Emulation/xemu
1
0
Fork 0
mirror of https://github.com/xemu-project/xemu.git synced 2025-04-02 11:11:48 -04:00
Code Issues Projects Releases Packages Wiki Activity
xemu/hw/9pfs/9p-util.h
Christian Schoenebeck 361f29fe1b 9pfs: fix regression regarding CVE-2023-2861 
The released fix for this CVE:

  f6b0de53fb ("9pfs: prevent opening special files (CVE-2023-2861)")

caused a regression with security_model=passthrough. When handling a
'Tmknod' request there was a side effect that 'Tmknod' request could fail
as 9p server was trying to adjust permissions:

  #6  close_if_special_file (fd=30) at ../hw/9pfs/9p-util.h:140
  #7  openat_file (mode=<optimized out>, flags=2228224,
      name=<optimized out>, dirfd=<optimized out>) at
      ../hw/9pfs/9p-util.h:181
  #8  fchmodat_nofollow (dirfd=dirfd@entry=31,
      name=name@entry=0x5555577ea6e0 "mysocket", mode=493) at
      ../hw/9pfs/9p-local.c:360
  #9  local_set_cred_passthrough (credp=0x7ffbbc4ace10, name=0x5555577ea6e0
      "mysocket", dirfd=31, fs_ctx=0x55555811f528) at
      ../hw/9pfs/9p-local.c:457
  #10 local_mknod (fs_ctx=0x55555811f528, dir_path=<optimized out>,
      name=0x5555577ea6e0 "mysocket", credp=0x7ffbbc4ace10) at
      ../hw/9pfs/9p-local.c:702
  #11 v9fs_co_mknod (pdu=pdu@entry=0x555558121140,
      fidp=fidp@entry=0x5555574c46c0, name=name@entry=0x7ffbbc4aced0,
      uid=1000, gid=1000, dev=<optimized out>, mode=49645,
      stbuf=0x7ffbbc4acef0) at ../hw/9pfs/cofs.c:205
  #12 v9fs_mknod (opaque=0x555558121140) at ../hw/9pfs/9p.c:3711

That's because server was opening the special file to adjust permissions,
however it was using O_PATH and it would have not returned the file
descriptor to guest. So the call to close_if_special_file() on that branch
was incorrect.

Let's lift the restriction introduced by f6b0de53fb such that it would
allow to open special files on host if O_PATH flag is supplied, not only
for 9p server's own operations as described above, but also for any client
'Topen' request.

It is safe to allow opening special files with O_PATH on host, because
O_PATH only allows path based operations on the resulting file descriptor
and prevents I/O such as read() and write() on that file descriptor.

Fixes: f6b0de53fb ("9pfs: prevent opening special files (CVE-2023-2861)")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2337
Reported-by: Dirk Herrendorfer <d.herrendoerfer@de.ibm.com>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Tested-by: Dirk Herrendorfer <d.herrendoerfer@de.ibm.com>
Message-Id: <E1tJWbk-007BH4-OB@kylie.crudebyte.com>
(cherry picked from commit d06a9d843fb65351e0e4dc42ba0c404f01ea92b3)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-12-13 00:21:17 +03:00

270 lines
8 KiB
C
Raw Blame History

/*
* 9p utilities
*
* Copyright IBM, Corp. 2017
*
* Authors:
* Greg Kurz <groug@kaod.org>
*
* This work is licensed under the terms of the GNU GPL, version 2 or later.
* See the COPYING file in the top-level directory.
*/
#ifndef QEMU_9P_UTIL_H
#define QEMU_9P_UTIL_H
#include "qemu/error-report.h"
#ifdef O_PATH
#define O_PATH_9P_UTIL O_PATH
#else
#define O_PATH_9P_UTIL 0
#endif
#if !defined(CONFIG_LINUX)
/*
* Generates a Linux device number (a.k.a. dev_t) for given device major
* and minor numbers.
*
* To be more precise: it generates a device number in glibc's format
* (MMMM_Mmmm_mmmM_MMmm, 64 bits) actually, which is compatible with
* Linux's format (mmmM_MMmm, 32 bits), as described in <bits/sysmacros.h>.
*/
static inline uint64_t makedev_dotl(uint32_t dev_major, uint32_t dev_minor)
{
uint64_t dev;
// from glibc sysmacros.h:
dev = (((uint64_t) (dev_major & 0x00000fffu)) << 8);
dev |= (((uint64_t) (dev_major & 0xfffff000u)) << 32);
dev |= (((uint64_t) (dev_minor & 0x000000ffu)) << 0);
dev |= (((uint64_t) (dev_minor & 0xffffff00u)) << 12);
return dev;
}
#endif
/*
* Converts given device number from host's device number format to Linux
* device number format. As both the size of type dev_t and encoding of
* dev_t is system dependent, we have to convert them for Linux guests if
* host is not running Linux.
*/
static inline uint64_t host_dev_to_dotl_dev(dev_t dev)
{
#ifdef CONFIG_LINUX
return dev;
#else
return makedev_dotl(major(dev), minor(dev));
#endif
}
/* Translates errno from host -> Linux if needed */
static inline int errno_to_dotl(int err) {
#if defined(CONFIG_LINUX)
/* nothing to translate (Linux -> Linux) */
#elif defined(CONFIG_DARWIN)
/*
* translation mandatory for macOS hosts
*
* FIXME: Only most important errnos translated here yet, this should be
* extended to as many errnos being translated as possible in future.
*/
if (err == ENAMETOOLONG) {
err = 36; /* ==ENAMETOOLONG on Linux */
} else if (err == ENOTEMPTY) {
err = 39; /* ==ENOTEMPTY on Linux */
} else if (err == ELOOP) {
err = 40; /* ==ELOOP on Linux */
} else if (err == ENOATTR) {
err = 61; /* ==ENODATA on Linux */
} else if (err == ENOTSUP) {
err = 95; /* ==EOPNOTSUPP on Linux */
} else if (err == EOPNOTSUPP) {
err = 95; /* ==EOPNOTSUPP on Linux */
}
#else
#error Missing errno translation to Linux for this host system
#endif
return err;
}
#ifdef CONFIG_DARWIN
#define qemu_fgetxattr(...) fgetxattr(__VA_ARGS__, 0, 0)
#else
#define qemu_fgetxattr fgetxattr
#endif
#define qemu_openat openat
#define qemu_fstat fstat
#define qemu_fstatat fstatat
#define qemu_mkdirat mkdirat
#define qemu_renameat renameat
#define qemu_utimensat utimensat
#define qemu_unlinkat unlinkat
static inline void close_preserve_errno(int fd)
{
int serrno = errno;
close(fd);
errno = serrno;
}
/**
* close_if_special_file() - Close @fd if neither regular file nor directory.
*
* @fd: file descriptor of open file
* Return: 0 on regular file or directory, -1 otherwise
*
* CVE-2023-2861: Prohibit opening any special file directly on host
* (especially device files), as a compromised client could potentially gain
* access outside exported tree under certain, unsafe setups. We expect
* client to handle I/O on special files exclusively on guest side.
*/
static inline int close_if_special_file(int fd)
{
struct stat stbuf;
if (qemu_fstat(fd, &stbuf) < 0) {
close_preserve_errno(fd);
return -1;
}
if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) {
error_report_once(
"9p: broken or compromised client detected; attempt to open "
"special file (i.e. neither regular file, nor directory)"
);
close(fd);
errno = ENXIO;
return -1;
}
return 0;
}
static inline int openat_dir(int dirfd, const char *name)
{
return qemu_openat(dirfd, name,
O_DIRECTORY | O_RDONLY | O_NOFOLLOW | O_PATH_9P_UTIL);
}
static inline int openat_file(int dirfd, const char *name, int flags,
mode_t mode)
{
int fd, serrno, ret;
#ifndef CONFIG_DARWIN
again:
#endif
fd = qemu_openat(dirfd, name, flags | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK,
mode);
if (fd == -1) {
#ifndef CONFIG_DARWIN
if (errno == EPERM && (flags & O_NOATIME)) {
/*
* The client passed O_NOATIME but we lack permissions to honor it.
* Rather than failing the open, fall back without O_NOATIME. This
* doesn't break the semantics on the client side, as the Linux
* open(2) man page notes that O_NOATIME "may not be effective on
* all filesystems". In particular, NFS and other network
* filesystems ignore it entirely.
*/
flags &= ~O_NOATIME;
goto again;
}
#endif
return -1;
}
/* Only if O_PATH is not set ... */
if (!(flags & O_PATH_9P_UTIL)) {
/*
* Prevent I/O on special files (device files, etc.) on host side,
* however it is safe and required to allow opening them with O_PATH,
* as this is limited to (required) path based operations only.
*/
if (close_if_special_file(fd) < 0) {
return -1;
}
serrno = errno;
/*
* O_NONBLOCK was only needed to open the file. Let's drop it. We don't
* do that with O_PATH since fcntl(F_SETFL) isn't supported, and
* openat() ignored it anyway.
*/
ret = fcntl(fd, F_SETFL, flags);
assert(!ret);
errno = serrno;
}
return fd;
}
ssize_t fgetxattrat_nofollow(int dirfd, const char *path, const char *name,
void *value, size_t size);
int fsetxattrat_nofollow(int dirfd, const char *path, const char *name,
void *value, size_t size, int flags);
ssize_t flistxattrat_nofollow(int dirfd, const char *filename,
char *list, size_t size);
ssize_t fremovexattrat_nofollow(int dirfd, const char *filename,
const char *name);
/*
* Darwin has d_seekoff, which appears to function similarly to d_off.
* However, it does not appear to be supported on all file systems,
* so ensure it is manually injected earlier and call here when
* needed.
*/
static inline off_t qemu_dirent_off(struct dirent *dent)
{
#ifdef CONFIG_DARWIN
return dent->d_seekoff;
#else
return dent->d_off;
#endif
}
/**
* qemu_dirent_dup() - Duplicate directory entry @dent.
*
* @dent: original directory entry to be duplicated
* Return: duplicated directory entry which should be freed with g_free()
*
* It is highly recommended to use this function instead of open coding
* duplication of dirent objects, because the actual struct dirent
* size may be bigger or shorter than sizeof(struct dirent) and correct
* handling is platform specific (see gitlab issue #841).
*/
static inline struct dirent *qemu_dirent_dup(struct dirent *dent)
{
size_t sz = 0;
#if defined _DIRENT_HAVE_D_RECLEN
/* Avoid use of strlen() if platform supports d_reclen. */
sz = dent->d_reclen;
#endif
/*
* Test sz for zero even if d_reclen is available
* because some drivers may set d_reclen to zero.
*/
if (sz == 0) {
/* Fallback to the most portable way. */
sz = offsetof(struct dirent, d_name) +
strlen(dent->d_name) + 1;
}
return g_memdup(dent, sz);
}
/*
* As long as mknodat is not available on macOS, this workaround
* using pthread_fchdir_np is needed. qemu_mknodat is defined in
* os-posix.c. pthread_fchdir_np is weakly linked here as a guard
* in case it disappears in future macOS versions, because it is
* is a private API.
*/
#if defined CONFIG_DARWIN && defined CONFIG_PTHREAD_FCHDIR_NP
int pthread_fchdir_np(int fd) __attribute__((weak_import));
#endif
int qemu_mknodat(int dirfd, const char *filename, mode_t mode, dev_t dev);
#endif
Reference in a new issue View git blame Copy permalink