[libvirt] [BUG,RFC] directory traversal vulnerability / qemu: name→uuid

Philipp Hahn hahn at univention.de
Thu Sep 8 06:54:57 UTC 2011


Hello Eric,

On Wednesday 07 September 2011 16:02:51 Eric Blake wrote:
> On 09/07/2011 11:12 AM, Philipp Hahn wrote:
> > I just tried the following command  with libvirt-0.9.5git:
> > # virsh snapshot-create "$VM" /dev/stdin
> > <<<'<domainsnapshot><name>../../../../../../etc/passwd</name></domainsnap
> >shot>'
> >
> > "Luckily" it adds a .xml suffix, but this still looks like a security
> > problem to me, because you can overwrite any .xml-file with libvirt
> > gibberish. Actually this was found by a user trying to create a snapshot
> > with an embedded /, which didn't work, because the sub-directory didn't
> > exist. I know SELinux can solve this, but I really would prefer the Qemu
> > driver to reject such names.
>
> Qemu won't reject names with /, but I agree with your thought that
> libvirt needs to prevent such names, particularly since it creates
> several other file names (such as log files, managed save, snapshots,
> and even the monitor file) all based on the domain name.

For Qemu the name is just a C-string, but libvirt makes the error of using those 
bits as something else, namely a UNIX/Windows/whatever path name, which has 
additional constraints. So if libvirt wants to use the name as a path, it 
must add an additional constraint on the naming to make it safe, or at least 
use some escaping when translating the name to a path name.

>   You are also missing:
> /var/log/libvirt/qemu/$VM.log

Yes, which is complicated by logrotate replacing and renaming those files.

> > Would it be possible and feasible to convert the Qemu driver to use the
> > UUID instead for file and directory naming?
>
> Maybe, but I prefer seeing files by name rather than by UUID when
> browsing through the libvirt internal directories.  If we supported
> renaming, and properly altered the name of all affected files, then I
> see no reason to keep the files by name instead of uuid.

Yes, names are definitely nicer than UUIDs, but they make renaming harder (I 
hope nobody wants to change the UUID) and have the meta-character problem. 
With UUIDs we are sure that they always consist of safe characters and have 
a finite length.

Sincerely
Philipp
-- 
Philipp Hahn           Open Source Software Engineer      hahn at univention.de
Univention GmbH        Linux for Your Business        fon: +49 421 22 232- 0
Mary-Somerville-Str.1  D-28359 Bremen                 fax: +49 421 22 232-99
                                                   http://www.univention.de/
----------------------------------------------------------------------------
Meet Univention at IT&Business from 20 to 22 September 2011 at the joint
stand of the Open Source Business Alliance in Stuttgart, Hall 3, Stand 3D27-7.
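The two mitigations discussed in this thread, rejecting names that are not safe as a single path component and escaping the name before it is used in a path, as an added example in C. This is illustrative code written for this page, not libvirt's implementation; the base directory passed in by the caller, the 255-byte length limit and the character whitelist used for escaping are assumptions. It also shows why appending a `.xml` suffix does not help: the traversal happens in the directory part of the name, before the suffix.

```c
/* Added example (not libvirt code): treating a domain/snapshot name as an
 * untrusted string before it becomes part of a file system path. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit on the length of a name we are willing to embed in a path. */
#define NAME_MAX_LEN 255

/* Option 1: reject. A name may be used as exactly one path component only if
 * it is non-empty, is neither "." nor "..", contains no '/' (and no '\\', in
 * case the path is ever consumed on Windows), contains no NUL or other control
 * characters, and stays within the length limit. */
bool name_is_safe_component(const char *name)
{
    if (name == NULL)
        return false;
    size_t len = strlen(name);
    if (len == 0 || len > NAME_MAX_LEN)
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\' || iscntrl(c))
            return false;
    }
    return true;
}

/* Option 2: escape. Percent-encode every byte outside [A-Za-z0-9_-] so the
 * result can never contain a separator and can never equal "." or "..".
 * Returns 0 on success, -1 if the output buffer is too small. */
int escape_component(const char *name, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (isalnum(*p) || *p == '-' || *p == '_') {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = (char)*p;
        } else {
            if (o + 3 >= outlen)
                return -1;
            out[o++] = '%';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0F];
        }
    }
    out[o] = '\0';
    return 0;
}

/* Build <base>/<vm>/<snap>.xml, but only after both names pass the check.
 * Note that the ".xml" suffix alone would not stop "../../etc/passwd": the
 * resulting path would still leave <base>. Returns 0 on success, -1 if a name
 * is rejected or the buffer is too small. */
int build_snapshot_path(const char *base, const char *vm, const char *snap,
                        char *out, size_t outlen)
{
    if (!name_is_safe_component(vm) || !name_is_safe_component(snap))
        return -1;
    int n = snprintf(out, outlen, "%s/%s/%s.xml", base, vm, snap);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample input modelled on the name from the report. */
    const char *bad = "../../../../../../etc/passwd";
    char path[512], esc[1024];

    printf("reject %-32s -> %s\n", bad,
           build_snapshot_path("/tmp/snapshots", "vm1", bad, path, sizeof path) == 0
               ? path : "rejected");
    printf("reject %-32s -> %s\n", "pre-upgrade",
           build_snapshot_path("/tmp/snapshots", "vm1", "pre-upgrade", path, sizeof path) == 0
               ? path : "rejected");
    if (escape_component(bad, esc, sizeof esc) == 0)
        printf("escape %-32s -> %s\n", bad, esc);
    return 0;
}
```

Rejecting is the simpler policy and is what the thread argues the Qemu driver should do; escaping keeps arbitrary names usable at the cost of less readable directory listings, which is the trade-off Eric raises against switching to UUIDs.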