qemu/hw
Christian Schoenebeck d06a9d843f 9pfs: fix regression regarding CVE-2023-2861
The released fix for this CVE:

  f6b0de53fb ("9pfs: prevent opening special files (CVE-2023-2861)")

caused a regression with security_model=passthrough. When handling a
'Tmknod' request there was a side effect that the 'Tmknod' request could fail
as the 9p server was trying to adjust permissions:

  #6  close_if_special_file (fd=30) at ../hw/9pfs/9p-util.h:140
  #7  openat_file (mode=<optimized out>, flags=2228224,
      name=<optimized out>, dirfd=<optimized out>) at
      ../hw/9pfs/9p-util.h:181
  #8  fchmodat_nofollow (dirfd=dirfd@entry=31,
      name=name@entry=0x5555577ea6e0 "mysocket", mode=493) at
      ../hw/9pfs/9p-local.c:360
  #9  local_set_cred_passthrough (credp=0x7ffbbc4ace10, name=0x5555577ea6e0
      "mysocket", dirfd=31, fs_ctx=0x55555811f528) at
      ../hw/9pfs/9p-local.c:457
  #10 local_mknod (fs_ctx=0x55555811f528, dir_path=<optimized out>,
      name=0x5555577ea6e0 "mysocket", credp=0x7ffbbc4ace10) at
      ../hw/9pfs/9p-local.c:702
  #11 v9fs_co_mknod (pdu=pdu@entry=0x555558121140,
      fidp=fidp@entry=0x5555574c46c0, name=name@entry=0x7ffbbc4aced0,
      uid=1000, gid=1000, dev=<optimized out>, mode=49645,
      stbuf=0x7ffbbc4acef0) at ../hw/9pfs/cofs.c:205
  #12 v9fs_mknod (opaque=0x555558121140) at ../hw/9pfs/9p.c:3711

That's because the server was opening the special file to adjust permissions;
however, it was using O_PATH and would not have returned the file
descriptor to the guest. So the call to close_if_special_file() on that branch
was incorrect.

Let's lift the restriction introduced by f6b0de53fb such that it allows
opening special files on the host if the O_PATH flag is supplied, not only
for the 9p server's own operations as described above, but also for any client
'Topen' request.

It is safe to allow opening special files with O_PATH on host, because
O_PATH only allows path based operations on the resulting file descriptor
and prevents I/O such as read() and write() on that file descriptor.

Fixes: f6b0de53fb ("9pfs: prevent opening special files (CVE-2023-2861)")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2337
Reported-by: Dirk Herrendorfer <d.herrendoerfer@de.ibm.com>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Tested-by: Dirk Herrendorfer <d.herrendoerfer@de.ibm.com>
Message-Id: <E1tJWbk-007BH4-OB@kylie.crudebyte.com>
2024-12-10 10:24:52 +01:00
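The property the commit relies on, that an O_PATH descriptor permits path-based operations but no I/O, demonstrated as an added example (this is not QEMU code): a FIFO stands in for the special file from the backtrace, is opened with O_PATH | O_NOFOLLOW, and fstat() is shown to succeed while read() fails with EBADF. The function names and the /tmp scratch path are assumptions of this example, and it requires Linux.

```c
#define _GNU_SOURCE            /* O_PATH is a Linux extension */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open 'name' below 'dirfd' with O_PATH (as the 9p server does when adjusting
 * permissions). 'read_errno' receives errno from a read() attempt (0 if it
 * succeeded); 'is_special' is 1 for a FIFO, socket or device node. */
static int probe_o_path(int dirfd, const char *name,
                        int *read_errno, int *is_special)
{
    struct stat st;
    char buf[1];
    int fd = openat(dirfd, name, O_PATH | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* I/O is refused on an O_PATH descriptor: read() fails with EBADF */
    *read_errno = (read(fd, buf, sizeof buf) < 0) ? errno : 0;
    /* path-based operations still work: fstat() on O_PATH fds (Linux >= 3.6) */
    if (fstat(fd, &st) < 0) {
        close(fd);
        return -1;
    }
    *is_special = !(S_ISREG(st.st_mode) || S_ISDIR(st.st_mode));
    close(fd);
    return 0;
}

/* Creates a FIFO (stand-in for "mysocket" in the backtrace) in a scratch dir
 * and probes it. Returns 1 when fstat() works but read() fails with EBADF. */
int demo_o_path_on_special_file(void)
{
    char dir[] = "/tmp/opath-demo-XXXXXX";   /* constructed scratch path */
    int ok = 0, dirfd;
    if (!mkdtemp(dir))
        return 0;
    dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dirfd >= 0 && mkfifoat(dirfd, "myfifo", 0600) == 0) {
        int read_errno = 0, is_special = 0;
        if (probe_o_path(dirfd, "myfifo", &read_errno, &is_special) == 0)
            ok = (read_errno == EBADF) && is_special;
        unlinkat(dirfd, "myfifo", 0);
    }
    if (dirfd >= 0) close(dirfd);
    rmdir(dir);
    return ok;
}
```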
9pfs 9pfs: fix regression regarding CVE-2023-2861 2024-12-10 10:24:52 +01:00
acpi hw/acpi: Fix size of HID in build_append_srat_acpi_device_handle() 2024-11-26 17:18:06 -05:00
adc hw/adc: Remove MAX111X device 2024-10-15 15:16:17 +01:00
alpha alpha: switch boards to "default y" 2024-05-03 15:47:47 +02:00
arm virtio,pc,pci: features, fixes, cleanups 2024-11-05 15:47:52 +00:00
audio hw/audio/hda: fix memory leak on audio setup 2024-11-18 13:45:45 +01:00
avr avr: switch boards to "default y" 2024-05-03 15:47:47 +02:00
block Misc HW patch queue 2024-11-06 17:28:45 +00:00
char hw/char/sifive_uart: Fix broken UART on big endian hosts 2024-11-07 08:16:53 +10:00
core hw/core/machine: diagnose wrapping of maxmem 2024-12-03 12:26:24 +01:00
cpu hw: Add a Kconfig switch for the TYPE_CPU_CLUSTER device 2024-04-25 12:48:12 +02:00
cxl hw/cxl: Check for zero length features in cmd_features_set_feature() 2024-11-26 17:18:06 -05:00
display hw/display/vga: Do not reset 'big_endian_fb' in vga_common_reset() 2024-12-03 12:26:24 +01:00
dma hw/dma: Remove omap_dma4 device 2024-10-01 14:58:07 +01:00
fsi hw: Use device_class_set_legacy_reset() instead of opencoding 2024-09-13 15:31:44 +01:00
gpio hw/gpio/mpc8xxx: Prefer DEFINE_TYPES() macro 2024-11-05 23:32:25 +00:00
hppa hw/char: Extract serial-mm 2024-10-03 19:33:23 +02:00
hyperv hw/hyperv: remove return after g_assert_not_reached() 2024-09-24 13:53:35 +02:00
i2c hw/i2c/smbus_eeprom: Prefer DEFINE_TYPES() macro 2024-11-05 23:32:25 +00:00
i386 amd_iommu: Fix kvm_enable_x2apic link error with clang in non-KVM builds 2024-11-28 17:59:47 +01:00
ide hw/ide: Remove DSCM-1XXXX microdrive device model 2024-10-15 15:16:17 +01:00
input hw/input: Remove lm832x device 2024-10-01 14:41:10 +01:00
intc hw/intc/loongarch_extioi: Use set_bit32() and clear_bit32() for s->isr 2024-11-19 14:14:13 +00:00
ipack hw/ipack: Constify VMState 2023-12-29 11:17:30 +11:00
ipmi hw/ipmi: Constify VMState 2023-12-29 11:17:30 +11:00
isa hw/char/serial.h: Extract serial-isa.h 2024-10-03 19:33:23 +02:00
loongarch hw/loongarch/boot: Use warn_report when no kernel filename 2024-11-02 15:20:41 +08:00
m68k next-kbd: convert to use qemu_input_handler_register() 2024-11-08 11:05:55 +01:00
mem hw/cxl/cxl-mailbox-utils: Fix for device DDR5 ECS control feature tables 2024-11-04 16:03:24 -05:00
microblaze hw/microblaze/s3adsp1800: Declare machine type using DEFINE_TYPES macro 2024-11-05 23:32:13 +00:00
mips hw/mips: Have mips_cpu_create_with_clock() take an endianness argument 2024-10-15 12:21:06 -03:00
misc hw/misc/nrf51_rng: Don't use BIT_MASK() when we mean BIT() 2024-11-18 13:36:39 +01:00
net virtio,pc,pci: bug fixes, new test 2024-11-28 10:50:20 +00:00
nubus hw/nubus/nubus-device: Range check 'slot' property 2024-09-08 11:49:49 +02:00
nvme hw/nvme: take a reference on the subsystem on vf realization 2024-12-03 07:28:27 +01:00
nvram hw: Remove unused fw_cfg_init_io 2024-10-03 17:26:06 +03:00
openrisc hw/openrisc/openrisc_sim: keep serial@90000000 as default 2024-12-03 12:26:24 +01:00
pci pcie: enable Extended tag field support 2024-11-04 16:03:25 -05:00
pci-bridge hw/pci-bridge: Make pxb_dev_realize_common() return if it succeeded 2024-11-04 16:03:25 -05:00
pci-host hw/ppc/pegasos2: Fix IRQ routing from pci.0 2024-11-27 02:49:36 +10:00
ppc hw/ppc/pegasos2: Fix IRQ routing from pci.0 2024-11-27 02:49:36 +10:00
remote remote: Remove unused remote_iohub_finalize 2024-10-03 17:26:06 +03:00
riscv hw/riscv/riscv-iommu: fix riscv_iommu_validate_process_ctx() check 2024-11-07 08:19:39 +10:00
rtc Misc HW patch queue 2024-11-06 17:28:45 +00:00
rx kconfig: express dependency of individual boards on libfdt 2024-05-10 15:45:15 +02:00
s390x hw: Add "loadparm" property to scsi disk devices for booting on s390x 2024-11-18 17:13:47 +01:00
scsi scsi: megasas: Internal cdbs have 16-byte length 2024-11-28 18:02:22 +01:00
sd hw/sd/sdhci: Fix coding style 2024-11-18 13:45:42 +01:00
sensor hw/sensor/tmp105: Convert printf() to trace event, add tracing for read/write access 2024-11-05 10:10:00 +00:00
sh4 Revert "hw/sh4/r2d: Realize IDE controller before accessing it" 2024-10-21 16:40:11 +02:00
smbios smbios: make memory device size configurable per Machine 2024-07-22 20:15:41 -04:00
sparc hw: Use device_class_set_legacy_reset() instead of opencoding 2024-09-13 15:31:44 +01:00
sparc64 hw/char: Extract serial-mm 2024-10-03 19:33:23 +02:00
ssi hw/ssi/pnv_spi: Fixes Coverity CID 1558831 2024-11-04 09:09:15 +10:00
timer hw/timer/exynos4210_mct: fix possible int overflow 2024-11-19 13:02:05 +00:00
tpm hw/tpm: remove break after g_assert_not_reached() 2024-09-24 13:53:35 +02:00
tricore hw: Use device_class_set_legacy_reset() instead of opencoding 2024-09-13 15:31:44 +01:00
ufs hw/ufs: minor bug fixes related to ufs-test 2024-09-06 18:04:16 +09:00
usb usb-hub: Fix handling port power control messages 2024-11-18 13:36:39 +01:00
vfio * Fixes & doc updates for the new "boot order" s390x bios feature 2024-11-18 20:23:59 +00:00
virtio hw/virtio: fix crash in processing balloon stats 2024-12-03 12:26:24 +01:00
watchdog hw/watchdog/cmsdk_apb_watchdog: Fix INTEN issues 2024-11-19 13:02:05 +00:00
xen hw/xen: Avoid use of uninitialized bufioreq_evtchn 2024-10-21 07:53:21 +02:00
xenpv hw/xen: Register framebuffer backend via xen_backend_init() 2024-06-04 11:53:43 +02:00
xtensa hw/xtensa/xtfpga: Remove TARGET_BIG_ENDIAN #ifdef'ry 2024-10-15 12:13:59 -03:00
Kconfig hw: Remove PCMCIA subsystem 2024-10-15 15:16:17 +01:00
meson.build hw: Remove PCMCIA subsystem 2024-10-15 15:16:17 +01:00