Bug 1933668 (CVE-2021-20263) - CVE-2021-20263 QEMU: virtiofsd: 'security.capabilities' is not dropped with xattrmap option
Summary: CVE-2021-20263 QEMU: virtiofsd: 'security.capabilities' is not dropped with x...
Keywords:
Status: NEW
Alias: CVE-2021-20263
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1935071 1935089 1936490
Blocks: 1933638 1934073
TreeView+ depends on / blocked
 
Reported: 2021-03-01 11:32 UTC by Mauro Matteo Cascella
Modified: 2021-03-09 14:57 UTC (History)
18 users (show)

Fixed In Version: qemu 5.2.50
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Mauro Matteo Cascella 2021-03-01 11:32:09 UTC
The new '-o xattrmap' option in virtiofsd causes some cases in which the 'security.capability' xattr in the guest isn't dropped on write, potentially leading to a modified privileged executable. For the problem to happen virtiofsd needs to be running with '-o xattr' and '-o xattrmap' (to enable and rename xattrs, respectively). The problem only occurs if 'security.capability' is one of the xattrs that is being renamed. Different caching modes cause different guest behavior: '-o cache=none' makes the issue easy to reproduce but it may also occur with '-o cache=auto' as well.

Virtiofsd 'xattrmap' feature in QEMU 5.2:
https://gitlab.com/virtio-fs/qemu/-/commit/6084633dff3a05d6317

Upstream fix:
https://git.qemu.org/?p=qemu.git;a=commit;h=e586edcb410543768ef009eaa22a2d9dd4a53846

Comment 1 Mauro Matteo Cascella 2021-03-01 11:32:29 UTC
Acknowledgments:

Name: David Alan Gilbert (Red Hat)

Comment 3 Dr. David Alan Gilbert 2021-03-04 10:39:51 UTC
Patch posted to qemu-devel:
https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg01244.html

and pull sent upstream.

Comment 5 Mauro Matteo Cascella 2021-03-04 11:13:33 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1935089]

Comment 6 Dr. David Alan Gilbert 2021-03-04 13:51:30 UTC
Merged upstream qemu: e586edcb410543768ef009eaa22a2d9dd4a53846

Comment 7 Mauro Matteo Cascella 2021-03-08 15:02:31 UTC
Note that the impact of this flaw is limited by the fact that xattrmap is a recent feature that's little used so far. Additionally, unprivileged users shouldn't be granted write permission on privileged executables in the first place.

Comment 8 Mauro Matteo Cascella 2021-03-08 15:05:04 UTC
Statement:

This issue does not affect the versions of QEMU as shipped with Red Hat Enterprise Linux and RHEL Advanced Virtualization, as they did not include support for the 'xattrmap' feature.

Comment 10 Mauro Matteo Cascella 2021-03-08 15:41:58 UTC
External References:

https://www.openwall.com/lists/oss-security/2021/03/08/1


Note You need to log in before you can comment on or make changes to this bug.