86ffd40d11
- Switch method of splitting off hw-s390x-virtio-gpu-ccw.so as a module to what was accepted upstream (bsc#1181103) * Patches dropped: hw-s390x-modularize-virtio-gpu-ccw.patch * Patches added: s390x-add-have_virtio_ccw.patch s390x-modularize-virtio-gpu-ccw.patch s390x-move-S390_ADAPTER_SUPPRESSIBLE.patch - Fix OOB access in sdhci interface (CVE-2020-17380, bsc#1175144, CVE-2020-25085, bsc#1176681, CVE-2021-3409, bsc#1182282) hw-sd-sd-Actually-perform-the-erase-oper.patch hw-sd-sd-Fix-build-error-when-DEBUG_SD-i.patch hw-sd-sdhci-Correctly-set-the-controller.patch hw-sd-sdhci-Don-t-transfer-any-data-when.patch hw-sd-sdhci-Don-t-write-to-SDHC_SYSAD-re.patch hw-sd-sdhci-Limit-block-size-only-when-S.patch hw-sd-sdhci-Reset-the-data-pointer-of-s-.patch hw-sd-sd-Move-the-sd_block_-read-write-a.patch hw-sd-sd-Skip-write-protect-groups-check.patch - Fix potential privilege escalation in virtiofsd tool (CVE-2021-20263, bsc#1183373) tools-virtiofsd-Replace-the-word-whiteli.patch viriofsd-Add-support-for-FUSE_HANDLE_KIL.patch virtiofsd-extract-lo_do_open-from-lo_ope.patch virtiofsd-optionally-return-inode-pointe.patch virtiofsd-prevent-opening-of-special-fil.patch virtiofs-drop-remapped-security.capabili.patch virtiofsd-Save-error-code-early-at-the-f.patch - Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968) net-introduce-qemu_receive_packet.patch rtl8139-switch-to-use-qemu_receive_packe.patch - Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416) cadence_gem-switch-to-use-qemu_receive_p.patch dp8393x-switch-to-use-qemu_receive_packe.patch e1000-switch-to-use-qemu_receive_packet-.patch lan9118-switch-to-use-qemu_receive_packe.patch msf2-mac-switch-to-use-qemu_receive_pack.patch pcnet-switch-to-use-qemu_receive_packet-.patch sungem-switch-to-use-qemu_receive_packet.patch tx_pkt-switch-to-use-qemu_receive_packet.patch - Fix heap overflow in MSIx emulation (CVE-2020-27821, bsc#1179686) memory-clamp-cached-translation-in-case-.patch - Include upstream patches designated as stable material and reviewed for applicability to include here hw-arm-virt-Disable-pl011-clock-migratio.patch xen-block-Fix-removal-of-backend-instanc.patch - Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425) OBS-URL: https://build.opensuse.org/request/show/882222 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=632
209 lines
6.8 KiB
Diff
209 lines
6.8 KiB
Diff
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
|
|
Date: Wed, 24 Feb 2021 19:56:25 +0000
|
|
Subject: virtiofs: drop remapped security.capability xattr as needed
|
|
|
|
Git-commit: e586edcb410543768ef009eaa22a2d9dd4a53846
|
|
References: bsc#1183373, CVE-2021-20263
|
|
|
|
On Linux, the 'security.capability' xattr holds a set of
|
|
capabilities that can change when an executable is run, giving
|
|
a limited form of privilege escalation to those programs that
|
|
the writer of the file deemed worthy.
|
|
|
|
Any write causes the 'security.capability' xattr to be dropped,
|
|
stopping anyone from gaining privilege by modifying a blessed
|
|
file.
|
|
|
|
Fuse relies on the daemon to do this dropping, and in turn the
|
|
daemon relies on the host kernel to drop the xattr for it. However,
|
|
with the addition of -o xattrmap, the xattr that the guest
|
|
stores its capabilities in is now not the same as the one that
|
|
the host kernel automatically clears.
|
|
|
|
Where the mapping changes 'security.capability', explicitly clear
|
|
the remapped name to preserve the same behaviour.
|
|
|
|
This bug is assigned CVE-2021-20263.
|
|
|
|
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
|
Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
|
|
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
|
---
|
|
docs/tools/virtiofsd.rst | 4 ++
|
|
tools/virtiofsd/passthrough_ll.c | 77 +++++++++++++++++++++++++++++++-
|
|
2 files changed, 80 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst
|
|
index 866b7db3eed36302bc96bbef8184..00554c75bd75785689e08a16086d 100644
|
|
--- a/docs/tools/virtiofsd.rst
|
|
+++ b/docs/tools/virtiofsd.rst
|
|
@@ -228,6 +228,10 @@ The 'map' type adds a number of separate rules to add **prepend** as a prefix
|
|
to the matched **key** (or all attributes if **key** is empty).
|
|
There may be at most one 'map' rule and it must be the last rule in the set.
|
|
|
|
+Note: When the 'security.capability' xattr is remapped, the daemon has to do
|
|
+extra work to remove it during many operations, which the host kernel normally
|
|
+does itself.
|
|
+
|
|
xattr-mapping Examples
|
|
----------------------
|
|
|
|
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
|
|
index f330fb72b93f24331174f52bf6b9..c18475e94635ad189f54ed400aff 100644
|
|
--- a/tools/virtiofsd/passthrough_ll.c
|
|
+++ b/tools/virtiofsd/passthrough_ll.c
|
|
@@ -160,6 +160,7 @@ struct lo_data {
|
|
int posix_lock;
|
|
int xattr;
|
|
char *xattrmap;
|
|
+ char *xattr_security_capability;
|
|
char *source;
|
|
char *modcaps;
|
|
double timeout;
|
|
@@ -229,6 +230,8 @@ static __thread bool cap_loaded = 0;
|
|
|
|
static struct lo_inode *lo_find(struct lo_data *lo, struct stat *st,
|
|
uint64_t mnt_id);
|
|
+static int xattr_map_client(const struct lo_data *lo, const char *client_name,
|
|
+ char **out_name);
|
|
|
|
static int is_dot_or_dotdot(const char *name)
|
|
{
|
|
@@ -368,6 +371,37 @@ out:
|
|
return ret;
|
|
}
|
|
|
|
+/*
|
|
+ * The host kernel normally drops security.capability xattr's on
|
|
+ * any write, however if we're remapping xattr names we need to drop
|
|
+ * whatever the clients security.capability is actually stored as.
|
|
+ */
|
|
+static int drop_security_capability(const struct lo_data *lo, int fd)
|
|
+{
|
|
+ if (!lo->xattr_security_capability) {
|
|
+ /* We didn't remap the name, let the host kernel do it */
|
|
+ return 0;
|
|
+ }
|
|
+ if (!fremovexattr(fd, lo->xattr_security_capability)) {
|
|
+ /* All good */
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ switch (errno) {
|
|
+ case ENODATA:
|
|
+ /* Attribute didn't exist, that's fine */
|
|
+ return 0;
|
|
+
|
|
+ case ENOTSUP:
|
|
+ /* FS didn't support attribute anyway, also fine */
|
|
+ return 0;
|
|
+
|
|
+ default:
|
|
+ /* Hmm other error */
|
|
+ return errno;
|
|
+ }
|
|
+}
|
|
+
|
|
static void lo_map_init(struct lo_map *map)
|
|
{
|
|
map->elems = NULL;
|
|
@@ -749,6 +783,11 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
|
|
uid_t uid = (valid & FUSE_SET_ATTR_UID) ? attr->st_uid : (uid_t)-1;
|
|
gid_t gid = (valid & FUSE_SET_ATTR_GID) ? attr->st_gid : (gid_t)-1;
|
|
|
|
+ saverr = drop_security_capability(lo, ifd);
|
|
+ if (saverr) {
|
|
+ goto out_err;
|
|
+ }
|
|
+
|
|
res = fchownat(ifd, "", uid, gid, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW);
|
|
if (res == -1) {
|
|
saverr = errno;
|
|
@@ -771,6 +810,14 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
|
|
}
|
|
}
|
|
|
|
+ saverr = drop_security_capability(lo, truncfd);
|
|
+ if (saverr) {
|
|
+ if (!fi) {
|
|
+ close(truncfd);
|
|
+ }
|
|
+ goto out_err;
|
|
+ }
|
|
+
|
|
if (kill_suidgid) {
|
|
res = drop_effective_cap("FSETID", &cap_fsetid_dropped);
|
|
if (res != 0) {
|
|
@@ -1794,6 +1841,13 @@ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
|
|
if (fd < 0) {
|
|
return -fd;
|
|
}
|
|
+ if (fi->flags & (O_TRUNC)) {
|
|
+ int err = drop_security_capability(lo, fd);
|
|
+ if (err) {
|
|
+ close(fd);
|
|
+ return err;
|
|
+ }
|
|
+ }
|
|
}
|
|
|
|
pthread_mutex_lock(&lo->mutex);
|
|
@@ -2182,6 +2236,12 @@ static void lo_write_buf(fuse_req_t req, fuse_ino_t ino,
|
|
"lo_write_buf(ino=%" PRIu64 ", size=%zd, off=%lu kill_priv=%d)\n",
|
|
ino, out_buf.buf[0].size, (unsigned long)off, fi->kill_priv);
|
|
|
|
+ res = drop_security_capability(lo_data(req), out_buf.buf[0].fd);
|
|
+ if (res) {
|
|
+ fuse_reply_err(req, res);
|
|
+ return;
|
|
+ }
|
|
+
|
|
/*
|
|
* If kill_priv is set, drop CAP_FSETID which should lead to kernel
|
|
* clearing setuid/setgid on file. Note, for WRITE, we need to do
|
|
@@ -2423,6 +2483,7 @@ static void parse_xattrmap(struct lo_data *lo)
|
|
{
|
|
const char *map = lo->xattrmap;
|
|
const char *tmp;
|
|
+ int ret;
|
|
|
|
lo->xattr_map_nentries = 0;
|
|
while (*map) {
|
|
@@ -2453,7 +2514,7 @@ static void parse_xattrmap(struct lo_data *lo)
|
|
* the last entry.
|
|
*/
|
|
parse_xattrmap_map(lo, map, sep);
|
|
- return;
|
|
+ break;
|
|
} else {
|
|
fuse_log(FUSE_LOG_ERR,
|
|
"%s: Unexpected type;"
|
|
@@ -2522,6 +2583,19 @@ static void parse_xattrmap(struct lo_data *lo)
|
|
fuse_log(FUSE_LOG_ERR, "Empty xattr map\n");
|
|
exit(1);
|
|
}
|
|
+
|
|
+ ret = xattr_map_client(lo, "security.capability",
|
|
+ &lo->xattr_security_capability);
|
|
+ if (ret) {
|
|
+ fuse_log(FUSE_LOG_ERR, "Failed to map security.capability: %s\n",
|
|
+ strerror(ret));
|
|
+ exit(1);
|
|
+ }
|
|
+ if (!strcmp(lo->xattr_security_capability, "security.capability")) {
|
|
+ /* 1-1 mapping, don't need to do anything */
|
|
+ free(lo->xattr_security_capability);
|
|
+ lo->xattr_security_capability = NULL;
|
|
+ }
|
|
}
|
|
|
|
/*
|
|
@@ -3550,6 +3624,7 @@ static void fuse_lo_data_cleanup(struct lo_data *lo)
|
|
|
|
free(lo->xattrmap);
|
|
free_xattrmap(lo);
|
|
+ free(lo->xattr_security_capability);
|
|
free(lo->source);
|
|
}
|
|
|