Richard W.M. Jones
2011-Dec-22 18:14 UTC
[Libguestfs] [PATCH] Security: Mitigate possible privilege escalation via SG_IO ioctl (CVE-2011-4127, RHBZ#757071)
From: "Richard W.M. Jones" <rjones at redhat.com> CVE-2011-4127 is a serious qemu & kernel privilege escalation bug found by Paolo Bonzini. http://seclists.org/oss-sec/2011/q4/536 An untrusted guest kernel is able to issue special SG_IO ioctls on virtio devices which qemu passes through to the host kernel without filtering or sanitizing. These ioctls allow raw sectors from the underlying host device to be read and written. Significantly, neither qemu nor the host kernel checks that the range of sectors is within the partition / LV assigned to the guest. For example, if the guest is assigned host partition /dev/sda3, it would be able to read or write any part of /dev/sda including other partitions and the boot sector. Exploits through LVs passed to the guest are also possible, with some limitations. File-backed virtual block devices are not vulnerable. Non-virtio block devices are not vulnerable. This patch mitigates the problem by disabling the SG_IO ioctl passthrough in qemu. Thus if libguestfs is examining an untrusted guest and the libguestfs appliance/daemon is compromised (eg. by executing guest commands, or through some other compromise), then the compromised appliance will not be able to issue the above SG_IO ioctls and exploit the host. Note that this is just mitigation for libguestfs. Users will still want to fully update their host kernel, qemu/KVM and libvirt, in order to prevent other (non-libguestfs) routes to compromise. The following versions of libguestfs (will/have) this patch applied. libguestfs >= 1.15.13 libguestfs >= 1.14.8 libguestfs >= 1.12.11 libguestfs >= 1.10.12 libguestfs >= 1.8.16 Earlier versions may be vulnerable unless a downstream packager has applied this patch. Cc: Hilko Bengen <bengen at hilluzination.de> --- src/launch.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/src/launch.c b/src/launch.c index 7b3372c..9add092 100644 --- a/src/launch.c +++ b/src/launch.c @@ -564,6 +564,16 @@ launch_appliance (guestfs_h *g) alloc_cmdline (g); g->cmdline[0] = g->qemu; + /* CVE-2011-4127 mitigation: Disable SCSI ioctls on virtio-blk + * devices. The -global option must exist, but you can pass any + * strings to it so we don't need to check for the specific virtio + * feature. + */ + if (qemu_supports (g, "-global")) { + add_cmdline (g, "-global"); + add_cmdline (g, "virtio-blk-pci.scsi=off"); + } + /* Add drives */ struct drive *drv = g->drives; while (drv != NULL) { -- 1.7.6
Reasonably Related Threads
- [PATCH] launch: appliance: Add custom parameters last.
- [PATCH 15/24] compat_ioctl: scsi: move ioctl handling into drivers
- [PATCH 15/24] compat_ioctl: scsi: move ioctl handling into drivers
- [PATCH 15/24] compat_ioctl: scsi: move ioctl handling into drivers
- [PATCH v3 13/22] compat_ioctl: scsi: move ioctl handling into drivers