[Libguestfs] [PATCH] Security: Mitigate possible privilege escalation via SG_IO ioctl (CVE-2011-4127, RHBZ#757071)

Thu Dec 22 18:14:07 UTC 2011

From: "Richard W.M. Jones" <rjones at redhat.com>

CVE-2011-4127 is a serious qemu & kernel privilege escalation bug
found by Paolo Bonzini.

http://seclists.org/oss-sec/2011/q4/536

An untrusted guest kernel is able to issue special SG_IO ioctls on
virtio devices which qemu passes through to the host kernel without
filtering or sanitizing.  These ioctls allow raw sectors from the
underlying host device to be read and written.  Significantly, neither
qemu nor the host kernel checks that the range of sectors is within
the partition / LV assigned to the guest.  For example, if the guest
is assigned host partition /dev/sda3, it would be able to read or
write any part of /dev/sda including other partitions and the boot
sector.  Exploits through LVs passed to the guest are also possible,
with some limitations.  File-backed virtual block devices are not
vulnerable.  Non-virtio block devices are not vulnerable.

This patch mitigates the problem by disabling the SG_IO ioctl
passthrough in qemu.  Thus if libguestfs is examining an untrusted
guest and the libguestfs appliance/daemon is compromised (eg. by
executing guest commands, or through some other compromise), then the
compromised appliance will not be able to issue the above SG_IO ioctls
and exploit the host.

Note that this is just mitigation for libguestfs.  Users will still
want to fully update their host kernel, qemu/KVM and libvirt, in order
to prevent other (non-libguestfs) routes to compromise.

The following versions of libguestfs (will/have) this patch applied.

  libguestfs >= 1.15.13
  libguestfs >= 1.14.8
  libguestfs >= 1.12.11
  libguestfs >= 1.10.12
  libguestfs >= 1.8.16

Earlier versions may be vulnerable unless a downstream packager has
applied this patch.

Cc: Hilko Bengen <bengen at hilluzination.de>
---
 src/launch.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/src/launch.c b/src/launch.c
index 7b3372c..9add092 100644
--- a/src/launch.c
+++ b/src/launch.c
@@ -564,6 +564,16 @@ launch_appliance (guestfs_h *g)
     alloc_cmdline (g);
     g->cmdline[0] = g->qemu;
 
+    /* CVE-2011-4127 mitigation: Disable SCSI ioctls on virtio-blk
+     * devices.  The -global option must exist, but you can pass any
+     * strings to it so we don't need to check for the specific virtio
+     * feature.
+     */
+    if (qemu_supports (g, "-global")) {
+      add_cmdline (g, "-global");
+      add_cmdline (g, "virtio-blk-pci.scsi=off");
+    }
+
     /* Add drives */
     struct drive *drv = g->drives;
     while (drv != NULL) {
-- 
1.7.6


