@@ -1,14 +1,16 @@
-From 10fad73a2bf1c76c8aa9d6322755e5f877d83ce5 Mon Sep 17 00:00:00 2001
+From f6b0de53fb87ddefed348a39284c8e2f28dc4eda Mon Sep 17 00:00:00 2001
From: Christian Schoenebeck <qemu_oss@crudebyte.com>
-Date: Wed Jun 7 18:29:33 2023 +0200
-Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) The 9p
- protocol does not specifically define how server shall behave when client
- tries to open a special file, however from security POV it does make sense
- for 9p server to prohibit opening any special file on host side in general. A
- sane Linux 9p client for instance would never attempt to open a special file
- on host side, it would always handle those exclusively on its guest side. A
- malicious client however could potentially escape from the exported 9p tree
- by creating and opening a device file on host side.
+Date: Wed, 7 Jun 2023 18:29:33 +0200
+Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861)
+
+The 9p protocol does not specifically define how server shall behave when
+client tries to open a special file, however from security POV it does
+make sense for 9p server to prohibit opening any special file on host side
+in general. A sane Linux 9p client for instance would never attempt to
+open a special file on host side, it would always handle those exclusively
+on its guest side. A malicious client however could potentially escape
+from the exported 9p tree by creating and opening a device file on host
+side.
With QEMU this could only be exploited in the following unsafe setups:
@@ -32,19 +34,16 @@ Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>
-(cherry picked from commit f6b0de5)
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-(Mjt: drop adding qemu_fstat wrapper for 7.2 where wrappers aren't used)
-
-Upstream-Status: Backport [https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5]
+Upstream-Status: Backport from [https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5]
CVE: CVE-2023-2861
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
- fsdev/virtfs-proxy-helper.c | 27 ++++++++++++++++++++++++--
- hw/9pfs/9p-util.h | 38 +++++++++++++++++++++++++++++++++++++
- 2 files changed, 63 insertions(+), 2 deletions(-)
+ fsdev/virtfs-proxy-helper.c | 27 +++++++++++++++++++++++--
+ hw/9pfs/9p-util.h | 40 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 65 insertions(+), 2 deletions(-)
diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
index 15c0e79b0..f9e4669a5 100644
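Review bot: The `+Upstream-Status:` line still points at the stable cherry-pick 10fad73a2bf1, while the From: line of this patch now names the master commit f6b0de53fb87, so the two provenance markers disagree and a reader cannot tell which tree the hunks were taken from. The documented OE convention is also `Upstream-Status: Backport [URL]` rather than `Backport from [URL]`; I would write `Upstream-Status: Backport [https://github.com/qemu/qemu/commit/f6b0de53fb87ddefed348a39284c8e2f28dc4eda]` (or keep 10fad73 and restore the matching From: line). Dropping the "(Mjt: drop adding qemu_fstat wrapper ...)" remark is reasonable because this version carries its own shim, but a one-line replacement such as `(7.2 has no qemu_fstat wrapper; 9p-util.h defines it as fstat locally)` would spare the next maintainer a diff against upstream to understand why the header differs.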
@@ -56,12 +55,12 @@ index 15c0e79b0..f9e4669a5 100644
#include "hw/9pfs/9p-proxy.h"
+#include "hw/9pfs/9p-util.h"
#include "fsdev/9p-iov-marshal.h"
-
+
#define PROGNAME "virtfs-proxy-helper"
@@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid)
}
}
-
+
+/*
+ * Open regular file or directory. Attempts to open any special file are
+ * rejected.
@@ -106,22 +105,30 @@ index 15c0e79b0..f9e4669a5 100644
ret = -errno;
}
diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
-index 546f46dc7..54e270ac6 100644
+index 546f46dc7..23000e917 100644
--- a/hw/9pfs/9p-util.h
+++ b/hw/9pfs/9p-util.h
-@@ -13,6 +13,8 @@
+@@ -13,12 +13,16 @@
#ifndef QEMU_9P_UTIL_H
#define QEMU_9P_UTIL_H
-
+
+#include "qemu/error-report.h"
+
#ifdef O_PATH
#define O_PATH_9P_UTIL O_PATH
#else
-@@ -26,6 +28,38 @@ static inline void close_preserve_errno(int fd)
+ #define O_PATH_9P_UTIL 0
+ #endif
+
++#define qemu_fstat fstat
++
+ static inline void close_preserve_errno(int fd)
+ {
+ int serrno = errno;
+@@ -26,6 +30,38 @@ static inline void close_preserve_errno(int fd)
errno = serrno;
}
-
+
+/**
+ * close_if_special_file() - Close @fd if neither regular file nor directory.
+ *
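Review bot: The `++#define qemu_fstat fstat` added to the shared header is an unconditional object-like macro, and fsdev/virtfs-proxy-helper.c now includes 9p-util.h as well, so any later declaration or definition of a real `qemu_fstat` wrapper (the name upstream uses for its per-OS shims) would be rewritten to `fstat` and fail to compile in a confusing way. Guarding it costs nothing: `#ifndef qemu_fstat` / `#define qemu_fstat fstat` / `#endif`, ideally with a comment saying it stands in for the wrapper that 7.2 lacks. The body of close_if_special_file(), where this macro is presumably used, lies outside this hunk, so I cannot confirm from here that `<sys/stat.h>` is reachable through the header's existing includes; worth checking that the header still builds standalone.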
@@ -157,10 +164,10 @@ index 546f46dc7..54e270ac6 100644
static inline int openat_dir(int dirfd, const char *name)
{
return openat(dirfd, name,
-@@ -56,6 +90,10 @@ again:
+@@ -56,6 +92,10 @@ again:
return -1;
}
-
+
+ if (close_if_special_file(fd) < 0) {
+ return -1;
+ }
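Review bot: The new `if (close_if_special_file(fd) < 0) return -1;` relies on the helper having already closed fd and set errno before the caller bails out, but that contract is defined in 9p-util.h outside this hunk and nothing at the call site says so; a short comment such as `/* helper closes fd and sets errno when it rejects a special file */` would keep a future reader from adding a redundant close() or losing errno here. The enclosing function (the one carrying the `again:` label) starts outside the hunk, so I cannot see whether it has other success paths that skip this check. It is also worth confirming for 7.2 that every host-side open in 9p-local.c funnels through this function or through openat_dir() with O_DIRECTORY, since a path that calls openat() directly would still be unprotected.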
@@ -168,5 +175,6 @@ index 546f46dc7..54e270ac6 100644
serrno = errno;
/* O_NONBLOCK was only needed to open the file. Let's drop it. We don't
* do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat()
---
-2.40.0
+--
+2.35.7
+