qemu-e2k/fsdev
Christian Schoenebeck f6b0de53fb 9pfs: prevent opening special files (CVE-2023-2861)
The 9p protocol does not specifically define how server shall behave when
client tries to open a special file, however from security POV it does
make sense for 9p server to prohibit opening any special file on host side
in general. A sane Linux 9p client for instance would never attempt to
open a special file on host side, it would always handle those exclusively
on its guest side. A malicious client however could potentially escape
from the exported 9p tree by creating and opening a device file on host
side.

With QEMU this could only be exploited in the following unsafe setups:

  - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough'
    security model.

or

  - Using 9p 'proxy' fs driver (which is running its helper daemon as
    root).

These setups were already discouraged for safety reasons before,
however for obvious reasons we are now tightening behaviour on this.

Fixes: CVE-2023-2861
Reported-by: Yanwu Shen <ywsPlz@gmail.com>
Reported-by: Jietao Xiao <shawtao1125@gmail.com>
Reported-by: Jinku Li <jkli@xidian.edu.cn>
Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>
2023-06-08 17:04:58 +02:00
..
9p-iov-marshal.c
9p-iov-marshal.h
9p-marshal.c Replace GCC_FMT_ATTR with G_GNUC_PRINTF 2022-03-22 14:40:51 +04:00
9p-marshal.h 9pfs: make V9fsString usable via P9Array API 2021-10-27 14:45:22 +02:00
file-op-9p.h 9p: linux: Fix a couple Linux assumptions 2022-03-07 11:49:30 +01:00
meson.build 9p: darwin: meson: Allow VirtFS on Darwin 2022-03-07 11:49:31 +01:00
p9array.h Don't include headers already included by qemu/osdep.h 2023-02-08 07:28:05 +01:00
qemu-fsdev-dummy.c
qemu-fsdev-opts.c
qemu-fsdev-throttle.c
qemu-fsdev-throttle.h
qemu-fsdev.c
qemu-fsdev.h
virtfs-proxy-helper.c 9pfs: prevent opening special files (CVE-2023-2861) 2023-06-08 17:04:58 +02:00