sense for 9p server to prohibit opening any special file on host side
in general. A sane Linux 9p client for instance would never attempt to
open a special file on host side, it would always handle those exclusively
on its guest side. A malicious client however could potentially escape
from the exported 9p tree by creating and opening a device file on host
side.

With QEMU this could only be exploited in the following unsafe setups:

  - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough'
    security model.

or

  - Using 9p 'proxy' fs driver (which is running its helper daemon as
    root).

These setups were already discouraged for safety reasons before,
however for obvious reasons we are now tightening behaviour on this.

Fixes: CVE-2023-2861
Reported-by: Yanwu Shen <ywsPlz@gmail.com>
Reported-by: Jietao Xiao <shawtao1125@gmail.com>
Reported-by: Jinku Li <jkli@xidian.edu.cn>
Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>
---
 fsdev/virtfs-proxy-helper.c | 27 +++++++++++++++++++++++--
 hw/9pfs/9p-util.h           | 39 +++++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 2 deletions(-)

diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
index 5cafcd7703..d9511f429c 100644
--- a/fsdev/virtfs-proxy-helper.c
+++ b/fsdev/virtfs-proxy-helper.c
@@ -26,6 +26,7 @@
 #include "qemu/xattr.h"
 #include "9p-iov-marshal.h"
 #include "hw/9pfs/9p-proxy.h"
+#include "hw/9pfs/9p-util.h"
 #include "fsdev/9p-iov-marshal.h"
=20
 #define PROGNAME "virtfs-proxy-helper"
@@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid)
     }
 }
=20
+/*
+ * Open regular file or directory. Attempts to open any special file are
+ * rejected.
+ *
+ * returns file descriptor or -1 on error
+ */
+static int open_regular(const char *pathname, int flags, mode_t mode)
+{
+    int fd;
+
+    fd =3D open(pathname, flags, mode);
+    if (fd < 0) {
+        return fd;
+    }
+
+    if (close_if_special_file(fd) < 0) {
+        return -1;
+    }
+
+    return fd;
+}
+
 /*
  * send response in two parts
  * 1) ProxyHeader
@@ -682,7 +705,7 @@ static int do_create(struct iovec *iovec)
     if (ret < 0) {
         goto unmarshal_err_out;
     }
-    ret =3D open(path.data, flags, mode);
+    ret =3D open_regular(path.data, flags, mode);
     if (ret < 0) {
         ret =3D -errno;
     }
@@ -707,7 +730,7 @@ static int do_open(struct iovec *iovec)
     if (ret < 0) {
         goto err_out;
     }
-    ret =3D open(path.data, flags);
+    ret =3D open_regular(path.data, flags, 0);
     if (ret < 0) {
         ret =3D -errno;
     }
diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
index c314cf381d..df1b583a5e 100644
--- a/hw/9pfs/9p-util.h
+++ b/hw/9pfs/9p-util.h
@@ -13,6 +13,8 @@
 #ifndef QEMU_9P_UTIL_H
 #define QEMU_9P_UTIL_H
=20
+#include "qemu/error-report.h"
+
 #ifdef O_PATH
 #define O_PATH_9P_UTIL O_PATH
 #else
@@ -95,6 +97,7 @@ static inline int errno_to_dotl(int err) {
 #endif
=20
 #define qemu_openat     openat
+#define qemu_fstat      fstat
 #define qemu_fstatat    fstatat
 #define qemu_mkdirat    mkdirat
 #define qemu_renameat   renameat
@@ -108,6 +111,38 @@ static inline void close_preserve_errno(int fd)
     errno =3D serrno;
 }
=20
+/**
+ * close_if_special_file() - Close @fd if neither regular file nor directo=
ry.
+ *
+ * @fd: file descriptor of open file
+ * Return: 0 on regular file or directory, -1 otherwise
+ *
+ * CVE-2023-2861: Prohibit opening any special file directly on host
+ * (especially device files), as a compromised client could potentially ga=
in
+ * access outside exported tree under certain, unsafe setups. We expect
+ * client to handle I/O on special files exclusively on guest side.
+ */
+static inline int close_if_special_file(int fd)
+{
+    struct stat stbuf;
+
+    if (qemu_fstat(fd, &stbuf) < 0) {
+        close_preserve_errno(fd);
+        return -1;
+    }
+    if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) {
+        error_report_once(
+            "9p: broken or compromised client detected; attempt to open "
+            "special file (i.e. neither regular file, nor directory)"
+        );
+        close(fd);
+        errno =3D ENXIO;
+        return -1;
+    }
+
+    return 0;
+}
+
 static inline int openat_dir(int dirfd, const char *name)
 {
     return qemu_openat(dirfd, name,
@@ -142,6 +177,10 @@ again:
         return -1;
     }
=20
+    if (close_if_special_file(fd) < 0) {
+        return -1;
+    }
+
     serrno =3D errno;
     /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't
      * do that with O_PATH since fcntl(F_SETFL) isn't supported, and opena=
t()
--=20
2.30.2