[Virtio-fs] [PATCH v2] virtiofsd: prevent opening of special files (CVE-2020-35517)
Miklos Szeredi
mszeredi at redhat.com
Wed Jan 27 09:25:28 UTC 2021
On Tue, Jan 26, 2021 at 6:18 PM Greg Kurz <groug at kaod.org> wrote:
>
> On Tue, 26 Jan 2021 10:35:02 +0000
> Stefan Hajnoczi <stefanha at redhat.com> wrote:
> The patch looks pretty good to me. It just seems to be missing a change in
> lo_create():
>
> fd = openat(parent_inode->fd, name, (fi->flags | O_CREAT) & ~O_NOFOLLOW,
> mode);
>
> A malicious guest could have created anything called ${name} in this directory
> before calling FUSE_CREATE and we'll open it blindly, or I'm missing something ?
Right, this seems like an omission.
Also the "& ~O_NOFOLLOW" looks like a copy-paste bug, since unlike
lo_open(), lo_create() is not opening a proc symlink.
So that should be replaced with "| O_NOFOLLOW"
Thanks,
Miklos
More information about the Virtio-fs
mailing list