[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-commits] [qemu/qemu] f6b0de: 9pfs: prevent opening special files (

From: Richard Henderson
Subject: [Qemu-commits] [qemu/qemu] f6b0de: 9pfs: prevent opening special files (CVE-2023-2861)
Date: Thu, 08 Jun 2023 13:31:16 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: f6b0de53fb87ddefed348a39284c8e2f28dc4eda
  Author: Christian Schoenebeck <qemu_oss@crudebyte.com>
  Date:   2023-06-08 (Thu, 08 Jun 2023)

  Changed paths:
    M fsdev/virtfs-proxy-helper.c
    M hw/9pfs/9p-util.h

  Log Message:
  9pfs: prevent opening special files (CVE-2023-2861)

The 9p protocol does not specifically define how server shall behave when
client tries to open a special file, however from security POV it does
make sense for 9p server to prohibit opening any special file on host side
in general. A sane Linux 9p client for instance would never attempt to
open a special file on host side, it would always handle those exclusively
on its guest side. A malicious client however could potentially escape
from the exported 9p tree by creating and opening a device file on host

With QEMU this could only be exploited in the following unsafe setups:

  - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough'
    security model.


  - Using 9p 'proxy' fs driver (which is running its helper daemon as

These setups were already discouraged for safety reasons before,
however for obvious reasons we are now tightening behaviour on this.

Fixes: CVE-2023-2861
Reported-by: Yanwu Shen <ywsPlz@gmail.com>
Reported-by: Jietao Xiao <shawtao1125@gmail.com>
Reported-by: Jinku Li <jkli@xidian.edu.cn>
Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>

  Commit: 5f9dd6a8ce3961db4ce47411ed2097ad88bdf5fc
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2023-06-08 (Thu, 08 Jun 2023)

  Changed paths:
    M fsdev/virtfs-proxy-helper.c
    M hw/9pfs/9p-util.h

  Log Message:
  Merge tag 'pull-9p-20230608' of https://github.com/cschoenebeck/qemu into 

* Fix for CVE-2023-2861.

# QGNydWRlYnl0ZS5jb20ACgkQNMK1h2Wkc5XykxAAzQb+d2clDVyj3Y3UqcB/YS7X
# ijxoZph9ObweyPiP2IThjsAcvNPnVR2Bc8bgEpihRkpEYGNLicw5BSk1SjqOgZvg
# buDRc8bOvOOrKqvYEBXbzaS/OHVIdozn8h+WNjX0jSsdUd4uq9vcwX+uqshkPwl+
# L4Ipx7ChzmHpaEigkVLh1biQEkLPRCTplny5JK/ZzvAmGVaqYb1usbSx//OVu7k+
# gBuBALmvJQst3iz/1e+bmVg+JhyxRqcHfCJuuWxaOLIyiZME3ZhTn7tp+2ilivRj
# n4/AGglTAv+yaVwRi6XEca7GND23HqFs26RPGgZrIhsAkFV03Iz3IT/BJ3Psy3Qv
# uu4LWnbSToNgfNxBXaMk3vHA0SzWxJl7zBi53GVRvn8ciiTkAPVIoZLf0W8jE47X
# 5nkzfTpNdjnQJlaKAfDx+YcAyBUPxiknJjAJmjF/mquAtW8c9XbsCVJpyUgS4Lna
# GNfRoCUHQ6+6ui+/zM0=
# =6Vxp
# gpg: Signature made Thu 08 Jun 2023 08:09:23 AM PDT
# gpg:                using RSA key 96D8D110CF7AF8084F88590134C2B58765A47395
# gpg:                issuer "qemu_oss@crudebyte.com"
# gpg: Good signature from "Christian Schoenebeck <qemu_oss@crudebyte.com>" 
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: ECAB 1A45 4014 1413 BA38  4926 30DB 47C3 A012 D5F4
#      Subkey fingerprint: 96D8 D110 CF7A F808 4F88  5901 34C2 B587 65A4 7395

* tag 'pull-9p-20230608' of https://github.com/cschoenebeck/qemu:
  9pfs: prevent opening special files (CVE-2023-2861)

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Compare: https://github.com/qemu/qemu/compare/45ae97993a75...5f9dd6a8ce39

reply via email to

[Prev in Thread] Current Thread [Next in Thread]