Bug 1933668 (CVE-2021-20263)

Summary: CVE-2021-20263 QEMU: virtiofsd: 'security.capabilities' is not dropped with xattrmap option
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: berrange, cfergeau, dbecker, dgilbert, drjones, jen, jferlan, jjoyce, jmaloy, jschluet, knoel, lhh, lpeer, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, sclewis, slinaber, virt-maint, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: qemu 5.2.50 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-29 09:58:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1935071, 1935089, 1936490    
Bug Blocks: 1933638, 1934073    

Description Mauro Matteo Cascella 2021-03-01 11:32:09 UTC
The new '-o xattrmap' option in virtiofsd causes some cases in which the 'security.capability' xattr in the guest isn't dropped on write, potentially leading to a modified privileged executable. For the problem to happen virtiofsd needs to be running with '-o xattr' and '-o xattrmap' (to enable and rename xattrs, respectively). The problem only occurs if 'security.capability' is one of the xattrs that is being renamed. Different caching modes cause different guest behavior: '-o cache=none' makes the issue easy to reproduce but it may also occur with '-o cache=auto' as well.

Virtiofsd 'xattrmap' feature in QEMU 5.2:

Upstream fix:

Comment 1 Mauro Matteo Cascella 2021-03-01 11:32:29 UTC

Name: David Alan Gilbert (Red Hat)

Comment 3 Dr. David Alan Gilbert 2021-03-04 10:39:51 UTC
Patch posted to qemu-devel:

and pull sent upstream.

Comment 5 Mauro Matteo Cascella 2021-03-04 11:13:33 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1935089]

Comment 6 Dr. David Alan Gilbert 2021-03-04 13:51:30 UTC
Merged upstream qemu: e586edcb410543768ef009eaa22a2d9dd4a53846

Comment 7 Mauro Matteo Cascella 2021-03-08 15:02:31 UTC
Note that the impact of this flaw is limited by the fact that xattrmap is a recent feature that's little used so far. Additionally, unprivileged users shouldn't be granted write permission on privileged executables in the first place.

Comment 8 Mauro Matteo Cascella 2021-03-08 15:05:04 UTC

This issue does not affect the versions of QEMU as shipped with Red Hat Enterprise Linux and RHEL Advanced Virtualization, as they did not include support for the 'xattrmap' feature.

Comment 10 Mauro Matteo Cascella 2021-03-08 15:41:58 UTC
External References: