<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
CVE-2021-20263 QEMU: virtiofsd: 'security.capabilities' is not dropped with xattrmap option
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Mauro Matteo Cascella <mcascell () redhat com>
Date: Mon, 8 Mar 2021 15:35:38 +0100
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Hello,
A flaw was found in the virtio-fs shared file system daemon
(virtiofsd) of QEMU. Virtio-fs is meant to share a host file system
directory with a guest virtual machine. The new 'xattrmap' option may
cause the 'security.capability' xattr in the guest to not drop on file
write, potentially leading to a modified, privileged executable in the
guest. In rare circumstances, this flaw could be used by a malicious
user to elevate their privileges within the guest.
For the problem to happen virtiofsd needs to be running with '-o
xattr' and '-o xattrmap' (to enable and rename xattrs, respectively).
The problem only occurs if 'security.capability' is one of the xattrs
that's being renamed. Different caching modes cause different guest
behavior: '-o cache=none' makes the issue easy to reproduce. There's a
suspicion the flaw could be reproduced with the default option '-o
cache=auto' as well.
The impact of this flaw is limited by the fact that xattrmap is a
recent feature that's little used so far. Additionally, unprivileged
users shouldn't be granted write permission on privileged executables
in the first place.
Virtiofsd 'xattrmap' feature in QEMU 5.2:
https://gitlab.com/virtio-fs/qemu/-/commit/6084633dff3a05d6317
Upstream patch:
https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg01244.html
This issue was reported by Dr. David Alan Gilbert (CC'd).
CVE-2021-20263 assigned by Red Hat, Inc.
Best regards.
--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
CVE-2021-20263 QEMU: virtiofsd: 'security.capabilities' is not dropped with xattrmap option Mauro Matteo Cascella (Mar 08)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->