07.06.2023 19:29, Christian Schoenebeck wrote:
The 9p protocol does not specifically define how server shall behave when client tries to open a special file, however from security POV it does make sense for 9p server to prohibit opening any special file on host side in general. A sane Linux 9p client for instance would never attempt to open a special file on host side, it would always handle those exclusively on its guest side. A malicious client however could potentially escape from the exported 9p tree by creating and opening a device file on host side.With QEMU this could only be exploited in the following unsafe setups: - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough' security model. or - Using 9p 'proxy' fs driver (which is running its helper daemon as root). These setups were already discouraged for safety reasons before, however for obvious reasons we are now tightening behaviour on this. Fixes: CVE-2023-2861 Reported-by: Yanwu Shen <yws...@gmail.com> Reported-by: Jietao Xiao <shawtao1...@gmail.com> Reported-by: Jinku Li <j...@xidian.edu.cn> Reported-by: Wenbo Shen <shenwe...@zju.edu.cn> Signed-off-by: Christian Schoenebeck <qemu_...@crudebyte.com> Reviewed-by: Greg Kurz <gr...@kaod.org>
Revived-by: Michael Tokarev <m...@tls.msk.ru> Thank you! /mjt
