| Message ID | 20181213122511.13853-1-kraxel@redhat.com |
|---|---|
| State | New |
| Headers | show |
| Series | usb-mtp: use O_NOFOLLOW and O_CLOEXEC. | expand |
On Thu, Dec 13, 2018 at 01:25:11PM +0100, Gerd Hoffmann wrote: > Open files and directories with O_NOFOLLOW to avoid symlinks attacks. > While being at it also add O_CLOEXEC. > > usb-mtp only handles regular files and directories and ignores > everything else, so users should not see a difference. > > Because qemu ignores symlinks carrying out an successfull symlink attack > requires swapping an existing file or directory below rootdir for a > symlink and winning the race against the inotify notification to qemu. > > Note that the impact of this bug is rather low when qemu is managed by > libvirt due to qemu running sandboxed, so there isn't much you can gain > access to that way. It is almost non-existant because libvirt doesn't support the MTP device at all yet, so no guest will have it unless the user tried CLI arg passthrough in libvirt :-) > > Fixes: CVE-2018-pjp-please-get-one > Cc: Prasad J Pandit <ppandit@redhat.com> > Cc: Bandan Das <bsd@redhat.com> > Reported-by: Michael Hanselmann <public@hansmi.ch> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > --- > hw/usb/dev-mtp.c | 13 +++++++++---- > 1 file changed, 9 insertions(+), 4 deletions(-) > > diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c > index 100b7171f4..36c43b8c20 100644 > --- a/hw/usb/dev-mtp.c > +++ b/hw/usb/dev-mtp.c > @@ -653,13 +653,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o) > { > struct dirent *entry; > DIR *dir; > + int fd; > > if (o->have_children) { > return; > } > o->have_children = true; > > - dir = opendir(o->path); > + fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW); > + if (fd < 0) { > + return; > + } > + dir = fdopendir(fd); > if (!dir) { > return; > } > @@ -1007,7 +1012,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c, > > trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path); > > - d->fd = open(o->path, O_RDONLY); > + d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); > if (d->fd == -1) { > usb_mtp_data_free(d); > return NULL; > @@ -1031,7 +1036,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c, > c->argv[1], c->argv[2]); > > d = usb_mtp_data_alloc(c); > - d->fd = open(o->path, O_RDONLY); > + d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); > if (d->fd == -1) { > usb_mtp_data_free(d); > return NULL; > @@ -1658,7 +1663,7 @@ static void usb_mtp_write_data(MTPState *s) > 0, 0, 0, 0); > goto done; > } > - d->fd = open(path, O_CREAT | O_WRONLY, mask); > + d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask); > if (d->fd == -1) { > usb_mtp_queue_result(s, RES_STORE_FULL, d->trans, > 0, 0, 0, 0); > -- > 2.9.3 > > Regards, Daniel
On 13.12.18 13:25, Gerd Hoffmann wrote: > Open files and directories with O_NOFOLLOW to avoid symlinks attacks. > While being at it also add O_CLOEXEC. > > usb-mtp only handles regular files and directories and ignores > everything else, so users should not see a difference. > > Because qemu ignores symlinks carrying out an successfull symlink attack Minor typo: s/successfull/successful/ > requires swapping an existing file or directory below rootdir for a > symlink and winning the race against the inotify notification to qemu. > > Note that the impact of this bug is rather low when qemu is managed by > libvirt due to qemu running sandboxed, so there isn't much you can gain > access to that way. > > Fixes: CVE-2018-pjp-please-get-one > Cc: Prasad J Pandit <ppandit@redhat.com> > Cc: Bandan Das <bsd@redhat.com> > Reported-by: Michael Hanselmann <public@hansmi.ch> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Thanks for the patch! Reviewed-by: Michael Hanselmann <public@hansmi.ch> Best regards, Michael
Gerd Hoffmann <kraxel@redhat.com> writes: > Open files and directories with O_NOFOLLOW to avoid symlinks attacks. > While being at it also add O_CLOEXEC. > > usb-mtp only handles regular files and directories and ignores > everything else, so users should not see a difference. > > Because qemu ignores symlinks carrying out an successfull symlink attack > requires swapping an existing file or directory below rootdir for a > symlink and winning the race against the inotify notification to qemu. > > Note that the impact of this bug is rather low when qemu is managed by > libvirt due to qemu running sandboxed, so there isn't much you can gain > access to that way. > > Fixes: CVE-2018-pjp-please-get-one Ah, looks like we've run out of numbers. > Cc: Prasad J Pandit <ppandit@redhat.com> > Cc: Bandan Das <bsd@redhat.com> > Reported-by: Michael Hanselmann <public@hansmi.ch> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Hello Gerd, +-- On Thu, 13 Dec 2018, Markus Armbruster wrote --+ | Gerd Hoffmann <kraxel@redhat.com> writes: | > Open files and directories with O_NOFOLLOW to avoid symlinks attacks. | > While being at it also add O_CLOEXEC. | > | > usb-mtp only handles regular files and directories and ignores | > everything else, so users should not see a difference. | > | > Because qemu ignores symlinks carrying out an successfull symlink attack symlinks, carrying out a successful ... | > requires swapping an existing file or directory below rootdir for a | > symlink and winning the race against the inotify notification to qemu. | > | > Note that the impact of this bug is rather low when qemu is managed by | > libvirt due to qemu running sandboxed, so there isn't much you can gain | > access to that way. | > | > Fixes: CVE-2018-pjp-please-get-one | | Ah, looks like we've run out of numbers. Heh..:) It's CVE-2018-16872. Thank you so much for the fix patch. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index 100b7171f4..36c43b8c20 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c @@ -653,13 +653,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o) { struct dirent *entry; DIR *dir; + int fd; if (o->have_children) { return; } o->have_children = true; - dir = opendir(o->path); + fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW); + if (fd < 0) { + return; + } + dir = fdopendir(fd); if (!dir) { return; } @@ -1007,7 +1012,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c, trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path); - d->fd = open(o->path, O_RDONLY); + d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); if (d->fd == -1) { usb_mtp_data_free(d); return NULL; @@ -1031,7 +1036,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c, c->argv[1], c->argv[2]); d = usb_mtp_data_alloc(c); - d->fd = open(o->path, O_RDONLY); + d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); if (d->fd == -1) { usb_mtp_data_free(d); return NULL; @@ -1658,7 +1663,7 @@ static void usb_mtp_write_data(MTPState *s) 0, 0, 0, 0); goto done; } - d->fd = open(path, O_CREAT | O_WRONLY, mask); + d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask); if (d->fd == -1) { usb_mtp_queue_result(s, RES_STORE_FULL, d->trans, 0, 0, 0, 0);
Open files and directories with O_NOFOLLOW to avoid symlinks attacks. While being at it also add O_CLOEXEC. usb-mtp only handles regular files and directories and ignores everything else, so users should not see a difference. Because qemu ignores symlinks carrying out an successfull symlink attack requires swapping an existing file or directory below rootdir for a symlink and winning the race against the inotify notification to qemu. Note that the impact of this bug is rather low when qemu is managed by libvirt due to qemu running sandboxed, so there isn't much you can gain access to that way. Fixes: CVE-2018-pjp-please-get-one Cc: Prasad J Pandit <ppandit@redhat.com> Cc: Bandan Das <bsd@redhat.com> Reported-by: Michael Hanselmann <public@hansmi.ch> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> --- hw/usb/dev-mtp.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-)