Google Git
Sign in
android-kvm / kvmtool / 4d2c017f41533b0e51e00f689050c26190a15318
commit4d2c017f41533b0e51e00f689050c26190a15318[log] [tgz]
authorYanwu Shen <ywsplz@gmail.com>Mon Mar 04 02:36:59 2024 +0800
committerWill Deacon <will@kernel.org>Mon Mar 04 13:56:03 2024 +0000
treec49e870c8653a5bc9941d1066b1e429c1f61443d
parente73a6b29f1ebf30c44f59a0a228ebed70aa76586 [diff]
Fix 9pfs open device file security flaw

Our team found that a public QEMU's 9pfs security issue[1] also exists
in upstream kvmtool's 9pfs device. A privileged guest user can create
and access the special device file (e.g., block files) in the shared
folder, allowing the malicious user to access the host device and
acheive privilege escalation.

The virtio_p9_open function code on the 9p.c only checks file directory
attributes, but does not check special files. Special device files can
be filtered on the device through the S_IFREG and S_IFDIR flag bits.

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2861
Link: https://lore.kernel.org/r/20240303183659.20656-1-ywsplz@gmail.com
Signed-off-by: Yanwu Shen <ywsPlz@gmail.com>
Signed-off-by: Will Deacon <will@kernel.org>
1 file changed
tree: c49e870c8653a5bc9941d1066b1e429c1f61443d
  1. arm/
  2. config/
  3. disk/
  4. Documentation/
  5. guest/
  6. hw/
  7. include/
  8. mips/
  9. net/
  10. powerpc/
  11. riscv/
  12. tests/
  13. ui/
  14. util/
  15. vfio/
  16. virtio/
  17. x86/
  18. .gitignore
  19. builtin-balloon.c
  20. builtin-debug.c
  21. builtin-help.c
  22. builtin-list.c
  23. builtin-pause.c
  24. builtin-resume.c
  25. builtin-run.c
  26. builtin-sandbox.c
  27. builtin-setup.c
  28. builtin-stat.c
  29. builtin-stop.c
  30. builtin-version.c
  31. code16gcc.h
  32. COPYING
  33. CREDITS-Git
  34. devices.c
  35. epoll.c
  36. framebuffer.c
  37. guest_compat.c
  38. INSTALL
  39. ioeventfd.c
  40. irq.c
  41. kvm-cmd.c
  42. kvm-cpu.c
  43. kvm-ipc.c
  44. kvm.c
  45. main.c
  46. Makefile
  47. mmio.c
  48. pci.c
  49. README
  50. symbol.c
  51. term.c