Bug 1933668 (CVE-2021-20263)

Summary: CVE-2021-20263 QEMU: virtiofsd: 'security.capabilities' is not dropped with xattrmap option
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: berrange, cfergeau, dbecker, dgilbert, drjones, jen, jferlan, jjoyce, jmaloy, jschluet, knoel, lhh, lpeer, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, sclewis, slinaber, virt-maint, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: qemu 5.2.50 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-29 09:58:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1935071, 1935089, 1936490    
Bug Blocks: 1933638, 1934073    

Description Mauro Matteo Cascella 2021-03-01 11:32:09 UTC 
The new '-o xattrmap' option in virtiofsd causes some cases in which the 'security.capability' xattr in the guest isn't dropped on write, potentially leading to a modified privileged executable. For the problem to happen virtiofsd needs to be running with '-o xattr' and '-o xattrmap' (to enable and rename xattrs, respectively). The problem only occurs if 'security.capability' is one of the xattrs that is being renamed. Different caching modes cause different guest behavior: '-o cache=none' makes the issue easy to reproduce but it may also occur with '-o cache=auto' as well.

Virtiofsd 'xattrmap' feature in QEMU 5.2:
https://gitlab.com/virtio-fs/qemu/-/commit/6084633dff3a05d6317

Upstream fix:
https://git.qemu.org/?p=qemu.git;a=commit;h=e586edcb410543768ef009eaa22a2d9dd4a53846
Comment 1 Mauro Matteo Cascella 2021-03-01 11:32:29 UTC 
Acknowledgments:

Name: David Alan Gilbert (Red Hat)
Comment 3 Dr. David Alan Gilbert 2021-03-04 10:39:51 UTC 
Patch posted to qemu-devel:
https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg01244.html

and pull sent upstream.
Comment 5 Mauro Matteo Cascella 2021-03-04 11:13:33 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1935089]
Comment 6 Dr. David Alan Gilbert 2021-03-04 13:51:30 UTC 
Merged upstream qemu: e586edcb410543768ef009eaa22a2d9dd4a53846
Comment 7 Mauro Matteo Cascella 2021-03-08 15:02:31 UTC 
Note that the impact of this flaw is limited by the fact that xattrmap is a recent feature that's little used so far. Additionally, unprivileged users shouldn't be granted write permission on privileged executables in the first place.
Comment 8 Mauro Matteo Cascella 2021-03-08 15:05:04 UTC 
Statement:

This issue does not affect the versions of QEMU as shipped with Red Hat Enterprise Linux and RHEL Advanced Virtualization, as they did not include support for the 'xattrmap' feature.
Comment 10 Mauro Matteo Cascella 2021-03-08 15:41:58 UTC 
External References:

https://www.openwall.com/lists/oss-security/2021/03/08/1