qemu/hw/9pfs
Christian Schoenebeck 10fad73a2b 9pfs: prevent opening special files (CVE-2023-2861)
The 9p protocol does not specifically define how a server shall behave when
a client tries to open a special file; however, from a security POV it does
make sense for a 9p server to prohibit opening any special file on the host
side in general. A sane Linux 9p client, for instance, would never attempt to
open a special file on the host side; it would always handle those exclusively
on its guest side. A malicious client, however, could potentially escape
from the exported 9p tree by creating and opening a device file on the host
side.

With QEMU this could only be exploited in the following unsafe setups:

  - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough'
    security model.

or

  - Using 9p 'proxy' fs driver (which is running its helper daemon as
    root).

These setups were already discouraged for safety reasons before;
however, for obvious reasons we are now tightening behaviour on this.

Fixes: CVE-2023-2861
Reported-by: Yanwu Shen <ywsPlz@gmail.com>
Reported-by: Jietao Xiao <shawtao1125@gmail.com>
Reported-by: Jinku Li <jkli@xidian.edu.cn>
Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>
(cherry picked from commit f6b0de53fb)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(Mjt: drop adding qemu_fstat wrapper for 7.2 where wrappers aren't used)
2023-06-08 23:52:29 +03:00
9p-local.c 9p: darwin: Implement compatibility for mknodat 2022-03-07 11:49:31 +01:00
9p-local.h 9pfs: local: open/opendir: don't follow symlinks 2017-02-28 11:21:15 +01:00
9p-posix-acl.c 9pfs: fix removing non-existent POSIX ACL xattr on macOS host 2022-05-01 14:07:03 +02:00
9p-proxy.c Remove qemu-common.h include from most units 2022-04-06 14:31:55 +02:00
9p-proxy.h Clean up ill-advised or unusual header guards 2016-07-12 16:20:46 +02:00
9p-synth.c 9pfs: fix inode sequencing in 'synth' driver 2022-04-30 13:11:47 +02:00
9p-synth.h 9pfs: Fix segfault in do_readdir_many caused by struct dirent overread 2022-02-17 16:57:58 +01:00
9p-util-darwin.c 9pfs: fix qemu_mknodat() to always return -1 on error on macOS host 2022-05-01 14:07:03 +02:00
9p-util-linux.c 9p: darwin: Implement compatibility for mknodat 2022-03-07 11:49:31 +01:00
9p-util.h 9pfs: prevent opening special files (CVE-2023-2861) 2023-06-08 23:52:29 +03:00
9p-xattr-user.c trivial typos: namesapce 2022-06-28 11:06:44 +02:00
9p-xattr.c 9pfs: add link to 9p developer docs 2021-07-05 13:03:16 +02:00
9p-xattr.h 9pfs: fix XattrOperations typedef 2018-01-08 11:18:22 +01:00
9p.c Pull request 2022-10-25 11:37:17 -04:00
9p.h 9pfs: use GHashTable for fid table 2022-10-24 12:24:32 +02:00
codir.c 9pfs: Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
cofile.c 9pfs: add link to 9p developer docs 2021-07-05 13:03:16 +02:00
cofs.c 9pfs: add link to 9p developer docs 2021-07-05 13:03:16 +02:00
coth.c 9pfs: add link to 9p developer docs 2021-07-05 13:03:16 +02:00
coth.h 9pfs/coth.h: drop Doxygen format on v9fs_co_run_in_worker() 2022-03-07 11:49:31 +01:00
coxattr.c 9pfs: add link to 9p developer docs 2021-07-05 13:03:16 +02:00
Kconfig hw/9pfs: Fix Kconfig dependency problem between 9pfs and Xen 2020-11-05 15:21:11 +01:00
meson.build 9p: darwin: *xattr_nofollow implementations 2022-03-07 11:49:31 +01:00
trace-events 9pfs/xen: Fix segfault on shutdown 2023-05-18 21:09:59 +03:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
virtio-9p-device.c virtio: drop name parameter for virtio_init() 2022-05-16 04:38:40 -04:00
virtio-9p.h Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
xen-9p-backend.c 9pfs/xen: Fix segfault on shutdown 2023-05-18 21:09:59 +03:00
xen-9pfs.h xen: Import other xen/io/*.h 2019-06-24 10:42:30 +01:00